When ISO 37001 was released in October 2016, I commented that if one is familiar with the numerous sources of best practices in the anti-bribery space, then ISO 37001 is a complete yawner, indeed a disappointment as several best practices are not even captured in the purported best practices document.
Despite many laughable and desperate attempts (see here, here, here, here) by ISO 37001 service providers to market ISO 37001, it seems that most of the FCPA compliance community views ISO 37001 as a close to useless document.
As previously highlighted, the DOJ seemed to agree because its February 2017 policy document titled “Evaluation of Corporate Compliance Programs” (see here for the prior post) heavily footnotes various best practice metrics and documents long in the public domain, but does not mention ISO 37001.
Recently, the primary drafter of the DOJ document, former DOJ compliance counsel Hui Chen, penned this LinkedIn post in which she seems not to think much of ISO 37001.
In the post, Chen states:
“One question I often get is my views on ISO 37001 (the “Anti-bribery management system – Requirements with guidance for use”, published October 15, 2016) and/or certification programs in general. An associated question is how does the Department of Justice (DoJ) view such certifications.
On the second question, Dan Kahn, the Chief of the FCPA Unit in the Fraud Section of DoJ’s Criminal Division, has been very consistent: prosecutors will not outsource their responsibilities. DoJ policies require prosecutors to assess companies’ compliance programs in evaluating charging decisions, and while certifications may be a point of reference, it cannot substitute the prosecutors’ own inquiry and judgment.
My views on ISO 37001 and other certification programs fully support such position, and in fact question their validity even as a point of reference.
Let’s start with ISO 37001 standard itself. The most fundamental flaw is that there is no statistical evidence to prove that the implementation of such a “management system” would be effective in actually reducing the instances of bribery. Let’s compare this with the World Health Organization’s (WHO) Surgical Safety Checklist. As the practitioners gathered in 2007 to discuss ways to reduce complications from surgery, they already had specific data from hospitals that had employed some form or surgical checklist: infection and complication rates before and at intervals after the introduction of such checklists. Next, the WHO working group conducted a pilot study in eight selected hospitals across different environments around the globe, tracking data of thousands of patients from three months before the introduction of the checklist to six months after. They scrubbed the data to distinguish causation from correlation. Only when the resulting data proves the improvement to be significant (36% drop in complication rate, 47% drop in death rate) was the checklist made public in January 2009.
Where are the statistics and pilot studies for ISO 37001?
Indeed, other than a token mention that “[t]he anti-bribery system objectives shall…be measurable (if applicable)” (Section 6.2(b), which also happens to be the only requirement in this section to carry a parenthetical “out”), nowhere else does the document mandates or even suggests that organizations should actually measure the effectiveness of their programs and actions.
For a one-page, 19-step, two-minute checklist, WHO can show data of numbers of complications avoided and lives saved. For a 22-page document that requires too many steps to count and potentially millions of dollars and hours of investment, can ISO show data on how many bribes prevented?
Even if the standard had been proven to be effective, which it most definitely has not or even pretended to, certification is a whole different ball game altogether. The questions I always have when it comes to certifications are: who is doing the certification and how are they doing it?
The “who” questions relate to the competency, experience, and judgment of those conducting the certification. Too often I have seen people ill-equipped to be conducting the types of evaluation and assessments they claim to be experts in conducting: lacking substantive expertise, practical experience, common sense, social intelligence are among the most common. Having a big title or being a fancy firm does not make someone an expert assessor of E&C programs: having actual experience, common sense, social intelligence, and statistical discipline does.
The “how” question relates to the methodology used for the certification. Most of the prevailing certification programs on the market today rely on self-reported data and paper-based reviews of policies and procedures. I will not belabour how unreliable such reliance can be. Even if a certification goes beyond these sources, I would want to know what methodologies are used to measure and assess the different metrics and components of E&C programs, and how the reliability of these measurements and assessments have been tested.
There should be a third question: why? Why do organizations seek certification? In my experience, it is more often than not a public relations exercise. If there is no evidence a particular set of exercises is useful in actually achieving results, what is the value of saying you have done that set of exercises?
It’s time the E&C profession recognizes that we need data to backup our claims that our programs are accomplishing anything other than spending and bureaucracy.”
Chen’s critical comments about ISO 37001 are an important contribution, but my own two cents is that preventing “bribery” is not like a surgical safety checklist.
“Bribery” under the FCPA and similar laws is often an ill-defined concept (indeed recent FCPA enforcement actions have been based on internships, charitable donations, sports tickets and golf in the morning and beer drinking in the evening). Moreover, corporate liability is often based on the acts of a single or small group of employees.
So the question arises for Ms. Chen: just what sorts of data do you suggest for measuring the effectiveness of FCPA (and related) compliance programs? Moreover, what does effective even mean?
For instance, in prior FCPA guidance the SEC stated:
“The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company. But, an adequate system of internal controls means that, when such breaches do arise, they will be isolated rather than systemic, and they will be subject to a reasonable likelihood of being uncovered in a timely manner and then remedied promptly. Barring, of course, the participation or complicity of senior company officials in the deed, when discovery and correction expeditiously follow, no failing in the company’s internal accounting system would have existed. To the contrary, routine discovery and correction would evidence its effectiveness.”
Judging from much recent FCPA enforcement activity, this concepts seems to have been forgotten.
Likewise, the DOJ has stated: “[N]o compliance program can ever prevent all criminal activity by a corporation’s employees …”.
FCPA Institute - Nashville (April 11-12, 2019)
A unique two-day learning experience ideal for a diverse group of professionals seeking to elevate their FCPA knowledge and practical skills through active learning. Learn more, spend less. CLE credit is available.