Requirements with guidance for use
An Anti-bribery Management System (ABMS) signifies a deep commitment to ethical behavior that helps an organization to function well, increase reputation and avoid potential bribery risks. Involvement in corruption can lead to reputational damage and loss of credentials. Therefore, Anti-bribery management is an essential component of an organization. Being aware that bribery has become a significant risk, and that many organizations consider it as the easiest path to penetrate the market, international conventions require taking the necessary steps to prevent it, and to increase awareness worldwide about the damages that an organization might confront if involved.
The aim of the International Standard is to support the establishment of a worldwide culture that combats bribery and enhances trust and confidence in the business world, as well as in institutions. This is the reason; preventing bribery is becoming a global initiative, starting from individual awareness to organizations that have a responsibility to contribute to bribery prevention. This target can only be met through commitment, transparency, and compliance with the anti-bribery management system framework, which has been set forth in the ISO 37001 standard.
A legal language defines the corruptive offense as deliberate action exhibiting signs of corruption, committed by a person on duty for which the law established criminal, administrative, civil and disciplinary liability. The corruption may be impressed in different ways and even the UN Guide for Anti-Corruption Policies does not give a definition for the term “corruption”. But we can recognize it via different facts and events such as bribery, extortion, kickback, patronage, nepotism, theft, imposture, conflict of interest etc.
The term “bribery” refers to any offering, giving, accepting or promising advantages with any value or bribe in order to influence the decision, action or judgment of persons in charge of a duty. However, this International Standard does not address specifically fraud (“giving bribes”) or any other activities related to corruption; rather it sets requirements and provides guidance for the creation of a management system that helps to prevent, detect and respond to bribery in compliance with anti-bribery laws. Although bribery may be a subset of or driver to corruption, it limits the level playing field while also creating a leeway for corrupt individuals to divert corporate resources. Note that this standard will not be above any anti-bribery laws, but it is a good practical and tangible complement, and in the absence of any anti-bribery laws, this standard is good practice and effective tool to prevent bribery.
An overview of ISO 37001
The role of the International Organization for Standardization is to promote international coordination and the standardization of international standards. By facilitating international standards, they contribute to the development of organizations that operate in compliance with the standard. Considering that, bribery has become a significant risk, ISO took the initiative to establish an Anti-bribery Management System that can be certified, aligned or integrated with existing management systems in order to combat this rising threat to businesses and institutions worldwide.
What is an Anti-bribery Management System?
An Anti-bribery Management System is the establishment of a closed-loop control architecture that establishes, implements, maintains, reviews and improves management strategies and objectives which address the specific requirements of ISO 37001 standard.¬ Even though the nature of an organization differs from one another, this standard addresses management objectives for the prevention of bribery in these contexts:
h) Direct and indirect bribery
- Implement the necessary measures designed to prevent, detect and address bribery
- Promote trust and confidence for the shareholders, key stakeholders, and potential investors
- Avoid and/or minimize the cost, risk and damage of involvement in bribery
- Mitigate risks and achieve reputational notoriety by implementing Anti-bribery Management System policies
Key clauses of ISO 37001
- Normative references
- Terms and definitions
- Context of the organization
- Planning for the Anti-bribery Management System
- Performance evaluation
Clause 4: Context of the organization
4.1 Understanding the organization and its context
To achieve the objectives of an Anti-bribery Management System, an organization shall determine external and internal factors that are relevant to its purpose. Some of these factors include:
- Size and structure of the organization
- Locations and sectors in which the organization operates or anticipates operating
- Nature, scale and complexity of the organization’s activities and operations
- Entities over which the organization has control or any joint ventures
- Organization’s businesses associates and associations
- The nature and extent of interactions with public officials
- Applicable statutory, regulatory, contractual and professional obligations, and duties
4.2 Understanding the needs and expectations of stakeholders
In order to understand the needs and expectations of stakeholders, the organization shall determine the stakeholders that are relevant to the Anti-bribery Management System and shall determine the relevant requirements of these stakeholders.
