By Kristy Grant-Hart
Imagine you’re really hungry. You walk up the street and see two restaurants. One has an “A” rating on the window for food safety, certified by the city’s health and safety body. The other has a handwritten “A” on the window, without any information as to who gave the grade. Which restaurant would you go into?
With respect to the ISO 37001 Anti-Bribery Management Systems Certification, many commentators have asked the question, “Who is doing the certification!?!” Up until recently the answer was simply, “Certification bodies.” But which certification bodies? And how do you know whether a certification body has a quality process in place to ensure that it only certifies companies that meet the high threshold requirements of ISO 37001?
When the anti-bribery ISO standard was published in Oct. 2016, a second standard was published with it. This second Standard, ISO 17021-9, laid out the auditing criteria that was to be used to determine whether a company had met the standard, and specified that only anti-bribery experts could be auditors. While the auditing criteria could be applied immediately, verification that a certifying body was following that criteria would take longer to judge. That is because, similar to companies seeking ISO 37001 certification, certification bodies can seek accreditation by proving that they are following proper ISO certification standards.
The Accreditation Process
ISO is a global NGO comprised of member bodies from all participating country. Each country has what’s called an accrediting body. This body evaluates certifying bodies and decides whether the certifying body is following the auditing criteria associated with various ISO standards, including ISO 37001. This is a rigorous process. After reviewing audits, if the accrediting body is satisfied, it will accredit the certifying body.
Where I live in the United Kingdom, the ISO member body is called UKAS. It is “responsible for determining, in the public interest, the technical competence and integrity of organizations offering testing, calibration and certification services.” UKAS began a pilot program in July 2017 to begin accrediting certification bodies for the ISO 37001 Standard. The process is long and arduous, requiring the applicant certification body to submit to multiple reviews while the UKAS personnel observe the ISO 37001 certification audits as they take place to ensure the certification body is adhering to the ISO 17021-1 and -9 standards, and awarding ISO 37001 certification only when it is truly earned.
In the United States, the ISO member body is called ANSI/ANAB. It is responsible for granting accreditation to certifying bodies. After launching its ISO 37001 accreditation process last year, it has now accredited several certification bodies and several more certification bodies are going through the accreditation process, including ETHIC Intelligence and Perry Johnson Registrars, Inc.
The good news? Accreditation is FINALLY being granted to the best ISO 37001 certification bodies. It is now possible to separate the wheat from the chaff, as the multi-year review process is coming to an end for the early adopters. UKAS’ pilot program, in which Bureau Veritas Certification Holding SAS – UK Branch, DNV GL Business Assurance UK Limited, and Intertek Certification Ltd. are participating, is set to conclude by the end of the summer. Accreditation will be granted to the participating companies that implemented the rigorous quality controls set forth in the ISO 17021 standards.
Similarly, U.S.-based ANAB has already granted accreditation to Global Standards S.C. and two others. Later this year, ANAB will make a determination on its other pending applicants.
And it’s not just the US and UK – Dubai’s DAC (Dubai Accreditation Department) recently awarded accreditation to CRI Group.
If you’re seeking certification…
If your organization is seeking ISO 37001 certification, you must do your homework to find an accredited certifying body, or one that is in the process of becoming accredited. Choose a certification body with a long-standing reputation granting other types of certifications or from a country ranked low on Transparency International’s Corruption Perception Index. Ask to see paperwork or check online to ensure that the accrediting body has indeed granted accreditation to the certifying body. Certification bodies with quality processes in place should be able to readily share with you how they conduct their certification audits and who they use as certification auditors.
If you’re reviewing a company’s certification
One of the benefits of ISO 37001 certification is that it streamlines the due diligence process, allowing companies to choose third parties who have been ISO 37001 certified as an additional assurance that adequate anti-bribery and anti-corruption measures are in place. But do not rely on a third-party’s ISO 37001 certification alone. Be sure to ask the name and status of the certification body from any supplier or third-party that claims to be certified. Then check to ensure that the third-party is listed on that certification body’s website as currently ISO 37001 certified and that the certification body is accredited or seeking accredited. As the popularity of certification grows, it is incumbent on forward-thinking organizations to draft a list of trusted accredited certification bodies that are acceptable to the company.
As ever, no certification or program review will prevent a prosecution or investigation; but going through the ISO certification process will help companies to put in place best practices and documentation which will prevent and detect problems and can serve as a mitigating factor if an issue arises.
As for us? We only work with accredited certification bodies or those formally going through the accreditation process. After all, just like picking restaurants, we don’t want to choose the wrong place and end up feeling sick.
Kristy Grant-Hart is the CEO of Spark Compliance Consulting, a former Chief Compliance Officer, and a former adjunct professor. Diana Trevley is a certified ISO 37001 auditor and the West Coast Director of Spark Compliance Consulting. They can be found at www.sparkcompliance.com.