Where you are in the world as you are reading this article could dramatically affect your perspective on the arguments made. Generally, the more fragmented or fluid the laws are in a country, the more there is interest in outside benchmarking standards, such as those from the International Organization for Standardization. ISO’s published guidelines relate to such things as product quality, environment management, item codes, IT security and risk management.
For those in Europe, ISO standards are generally held in high regard. The same can be said for businesses in most developing and recently emergent economies. However, businesses in the United States have been less receptive to ISO standards. In much of Asia and in Australia, the rate of acceptance lies somewhere between that of Europe and the US.
Some of these different perspectives are purely philosophical. Setting Brexit aside for a moment, there has been a general push among European nations towards harmonisation and the elimination of regulatory and economic differences. American businesses, on the other hand, tend to pay greater attention to their own domestic regulatory administration.
Recently, there has been a greater focus on the importance of international standardisation by emerging economies where local legislative guidelines are inadequate to facilitate effective trade. If a country’s existing laws or recommendations are vague, incomplete or confusing, companies could be apprehensive about conducting their business for fear of inadvertently violating global standards. ISO standards can assist in facilitating trade and in overcoming differing legislative requirements. This was noted by Chinese Premier Li Keqiang, who spoke in support of ISO standards and noted that they were gaining popularity in China among businesses and government regulators.
Many companies look at ISO standards in terms of engineering-based product safety standards, but newer standards have been developed for general business management. It is easy to make the case for harmonising manufacturing processes and meeting international standards. In recent years we have seen a rise in what have been coined “management systems standards,” including some specifically aimed at bribery, corruption and compliance programmes. Do these standards provide an effective basis to promote global economic activity through standardised risk-mitigation practices?
To answer this question, we will focus our analysis on five ISO standards:
- ISO 9001 – Quality Management Systems
- ISO 20400 – Sustainable Procurement
- ISO 31000 – Risk Management: Principles and guidelines
- ISO 19600 – Compliance Management System
- ISO 37001 – Anti-Bribery Management Systems
These standards have been chosen for several reasons. First, their application can be universal in terms of both organisational type and industry. Secondly, these standards have the most relevance to compliance, risk, legal, HR and procurement activities.
It is important to state from the outset that when it comes to legislative obligations, ISO standards are deliberately agnostic; in most cases, they can be adopted by any company regardless of industry. The standards are determined by experts, as designated by ISO, who have had first-hand experience or knowledge of the individual topics. They generally focus on operational processes, with the obvious exception of ISO 37001 – Anti-Bribery Management Systems, which represents the creation of a best-practice framework to manage or reduce the risk of bribery. Much of the content in ISO 37001 has its origins in regulatory requirements, but the standard sits above local legislation and takes an international perspective of best practices. However, the standard is very clear in stating that if there is a conflict between 37001 recommendations and local laws, local law is to take precedence.
The first of these ISO management systems standards that came to prominence was ISO 9001. First published in 1987 and revised in 2015, ISO 9001 is one of the most recognised standards, with some 951,000 certifications issued in 178 countries. While the standard was created to assess effective quality management systems, it also attempted to streamline the supply chain management process. The 9001 certification was a way to identify and ensure that the principles of total quality management were being used up and down the supply chain.
The 2015 revision of 9001 includes a requirement (7.4 and 7.4.1) that organisations need to monitor what they buy, outsource or subcontract and to monitor their suppliers and supply chain. This put an additional emphasis on the obligation of companies to look at their suppliers and verify that quality management systems are in place.
In a nutshell, this addition requires organisations to:
- Define the product and service requirements for what they are obtaining from suppliers
- Evaluate suppliers to ensure that they can meet the specified requirements
- Confirm that the product or service they have sought meets the specified requirements
- Determine the controls required in the management of the supplier
- Determine the effectiveness of corrective action if non-conformance is found.
What this means to compliance and procurement professionals is that they need a deeper understanding of their suppliers, what they do for the company, and how compliance with the law and company policies is ingrained in all that suppliers do. Specifically, there needs to be a plan in place to determine what happens when there is a failure in the supply chain. For some companies, this might be an ad hoc process that is largely reactive, but ISO standards and government regulators look for systems to already be in place. If there is a failure in the supply chain that leads to a government investigation or enforcement action, companies will have a much easier time defending themselves if they can prove that controls were in place before the misconduct occurred. The above addresses only one aspect of concern for organisations that have outsourced various aspects of their supply chain. This is where ISO 20400 comes to the forefront.
