Overview of ISO 37001 Anti-bribery management system (ABMS)
ISO 37001 is an anti-bribery management system standard published by the International Organization for Standardization (ISO) on 15 October 2016.
ISO 37001 superseded BS 10500 (specification for an anti-bribery management system) with effect from 15 October 2016.
ISO 37001 requirements, like those of other international standards, are generic and are designed to apply to any organization (or part of an organization) regardless of its size, the nature of its activities, or whether it operates in the public, private, voluntary or non-profit sector.
It requires organizations to implement anti-bribery measures in a reasonable and proportionate manner, according to the type and size of the organization and the nature and extent of the bribery risks it faces. It is not a one-size-fits-all standard, but it does require internationally recognised good practice to be taken into account.
It provides assurance to owners, directors, employees and business associates that the organization is taking steps to prevent bribery.
ISO 37001 cannot provide absolute assurance that no bribery will take place in relation to an organization. But it can help establish that the organization has implemented reasonable and proportionate measures designed to prevent bribery.
ISO 37001 is applicable only to bribery. It does not specifically address fraud, cartels and other anti-competition offences, money laundering, misuse of power, falsified claims or other corrupt practices although you can choose to extend the scope to include such activities.
Impact of Bribery
- It adds to the cost of doing business.
- It damages the firm’s financial standing.
- It has a negative effect on employee morale.
- It damages the firm’s reputation.
- Organisational focus and resources are diverted away from delivering core business and services to the community.
- Increased scrutiny, oversight and regulation.
Who Should Use ISO 37001?
- Organizations of all types, sizes and natures can implement ISO 37001 ABMS.
It does not matter what size your organization is:
- Any organisation, from as few as 2 persons to as many as a million, can benefit from ISO 37001 ABMS.
It does not matter what industry you are in:
- Any organisation in service or manufacturing, profit or non-profit organisation, private or public or government can implement ISO 37001 ABMS.
- Any organization that wants to prevent bribery from occurring, since it is normally far cheaper and less disruptive to implement controls that prevent bribery than to deal with the consequences once bribery has occurred.
- Any organization that wants to give assurance to the management and owners of an organization that their organization has implemented internationally recognised good practice anti-bribery controls, and is therefore taking steps to reduce risk and any adverse consequences.
- Any organization that wants to give assurance to its customers, business associates and personnel that it has implemented internationally recognised good practice anti-bribery controls, and therefore assists the organization in obtaining work, recruiting good personnel and enhancing its reputation.
Why Should You Use ISO 37001?
- It makes your organization capable of complying with globally recognized anti-bribery best practices and demonstrates your competence in implementing and managing an Anti-bribery Management System.
- ISO 37001 helps your organization prevent, detect and address bribery, and so promotes a more ethical business culture, transparency and integrity.
- Demonstrates your organisation’s commitment to upholding the best practices in the corporate world.
- ISO 37001 is designed to allow you to engage in ethical business conduct by implementing a viable anti-bribery management program.
- It protects your organisational assets and the interests of your stakeholders from the effects of corruption. If found culpable, the organization (and the individuals involved) may be subject to imprisonment, sanctions, fines or winding-up orders, so avoiding bribery and corruption is highly desirable.
- The due diligence and internal investigation procedures required by ISO 37001 allow your organization to adduce evidence that it has taken reasonable steps to prevent bribery and corruption.
- Some consumers base their purchase decisions on the ethical operations of a company, so ISO 37001 certification serves as a pull factor that attracts new consumers.
- It improves the way the organisation protects its people from bribery and helps ensure a favourable working environment.
- Investors need protection from unscrupulous businesses; an ISO 37001 system gives them confidence that their business deals are genuine and free from bribery.
- ISO 37001 helps level the playing field by eradicating the unfair commercial practice of bribery, which distorts the market.
- Without ISO 37001 certification you face risks and lost opportunities:
- ISO 37001 may be a legal or contractual requirement; and
- more lucrative, large-scale government and private-sector contracts may be offered only to organisations that hold ISO 37001 certification.
