The recent publication of the ISO standard 37001 on anti-bribery management systems is garnering more and more interest from a variety of sectors and organizations. For the first time, more than 80 countries were able to agree on a set of requirements which facilitate the design of an anti-bribery management system. The requirements apply not only to companies but also to administrations, associations, NGOs….
Going beyond a set of mere guidelines, this norm introduces the concept of continuous improvement through the implementation of set objectives and their control. The norm follows four precepts: Plan, Do, Check, Act. An organization must plan its anti-bribery management system according to its structure, its stakeholders and its specific risks, which allows the identification of appropriate objectives. Then the organization must do, that is to say, it must implement reasonable and proportionate procedures to attain the identified objectives. The third step, check, involves an assessment or evaluation of the procedures and their implementation throughout the organization. The act component comes into play when the results of an evaluation determine which corrective measures need to be implemented to ensure an appropriate and effective program.
There are five questions that compliance officers generally ask when considering the implementation of an anti-bribery management system according to the ISO 37001:
1. How do I define the scope of my anti-bribery management system?
Defining the scope of a management system can be daunting if you don’t know where to start. The first step should be a general brainstorming session to analyze the structure, activities, locations of business, employees and the internal requirements specific to the organization. It is also important to analyze the external requirements of the organization, as these evolve: who are the stakeholders? What are the expectations of these stakeholders vis-à-vis the feasibility and durability of an anti-bribery management system? You should also investigate which legal obligations concern your entity. For instance, it could be the Italian Law Decree 231, Chapter 8 of the US Federal Sentencing Guidelines, the UK Bribery Act Guidance or the French Sapin II law on compliance obligations. When you then conduct a corruption risk assessment and add it to these analyses, an aggregate of the internal and external requirements emerges and the scope becomes evident.
2. Who are my stakeholders and how do I ensure their requirements fit into my anti-bribery management system?
The stakeholders are any parties which interact with the organization. Typically, these include clients, suppliers, employees, regulatory bodies, unions, investors, the media… Each stakeholder has different expectations of an anti-bribery management system. To address the different expectations of the various stakeholders, it is useful to list each one and detail its specific needs and expectations.
3. What should the role of the top management be apart from “tone from the top”?
The position of the ISO 37001 is that top management is the ambassador of an efficient anti-bribery management system. Top management must promote the implementation of the system and ensure that it is integrated into the business and throughout the organization. It must also ensure that communication on the program is widespread, that a compliance team is appointed and that regular evaluations of the efficiency of the program are executed. Top management’s dedication to the anti-bribery management system is critical.
4. How are my objectives reflected in daily operations?
The organization must define the objectives expected from an anti-bribery management system. The objectives form the basis of the procedures selected for implementation. The objectives must respect the pre-determined scope and reflect the expectations of stakeholders, the corruption risks specific to the organization, the commitment of top management, the availability of resources…. The norm does not require a defined period for the accomplishment of these objectives, but it is important, during the planning stage, to set specific time limits on certain objectives and to assess the degree to which they have been attained at the given time. Once the objectives have been defined, the means necessary to attain them can be established by the organization.
5. What is a non-conformity? What should I do in the event of a non-conformity?
An issue of non-conformity highlights that a requirement of the norm has not been respected or that an objective set by the organization has not been attained. A non-conformity can be minor, in other words, it does not impede the operation of the anti-bribery management system, but it does reduce its efficacy. A non-conformity is major if it prevents the management system from functioning efficiently. A major non-conformity can manifest itself in different ways, from not reaching a defined objective, to neglecting to implement the requirements of a specific chapter of the norm, to the identification of a cluster of non-conformities on a specific theme. The identification of a major non-conformity during an ISO 37001 audit would preclude the award of the certification. A non-conformity, whether minor or major, requires a plan for corrective action. The plan for corrective action promotes the continuous improvement of the management system and supports its development through a virtuous circle.
The ETHIC Intelligence Expert’s Corner is an opportunity for specialists in the field of anti-corruption compliance to express their views on approaches to and developments in the sector. The views expressed in these articles are those of the authors.