A curious development has emerged in the world of corporate compliance. In recent years, the International Organization for Standardization (ISO), the world’s leading private standard-setter, has been developing a flurry of new compliance-related international standards. These standards range from specific risk areas, such as anti-bribery (ISO 37001) and whistleblowing (ISO 37002), to broader concerns, such as general compliance management (ISO 37301) and corporate governance (ISO 37007). On its face, this trend is somewhat peculiar. ISO is historically known for standardizing things like screw threads, freight containers, cement, plastics, steel, and other technical products—areas far removed from bribery and compliance. Nonetheless, this trend appears to be gaining steam, with ISO currently embarking on a host of compliance-related standard-setting activities and some companies and governments displaying particular interest in the ISO 37001 anti-bribery standard.
These underexamined developments warrant scholarly attention. As blockbuster compliance failures and corruption scandals continue to plague business and governments, ISO’s compliance standards aim to provide a new and more effective means for mitigating such risks. Consider, for example, the construction conglomerate Novonor (formerly Odebrecht), whose misconduct was at the heart of Latin America’s unprecedented “Operation Car Wash” scandal. In June 2021, Novonor obtained ISO 37001 certification, announcing that its newly certified anti-bribery management system marked “a milestone in [its] transformation.” But was it? In other words, as a general matter, how much stock should we place in ISO’s new compliance standards? My answer: in and of themselves, not very much.
In my recent article, I argue that ISO’s nascent international compliance regime constitutes clickbait compliance, a set of superficially attractive and theoretically alluring compliance solutions that are likely to overpromise and underdeliver in many respects. This argument proceeds in three steps. First, a conceptual analysis of ISO 37001 illustrates that ISO’s new compliance standards are likely to underdeliver on their promised functions and benefits (“clickbait functionality”). Second, an examination of ISO’s growing presence in the corporate compliance domain more generally shows that apparent synergies and connections between the organization’s new standards and compliance laws, practices, and trends are unlikely to materialize (“clickbait connections”). Third, the article proposes reforms to the ISO standard-setting system that may help curtail—but will certainly not eliminate—some of these concerns.
ISO 37001 and “Clickbait Functionality”
After providing an overview of the global anti-corruption regime and the rise of private governance initiatives within that regime, the article turns its attention to the ISO 37001 anti-bribery standard. It first identifies three major structural features of the standard: (1) its technocratic orientation, meaning that it was developed by a technical committee of subject-matter experts; (2) its multi-stakeholder framework, meaning that it was the product of an international consensus involving experts from multiple countries (as well as input from a host of interested actors such as international civil society organizations); and (3) its third-party certification feature, which gives interested entities the option of hiring a third-party auditor to attest that their anti-bribery management systems are good enough to be “ISO 37001-certified.” The article then asserts that these three features give rise to three corresponding functions, each of which promises a variety of theoretically alluring benefits but is unlikely to deliver on them. The article terms this overpromise-underdeliver phenomenon “clickbait functionality.”
First, ISO 37001’s technocratic orientation gives rise to a systematic function in which the standard aims to systematize organizations’ anti-bribery management in accordance with an expert-developed template and, thereby, reduce their bribery risks. At first glance, this approach may seem promising to the extent that it provides a step-by-step framework for addressing bribery concerns, one that may provide a particularly helpful roadmap for companies with underdeveloped compliance programs. However, among other concerns, there is a real danger that the mere formalization of a compliance system will generate unrealistic expectations and perhaps even undercut the ultimate goal of reducing bribery risks. Indeed, such an approach may well engender a check-the-box mindset that seeks to “engineer” anti-bribery compliance—a mindset that compliance theorists and practitioners have long (and quite rightly) deplored.
Second, ISO 37001’s multi-stakeholder framework gives rise to a symbolic function in which the standard aims to help implementing organizations garner social legitimacy by symbolizing their moral commitments to global anti-corruption values generally, and an international consensus on anti-bribery management in particular. However, there are two senses in which the standard may, problematically, serve a “merely symbolic” function. For one, experts from a small number of developed countries have long steered ISO’s standard-setting agenda, leading many to question the authenticity of its professed commitments to multi-stakeholderism. For another, the standard itself contains a number of open-ended provisions, leaving ample room for disingenuous organizations to implement the standard in form rather than in substance. Such organizations may seek to enjoy the benefits of adopting an international multi-stakeholder standard (e.g., heightened legitimacy) even as they maintain a problematic status quo.
Third, ISO 37001’s third-party certification system serves a signaling function that seeks to provide organizations with a way to credibly signal information about the quality of their anti-bribery compliance systems to external audiences. As a general matter, third-party verification tends to provide relatively greater assurances regarding the veracity of an organization’s commitments. That said, external certification is far from irreproachable, ISO’s certification system in particular. In the ISO ecosystem, certification and accreditation are far-flung and disaggregated processes, raising legitimate forum-shopping concerns. Furthermore, the standard’s flexible provisions give certifiers significant leeway to engage in overly generous certification audits, something they may well be incentivized to do given that certifiers depend on their clients for revenue. Finally, even assuming complete rectitude, ISO’s highly decentralized system of oversight virtually ensures that certifications will be awarded on the basis of (i) certification audits of varying stringency that are (ii) conducted by certification bodies subject to varying degrees of oversight by different national accreditation bodies. Such variability makes the precise meaning of ISO certification somewhat ambiguous, and it also provides an opening for “false signalers” to claim to possess certification-worthy characteristics that they in fact lack.