Key Elements of ISO 37001:2016 ABMS
- To determine external and internal issues that are relevant to your organization's purpose and that affect your ability to achieve the objectives of your anti-bribery management system.
- To determine the mandatory requirements, non-mandatory expectations and voluntary commitments of stakeholders that are relevant to your organization's purpose and that affect its ability to achieve the objectives of its anti-bribery management system. Stakeholders include:
- Customers
- Employees
- External providers
- Shareholders or Owners of the Business
- Government Agency
- Other Legal or Regulatory Authorities
- To determine the Scope of the ABMS
- In determining the Scope of the ABMS, you have to establish the boundaries and applicability of the ABMS, considering:
- Clause 4.1 External and Internal Issues;
- Clause 4.2 Needs and Expectations of Stakeholders; and
- Clause 4.5 Results of the bribery risk assessment
- Based on the outcome of the above, the organization is to identify all the processes needed for a “reasonable and proportionate” anti-bribery management system that prevents, detects and responds to bribery and complies with the anti-bribery laws and voluntary commitments applicable to the organization’s activities. What is reasonable and proportionate depends on factors such as:
- the size and structure of the organization;
- the locations and sectors in which the organization operates;
- the nature, scale and complexity of the organization’s activities; and
- the bribery risks faced by the organization.
- To conduct a bribery risk assessment
The organization takes an overview of its whole business (for example its size, where it operates and its business associates) and assesses the overall bribery risks facing it.
This gives the organization a solid foundation for its ABMS by identifying the bribery risks on which it will focus its:
- bribery risk mitigation,
- control implementation; and
- allocation of anti-bribery compliance personnel, resources and activities
- To conduct a detailed risk assessment and due diligence
- Where the organization is to enter into a transaction with a specific business associate (e.g. a supplier or subcontractor) that falls within a “more than a low risk” category identified in the overview risk assessment, the organization is required to undertake a detailed risk assessment of that transaction by way of specific due diligence on the business associate.
- Examples of due diligence include questionnaires, internet searches and checks of publicly available information.
- Responsibility for implementing and complying with the anti-bribery policy and ABMS is specifically allocated between the roles below, so that no activity falls outside someone’s management responsibility:
- Governing Body;
- Top Management;
- Compliance Function;
- Managers; and
- Personnel
- The organization’s governing body shall:
- approve the anti-bribery policy;
- review the content of the ABMS; and
- exercise reasonable oversight over the implementation and effectiveness of the ABMS
- The organization’s top management shall:
- have overall responsibility for the implementation of, and compliance with, the ABMS; and
- ensure that responsibilities for relevant roles are assigned and communicated throughout the organization
- Top management shall assign to an anti-bribery compliance function the responsibility and authority for:
- overseeing the design and implementation of the ABMS;
- providing advice and guidance to personnel on the ABMS and issues relating to bribery; and
- ensuring that the ABMS conforms to the requirements of ISO 37001
- The anti-bribery compliance function shall be adequately resourced and be assigned to person(s) who have appropriate “competence”, “status”, “authority” and “independence”.
- The compliance function shall have direct and prompt access to the governing body and top management in the event that any concern needs to be raised in relation to bribery or the ABMS.
- Managers at every level shall be responsible for requiring that the ABMS requirements are applied and complied with in their department or function.
- All personnel shall be responsible for understanding, complying with and applying the ABMS requirements, as they relate to their role in the organization.
- Where top management delegates to personnel the authority to make decisions that carry “more than a low bribery risk”, the organization shall ensure that controls are in place requiring that the decision process and the level of authority of the decision-maker(s) are:
- appropriate to the level of bribery risk; and
- free of actual or potential conflicts of interest.
There are three elements to this process:
- Seniority of the decision maker;
- Number of decision-makers; and
- Absence of conflict of interest in relation to decision makers.
