ISO 37001:2016 - Anti-Bribery Management Systems (Requirements with guidance for use)

Risk and Management 2016-12-09

Introduction

An Anti-bribery Management System (ABMS) signifies a deep commitment to ethical behavior that helps an organization to function well, increase reputation and avoid potential bribery risks. Involvement in corruption can lead to reputational damage and loss of credentials.

Therefore, Anti-bribery management is an essential component of an organization. Being aware that bribery has become a significant risk, and that many organizations consider it as the easiest path to penetrate the market, international conventions require taking the necessary steps to prevent it, and to increase awareness worldwide about the damages that an organization might confront if involved.

The aim of the International Standard is to support the establishment of a worldwide culture that combats bribery and enhances trust and confidence in the business world, as well as in institutions. This is the reason; preventing bribery is becoming a global initiative, starting from individual awareness to organizations that have a responsibility to contribute to bribery prevention. This target can only be met through commitment, transparency, and compliance with the anti-bribery management system framework, which has been set forth in the ISO 37001 standard.

A legal language defines the corruptive offense as deliberate action exhibiting signs of corruption, committed by a person on duty for which the law established criminal, administrative, civil and disciplinary liability. The corruption may be impressed in different ways and even the UN Guide for Anti-Corruption Policies does not give a definition for the term “corruption”. But we can recognize it via different facts and events such as bribery, extortion, kickback, patronage, nepotism, theft, imposture, conflict of interest etc.

The term “bribery” refers to any offering, giving, accepting or promising advantages with any value or bribe in order to influence the decision, action or judgment of persons in charge of a duty.

However, this International Standard does not address specifically fraud (“giving bribes”) or any other activities related to corruption; rather it sets requirements and provides guidance for the creation of a management system that helps to prevent, detect and respond to bribery in compliance with anti-bribery laws. Although bribery may be a subset of or driver to corruption, it limits the level playing field while also creating a leeway for corrupt individuals to divert corporate resources.

Note that this standard will not be above any anti-bribery laws, but it is a good practical and tangible complement, and in the absence of any anti-bribery laws, this standard is good practice and effective tool to prevent bribery.

An overview of ISO 37001:2016

The role of the International Organization for Standardization is to promote international coordination and the standardization of international standards. By facilitating international standards, they contribute to the development of organizations that operate in compliance with the standard. Considering that, bribery has become a significant risk, ISO took the initiative to establish an Anti-bribery Management System that can be certified, aligned or integrated with existing management systems in order to combat this rising threat to businesses and institutions worldwide.

What is an Anti-bribery Management System?

An Anti-bribery Management System is the establishment of a closed-loop control architecture that establishes, implements, maintains, reviews and improves management strategies and objectives which address the specific requirements of ISO 37001 standard.¬ Even though the nature of an organization differs from one another, this standard addresses management objectives for the prevention of bribery in these contexts:

a) Bribery in the public, private and non-for-profit sectors

b) Bribery by the organization

c) Bribery by the organization’s personnel acting on organization’s behalf or for its benefit

d) Bribery by the organization’s business associates acting on the organization’s behalf or for its benefit

e) Bribery of the organization

f) Bribery of the organization’s personnel in relation to the organization’s activities

g) Bribery of the organization’s businesses associates in relation to the organization’s activities
h) Direct and indirect bribery

ISO 37001 applies to all types and sizes of organizations that wish to:

Implement the necessary measures designed to prevent, detect and address bribery
Promote trust and confidence for the shareholders, key stakeholders, and potential investors
Avoid and/or minimize the cost, risk and damage of involvement in bribery
Mitigate risks and achieve reputational notoriety by implementing Anti-bribery Management System policies

Key clauses of ISO 37001:2016

Scope
Normative references
Terms and definitions
Context of the organization
Leadership
Planning for the Anti-bribery Management System
Support
Operation
Performance evaluation
Improvement

Clause 4: Context of the organization

An organization is a person or group of people that has its own functions with responsibilities, authorities, and relationships to achieve its objectives, such as a company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

This clause is divided into five sections and describes what is important to know about the organization and the Anti-bribery Management System implementation.

