Do We Really Need an ISO Standard for Internal Investigations?
Call me a skeptic. Call me cynical.
I understand that the International Organization for Standardization (ISO) provides valuable standardization services and guidance. The ISO is comprised of 169 member countries.
The ISO recently issued a new standard governing internal investigations. From my vantage point, I was a critic of ISO 37001, anti-corruption compliance, because of its over-generalization and failure to provide more specific guidance on important issues. So, I am coming to this new one with a disclosed bias.
My concerns are three-fold.
First, I am not convinced that the new ISO standard provides any meaningful guidance. It is not difficult to assemble the elements of an internal investigation policy and a set of guidance procedures. In practice, an ISO standard offers little beyond a collection of amorphous concepts, the application of which is so heavily fact dependent that it offers little guidance nor direction. In practical effect, the ISO standard provides at best a checklist and at worst an amalgam of ambiguous or ill-defined concepts.
Second, ISO standards on compliance and internal investigation topics provide organizations that “meet” such standards with a false sense of comfort. Walking into the Department of Justice with a stack of certifications in the context of a government investigation will not deter prosecutors from looking under the hood, reviewing an internal investigation and verifying that all avenues were examined. Meeting an international standard and presenting a certification is unlikely to have any appreciable impact on DOJ’s investigation.
Third, from my cynical perspective, which is limited to ISO 37001, on anti-corruption, and the ISO’s new internal investigation standard, the ISO certification has created its own industry of private “certifiers” who charge companies money to review their program and decide whether to not to certify the company as satisfying the specific standard. This seems more focused on promoting the private certification industry.
Let me offer companies another option.
Rather than spending money on gaining access to the ISO standard, reviewing your company’s operations against the standard and investing money to meet the standard, and then paying a so-called certifier to tell you where you stand, take the money and time, assemble an internal team consisting of legal, compliance, finance, human resource, and audit professionals to review all available government guidance, best practices guides, and then apply the group’s common sense and experience to assess you own internal investigation program, propose improvements, and then set a schedule to make some changes, all tailored to meet your company’s culture, investigative needs, and commitment to a culture of ethics and compliance.
In the end, you will have accomplished something that will improve your internal investigation program, and at the same time, save a bundle of money and time.