- The organization shall establish an anti-bribery policy that:
- prohibits bribery;
- requires compliance with applicable anti-bribery laws; and
- requires compliance with the ABMS.
- The organization is to take actions to address the risks and opportunities identified in the bribery risk assessment, choosing for each risk to:
- accept the risk;
- reduce the risk;
- terminate (avoid) the risk; or
- transfer the risk;
and then evaluate the effectiveness of these actions.
- Taking into account factors of “context of the organization”, “needs and expectations of stakeholders” and “bribery risk assessment” the organisation is to determine objectives with respect to:
- what will be done;
- who will be responsible;
- when the objectives will be achieved;
- how the results will be evaluated and reported;
- who will impose sanctions or penalties.
- The organization is required to determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ABMS:
- Human resources: There should be sufficient personnel who are able to apply sufficient time to their relevant anti-bribery responsibilities so that the ABMS can function effectively.
- Physical resources: There should be the necessary physical resources in the organization for the ABMS to function effectively.
- Financial resources: There should be a sufficient budget, including in the ABMS compliance function, for the ABMS to function effectively.
- The organization shall:
- determine what level of competence personnel and business associates require from an anti-bribery perspective; and
- ensure that personnel and business associates are competent on the basis of appropriate education, training, or experience.
Appointing incompetent persons to a role can result in weakness in controls which can result in bribery.
- In relation to all of its personnel, the organization shall implement procedures such that:
- Conditions of employment:
- require personnel to comply with the anti-bribery policy and ABMS, and
- give the organization the right to discipline personnel in the event of non-compliance;
- Personnel receive a copy of the anti-bribery policy and training in relation to that policy;
- The organization can take appropriate disciplinary action against personnel who violate the anti-bribery policy or ABMS;
- Personnel will not suffer retaliation (e.g. threats, demotion, blocked promotion, transfer, dismissal or bullying) for:
- refusing to participate in any activity in respect of which they have reasonably judged there to be “more than a low bribery risk”; or
- raising concerns in good faith about attempted, actual or suspected bribery, or violation of the anti-bribery policy or ABMS.
- In relation to personnel positions exposed to “more than a low bribery risk”, the organization shall implement procedures by which:
- Due diligence is conducted on personnel before they are employed, transferred or promoted by the organization, to ascertain as far as is reasonable:
- that it is appropriate to employ or redeploy them; and
- that it is reasonable to believe that they will comply with the anti-bribery policy and ABMS requirements.
- Performance bonuses and targets are reviewed periodically to verify that reasonable safeguards are in place to prevent them from encouraging bribery; and
- Such personnel, top management, and the governing body file a declaration at reasonable intervals confirming their compliance with the anti-bribery policy.
- The organization shall provide adequate and appropriate anti-bribery training to personnel, which shall cover:
- the organization’s anti-bribery policy and ABMS, and their duty to comply;
- the bribery risk and damage to them and the organization which can result from bribery;
- the circumstances in which bribery can occur in relation to their duties, and how to recognize, prevent and avoid these circumstances;
- the consequences of not conforming with the ABMS requirements; and
- how they are able to report any concerns.
- The organization shall implement procedures addressing anti-bribery training for business associates acting on the organization’s behalf or for its benefit, which could pose “more than a low bribery risk” to the organization.
- The organization shall determine the necessary internal and external communications relevant to the ABMS.
- The organization shall implement financial controls that manage bribery risk.
- The organization shall implement non-financial controls that manage bribery risk in areas such as procurement, operations, sales, commercial, human resources, legal and regulatory activities.
- The implementation of anti-bribery controls extends to organizations controlled by the organization and to its business associates, where the organization can help to mitigate the relevant bribery risk.
- For business associates that pose “more than a low bribery risk”, effective controls and decisions are required, and the outcome may be termination of the relationship. A bribery risk assessment of such relationships is necessary to evaluate the risk to the organization.
