When I participated in the ISO/PC 278 working group which drafted the "Anti-Bribery Management Systems Standard", we had three objectives:
- To provide Compliance Officers with a manual with which they could design an anti-bribery management system. That is why the Standard has a detailed annex on best practices.
- To allow Compliance Officers with an already established anti-bribery management system to compare it to an internationally recognized standard. That is why the standard is so detailed.
- To provide the international community with a certifiable standard on corruption prevention. That is why we wanted to draft ISO 37001 as a certifiable standard and not as guidelines.
The difficulty was to design a standard which could be used by organizations of all sizes and from all sectors, regardless of whether they were public, private or not-for-profit. This challenge is reflected in the sometimes repetitive nature of the standard.
To get the most out of the Standard, organizations should concentrate on Section 4 - the context of the organization. Once this section has been worked through and documented, the rest of the standard becomes easier to understand and implement.
4.1 – Understanding the organization and its context
It is a truism that each organization is unique; what is less often recognized is that each organization therefore needs its own anti-bribery management system. The major tenets of an anti-bribery management system remain the same: "tone at the top", training, etc. What differs is the way the program is implemented. Implementation varies according to the organization's activity, size, operating model, countries of operation, etc.
We know that an anti-corruption compliance program must be adapted to the organization in order to be effective. Thus, the prerequisite of an effective program is to understand the organization's specificities. Section 4.1 of ISO 37001 requires that each organization identify the specific factors that could influence its anti-corruption program, including:
a) the size, structure and system of governance and delegated authority;
b) countries and sectors of operations;
c) the nature, the scale and the complexity of the activities and operations;
d) the business model;
e) the entities over which the organization exercises control (subsidiaries) and the entities which exercise control over the organization (parent company);
f) business partners;
g) the nature and extent of interactions with public officials;
h) applicable legal, regulatory, contractual or professional obligations.
It may seem daunting to draft a document which takes all of these specificities into account, but it is an essential exercise for an effective and appropriate anti-bribery management program. In addition, if an organization is interested in certification, this document is compulsory.
4.2 – Understanding the needs and the expectations of stakeholders
An organization is characterized by the interactions it has with a multitude of stakeholders: clients, suppliers, rating agencies, not to mention associations, the media, etc. These stakeholders have different expectations regarding an organization's anti-corruption program. Transparency International UK, for example, expects members of the defense industry to detail their anti-corruption programs. Rating agencies expect listed companies to have an anti-corruption program which limits the risk of corruption and consequently limits the impact an act of corruption could have on profit. In addition, joint-venture (JV) partners will want to know what sort of anti-corruption program their partners have in place.
That is why the standard asks organizations to determine:
a) stakeholders relevant to the anti-bribery management system; and
b) the requirements of those stakeholders.
Again, it will be time-consuming to identify these stakeholders and their needs or demands, but it is an essential exercise in order to meet their expectations. Once again, for organizations that wish to be certified, this document is compulsory.
4.5 – Evaluating corruption risks
The ISO/PC 278 working group determined that once an organization has identified its context and stakeholder expectations, it can proceed to the risk assessment stage.
Logically, sub-section 4.5 comes before sub-section 4.3, since the scope cannot be set without the results of the risk assessment. Because ISO 37001 follows the common structure shared by ISO management system standards, whose section 4 does not include a risk assessment, the Working Group had to insert this provision at the end of section 4 and number it 4.5. The risk assessment is thus specific to ISO 37001.
Although it appears near the end of section 4 (as 4.5), this does not mean that it should be dealt with last. In fact, determining the scope of the anti-bribery management system (section 4.3) requires reference to the context (4.1), the stakeholders (4.2) and the risk assessment (4.5).
An organization must:
a) identify the corruption risks that could reasonably be anticipated given the factors identified in 4.1;
b) analyze, assess and prioritize the identified risks;
c) evaluate the suitability and effectiveness of the controls put in place to mitigate the identified corruption risks.
It becomes apparent that an organization must first work through section 4.1 before proceeding to the risk assessment, which is itself the foundation of the organization's anti-bribery management system.
4.3 – Determining the anti-bribery management system’s scope
To determine the anti-bribery management system's scope, ISO 37001 requires that an organization consider:
a) the internal and external issues referred to in 4.1;
b) the requirements referenced in 4.2; and
c) the results of the risk assessment mentioned in 4.5.
By specifying the scope, the organization will be able to determine which areas or entities present little or no corruption risk. ISO 37001 requires a risk-based anti-bribery management system, i.e. one which focuses its controls on any risk assessed as more than 'low'.
4.4 – Anti-Bribery Management Systems
The work done to meet the requirements of 4.1, 4.2, 4.5 and then 4.3 helps the organization implement an appropriate anti-bribery management system: neither too heavy nor too light. ISO 37001 requires that an anti-bribery management system be "reasonable and proportionate with regard to the nature and extent of bribery risks faced by the organization." Once an organization has met the requirements of section 4, it becomes easier to implement the other sections: 5 (leadership), 6 (planning), 7 (support), 8 (operation), 9 (performance evaluation) and 10 (improvement). Ultimately, an ISO 37001 certification demonstrates that the organization has implemented an appropriate anti-bribery management system, tailored to its operations, its relevant legal obligations and the expectations of its stakeholders.