ISO Compliance and “Clickbait Connections”
In addition to functions that are likely to overpromise and underdeliver (as illustrated by an in-depth examination of ISO 37001), ISO’s new compliance standards also present some theoretically alluring connections to various aspects of corporate compliance that raise similar overpromise-underdeliver concerns. The article labels these “clickbait connections,” and they pertain to three different areas of compliance policy and practice: (1) laws; (2) the corporate social responsibility agenda; and (3) the rise of data analytics and compliance program testing. Each of these areas appears to promise opportunities for complementarity or synergistic integration with ISO’s new compliance standards, but in each case the article shows that these potentially beneficial linkages are unlikely to materialize.
First, “soft law” ISO standards have a long history of interplay with “hard law” rules—from their incorporation into administrative regulations and private contracts, to their use by courts as evidence of due care, to their use by enforcement authorities as conditions of settlement. Such interplay, then, would seem not only natural but potentially desirable in the area of corporate compliance, which has witnessed a marked increase in laws and legal enforcement in the wake of recent corporate scandals. Indeed, some commentators have spoken about using ISO certification as a basis for leniency, or even an affirmative defense, for corporations facing potential criminal charges. These soft law-hard law connections, however, are not as obviously beneficial as they might seem. For one, “hardening” ISO’s compliance standards in this manner may well undercut the underlying rationale of the standards, crowding out the voluntaristic motivations that undergird their adoption and eviscerating the flexibility that they promise. For another, ambiguities surrounding the meaning and quality of ISO certification raise serious concerns for prosecutors or courts interested in relying on certification as a basis for leniency.
Second, ISO’s agenda has increasingly taken a more prosocial turn in recent decades as evidenced by its popular environmental management (ISO 14001) and social responsibility (ISO 26000) standards. This shift dovetails with recent trends in compliance that seek to promote more ethical values-based approaches to compliance under umbrella terms such as “corporate social responsibility” (CSR) or “environmental, social, and governance” (ESG) criteria. However, notwithstanding this apparent connection, ISO’s management systems orientation to compliance is arguably more likely to promote a box-ticking approach to compliance, one that may cut against rather than meaningfully complement efforts to promote a more prosocial, values-oriented compliance paradigm.
Third, data analytics and empirical testing have grown in prominence in the field of compliance, and ISO’s new compliance standards contain numerous provisions calling for organizations to monitor, measure, analyze, and evaluate their compliance programs. Together, these provisions would seem to provide interested organizations with a promising framework for testing their programs and using third-party inspection as a means to validate and improve them. However, given the inherent open-endedness of these provisions and their lack of specific guidance as to how organizations should measure the effectiveness of their programs, it is far from certain that ISO’s compliance standards will answer calls for more data-driven compliance management or promote any systematic advances toward a more evidence-based compliance science.
Curbing Clickbait: From Silos to Networks
While the article provides a skeptical take on ISO’s compliance standards, one that principally seeks to make pertinent actors (e.g., firms, regulators, compliance professionals, and scholars) better aware of their limitations, it also suggests avenues for improving ISO compliance and reducing some of its “clickbait” concerns. To that end, it concludes by proposing that ISO implement a mandatory disclosure regime. This regime would require ISO-certified entities to disclose compliance-related information (preferably data amenable to empirical evaluation) to ISO national standard-setting bodies and central ISO, and it would also require ISO experts at both levels to examine this data and provide feedback. If implemented, this proposal would transform ISO from a hodgepodge of “compliance silos” to more evidence-based “compliance networks” predicated upon regular information dissemination, more sophisticated compliance program evaluation, and more meaningful learning about which compliance measures tend to work (or falter) in given settings. Together, these improvements would provide a firmer basis for evaluating the efficacy of ISO’s compliance standards in practice, address certain monitoring concerns, and make it more likely that well-intentioned entities that choose to adopt the standards will obtain more meaningful benefits from doing so.
As ISO’s compliance agenda continues to develop, and as more and more companies and governments turn to the organization’s standards, scholars and practitioners will need to take a closer look at their potential benefits and drawbacks as well as how (and whether) to improve them. Their viability as a compliance tool depends on it.
William R. Heaston is a Ph.D. Candidate at the Wharton School of the University of Pennsylvania and a recent graduate of the University of Pennsylvania Carey Law School.
This post is adapted from his paper, “Clickbait Compliance and Transnational Corruption,” forthcoming in the University of Dayton Law Review and available on SSRN.
The views expressed in this post are those of the author and do not represent the views of the Global Financial Markets Center or Duke Law.