The importance of building a 'fit for purpose' anti-bribery programme

The lawyers reading this will know that 'fitness for purpose' is a phrase that we learnt in our first few days of law school. It essentially means that what we design and build needs to suit the situation in which we will actually use it.

In compliance programmes, especially anti-bribery programmes, this same phrase rings true. Focusing on the wrong things can frustrate your business partners and cause them to lose trust in your programme. It also means your anti-bribery programme will be less effective and potentially give rise to non-conforming actions. 

The great thing about the ISO 37001 standard is that it challenges you to build an anti-bribery management system that is essentially 'fit for purpose'.  It does this through one of the key sections of the standard.

Section 4 of ISO 37001

This is one of the most important parts of the standard, but it is somehow often overlooked by practitioners. It is also commonly and conveniently missing from summaries of the standard written by pundits who claim that the standard is not relevant to their region, laws, or company because it somehow ignores named laws or regulations. This commentary is fundamentally wrong and misguided.

Section 4 of the ISO 37001 standard says that you need to look at the external and internal issues that are relevant to your company's purpose when designing the anti-bribery management system. Those issues include: 

  • Size
  • Structure
  • Decision-making approaches
  • Locations and sectors in which the organisation operates
  • The nature, scale, and complexity of the organisation’s activities and operations
  • Any applicable statutory, regulatory, contractual and professional obligations and duties. 

Different businesses have different needs

If your organisation is headquartered in the USA, but operates globally through very localised management who have significant power with minimal oversight from 'corporate', then your programme would most likely be more decentralised. It could be the case that this programme has central oversight in the form of internal audits and investigations, but management is allowed to set their own risk tolerance locally. Another possibility is that each country has its own risk assessment or even its own local policies and procedures. Such a global company might have to adjust its policy locally in many cases because the business is different.

Contrast that with a company that is based solely in one country, mostly trading and buying domestically, and managing government touch points very closely and tightly within a small group. The anti-bribery management system for this sort of company might be extremely small and very simple. A mere handful of people might be 'relevant' to the anti-bribery management system.

Compare that again to a company that is privately held, neither sells to nor buys from governments, and has a global business selling to consumers online. Again, that company will need to design a totally different anti-bribery management system from the previous two. It will have totally different risks, totally different obligations, different shareholder expectations, different risk profiles, and likely different management structures. Many of the typical bribery risks may simply not exist and will not need to be covered at all.

Compare two companies in two different industries. One industry has been heavily prosecuted for bribery with a multitude of scandals occurring, and one industry has not. It is not unreasonable to think that the company in the industry that has had lots of scandals might be more cautious, and therefore build a much less risk-tolerant anti-bribery management system. The other one may find it acceptable to take on additional risks. Again, there is nothing wrong with either approach, as both may still be completely legal.

Another example might be that your company is a provider to many large defense contractors who push down expectations to you via contracts. There could also be an industry code of conduct or some type of non-binding industry understanding in such a situation, which places additional obligations on your company. In both cases your anti-bribery programme would have to address these additional requirements. If these issues weren't addressed, then your programme simply wouldn't comply with ISO 37001 standards.

Making your programme 'fit for purpose'

The great thing about section 4 of the ISO 37001 standard is that it challenges you to think about all these elements, making sure that your anti-bribery management system is 'fit for purpose'. As you build your programme, you will need to really understand this ever-changing landscape. This is the only way to truly ensure that you address all the obligations, standards, expectations, laws, and regulations that apply to you in all of the markets in which your organisation operates. This of course requires a great deal of thought and analysis.

When applying for ISO 37001 certification, you can expect that your auditor will challenge you on these issues. This ensures that these areas have been taken into account when you built and designed your anti-bribery management system. This is yet another instance where the knowledge of the auditor and their content expertise is so important. We cannot stress to you enough how cautious you should be when choosing which certification body audits your project.