- The organization shall implement procedures that are designed to prevent the offering, provision or acceptance of gifts, hospitality, donations and similar benefits where the offering, provision or acceptance is, or could reasonably be, perceived as bribery. These could include, for example:
- gifts, entertainment and hospitality;
- political or charitable donations;
- client representative or public official travel;
- sponsorship; and
- community benefits.
- The organization is required to implement procedures that:
- encourage and enable persons to report in good faith suspected bribery, or any violation of or weakness in the ABMS, to the compliance function or to appropriate personnel;
- require that the organization treats reports confidentially (unless this is prohibited by applicable law);
- allow anonymous reporting (unless this is prohibited by applicable law);
- prohibit retaliation against persons who make reports in good faith;
- enable personnel to receive advice from an appropriate person on what to do if faced with a concern or suspected bribery.
- The organization is to implement procedures that:
- require assessment and, where appropriate, investigation of any suspected bribery, or violation of the anti-bribery policy or the ABMS;
- require appropriate action in the event that the investigation reveals any bribery, or violation of the anti-bribery policy or the ABMS;
- empower and enable investigators;
- require cooperation in the investigation by relevant personnel;
- require that the status and results of the investigation are reported to the anti-bribery compliance function and other compliance functions, as appropriate; and
- require that the investigation is carried out confidentially and that the outputs of the investigation are confidential.
- The organization is to determine:
- what needs to be monitored and measured;
- who is responsible; and
- the methods for monitoring and measurement.
- Undertake internal audits at planned intervals to assess whether the ABMS conforms to the requirements of ISO 37001 and is being effectively implemented.
- Top management shall review the organization’s ABMS, at planned intervals, to ensure its continuing effectiveness.
- The governing body (if any) shall undertake periodic reviews of the ABMS based on information provided by top management and the anti-bribery compliance function and any other information that the governing body requests or obtains.
- The anti-bribery compliance function shall assess on a continual basis whether the ABMS is:
- adequate to manage effectively the bribery risks faced by the organization; and
- being effectively implemented.
- To rectify any identified problem with the ABMS, and improve the ABMS as necessary.
- To continually improve the suitability, adequacy, and effectiveness of the ABMS to enhance ABMS performance.
MLOK’s methodology and approach to making your company ISO 37001 compliant for certification
We adopt a practical, methodical four-stage process to help you get certified to ISO 37001:
Stage 1: Planning
Conduct a kick-off meeting to:
- introduce you to ISO 37001;
- set up the project timeline;
- establish the ABMS committee members;
- confirm the scope of certification;
- establish the ABMS documentation framework or structure; and
- explain the ISO 37001 certification process.
Stage 2: Documentation
Drafting and writing documents to comply with ISO 37001 requirements:
- ABMS Manual;
- ABMS processes, their sequence and interaction (ISO 37001 Clause 4.4);
- ABMS Policy (ISO 37001 Clause 5.2);
- ABMS Objectives (ISO 37001 Clause 6.2);
- ABMS External & Internal Issues & Interested Parties (ISO 37001 Clause 4.1 & 4.2);
- ABMS Organisation Chart (ISO 37001 Clause 5.3);
- Job Descriptions (ISO 37001 Clause 5.3);
- ABMS Core Procedures;
- ABMS Supporting Process Procedures;
- ABMS System Procedures; and
- ABMS Forms, Work Instructions and others.
Stage 3: Implementation
- Guidance and advice on the implementation of the documented ABMS.
- To conduct an ISO 37001 ABMS Internal Audit Training.
- To conduct an ISO 37001 ABMS Internal Audit.
- To conduct an ISO 37001 ABMS Management Review Meeting.
Stage 4: External Audit
- Stage 1 (documentation) audit by the Certification Body.
- Rectification of the Stage 1 audit findings issued by the Certification Body.
- Stage 2 (compliance) audit by the Certification Body.
- Rectification of the Stage 2 non-conformity reports (NCRs) issued by the Certification Body.
You will then receive your ISO 37001 certificate.