In order to implement the Anti-bribery Management System we should understand the organization and its context, understand the needs and expectations of the stakeholder, determine the scope of the Anti-bribery Management System, Anti-bribery Management System, and bribery risk assessment.

4.1 Understanding the organization and its context

To achieve the objectives of an Anti-bribery Management System, an organization shall determine external and internal factors that are relevant to its purpose. Some of these factors include:

Size and structure of the organization
Locations and sectors in which the organization operates or anticipates operating
Nature, scale and complexity of the organization’s activities and operations
Entities over which the organization has control or any joint ventures
Organization’s businesses associates and associations
The nature and extent of interactions with public officials
Applicable statutory, regulatory, contractual and professional obligations, and duties

4.2 Understanding the needs and expectations of stakeholders

In order to understand the needs and expectations of stakeholders, the organization shall determine the stakeholders that are relevant to the Anti-bribery Management System and shall determine the relevant requirements of these stakeholders.

4.3 Determining the scope of the Anti-bribery Management System

To establish its scope, the organization shall determine the boundaries and applicability of the Anti-bribery Management System. The scope shall be available as documented information. When determining the scope, the organization shall consider:

External and internal factors referred to in 4.1

Requirements referred to in 4.2

Results of the bribery risk assessment referred to in 4.5

4.4 Anti-bribery Management System

In accordance with the requirements of an Anti-bribery Management System, an organization shall establish, implement, maintain, continually review and, where necessary, improve Anti-bribery Management System, including the processes needed and their interactions.

The Anti-bribery Management System shall contain measures designed to identify, evaluate the risk of, and to prevent, detect and address, bribery.

4.5 Bribery risk assessment

The organization shall undertake bribery risk assessments which shall:

Identify the bribery risks the organization might reasonably anticipate, given the external and internal factors determined
Assess and prioritize the identified bribery risks
Evaluate the suitability and effectiveness of the organization’s existing controls to mitigate the assessed bribery risks.

When undertaking a bribery risk assessment, the organization shall establish criteria for evaluating its level of bribery risk, while taking into account the organization’s policies and objectives.

The bribery risk assessment shall be reviewed on a regular basis, for a proper assessment of changes and new information; and in the event of a significant change to the structure or activities of the organization.

Clause 5: Leadership

5.1.1: A governing body (or top management if the organization does not have a governing body) of an organization shall demonstrate leadership and commitment in respect to the Anti-bribery Management System by:

Approving Anti-bribery policies of the organization
Ensuring that the organization’s strategy and anti-bribery policy are aligned
Receiving and reviewing information related to the content and operation of the Anti-bribery Management System of the organization at planned intervals
Ensuring that adequate and appropriate resources are allocated and assigned for an effective operation of the Anti-bribery Management System
Ensuring that appropriate investigation and remediation actions were taken into action and effectively documented
Exercising reasonable oversight over the implementation of the organization’s ABMS by top management and its effectiveness.

5.1.2 Top management shall demonstrate their leadership and commitment to the ABMS by:

Ensuring that the Anti-bribery Management System , including its policies and objectives, is established, implemented, maintained and reviewed to adequately address the organization’s bribery risks
Ensuring the integration of the Anti-bribery Management system requirements into the organization’s processes
Deploying adequate and appropriate resources for the effective operation of the ABMS
Communicating internally and externally regarding the Anti-bribery policy
Communicating internally the importance of effective Anti-bribery management and of conforming to the ABMS requirements
Ensuring that Anti-bribery Management system is appropriately designed to achieve its objectives
Promoting an appropriate Anti-bribery culture within the organization and continual improvement
Supporting other relevant management roles to demonstrate their leadership in preventing and detecting bribery as it applies to their areas of responsibility
Encouraging the use of reporting procedures for suspected and actual bribery
Ensuring that no personnel will suffer retaliation or discriminatory or disciplinary action for reports made in good faith or on the basis of reasonable belief of violations or suspected violations of the organization’s anti-bribery policy, or for refusing to engage in bribery, even if such refusal may result in the organization losing business (except where the individual participated in the breach)
At planned intervals, reporting to the governing body, on the content and operation of the ABMS and of allegations of serious and systematic bribery.

