The ISO 17000 series of standards is aimed at certification or accreditation bodies (depending on which one you’re reading), and cover a wide variety of subjects. ISO 17021-1 is for certification bodies, ISO 17011 for accreditation bodies, ISO 17024 for personnel credentialing bodies, etc. But despite their differences, many of the ISO 17xxx standards share a common set of requirements related to managing conflicts of interest.
History Lesson
Earlier editions of many of these standards, some of which go back to when they were “ISO Guides” and not part of the 17xxx family, had stronger language about managing conflicts of interest. Unfortunately, this set of standards is written by the ISO Committee on Conformity Assessment, or “ISO/CASCO,” which has allowed itself to become overrun by representatives of the CBs and ABs themselves. Yes, this means they are writing their own rules, which has inevitably led to a dilution of those rules over time.
Consider this language from the 1998 version of ISO Guide 61, which would later become ISO 17011, the standard governing accreditation bodies like UKAS:
In particular, the accreditation body … shall not offer or provide, directly or indirectly: 1) those services that it accredits others to
perform, 2) consulting services to obtain or maintain accreditation, 3) services to design, implement or maintain a certification scheme.
Fast forward to the 2004 version of ISO 17011, and the language was suddenly more tolerant, allowing an AB to engage in the previously forbidden practices provided they took some unspecified “appropriate action.”
The accreditation body… shall identify, analyse and document the relationships with related bodies to determine the potential for conflict of interest, whether they arise from within the accreditation body or from the activities of the related bodies. Where conflicts are identified, appropriate action shall be taken.
Now look at the current version of that standard, from the latest 2017 version:
The accreditation body shall have a process to identify, analyse, evaluate, treat, monitor and document on an ongoing basis the risks to impartiality arising from its activities including any conflicts arising from its relationships or from the relationships of its personnel.
With the advent of “risk-based thinking,” a term that means exactly nothing, ISO standards could suddenly inject a vague requirement for bodies to perform vague “risk assessments” to justify all sorts of bad behavior. Then, because the same standards have convenient clauses on “confidentiality,” the bodies are not under any obligation to show those risk assessments to anyone. They merely have to say they were done.
The Oxebridge Method
Well, at Oxebridge we think that sucks. A lot.
You see, ISO understands, at least on paper, that conflicts of interest are a threat to impartiality and objectivity. And the ISO 17xxx standards are nearly universal in demanding impartiality and objectivity, since the users of these standards are typically sitting in judgment over a person, a thing, or another organization. That is a reality brought on by the nature of the work done by any certification or accreditation body.
In short, this stuff matters. It’s both a technical and ethical concern.
So for clients approaching ISO 17xxx standards that call out these vague requirements, we help put them into meaningful, real practices that ensure conflicts of interest are truly managed, and are not just dismissed with a hand-wave. (Which is why if you’re a company that wants to sneak by with conflicts of interest, you’re probably not a good fit for us as a client.)
To use a practical risk-based approach to managing conflicts of interest requires three steps:
- Assess and manage risks associated with individual conflicts of interest
- Assess and manage risks associated with organizational conflicts of interest
- Assess and manage risks associated with potential client conflicts of interest
Step One: Individual Conflicts of Interest
For this first step, we are working to identify if any staff members, subcontractors, or other individuals either within your organization or with a direct hand in managing its operations, have a conflict of interest that could jeopardize impartiality and objectivity.
To do this, you first must make a list of these persons, by group. Typically, this boils down to:
- Senior Management Team Member
- Certification / Accreditation Committee Member
- Auditor / Assessor / Evaluator
- Other Employee
- Subcontractor
- Technical Expert
- Advisor
- Observer
The actual list will be dependent on the nature of your organization’s work and the specific ISO 17xxx standard being implemented. For ISO 17021-1 or 17020, a “Certification Committee” may be useful, while for ISO 17011 or ISO 17025, this will likely be an “Accreditation Committee.” There are a million ways to skin the “oversight committee” cat here, so don’t take this article as implementation advice on that specific point.
Next, you should identify the types of conflicts that persons may face. This is fairly standards across any ISO 17xxx standard, and should include the following:
- Self-dealing; the party could obtain financial or other personal benefits from their position
- Accepting gifts can jeopardize impartiality
- Accepting bribes can jeopardize impartiality
- Family dealing can jeopardize impartiality
- Relationships with a higher oversight body can jeopardize impartiality
- Relationships with clients/customers can jeopardize impartiality
- Relationships with other third-party organizations can jeopardize impartiality
- Prior criminal activity could become a pressure point
You would likely tweak this list accordingly, but you get the idea. When you’re done you will likely have a list of about 10 such general conflicts of interest.
Next, you create a Conflict of Interest Disclosure Form, asking individuals to identify any conflicts from the above list, and providing some details on them. Each individual person, from the categories identified in the first step, must be required to complete this, no matter how high up in the organization they reside. Explain that this is to be used to manage risks, not identify reasons for firing anyone.