4.3 Determining the scope of the Anti-bribery Management System
4.4 Anti-bribery Management System
4.5 Bribery risk assessment
- Identify the bribery risks the organization might reasonably anticipate, given the external and internal factors determined
- Assess and prioritize the identified bribery risks
- Evaluate the suitability and effectiveness of the organization’s existing controls to mitigate the assessed bribery risks.
Clause 5: Leadership
5.1.1: A governing body (or top management if the organization does not have a governing body) of an organization shall demonstrate leadership and commitment in respect to the Anti-bribery Management System by:
- Approving Anti-bribery policies of the organization
- Ensuring that the organization’s strategy and anti-bribery policy are aligned
- Receiving and reviewing information related to the content and operation of the Anti-bribery Management System of the organization at planned intervals
- Ensuring that adequate and appropriate resources are allocated and assigned for an effective operation of the Anti-bribery Management System
- Ensuring that appropriate investigation and remediation actions were taken into action and effectively documented
- Exercising reasonable oversight over the implementation of the organization’s ABMS by top management and its effectiveness.
5.1.2 Top management shall demonstrate their leadership and commitment to the ABMS by:
- Ensuring that the Anti-bribery Management System , including its policies and objectives, is established, implemented, maintained and reviewed to adequately address the organization’s bribery risks
- Ensuring the integration of the Anti-bribery Management system requirements into the organization’s processes
- Deploying adequate and appropriate resources for the effective operation of the ABMS
- Communicating internally and externally regarding the Anti-bribery policy
- Communicating internally the importance of effective Anti-bribery management and of conforming to the ABMS requirements
- Ensuring that Anti-bribery Management system is appropriately designed to achieve its objectives
- Promoting an appropriate Anti-bribery culture within the organization and continual improvement
- Supporting other relevant management roles to demonstrate their leadership in preventing and detecting bribery as it applies to their areas of responsibility
- Encouraging the use of reporting procedures for suspected and actual bribery
- Ensuring that no personnel will suffer retaliation or discriminatory or disciplinary action for reports made in good faith or on the basis of reasonable belief of violations or suspected violations of the organization’s anti-bribery policy, or for refusing to engage in bribery, even if such refusal may result in the organization losing business (except where the individual participated in the breach)
- At planned intervals, reporting to the governing body, on the content and operation of the ABMS and of allegations of serious and systematic bribery.
5.2 An Anti-bribery policy established, maintained and reviewed by top management shall:
5.3 Organizational roles, responsibilities and authorities
5.3.1 Roles and responsibilities
5.3.2 Anti-bribery compliance function
Top management shall assign to an anti-bribery compliance function with responsibility and authority for:
- Overseeing the design and implementation of ABMS by the organization
- Providing advice and guidance to personnel on ABMS and issues relating to bribery
- Ensuring conformity to requirements of ISO 37001
- Reporting the performance of the ABMS to governing body and top management
Clause 6: Planning
When planning an Anti-bribery Management system the organization shall refer to:
- External and internal factors determined in context
- Requirements of stakeholders as determined
- Bribery risk assessment and their effective control
- Opportunities for improvement
By referring to clauses stated above, the organization can give reasonable assurance that the Anti-bribery Management System can achieve its objectives, can prevent or reduce the undesired effects relevant to the anti-bribery policy and objectives, the organization can also take a proactive, managerial stance, on continual improvement of the ABMS.
The organizations shall plan actions to address these bribery risks and opportunities and shall determine how to integrate and implement these actions into the ABMS and to evaluate the effectiveness of these actions.
The measurable and achievable anti-bribery objectives need to be consistent with the policy, monitored and updated as appropriate. The documented information on the anti-bribery objectives shall be retained.
When planning how to achieve anti-bribery objectives, the organization shall determine what will be achieved, what resources will be needed, who will be responsible, when objectives will be achieved and how the results will be evaluated and reported.