5.2 An Anti-bribery policy established, maintained and reviewed by top management shall:

Anti-bribery policy features image

The policy shall be appropriate to the purpose of the organization and shall encourage raising concerns in confidence without fear of reprisal.

5.3 Organizational roles, responsibilities and authorities

Top management shall assign to an anti-bribery compliance function the responsibility and authority for overseeing the design and implementation of the system, providing advice and guidance, ensuring that the system conforms to the requirements of the standard and reporting on its performance. The anti-bribery compliance function shall be adequately resourced and assigned to a person(s) with the appropriate competence, status, authority, and independence. It shall have direct access to the governing body (if any) and top management.

5.3.1 Roles and responsibilities

Top management keeps the overall responsibility for the implementation and compliance of an ABMS.

Responsibilities and authorities of relevant roles are assigned and communicated across the organization. Managers at every level remain responsible for the ABMS application and compliance in their department or function.

The governing body, top management, and all other personnel are responsible to; understand, comply with and apply ABMS requirements related to their roles.

5.3.2 Anti-bribery compliance function

Top management shall assign to an anti-bribery compliance function with responsibility and authority for:

Overseeing the design and implementation of ABMS by the organization
Providing advice and guidance to personnel on ABMS and issues relating to bribery
Ensuring conformity to requirements of ISO 37001
Reporting the performance of the ABMS to governing body and top management

The function will be provided with adequate resources, including the competent person with status and independence. The function shall have direct and prompt access to the governing body and top management.

5.3.3 For low-risk bribery, top management shall establish and maintain a decision-making process or set of controls. The level of authority shall be appropriate and free of actual or potential conflicts of interest. The processes and compliances shall be reviewed periodically by top management.

Clause 6: Planning

When planning an Anti-bribery Management system the organization shall refer to:

External and internal factors determined in context
Requirements of stakeholders as determined
Bribery risk assessment and their effective control
Opportunities for improvement

By referring to clauses stated above, the organization can give reasonable assurance that the Anti-bribery Management System can achieve its objectives, can prevent or reduce the undesired effects relevant to the anti-bribery policy and objectives, the organization can also take a proactive, managerial stance, on continual improvement of the ABMS.

The organizations shall plan actions to address these bribery risks and opportunities and shall determine how to integrate and implement these actions into the ABMS and to evaluate the effectiveness of these actions.

The measurable and achievable anti-bribery objectives need to be consistent with the policy, monitored and updated as appropriate. The documented information on the anti-bribery objectives shall be retained.

When planning how to achieve anti-bribery objectives, the organization shall determine what will be achieved, what resources will be needed, who will be responsible, when objectives will be achieved and how the results will be evaluated and reported.

Clause 7: Support

The organization shall provide the necessary resources needed for the establishment, implementation, maintenance and continual improvement of the Anti-bribery Management System. Moreover, the organization shall determine competent persons to perform an Anti-bribery Management System framework along with its policies within the organization, and provide training and appropriate awareness to the personnel, including business associates acting on its behalf or for its benefit, and which could pose more than a low bribery risk to the organization.

The organization shall implement procedures related to employment with controls on:

Employment conditions to comply with ABMS and the right to discipline
Access to policy and training on it
Actions to be taken for breaching the anti-bribery policy and ABMS
Personnel is not penalized for refusing to participate in any activity in respect of which they have judged there to be a more than a low risk of bribery or for raising concerns or reports made on actual or suspected bribery or breach of policy/ABMS.

Clause 8: Operation

The organization shall plan, implement, monitor and control the processes needed to meet the requirements of the Anti-bribery Management System and to implement actions to address bribery risks and opportunities. The organization shall control and review any planned or unintended changes and shall take action to mitigate any adverse effect, if necessary. Moreover, procedures that prevent the offer, provision or gift acceptance and similar benefits shall be implemented because these could be perceived as bribery.

The organization shall be committed to Anti-bribery policies, managing inadequacy of Anti-bribery controls, raising concerns and investigating bribery within the organization.

