Those of us working in the ethics and compliance field know that there is no shortage of guidance on best practices for establishing and maintaining an ethics and compliance program. In the U.S., the Federal Sentencing Guidelines as well as numerous industry-specific guidelines have helped establish common standards. Internationally, since the OECD Guidance of 2010, there have been several regional and country-specific guidelines, all of which include components similar to the Sentencing Guidelines.
Given the number of established standards with similar frameworks, it is puzzling why anyone would see the need for another. Nevertheless we now have ISO 19600:2014, a guideline created by the International Organization for Standardization (ISO). There are differences, but for the most part, the new ISO standard describes a similar management system as outlined in all existing standards. The ISO standard is, however, more detailed and prescriptive, which means it will require much more time and effort to comply with and to document compliance.
Most puzzling, however, is why there has been so little fanfare or push-back from the ethics and compliance professional community since the standard’s December 2014 launch.
Some Historical Context
This is not the first attempt to launch an ISO ethics and compliance standard. In the early 2000s, the Ethics Officer Association, as it was then called, worked for nearly three years with the American National Standards Institute (ANSI) to develop a similar standard. We (the authors of this article) served in leadership positions at the EOA at that time—Ed from 1991 to 2005 and Carrie from 1996 to 2003.
The effort was motivated by a need to get out in front of other ISO proposals spearheaded by European-based NGOs and others. Their proposed standards were more aligned with Corporate Social Responsibility (CSR) goals and did not complement existing ethics and compliance program elements. The hope was that, by creating an ISO standard similar to the Sentencing Guidelines, we could help create a uniform, global approach to corporate ethics and to use the existing ethics and compliance program structure as a foundation to better address CSR concerns.
At the time, the EOA worked closely with ANSI to develop draft guidelines, and had regular meetings with EOA and ANSI members to move the guidelines forward. But in the third year of the process, we began to experience serious push-back from major corporations worried that the standards would be burdensome and require too much time to document.
Another concern was that even though the proposed ISO standard was voluntary, it could quickly become a de facto requirement once adopted by major corporations. This would affect others, including suppliers, who would have little choice but to comply.
For these reasons the proposal was withdrawn, and that was the end of it. Until last December.
While ISO 19600:2014 may have far reaching consequences, it’s interesting to note that there has been little buzz about it among ethics and compliance industry professionals—at least in America. We are wondering why. Is it because the standard wasn’t born here? Is it because ISO has lost clout? Is it because the standard is so prescriptive that everyone is hoping it will go away?
What Ethics and Compliance Officers Need to Do
We believe there is still time and a need for discussion—and we hope the debate can be at least as robust and organized as the debate that took place the last time such a standard was proposed. Ethics and compliance officers should begin by:
Contacting in-house colleagues who regularly deal with ISO or ANSI standards. What do they know about the new standards? Were they apprised of developments, and what is their opinion going forward?
If the ethics and compliance professional is a member of industry or professional ethics and compliance associations, they should insist that the topic be added to upcoming conference agendas and that the association takes a position on the standards, and offers guidance to members.
Immediately assess the likely impact of the standards on their organization. Will they be expected to meet the standard and, if so, are they prepared for the added workload and documentation? Will they require organizations in their supply chain to comply? Or conversely, will they be required by business partners to document compliance and respond to audit requests?
The standard was adopted nearly a year ago and the silence since then is deafening. It’s time to be sure that ISO 19600:2014 is not only on your radar, but a priority to understand its impact on your program and your organization.