Now, you create a simple risk analysis form that applies a score for each of the conflict types, such as:
1 – No risk / cannot occur
2 – Minor risk
3 – Moderate risk
4 – Significant risk
5 – Major risk
Now, score each of the Conflict of Interest Disclosures — again, for each individual — to identify two things:
- Any single risk that presents a need for mitigation, and/or
- Any individual with a set of collective risks that require mitigation
For example, Jane may score a high risk on only one question, while Joe may score medium on multiple questions. In both cases, you’d want to go in and develop mitigation strategies. For an employee who scores low risk on all questions, you do not need to do anything.
For individuals, mitigation strategies may include:
- Ensuring the person does not participate in certification/accreditation decisions
- Allowing their participation in certification/accreditation decisions, but only as a member of a team, so their individual influence is buffered
- Requiring them to recuse themselves in certain defined situations or circumstances
- Re-assigning their roles related to certification/accreditation decisions
Then, as you hire more staff and utilize more subcontractors, they go through the same exercise: complete the Conflict of Interest Disclosure, rank it, and mitigate as needed. You may also want to repeat this with current personnel every few years, in case new COIs have arisen that they need to disclose.
Step Two: Organizational Conflicts of Interest
Here we assess what conflicts the organization could get itself involved in. Whereas the individual COI activity above is done frequently, the Organizational Conflict of Interest (often abbreviated OCI) can be done once, and then only re-examined if major changes to the organization occur.
For this, I create a larger risk matrix, but — again — don’t panic because it’s not something you will have to maintain on a daily basis. The matrix lists each of the identified groups along with the identified COIs, both from Step One. If you have five groups of parties identified (employees, subcontractors, etc.) and five major risks, then you will have 25 entries in total.
This is what that might look like:
Then, for each row you will perform a simple risk ranking, using whatever method you prefer. You can use, for example, the traditional “likelihood X consequence” method to come up with an overall risk priority number (RPN). Whereas I argue against this approach in other aspects of managing a company, for this exercise it’s perfectly fine, because we are trying to get a general sense of the highest sources of conflicts of interest.
You then can set a scoring threshold, so that when a risk exceeds that score, a mitigation plan must be put in place. For risks that don’t exceed the score, you can do nothing and be justified in this decision.
Typically, we find the highest risks are related to persons acting in a Certification Committee or Accreditation Committee role, where they are reviewing reports or making some major decision on granting or denying certification/accreditation. Subcontractors may have a far lesser risk level, since they are being managed by the organization’s management, and (usually) not responsible for final decisions. Observers may have the lowest level of risk.
Again, once this is done, and mitigations put in place for the highest organizational risks, you can usually leave it alone unless there is a major change. Such changes may be the introduction of a group of persons with potential COIs, or the identification of an entirely new COI risk based on changes to the organization.
Step Three: Client Conflicts of Interest
The final step is to identify and manage COIs presented by potential clients, as they seek to hire your organization. Keep in mind, “client” here could be an individual or an applicant company, depending on what service you are providing.
This one is the simplest. As new clients approach your organization, you conduct a simple risk assessment during client intake, but before any contracts are signed. The questions to ask here might include:
- The client/applicant’s application is complete and contains all necessary information
- The client/applicant has not been the subject of any prior complaint or issue initiated by our organization
- The client/applicant is not a family member of any staff person
- The client/applicant is not an employee of any competitor
- The client/applicant is not an employee of any related organization
- The client/applicant does not hold any current known criminal record that could impact their rights or ability to hold certification/accreditation
- The client/applicant is within the geographical area of our services
- The client/applicant is free from any other conflicts of interest that could limit or prevent the provision of services
- Applicant is free of any known public scandals, criminal activities or other negative events which could harm our reputation
These may not require scoring at all, but simply to be answered with “Yes” or “No.” Where a COI is identified, the organization can then decide on one of three actions to take:
- Accept the client/applicant (no risks identified)
- Accept the client/applicant, but document mitigations
- Deny the client/applicant
For the second option, “mitigation” may mean limiting what services can be offered to that client. In some schemes, this option may not be possible, as you either offer the services or not; you may not be able to “limit” what you do for them. Any mitigations you can apply, however, should then be put into your contract with that client so that they are aware of them, and legally bound to them.
Alternatively, you may want to create a risk matrix that applies a score to each answer, and thus the calculation will suggest whether to accept or deny the client on the basis of a total score.
Conclusion
To the untrained eye, this appears to go above and beyond what the ISO 17xxx standards may be asking. That’s not technically true, but many will see it this way because the language of those standards has been so polluted — and diluted — over the years. But the principles of impartiality and objectivity remain in effect, and a company that truly embraces them will succeed while the scammers may not.
The methods defined above will certainly satisfy the requirements, while also ensuring you go above and beyond what lesser organizations are getting away with.
If your organization is seeking to become a certification or accreditation body under one of the ISO 17xxx series standards, be sure to contact Oxebridge for implementation assistance and consulting. For more details on each of the standards, click here.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world