This International standard has provided several controls in the sections of Due diligence (8.2), Financial and nonfinancial controls. The controls are mainly in transactions, projects or activities and relationships. (8.3 & 8.4)

The implementation of anti-bribery controls is extended to organizations controlled by the organization and business associates, where the organization can help to mitigate the relevant bribery risk. The organization shall implement procedures which require that all other organizations over which it has control, to either implement the organization’s anti-bribery management system or implement their own anti-bribery controls (8.5).

8.6 Anti-bribery commitments

Where business associates are with more than acceptable or low bribery risk, effective controls and decisions are required, and it may lead to termination of the relationship. Bribery risk assessment is necessary for such situations for evaluating the risk to the organization.

The organization shall have a procedure to regulate the issues concerning gifts, hospitality, donations and similar benefits. (8.7)

Managing inadequacy of anti-bribery controls

Where the organization cannot manage bribery risk - the relationship or project or contract is to be reviewed at appropriate stages, and withdraw or decline, as practicable. (8.8)

The organization shall implement procedures on raising concerns to enable persons to report attempted, suspected and actual bribery or any breach of or weakness in the ABMS, to the compliance function or to appropriate personnel. The procedure shall also maintain confidentiality, allow anonymous reporting, prohibit retaliation and protect personnel from retaliation. The organization shall ensure that people are aware of the reporting procedure, their rights, and protections. (8.9)

The organization shall implement procedures for the investigation and dealing of bribery which ensures an effective investigation, requires appropriate action, empowerment of investigators and the status and reports to compliance function. The investigations should be carried out by independent personnel and that reports the results to personnel who are not part of the role or function being investigated. (8.10)

Clause 9: Performance evaluation

The organization shall monitor, measure, analyze and evaluate Anti-bribery policies. However, before completing that, the organization shall determine:

What needs to be monitored
What methods shall be used to ensure valid results
When monitoring and measuring shall be performed
How it is documented

Correspondently, an internal audit shall be held in order to provide information whether the Anti-bribery System is conforming to the organization's requirements and International Standard requirements.

In order to understand whether the Anti-bribery Management System is adequate to manage effectively the bribery risks confronted by the organization and whether it is effectively implemented, the organization shall review and report at planned intervals to the top management, the adequacy of implementation and the results of investigation audits of ABMS.

The governing body shall undertake periodic reviews of ABMS based upon information provided by top management.

Clause 10: Improvement

The organization shall react towards any non-conformity that occurs by taking action to control, correct and deal with consequences. Moreover, the organization shall evaluate the need for action to eliminate the causes of nonconformities by reviewing, determining the cause and determining if similar non-conformities exist or could potentially occur. The reason behind evaluating the need for action to eliminate the causes of nonconformities is to prevent recurrence of nonconformities.

Corrective actions shall be appropriate to the effects of nonconformities encountered and the organization shall retain documented information as evidence of the nature of the non-conformity. The organization shall continually improve the adequacy, effectiveness and suitability of the Anti-bribery Management System that has been implemented. Furthermore, with continual improvement, the organization increases the effectiveness of the operating system and achieves its objectives easier.

Integration of ISO 37001 with other management systems

The organization can choose if it wants to implement the Anti-bribery Management System as a separate system, or as an integrated part of an overall compliance management system. In such a case, the organization can refer for guidance to ISO 19600. This International Standard can stand alone or it can be integrated with other existing management systems such as Quality Management System, Environmental and Safety Management System (ISO 9001, ISO 14001, ISO 27001 and ISO 22301).

Anti-bribery Management System - the business benefits

Conformity with ISO 37001 cannot provide assurance that any bribery risk has occurred or will occur in the organization because it is not possible to completely eliminate the risk of bribery. However, ISO 37001 can help the organization to implement the necessary measures to prevent, detect and address bribery. Organizations that are certified and comply with an Anti-bribery Management System are more trusted and recognized for implementing Anti-bribery policies and practicing Anti-bribery culture within the working place and the territory where it operates.

Some organizations, such as multinationals and those in specific industries, including defense, major construction, and resources, are particularly at risk, but it typically extends to any organization competing for contracts across the globe. Virtually no business is completely free of the risks associated with some form of corrupt payments.