Published in March 2017, ISO 20400 takes a broad definition of sustainability to include the economic, social and environmental impacts an organisation can have, with the aim of ensuring that the procurement process minimises any negative effects it may have upon these outcomes. On first inspection, it would appear that the standard ought also to include reference to regulatory obligations; in fact, reference is made to ensuring that the procurement process does not run afoul of anti-bribery and antitrust legislative requirements, and the standard also deals with politically exposed persons.
On the procurement side, guidance is provided on governance principles to manage a sustainable procurement system, risk management, supplier non-performance and contract management. Several consumer safeguards are also built into the system. These examine such concepts as consumer data protection and privacy, complaint handling, dispute resolution, and the protection of consumer health and safety. This new standard follows a trend of risk-universe expansion. The risks of bribery, sanctions and anti-competitive activities are typically the focus of a compliance programme and, especially, of controls focused on suppliers and third parties. Companies that wish to protect their profits, reputation and resources need to look at new areas, including sustainability, privacy and human rights. Government regulations are starting to trickle out in these areas, but consumer opinions and judgements can typically be just as harsh as a fine from a regulatory body.
Turning our attention briefly to ISO 19600 and 31000, these two standards have been designed to identify, mitigate and then monitor risk. Some will argue these two standards should be looked at independently, but irrespective of where a risk originates (be it operational or regulatory), its treatment in terms of process should be largely the same.
While both standards have become increasingly popular in their use as benchmarking tools for compliance and risk frameworks, and both can be used to address some regulatory obligations, both are, again, agnostic when it comes to regulatory content. The focus with these two standards is the establishment of frameworks, which will then be populated with the risks and compliance obligations identified by the organisations themselves.
Over the past decade, it is safe to say, there has been a general rise in the harmonisation of international regulations, especially in areas of common practice, such as financial services, antitrust, consumer protection, data privacy, anti-terrorism and anti-bribery. Regulators are more connected than ever, with major international forums where regulatory agencies from around the world share information, exchange tactics, discuss emerging trends and build cooperation to remove opportunities to avoid regulatory oversight by exploiting loopholes.
There have been some recent departures from a theme of a single global standard or set of unifying rules. These include the decision by the UK to leave the EU, the election of President Donald Trump in the US on an “America First” platform and the increased popularity of isolationist rhetoric around the world.
The US election and Brexit have shown an increased dissatisfaction with the political decision-making and policy-formulation processes. This dissatisfaction is manifesting itself with the rise of the outsider politician. These outsiders exert an effect on mainstream policy through their very existence and growing mainstream popularity. If elected, their impact can be immediate, but mainstream parties will adjust their policy platforms to counter the outsider influence to ensure they can maintain their hold on government. All of this has the potential to create regulatory uncertainty that can stall global enforcement efforts.
In contrast to the fluid nature of regulation and regulatory enforcement priorities, ISO standards are very stable. Once published, an ISO standard faces review after five years, not by politicians exposed to the vagaries of public opinion, but by industry. The standard-setting process involves an element of compromise to ensure that differing legal, cultural and business practices can be captured. But the focus is always on producing a system for managing operations in the most effective and efficient manner. In addition, the review process tends to examine emerging trends and focus on improvements based on feedback from the international business community. The focus is on how the standard can be improved, how it can be made more relevant for its users and how to ensure that changes in business practices are captured.
ISO standards serve as benchmarks for many organisations, especially multi-jurisdictional organisations operating on a global scale. That said, the implementation process can be somewhat less than straightforward. The process is open to interpretation, and the application of ISO standards can differ greatly among organisations.
At the start, organisations should seek out experts with knowledge of these ISO standards who can help identify gaps between the processes outlined in the standards and current business practices. From there, it’s a question of seeking advisory services to fill in these gaps. Organisations would be wise to enlist the services of an independent consultant that specialises in compliance so that they have an objective view of where their programme stands. Using the ISO standards as a way of benchmarking a programme is one way to see how it stacks up to peer companies, but it is not the only way. Compliance-specific firms typically have access to non-public data from their internal databases that can be used to identify strengths and weaknesses of a programme. Obtaining a certification shows that an organisation has certain processes in place, but engaging in a specific benchmarking project can have an entirely new and eye-opening set of findings.
There are many advantages to benchmarking business operations against ISO standards or other benchmarking criteria. Not only do the standards represent some best practices, but their use can reduce risks and disruptions caused by uncertain regulatory landscapes. The result is less time and budget spent on regulatory change projects, with less need to constantly revise compliance policies and procedures, which means better use of limited resources. While there may be an upfront investment in securing advisory assistance, in the long term the compliance programme and the organisation will benefit from having more time to monitor the compliance framework from a strategic perspective, thus obtaining better alignment with organisational strategy rather than focusing on day-to-day operational issues.