ISO Here, ISO There, I See ISO Almost Everywhere

ISO, the International Standards Organization[1], has published over 21,000 standards covering just about anything you can think of and probably a few you’d never imagine. It is a global organization, and has 163 national standards bodies as members. That’s a lot of power as there are nearly 200 countries in the world. While many of its standards are more like guidelines than cast-in-stone mandates, they are often used to assist buyers and others in determining if it is a good idea to buy the product or service to which it applies.

Since the introduction of ISO 31000 on risk management[2] in 2009, risk has increasingly been incorporated into these standards. In part, one assumes, to avoid wasting resources on blindly enforcing compliance with the last letter of the standard.

In April 2016 ISO 37001 was moved into the final stage before implementation[3]. The standard applies to anti-bribery management systems, and is closely aligned to many governmental standards. What sets this standard apart from many standards is that organizations can get certified to be in compliance.

So, we expect to see a rash of opportunities to get trained as a “certifier”. This is probably not, in itself, a bad thing, but there is a need to be aware of two key components: Risk and Process. Both need to be supported by an adequate level of efficiency, transparency, and auditability.

Risk is essentially a combination of three factors:

  1. The likelihood the event will occur.
  2. The impact if it does occur.
  3. The timing of the event.

Most people are familiar with a 1:100 flood, but no-one is able to state exactly when that flood will occur. Similarly, how big is the impact? A very costly, ruinous event, or perhaps a slap on the wrist and don’t do it again?

Refer to ISO 31000 for an in-depth description of these components and a lot more related to risk. The questions are, essentially, “can the event occur (yes/no/perhaps)?” and “if it does occur, how bad are the consequences likely to be?” Neither of these values can be exact. To do so would mean there is complete certainty — the opposite of risk.

To be certified, an organization requires processes that prove it has done enough to prevent bribery from occurring. Of course, there doesn’t seem to be much effort put into minimizing the size of bribes, just the likelihood that they will occur. It is analogous to fire sprinklers, which have never prevented a fire from starting but typically do a great job of preventing the fire from growing into an inferno. ISO 37001 addresses likelihood, but not impact.

For this the organization must have a clear understanding of the relevant governance (e.g. anti-bribery regulations in any country in which it operates), the level of risk (not always determined by the size of sales in a specific country), and its ability to get assurance from all the relevant participants (employees, customers, vendors, etc.) in an efficient, simple and secure manner.

This has all the hallmarks of another boost for the Chief Compliance Officer role, with a heavy dependence on technology to support the process.