These are some of the key business benefits of adopting the ISO 37001:

Prevent, detect and address bribery risks

Increased opportunity of detecting bribery risk
Efficient mechanisms to prevent and address bribery risk
General improvement of risk assessment
Gains market trust, improving its reputation and image;
Manages its business risks, including those related to third parties;
Investigating bribery internally before the incident comes to public
Revenue growth and cost savings
Corporate social responsibility

Increase international recognition

The International Organization for Standardization (ISO) is recognized worldwide as the authority on
Anti-bribery management
Conformity to other industry standards
Compliance with national and international laws

Prevent conflict of interest

Awareness of consequences if involved in bribery
General improvement in the effectiveness of the organization
Improved financial performance
Increased opportunity for detecting fraud and due diligence

Cost reduction

Control of financial statement
Efficient mechanisms to track transactions
Transparent, straightforward and manageable processes with clear responsibility
Implement a robust investigation methodology and due diligence
Develop an appropriate documentary maintenance and review

Promotes an Anti-bribery culture

Better awareness on ABMS and anti-bribery culture
General improvement among personnel
General improvement of employee performance
Ethical values within organization can be promoted among industries and markets
Influence of the common social processes in the society via self-regulatory organizations and civilian control

Implementation of an Anti-bribery Management System with IMS2 methodology

When implementing an Anti-bribery Management System based on ISO 37001 it is important to follow a well-structured and effective methodology to cover all the minimum requirements of the standard. For an effective implementation methodology, organizations need to consider specific risks that would impact the anti-bribery performance. It is important to implement a plan that balances the standard requirements, business needs, and the deadline to become certified.

There is no single blueprint for implementing ISO 37001 that will work for every company, but there are some common steps that will allow the organization to balance the often-conflicting requirements and prepare for a successfully accredited certification audit.

PECB has developed a methodology for implementing a management system, called “Integrated Implementation Methodology for Management Systems and Standards (IMS2)”. This methodology is based on the guidelines of ISO standards and also meets the requirements of ISO 37001.

As such, Plan, Do, Check, Act cycle is divided into four phases and has 2-8 steps for a total of 20 steps. These steps are divided into 101 activities and tasks. This “Practical Guide” considers the key phases of the implementation project from start to finish and suggests the appropriate “best practice” for each one, while directing the organization to further helpful resources it embarks on its ISO 37001 journeys.

By following a structured and effective methodology, an organization can ensure it covers all minimum requirements for the implementation of a management system. As stated above, whatever methodology used, the organization must adapt it to its particular context, and not apply it like a cookbook. The key implementation lies in a contextualized and adaptable approach by the organization, which will ensure a robust outcome.

The sequence of steps required in this process may be changed (inversion, merge), to meet the most suitable outcome.

Certification of organizations

The usual path for an organization that wishes to be certified against ISO 37001 is the following:

Implementation of the management system: Before being audited, a management system must be in operation for some time.
Internal audit and review by the anti-bribery compliance function, top management, and governing body: Before a management system can be certified, it must have had at least one internal audit report, one management review and one review by anti-bribery compliance function.
Selection of the certification body (registrar): Each organization can select the certification body (registrar) of its choice.
Pre-assessment audit (optional): An organization can choose to perform a pre-audit to identify any possible gap between its current management system and the requirements of the standard.
Stage 1 audit: A conformity review of the design of the management system. Therefore, the main objective is to verify that the management system is designed to meet the requirements of the standard(s) and the objectives of the organization. It is recommended that at least some portion of the Stage 1 audit should be performed on-site at the organization’s premises.
Stage 2 audits (On-site visit): The Stage 2 audit objective is to evaluate whether the declared management system conforms to all requirements of the standard that is actually being implemented in the organization, and can support the organization in achieving its objectives. Stage 2 takes place at the site(s) of the organization’s site(s) where the management system is implemented.
Follow-up audit (optional): If the auditee has non-conformities that require an additional audit before being certified, the auditor will perform a follow-up visit to validate only the action plans linked to the non-conformities (usually one day).
Confirmation of registration: If the organization is compliant with the conditions of the standard, the Registrar confirms the registration and publishes the certificate.
Continual improvement and surveillance audits: Once an organization is registered, surveillance activities are conducted by the Certification Body to ensure that the management system still complies with the standard. The surveillance activities must include on-site visits (at least 1 per year) that allow verifying the conformity of the certified client’s management system and can also include: investigations following a complaint, review of a website, a written request for follow-up, etc.

