People who live in Europe tend to hold ISO (International Organisation for Standardisation) standards in very high regard, and the same can be said for people in most developing and recently emergent economies. Americans, however, hold them in less regard, and their acceptance in countries such as Australia lies somewhere in between.
Some of these differences are psychological. Setting Brexit aside for a moment, there has been a general push amongst European nations towards standardisation and the elimination of regulatory and economic differences. The US, on the other hand, tends to keep itself to itself.
Recently, the governments of emerging economies have realised that their laws are not facilitating trade very well and have therefore been placing greater emphasis upon the importance of international standards. In fact, ISO standards are so good for trade that Li Keqiang, the Chinese premier, has been singing their praises in recent months.
When it comes to engineering and product safety, it is easy to make a good argument for standardising the design of widgets. In recent years, however, there has also been a rise in “management systems standards.” These have been designed to help organisations manage their operations in specific areas of practice.
How do these standards fare in the promotion and facilitation of trade and economic activity? To answer this question, let us concentrate on the following five ISO standards:
- ISO 9001 – Quality Management Systems
- ISO 31000 – Risk Management: Principles and guidelines
- ISO 19600 – Compliance Management System
- ISO 37001 – Anti-bribery Management Systems
- ISO 20400 – Sustainable Procurement
I have chosen to discuss these standards for two reasons. Firstly, they can apply to all manner of organisational types and all manner of operations at organisations. Secondly, they are most relevant to the potential readership of this article, namely compliance, risk, in-house legal and procurement professionals.
It is important to state from the outset that ISO standards are deliberately agnostic about the laws of various countries. The above standards represent 'best practice' as determined by the experts who wrote them. They generally focus on operational processes, although the obvious exception on the list above is that of ISO 37001, which aims to manage or reduce the risk that bribery might occur at organisations. As a consequence, much of its content does spring from regulatory requirements, but it sits above national laws. Whenever there is a clash between a standard and a nation's law, however, the standard states very clearly that the law takes precedence.
Getting down to cases
The first of these 'management systems' standards that came to prominence was ISO 9001. First published in 1987 and revised in September 2015, ISO 9001 is one of the ISO's most well-known standards, with some 951,000 certifications issued in 178 countries. Although the standard was created to help firms assess the adequacy of their 'quality management' systems, it was also an attempt to streamline the supply chain management process. Today, people see a certificate of conformity with ISO 9001 as a way of ensuring that organisations up and down the supply chain are using good principles of "total quality management."
The 2015 revision of ISO 9001 includes a new requirement (7.4 and 7.4.1) that exhorts organisations to “control what [they] buy, outsource or subcontract (goods, materials or services) if it affects [their] services or products” and “make sure what [is bought] meets the requirements...specified; [and for the organisation to] assess and monitor [its] suppliers/supply chain."
In a nutshell, this new addition requires an organisation to:
- define the product/service requirements that it is obtaining from suppliers;
- evaluate suppliers to ensure that they can meet the specified requirements;
- state categorically that the product or service that it has sought meets the specified requirements;
- determine the controls required in the management of the supplier; and
- determine the effectiveness of corrective action if 'nonconformance' is found.
Of course, the above only addresses one aspect of concern for organisations that have outsourced various aspects of their supply chains. This is where ISO 20400 comes to the fore. To be published in March this year, ISO 20400 will define 'sustainability' broadly to include the economic, social and environmental effects that an organisation can have, with a view to ensuring that the procurement process minimises any negative effects it may have upon these results. It will try to ensure that the procurement process does not run afoul of anti-bribery and anti-trust legislative requirements and will also deal with PEPs.
On the procurement side of the equation, the standard is to mention compliance, risk management, the non-performance of suppliers, contract management and principles of governance. A number of safeguards for consumers are also included. These examine such concepts as the protection of consumers' data, privacy, the handling of complaints, the resolution of disputes and the protection of consumers' health and safety. Many of these 'risk areas' form the backbone of IntegraWatch's 'due diligence' offerings.
Two standards - ISO 19600 and ISO 31000 - have been designed to first identify and then mitigate and monitor risks. Some will argue that people should look at these two standards separately but, in reality, irrespective of where a risk originates (be it operational or regulatory), each firm should deal with it by the same process. Although both standards have become increasingly popular in their use as ways of benchmarking things to do with compliance and risk, and a firm can use both to meet its regulatory obligations, both are again agnostic when it comes to regulatory content. These two standards concentrate on establishing systems that will then have to deal with risks and compliance obligations that the organisations themselves identify.
Where does this leave us?
Over the past decade, it is safe to say that there has been a general rise in the international standardisation of regulations, especially in areas such as financial services, the fight against monopoly, the protection of consumers from sharp practice, data privacy, taxation and the crusade against bribery. Additionally, more and more major international fora take place in which regulatory agencies from around the world share information, exchange tactics, monitor trends and co-operate to deny people opportunities for regulatory arbitrage.
However, over the last six months we have seen a small undercurrent of resistance gain momentum and finally begin to undermine the drive of Western rulers towards global economic and regulatory standardisation. I am referring to the decision by the UK to leave the EU, the election of President Donald Trump in the US and the increasing popularity of politicians in various countries whose aim is to swim (albeit very weakly) against the flood tide of international political co-ordination.
People around the world are more and more dissatisfied with the way in which powerful corporations dominate politics. This dissatisfaction has led to the rise of the “outsider politician”. Candidates who answer to this description are not always elected to office but still influence mainstream policy through their growing popularity. When they are elected, they can have an immediate effect on policy. More often than not, however, mainstream parties maintain their hold on government in the time-honoured fashion by adjusting their policies to accommodate them. The new politicians are therefore likely to either overturn years of progress towards regulatory standardisation or, at the very least, slow the process down. All this can create uncertainty about regulators' actions in the future.
By contrast with the changeable nature of regulation and regulatory enforcement priorities, ISO standards tend to be very stable. Once published, an ISO standard has a life of five years, at which point it is reviewed - not by politicians who are exposed to the vagaries of public opinion, but rather by experts in their field. Yes, the standard-setting process involves an element of compromise because it has to traverse different legal, cultural and business practices, but it usually concentrates on the production of a system for managing a specific business operation in the most effective and efficient manner. In addition, the review processes themselves tend to tinker at the edges and focus upon improvements that can be made in accordance with feedback from firms.
The need for interpretation
Consequently, ISO standards represent sound benchmarks that all organisations, but especially multi-jurisdictional organisations that operate on a global scale, can use. That said, the implementation process can be less than straightforward because it is an art and not a science.
In the first instance, organisations should seek out experts with knowledge of these ISO standards who can help them identify gaps between the processes outlined in the standards and current business practices. Then they ought to use experts who can provide advisory services to fill in these gaps with the missing business processes. In the case of standards like ISO 37001 and ISO 9001, the firm in question ought to hire an independent firm that was not involved in the advisory process to review the business operations against the standard to find out whether all the required elements are present, before signing a certificate to that effect.
In conclusion, there are many advantages to benchmarking business operations against ISO standards. Not only do they represent international best practice, but their use should offset the risks and disruptions that an uncertain regulatory landscape can throw up. A firm is bound to spend less time and money on 'regulatory change' projects and to have to revise compliance policies and procedures less frequently. This will lead ultimately to a better use of limited resources. Although the firm may have to make an initial upfront investment to secure the advisory assistance it needs to observe an ISO, its compliance effort will eventually benefit because it will have more time to review and monitor it from a strategic perspective instead of having to concentrate on day-to-day operations.