Clause 7: Support
- Employment conditions to comply with ABMS and the right to discipline
- Access to policy and training on it
- Actions to be taken for breaching the anti-bribery policy and ABMS
- Personnel is not penalized for refusing to participate in any activity in respect of which they have judged there to be a more than a low risk of bribery or for raising concerns or reports made on actual or suspected bribery or breach of policy/ABMS.
Clause 8: Operation
8.6 Anti-bribery commitments
Where business associates are with more than acceptable or low bribery risk, effective controls and decisions are required, and it may lead to termination of the relationship. Bribery risk assessment is necessary for such situations for evaluating the risk to the organization.
The organization shall have a procedure to regulate the issues concerning gifts, hospitality, donations and similar benefits. (8.7)
Managing inadequacy of anti-bribery controls
Where the organization cannot manage bribery risk – the relationship or project or contract is to be reviewed at appropriate stages, and withdraw or decline, as practicable. (8.8)
The organization shall implement procedures on raising concerns to enable persons to report attempted, suspected and actual bribery or any breach of or weakness in the ABMS, to the compliance function or to appropriate personnel. The procedure shall also maintain confidentiality, allow anonymous reporting, prohibit retaliation and protect personnel from retaliation. The organization shall ensure that people are aware of the reporting procedure, their rights, and protections. (8.9)
The organization shall implement procedures for the investigation and dealing of bribery which ensures an effective investigation, requires appropriate action, empowerment of investigators and the status and reports to compliance function. The investigations should be carried out by independent personnel and that reports the results to personnel who are not part of the role or function being investigated. (8.10)
Clause 9: Performance evaluation
The organization shall monitor, measure, analyze and evaluate Anti-bribery policies. However, before completing that, the organization shall determine:
- What needs to be monitored
- What methods shall be used to ensure valid results
- When monitoring and measuring shall be performed
- How it is documented
Correspondently, an internal audit shall be held in order to provide information whether the Anti-bribery System is conforming to the organization’s requirements and International Standard requirements.
Clause 10: Improvement
The organization shall react towards any non-conformity that occurs by taking action to control, correct and deal with consequences. Moreover, the organization shall evaluate the need for action to eliminate the causes of nonconformities by reviewing, determining the cause and determining if similar non-conformities exist or could potentially occur. The reason behind evaluating the need for action to eliminate the causes of nonconformities is to prevent recurrence of nonconformities.
Corrective actions shall be appropriate to the effects of nonconformities encountered and the organization shall retain documented information as evidence of the nature of the non-conformity. The organization shall continually improve the adequacy, effectiveness and suitability of the Anti-bribery Management System that has been implemented. Furthermore, with continual improvement, the organization increases the effectiveness of the operating system and achieves its objectives easier.
Integration of ISO 37001 with other management systems
The organization can choose if it wants to implement the Anti-bribery Management System as a separate system, or as an integrated part of an overall compliance management system. In such a case, the organization can refer for guidance to ISO 19600. This International Standard can stand alone or it can be integrated with other existing management systems such as Quality Management System, Environmental and Safety Management System (ISO 9001, ISO 14001, ISO 27001 and ISO 22301).
Anti-bribery Management System – the business benefits
Conformity with ISO 37001 cannot provide assurance that any bribery risk has occurred or will occur in the organization because it is not possible to completely eliminate the risk of bribery. However, ISO 37001 can help the organization to implement the necessary measures to prevent, detect and address bribery. Organizations that are certified and comply with an Anti-bribery Management System are more trusted and recognized for implementing Anti-bribery policies and practicing Anti-bribery culture within the working place and the territory where it operates.
Some organizations, such as multinationals and those in specific industries, including defense, major construction, and resources, are particularly at risk, but it typically extends to any organization competing for contracts across the globe. Virtually no business is completely free of the risks associated with some form of corrupt payments.
