In all organisations, public and private, it is essential to systematically and effectively manage product and service quality, information security and occupational health and safety, just to mention some key areas of management. With regard to compliance management, the single most important legal risk to many organisations remains corruption, be it on the supply side or the demand side of corruption. According to the World Bank, around US$1 trillion is paid each year in bribes, causing and cementing poverty and depriving countries and their citizens of development and prosperity. Still, when it comes to managing risk and compliance, and in particular combatting bribery, most organisations do not yet appear to follow a transparent standards-based approach, preferring rather to mix and match outdated bits and pieces of anti-corruption practices instead: governmental and enforcement agency compliance guidelines are mixed with topical guidelines issued by trade or political organisations and then matched to the organisation’s own management concepts. The final product is then often spiced up using ‘home-made’ ingredients, such as flawed and incomplete third-party due diligence data bases. The result is that most organisations that manage risks and compliance continue to apply management practices that are couched in undefined terms and are based on discretionary principles and approaches, priorities and instruments. These home-made programmes are therefore often completely non-transparent and de facto non-auditable.
Management is systematic and transparent when it follows documented, defined rules and involves planned, structured action, if it can be easily understood by outsiders who are familiar with the rules; and if the results can be, and indeed are, independently audited. Over the past few years, one of the most noteworthy steps aimed at rendering risk and compliance management more effective has been the implementation of standards-based risk and compliance management systems in organisations and their independent certification. The main standards are ISO Standard 19600 – Compliance Management Systems, and ISO 37001 – Anti-bribery Management Systems.
A well-known example of this best practice procedure is the implementation of and certification under ISO Standard 9001 – Quality Management Systems. More than one million businesses worldwide assure their product and service quality on the basis of an ISO 9001 quality management system. The key reason for applying standard-based management systems is that standardisation reduces complexity and cost while harmonising technical specifications for processes, products and services. This in turn increases transparency, comparability and effectiveness. By the same logic, businesses worldwide apply generally accepted accounting standards such as the US Generally Accepted Accounting Principles (US GAAP) or the International Financial Reporting Standards (IFRS).
A company that decides to follow ISO Standard 37001 in its anti-bribery management acts diligently because it decides to apply internationally recognised best management practices to mitigate its bribery risks. Essentially, this is what matters only for effective management of bribery risks. And companies could rightly and reasonably say that they are now done with maintaining this level of legal risk management. However, once a company has implemented the anti-bribery management system, it can, by choice, decide to engage an independent certifying body and strive for certification of its anti-bribery management system.
The pros of independent certification are the independent expert review of the management system and the additional level of assurance provided by the experts. And in case certification is achieved, the independent confirmation of ‘good management’ (ie, the certificate) certainly has material value for corporate communications, marketing, government and customer relations, sales etc. The cons are that certification requires the allocation of resources and – if the company has a sound management system – may provide little additional assurance.
In my experience, independent compliance and anti-bribery management system reviews and certifications in most cases provide significant additional assurance because they draw leadership’s attention to residual organisational and procedural weaknesses. In many cases, reviews and certification processes also help in overcoming internal blockades, organisational blindness and overestimation.
Of course, any audit is only as good (or bad) as the auditor. Therefore, organisations that want value for money should carefully select the certifying body and pay reasonable fees. Pressure on fees inevitably results in a lesser quality of the certificate.
An often-heard critique is that certification does not prevent misconduct from happening. This statement completely misses the point. Certification of management systems provides assurance that a particular management system is properly implemented and maintained, not that an organisation is compliant and has no risks. Certification confirms proper implementation of the requirements of the Standard, which warrants for maximum effectiveness of management. Management systems as such and, on the other hand, particular instances of non-conformity with the Standard or non-compliance with obligations, are two entirely different things. This is not only clear from the US Sentencing Guidelines but also from ISO 19600, section 10 – Improvement, which more or less repeats the Sentencing Guidelines: the failure (of an organisation) to prevent or detect a one-off noncompliance does not necessarily mean that the compliance management system is not generally effective in preventing and detecting noncompliance.
Another critique is that standards are complex and costly to implement. Also, this statement is a fairy tale. Standards reduce complexity and cost and create transparency. Just think of the additional cost created by the fact that no single internal control system of a company in the world is comparable to the control system of another company, unless international standards are followed. Financial institutions alone probably spend dozens of billions a year on additional cost because they do not apply one single global standard in risk management and compliance management and, de facto, remain non-auditable in this perspective.
In summary, management of legal risks based on ISO Standards 19600 and 37001 is today’s best practice, is effective and reduces cost. Certification is a choice, which is worth the effort and the resources for reasons of additional assurance and the value it brings to communications, government and customer relationships and sales.