Where to Start Building an Anti-Bribery Management System
When the working group ISO/PC 278 was charged with drafting the “Anti-Bribery Management Systems Standard” or what would become known as ISO 37001, they had three objectives:
- To provide Compliance Officers with a manual with which they could design an anti-bribery management system (ABMS)
- This is why the Standard has a detailed annex on best practices
- To provide Compliance Officers, who already have an established ABMS, with an internationally recognised standard to compare it against
- This is why the standard is so detailed
- To provide the international community with a certifiable standard on corruption prevention
- This is why the decision was made to draft ISO 37001 as a certifiable standard and not as a set of guidelines
There is an inherent difficulty in accomplishing these objectives with a standard that can be used by organisations of all sizes and from all sectors, whether public, private, or not-for-profit. This challenge is reflected in the sometimes-repetitive nature of the standard, which can make reading, comprehension, and implementation frustrating for compliance officers or executives who are not familiar with other standards published by ISO. A typical related question we often receive is: With which chapter should we start when building our ABMS? Taking into account organisational specificities like stakeholder expectations, corruption risks, and scope, the best place to start an ABMS is with Chapter 4. This will make the rest of the standard easier to understand and implement.
4.1 – Understanding the organisation and its context
Each organisation will have a unique anti-bribery management system (ABMS). You might be thinking, how can each ABMS be unique if they are following ISO 37001 requirements? It is true, that major principles of the standard like “tone at the top”, training, or reporting and investigation procedures will remain the same.
Where the differences will emerge though, is the way that each system is implemented. In order to be effective, an ABMS must be adapted to the organisation. This will vary according to the organisation’s activity, size, operating model, countries of operation, etc. Before designing an ABMS, there must be a thorough understanding of the organisation’s specificities. Section 4.1 of ISO 37001 focuses on just that. It requires that each organisation identify the factors that could influence its anti-corruption efforts and includes:
- a) the size, structure, and system of governance and delegated authority
- b) countries and sectors of operations
- c) the nature, the scale, and the complexity of the activities and operations
- d) the economic model
- e) the entities over which the organisation exercises control (subsidiaries) and the entities which exercise control over the organisation (parent company)
- f) business partners
- g) the nature and extent of interactions with representatives of public administrations
- h) applicable legal, regulatory, contractual, or professional obligations.
It is essential to consider all of these points to create an effective and appropriate ABMS that is adapted to your organisation. This document is compulsory if the organisation is interested in having its ABMS certified according to ISO 37001.
4.2 – Understanding the needs and the expectations of stakeholders
Understanding the needs of the stakeholder is another crucial element for implementing a successful anti-bribery management system. Clients, suppliers, workers, rating agencies, associations, the media, and more all have different expectations in regard to what should be included in the ABMS. For example, Transparency International UK expects members of the defence industry to detail their anti-corruption programmes. Rating agencies expect listed companies to have an anti-corruption programme in place to limit the risks an act of corruption could have on profit. JV partners also want to know what sort of anti-corruption programme their partners have in place.
That is why the standard asks organisations to identify:
- a) stakeholders relevant to the anti-bribery management system; and
- b) stakeholder requirements
Although time-consuming, it is crucial to identify the needs and demands of your organisation’s stakeholders in order to satisfy their expectations of your future ABMS. This process is also compulsory if an organisation wishes to be certified against ISO 37001.
4.5 – Evaluating corruption risks
Once the organisation has identified its context, stakeholders, and their expectations, the ISO/PC 278 working group determined that it could then proceed to the risk assessment stage. Though it may seem illogical that sub-section 4.5 would precede 4.3, this irregularity was created due to the working group using the formula of general management systems as a reference for the ISO 37001 standard. As this formula does not include a risk assessment a provision needed to be added to end of chapter 4, thus the creation of sub-section 4.5.
Therefore, though it may be found near the end of chapter 4, sub-section 4.5 needs to be completed before determining the scope of the anti-bribery management system (ABMS) (section 4.3). This arrangement is necessary because section 4.3 will need to reference the previous work done on the context (4.1), the stakeholders (4.2), and the risk assessment (4.5) sections in order to be completed properly.
An organisation must:
- a) identify corruption risks that could be reasonably anticipated, given the indicators of 4.1
- b) analyse, assess, and prioritise identified risks
- c) evaluate the appropriateness and efficiency of controls put in place to mitigate identified corruption risks
4.3 – Determining the anti-bribery management system’s scope
An organisation can choose to implement an ABMS as a separate system, or as an integrated part of an overall compliance management system. It might also choose to implement the ABMS in parallel with, or as part of, its other management systems i.e. quality, environmental, information security, etc.
It is important to note however, for companies who want to get certified, but do not want to go for a “big bang” approach, that it makes perfect sense to start with a limited scope (for example the Head Office + one or several Business Unit(s), or a limited number of countries). This doesn’t mean that your ABMS should not apply to the whole company (this is actually a requirement of §8.5), but this means you can focus your energy to have a certifiable system limited to the areas you have evaluated as the most important (or presenting the highest risk when it comes to corruption), and you can extend the scope of certification year after year.
The ISO 37001 requires that an organisation consider the following to determine the scope of the ABMS:
- a) the internal and external challenges mentioned in 4.1
- b) the requirements referenced in 4.2 and
- c) the results of the risk assessment mentioned in 4.5
Specifying the scope will enable the organisation to determine which areas or entities do not present a corruption risk. ISO 37001 requires a risk-based ABMS, i.e. one which considers any risk to be ‘low.’
4.4 – Anti-Bribery Management Systems
After following the guidelines given to meet the requirements of sections 4.1, 4.2, 4.5 and 4.3, the organisation will be in a position to establish, document, implement, maintain and continually review and improve its ABMS.
ISO 37001 requires that an anti-bribery management system be “reasonable and proportionate with regard to the nature and extent of bribery risks faced by the organisation.”
Once an organisation has met the requirements of chapter 4, it will be easier to implement the other chapters: 5-leadership; 6-planning; 7-resources; 8-tools; 9-controls and 10-continual improvement.
Ultimately, an ISO 37001 certification demonstrates that the organisation has implemented an appropriate ABMS. In other words, one that is tailored to the organisation’s operations, meets all relevant legal obligations, and satisfies stakeholder expectations.
by Philippe Montigny
President, Certification & Impartiality Committees