Understanding ISO 37001 Anti Bribery Management System: The What, The How, and The Why

3rd Mar, 2023

ISO 37001 is an international standard that provides a systematic approach to anti-bribery management. It gives organizations a framework to establish, implement, maintain, and continually improve an anti-bribery management system, which enables them to address bribery risks and to prevent, detect and respond to bribery.

ISO 37001 covers all forms of bribery, including:

  • Active bribery – offering or paying a bribe
  • Passive bribery – soliciting or receiving a bribe
  • Public sector bribery – bribery of public officials
  • Private sector bribery – bribery of personnel of corporations or of other private organizations, or of private individuals
  • Direct bribery – by the organization or its personnel
  • Indirect bribery – bribery through business associates such as agents, consultants or outsourcing partners

The standard was first published by the International Organization for Standardization (ISO) in 2016 and has since been widely adopted by organizations worldwide. The key elements of an ISO 37001 anti-bribery management system (ABMS) are:

  • Formation of anti-bribery Compliance Function
  • Anti-bribery policy
  • Bribery risk assessment
  • ABMS Training & communications
  • Due diligence for employees and associates
  • Procedures on gifts, hospitality, donations
  • Procedure for raising concerns (Whistle Blower Policy)
  • Investigation procedure

What does the scope of ISO 37001 include?

  • Payment to a policeman, a customs officer, or an immigration officer
  • Commissions to high-ranking public officials for reasons such as procurement, large infrastructure projects, or access to natural resources
  • Payment to the employee of a private organization, e.g., in procurement
  • Expensive gifts and entertainment
  • The hiring of relatives, friends, or associates
  • The payment of medical expenses
  • The arrangement of payment for studies abroad
  • The payment of travel and accommodation expenses without an explainable business purpose
  • The free use of a vacation apartment
  • Political contributions in violation of applicable law to gain favour
  • Charitable donations or sponsoring benefiting a limited circle of individuals

What are the key steps to implement ISO 37001?

  1. Define the scope of ABMS
  2. Form an anti-bribery Compliance Function
  3. Conduct bribery risk assessment
  4. Draft an anti-bribery policy
  5. Draft anti-bribery objectives
  6. Deliver ABMS training
  7. Implement due diligence
  8. Implement or adapt financial and non-financial controls
  9. Implement procedures on gifts, hospitality, donations and similar benefits
  10. Establish a plan for internal and external communication
  11. Implement the procedure for raising concerns (Whistle Blower Policy) & investigation procedure
  12. Internal audits & management review meetings (MRM)

Bribery Risk Assessment

The bribery risk assessment enables the organization to form a solid foundation for its anti-bribery management system. Risk assessment methodology depends upon two factors:

  1. How the bribery risks are weighted and prioritized
  2. The level of exposure to bribery risk that is accepted (i.e., ‘risk appetite’) or tolerated by the organization

The organization establishes its own criteria for evaluating bribery risk, taking these factors into account. The risk assessment process is divided into four major phases, explained below.

The first phase of the risk assessment process establishes criteria for evaluating the level of bribery risk, taking into account the organization’s policies and objectives. An organization does this by understanding the impact and the likelihood of each risk occurring. To measure the impact, the extent to which the risk is acceptable or tolerable is taken into account. To measure the likelihood, each risk is rated on a five-point scale:

  1. Very unlikely to occur
  2. Unlikely to occur
  3. Could occur
  4. Likely to occur
  5. Almost certain to occur

The impact rating should consider the following:

  1. Financial effect
  2. Organization’s reputation
  3. Strategic objectives
  4. Recovery scenario

The second phase of the risk assessment process identifies risk, which consists of finding, recognizing and describing risks that might prevent an organization from achieving its objectives. Risk identification is based on the organization’s environment, including the nature of its operations, business and locations.

The second phase includes:

  1. Interviewing personnel in key areas (sales, procurement, marketing, finance, internal audit, top management, etc.)
  2. Reviewing internal and external audit reports or hotline records
  3. Analyzing past incidents that took place in the organization or in similar organizations
  4. Obtaining advice from lawyers, auditors or other professionals

The risk categories concerning bribery include the following:

  • Country risk: How prevalent is bribery in each location of operation?
  • Sectoral risk: Is the organization’s industry exposed to bribery?
  • Business partners’ risk: Is the organization involved in business relationships that it does not fully control?
  • Public sector risk: How much interaction with public officials occurs in certain activities?

The third phase of the risk assessment is risk analysis and evaluation. The risk analysis applies the risk criteria, i.e. the likelihood and the impact of occurrence, to the risks identified in the different categories. For each risk it evaluates how likely the risk is to occur and, if it does, what its adverse impact on the organization would be. The analysis provides a risk score for each category.

The fourth phase is the risk response and monitoring by management to bring the residual risk within the desired level of risk exposure. The possible responses are:

  1. Avoidance: The first and most preferred response is to avoid the risk by ceasing the risk-bearing activity or exiting a market, eliminating the risk at its root.
  2. Mitigation: Another response is to implement standard controls that mitigate the risk to a level acceptable to the organization.
  3. Transfer: In some cases the risk can be shifted to another party, for example by engaging with customers or suppliers through contractual arrangements.
  4. Acceptance: Finally, the response can consist of accepting the exposure.
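The four phases above describe a scoring procedure but leave the arithmetic to the organization. The following added example (not from the article, ISO 37001 or 4C Consulting) turns them into a small risk register: it uses the article’s five-point likelihood scale and four impact dimensions, and assumes a 1–5 rating per impact dimension, a score of likelihood × impact, the worst risk as the category score, a numeric risk appetite, and a control effect expressed as points of likelihood removed. The sample risks, ratings and appetite are constructed for illustration.

```python
"""Illustrative bribery risk register scoring (added example; the scoring
rules are assumptions, not requirements of ISO 37001)."""
from dataclasses import dataclass

# Five-point likelihood scale as listed in the article.
LIKELIHOOD = {
    1: "Very unlikely to occur",
    2: "Unlikely to occur",
    3: "Could occur",
    4: "Likely to occur",
    5: "Almost certain to occur",
}

# The four impact dimensions the article names. Rating each on 1..5 and
# taking the worst dimension as the overall impact are assumptions here.
IMPACT_DIMENSIONS = ("financial", "reputation", "strategic", "recovery")


@dataclass
class BriberyRisk:
    name: str
    category: str            # country / sectoral / business_partner / public_sector
    likelihood: int          # 1..5 on the scale above
    impact: dict             # dimension -> 1..5
    control_effect: int = 0  # assumed: likelihood points removed by planned controls

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"likelihood must be 1..5, got {self.likelihood}")
        for dim, value in self.impact.items():
            if dim not in IMPACT_DIMENSIONS or not 1 <= value <= 5:
                raise ValueError(f"bad impact rating {dim}={value}")

    @property
    def impact_rating(self) -> int:
        return max(self.impact.values())

    @property
    def inherent_score(self) -> int:
        # Assumption: score = likelihood x impact (a 5x5 matrix, range 1..25)
        return self.likelihood * self.impact_rating

    @property
    def residual_score(self) -> int:
        # Score after controls; likelihood never drops below 1
        residual_likelihood = max(1, self.likelihood - self.control_effect)
        return residual_likelihood * self.impact_rating


def recommend_response(risk: BriberyRisk, risk_appetite: int) -> str:
    """Map a scored risk to one of the four responses from the article.

    Thresholds are an assumption: a risk within appetite is accepted; one
    that controls bring within appetite is mitigated; one that stays above
    appetite after controls is escalated for an avoidance-or-transfer decision.
    """
    if risk.inherent_score <= risk_appetite:
        return "acceptance"
    if risk.residual_score <= risk_appetite:
        return "mitigation"
    return "avoidance or transfer (escalate to management)"


def category_scores(register: list) -> dict:
    """Worst inherent score per risk category (assumption: max, not sum)."""
    scores = {}
    for risk in register:
        scores[risk.category] = max(scores.get(risk.category, 0), risk.inherent_score)
    return scores


# Constructed sample register; names and ratings are illustrative only.
SAMPLE_REGISTER = [
    BriberyRisk("customs clearance facilitation payments", "public_sector", 4,
                {"financial": 2, "reputation": 4, "strategic": 3, "recovery": 2}, control_effect=2),
    BriberyRisk("local sales agent commissions", "business_partner", 3,
                {"financial": 3, "reputation": 5, "strategic": 4, "recovery": 3}, control_effect=1),
    BriberyRisk("hospitality offered by a supplier", "sectoral", 2,
                {"financial": 1, "reputation": 2, "strategic": 1, "recovery": 1}),
]

RISK_APPETITE = 8  # assumed: management tolerates scores of 8 and below


def assess(register=SAMPLE_REGISTER, risk_appetite=RISK_APPETITE) -> list:
    """Return (name, category, inherent, residual, response) per risk."""
    return [(r.name, r.category, r.inherent_score, r.residual_score,
             recommend_response(r, risk_appetite)) for r in register]


if __name__ == "__main__":
    for name, cat, inherent, residual, response in assess():
        print(f"{name:42s} {cat:16s} inherent={inherent:2d} residual={residual:2d} -> {response}")
    for cat, score in sorted(category_scores(SAMPLE_REGISTER).items()):
        print(f"category {cat:16s} worst inherent score {score}")
```

With the constructed inputs, the customs risk scores 16 inherently and 8 after controls (mitigation), the agent commissions remain at 10 after controls and are escalated, and the supplier hospitality scores 4 and is accepted; the per-category view highlights public sector and business partner risk as the areas needing management attention.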

Why is ISO 37001 important for your organization?

ISO 37001 helps organizations improve their reputation and credibility. Organizations certified to ISO 37001 are seen as committed to ethical business practices and to reducing bribery risks. This can increase stakeholders’ and partners’ confidence and improve due diligence processes.

From improving overall risk management and compliance management to identifying and addressing bribery risks, ISO 37001 brings a number of implementation benefits, as listed below.

  • Identify and manage bribery and related risks, such as reputational risk
  • Set minimum requirements and support guidance to implement or benchmark an anti-bribery management system
  • Provide assurance to the relevant parties, including the governing body, management, investors, personnel, customers, regulators and other stakeholders, that an organization is taking reasonable steps to prevent, detect and respond to bribery
  • Reduce the risk of bribery occurring in relation to the organization’s activities
  • Strengthen the organization’s reputation and brand, and contribute to its sustainability
  • Most importantly, establish a culture of transparency and integrity

4C Consulting recently empowered a client operating a cargo and mineral port based in Central Africa. ISO 37001 enabled our client to introduce a speak-up culture, comply with local laws, improve its ESG rating and increase stakeholder trust. To achieve the same results and much more, reach out to our consultant at And for more information on ISO 37001.