Your Anti-Bribery Programme must reflect your company to meet ISO 37001 requirements
The lawyers reading this will know that 'fitness for purpose' is a phrase we learnt in our first few days of law school. It essentially means that what we design and build needs to suit the situation in which it will actually be used.
This applies squarely to compliance programmes, and to anti-bribery programmes in particular. Focusing on the wrong things frustrates your business partners and causes them to lose trust in your programme. It also makes the programme less effective and can give rise to nonconformities.
The great thing about the ISO 37001 Standard is that it challenges you to build an anti-bribery management system that is essentially 'fit for purpose'. It does this through one of the first key sections of the Standard.
Let's look at section 4 more closely. It is one of the most important parts of the Standard, yet it is often overlooked by practitioners. It is also commonly, and conveniently, missing from the summaries of pundits who claim that the Standard is not relevant to their region, laws or company because it somehow ignores specific named laws or regulations. That commentary is fundamentally wrong and misguided.
Section 4 of the ISO 37001 Standard says that you need to consider the external and internal issues relevant to your company's purpose when designing the anti-bribery management system. Those issues include the organisation's size, structure and decision-making approaches; the locations and sectors in which it operates; the nature, scale and complexity of its activities and operations; and any applicable statutory, regulatory, contractual and professional obligations and duties.
So, for example, if your organisation is headquartered in the USA but operates globally through very localised management that has significant power and minimal oversight from 'corporate', then your programme would most likely be more decentralised. It may, for example, have central oversight in the form of internal audit and investigations, while local management is allowed to set its own risk tolerance. It may also mean that each country has its own risk assessment, or even its own local policies and procedures. Such a global company might have to adjust its policy locally in many cases, simply because the business is different in each place.
Contrast that to a company that is based solely in one country, is mostly trading and buying domestically, and manages the touch points with Governments very closely and tightly in a small group. The anti-bribery management system for this sort of company might be extremely small and very simple. A mere handful of people might be 'relevant' to the anti-bribery management system.
Compare that again to a company that is privately held, not listed on any stock exchange, neither sells to nor buys from Governments, and has a global business selling to consumers online. That company will need to design a totally different anti-bribery management system: different risks, different obligations, different shareholder expectations, different risk profiles and likely different management structures. Many of the typical bribery risks may simply not exist and will not need to be covered at all.
Compare two companies in two different industries, one of which has been heavily prosecuted for bribery and plagued by scandal, and one of which has not. It is not unreasonable to expect the company in the scandal-hit industry to take a more cautious, and therefore much less risk-tolerant, approach to its anti-bribery management system, while the other may accept additional risk. Neither approach is wrong, and both may be entirely legal.
Another example might be a company that supplies many large defense contractors, where those customers pass their expectations down to you through contracts. Or perhaps there is an industry code of conduct, or some type of non-binding industry understanding, that places additional obligations on your company. In both situations your anti-bribery programme would have to address those additional requirements. If it does not, then it simply isn't 'fit for purpose'.
The great thing about section 4 of the ISO 37001 Standard is that it challenges you to think about all of these elements and make sure that your anti-bribery management system is 'fit for purpose'. As you build your programme, you will need to understand this ever-changing landscape so that you can address all the obligations, standards, expectations, laws and regulations that apply to you in every market in which you operate. This requires some thought and some analysis.
Your auditor will also challenge you on these issues and check that they were taken into account when you designed and built your anti-bribery management system. This is another example of why the auditor's knowledge and content expertise matter so much, and why you should be careful about which certification body you choose for your project.