These are some of the key business benefits of adopting the ISO 37001:
Prevent, detect and address bribery risks
- Increased opportunity of detecting bribery risk
- Efficient mechanisms to prevent and address bribery risk
- General improvement of risk assessment
- Gains market trust, improving its reputation and image;
- Manages its business risks, including those related to third parties;
- Investigating bribery internally before the incident comes to public
- Revenue growth and cost savings
- Corporate social responsibility
Increase international recognition
- The International Organization for Standardization (ISO) is recognized worldwide as the authority on
- Anti-bribery management
- Conformity to other industry standards
- Compliance with national and international laws
Prevent conflict of interest
- Awareness of consequences if involved in bribery
- General improvement in the effectiveness of the organization
- Improved financial performance
- Increased opportunity for detecting fraud and due diligence
- Control of financial statement
- Efficient mechanisms to track transactions
- Transparent, straightforward and manageable processes with clear responsibility
- Implement a robust investigation methodology and due diligence
- Develop an appropriate documentary maintenance and review
Promotes an Anti-bribery culture
- Better awareness on ABMS and anti-bribery culture
- General improvement among personnel
- General improvement of employee performance
- Ethical values within organization can be promoted among industries and markets
- Influence of the common social processes in the society via self-regulatory organizations and civilian control
Implementation of an Anti-bribery Management System with IMS2 methodology
Certification of organizations
- Implementation of the management system: Before being audited, a management system must be in operation for some time.
- Internal audit and review by the anti-bribery compliance function, top management, and governing body: Before a management system can be certified, it must have had at least one internal audit report, one management review and one review by anti-bribery compliance function.
- Selection of the certification body (registrar): Each organization can select the certification body (registrar) of its choice.
- Pre-assessment audit (optional): An organization can choose to perform a pre-audit to identify any possible gap between its current management system and the requirements of the standard.
- Stage 1 audit: A conformity review of the design of the management system. Therefore, the main objective is to verify that the management system is designed to meet the requirements of the standard(s) and the objectives of the organization. It is recommended that at least some portion of the Stage 1 audit should be performed on-site at the organization’s premises.
- Stage 2 audits (On-site visit): The Stage 2 audit objective is to evaluate whether the declared management system conforms to all requirements of the standard that is actually being implemented in the organization, and can support the organization in achieving its objectives. Stage 2 takes place at the site(s) of the organization’s site(s) where the management system is implemented.
- Follow-up audit (optional): If the auditee has non-conformities that require an additional audit before being certified, the auditor will perform a follow-up visit to validate only the action plans linked to the non-conformities (usually one day).
- Confirmation of registration: If the organization is compliant with the conditions of the standard, the Registrar confirms the registration and publishes the certificate.
- Continual improvement and surveillance audits: Once an organization is registered, surveillance activities are conducted by the Certification Body to ensure that the management system still complies with the standard. The surveillance activities must include on-site visits (at least 1 per year) that allow verifying the conformity of the certified client’s management system and can also include: investigations following a complaint, review of a website, a written request for follow-up, etc.
Training and certification of professionals
Certification of individuals serves as documented evidence of professional competencies and experience, while also providing evidence that the individual has attended one of the related courses and successfully completed exams.
Personnel certifications demonstrate that the professional holds defined competencies based on best practices. It also allows organizations to make an informed selection of employees or services based on the competencies that are represented by the certification designation.
Finally, it provides incentives for the professional to constantly improve his/her skills and knowledge and serve as a tool for employers to ensure that training and awareness have been effective.
The table below gives a short description about the official training courses for Anti-Bribery Management Systems based on ISO 37001.
Choosing the right certification
The ISO 37001 Master certification is a professional certification for professionals needing to implement an ABMS and to master the audit techniques and manage (or be part of) audit teams and audit program.As specified in the table below, based on the candidate’s overall professional experience and their acquired qualifications, they will be granted one or more of these certifications based on projects or audit activities performed in the past or on which they are currently working.