Training and certification of professionals

PECB has created a training roadmap and personnel certification schemes which are strongly recommended to implementers and auditors of an organization wishing to get certified against ISO 37001. Certification of organizations is a vital component of the anti-bribery management system, as it provides evidence that organizations have developed standardized processes based on best practices. Yet, certification of individuals serves as documented evidence of professional competencies and experience, while also providing evidence that the individual has attended one of the related courses and successfully completed exams.

Personnel certifications demonstrate that the professional holds defined competencies based on best practices. It also allows organizations to make an informed selection of employees or services based on the competencies that are represented by the certification designation. Finally, it provides incentives for the professional to constantly improve his/her skills and knowledge and serve as a tool for employers to ensure that training and awareness have been effective.

PECB training courses are offered globally through a network of authorized training providers and they are available in several languages. Courses include introduction, foundation, implementer and auditor courses. The table below gives a short description about PECB’s official training courses for Anti-bribery Management Systems based on ISO 37001:2016.

It is worth mentioning that, although a specified set of courses or curriculum of study is not required as part of the certification process, the completion of a recognized PECB course or program of study will significantly enhance your chance of passing a PECB certification examination.

The list of approved organizations that offer PECB official training sessions is found on our website: https://pecb.com/en/partner/active_partners.

Choosing the right certification

The ISO 37001 Foundation is a professional certification for professionals needing to have an overall understanding of the ISO 37001 standard and its requirements.

The ISO 37001 Implementer certifications are professional certifications for professionals needing to implement an ABMS and, in the case of the ISO 37001 Lead Implementer Certification, needing to manage an implementation project.

The ISO 37001 Auditor certifications are credentials for professionals needing to audit an ABMS and, in the case of the ISO 37001 Lead Auditor Certification, needing to manage a team of auditors.

The ISO 37001 Master certification is a professional certification for professionals needing to implement an ABMS and to master the audit techniques and manage (or be part of) audit teams and audit program.

As specified in the table below, based on the candidate's overall professional experience and their acquired qualifications, they will be granted one or more of these certifications based on projects or audit activities performed in the past or on which they are currently working.

Principal Authors

Eric LACHAPELLE, PECB

Faton ALIU, PECB

Lorika BINA, PECB
Donika MUÇOLLI, PECB

Contributors

Alba KEQA, PECB

Subhas C BISWAS, Trainer, Auditor & Consultant (India)

John ADERIBIGBE, DU&T Consulting (Nigeria)

Phil WILSON, GRC Sphere (Greater Boston)

Jean-Pierre MEAN, MCE Legal (Switzerland)

Jacob MCLEAN, Kaizen Training & Management Consultants Limited (Jamaica)

Ariosto FARIAS Jr, Member of the Editorial Drafting Group of ISO 37001 (Brazil)

Adam GALACH, Galach Consulting (Poland)

Alkesh MISHRA, Moulik IT Services LLP (India)

Volodymyr TKACHENNKO, PECB Ukraine

Valentyn SYSOEV, Deloitte (Ukraine)

Mohamad KHACHAB, Consultant (Lebanon)

Clifton FERNANDEZ, Royalcert International Registrar (Malaysia)

Alexander ANAGO, Numeric Technologies Limited (Nigeria)

Tawfik SOUKIEH, Global Experience Consulting Company (Kuwait)

Deep RAWAT, SAS Services (Philippines)

Fernando CEVALLOS, Control Risks (Mexico)
Christine VARGAS, Control Risks (Washington District of Columbia)

Contact

Help Center

Fax: +1-844-426-7322

Email: customer@pecb.com

PARTNERS

TRAINERS