Can the same standard really apply to all companies? Yes — but it depends on how the standard is applied and how compliance programs are evaluated.
Faced with a large volume of anti-corruption compliance guidance on the one hand and with a pressing need to strengthen their reputation and public trust on the other, companies are increasingly considering third-party certification of their anti-corruption compliance programs. As a result, several organizations have developed standards and evaluation methodologies to address this need. The latest have taken the form of a set of general compliance management system guidelines issued by the ISO (ISO 19600:2014) and a certifiable ISO standard specific to anti-corruption compliance (ISO 37001), which will most likely be published at the end of this year.
Certification standards can be limited, depending on the certification type and methodology
The quality of the certificate, the approach to certification and the expertise of the certifying body make a difference in this area. The main concern involving certification standards and anti-corruption compliance systems is that, as we repeatedly hear at compliance events, “one size does not fit all.” How can one standard take into account all possible aspects of a compliance program across industry sectors, business models, countries of operation and other such company-specific factors while staying practical and relevant to each company?
Useful certification attests to the effectiveness and end purpose of a compliance program
It is now generally accepted among the compliance community that how a program is implemented is as important as how it is designed on paper, and how it is designed must take into account company specifics. Boards and investors are reassured by knowing that their compliance programs are designed to address their companies’ specific corruption risks and are effectively understood and implemented throughout the company. Why a company implements a compliance program is another question authorities try to answer. Does the company have a program simply to satisfy requirements and avoid prosecution? Or does it have a program to effectively eliminate the incidence of corruption?
Fixed, “yes/no, check-the-box” certification standards, while useful in attesting to the existence of a compliance program, do not attest to program effectiveness, nor to an end purpose. This is where the traditional approach to certification reaches its limits; understandably, certifying anti-corruption compliance management systems requires a much more involved level of evaluation than, for example, certifying electrical installations or medical equipment.
Anti-corruption compliance programs: a mirror image of company-specific corruption risk
Because the same anti-corruption compliance program can be effective at one company and ineffective at another, the most valuable approach to anti-corruption compliance certification is not just to evaluate the program against a detailed, set standard (supposedly, though impossibly, applicable to all companies), but to evaluate it against both the company’s specific corruption risks and the body of guidance, recommendations and best practices available to date.
What to look for when shopping for certification
Good-quality certification includes corruption risk assessments against which compliance programs are evaluated. It involves regularly planned, on-site, independent external reviews and recommendations for improvement from trained and experienced professionals. Its certifying body ensures independence and the absence of conflicts of interest, as well as transparency about certification standards and the scope of reviews.
With good-quality certification, companies can do more than just advertise a label. They can use the certification process as a management tool to push through their programs and ensure that they keep pace with evolving international best-practice standards, year after year.