Global Insight now offers ISO 37001 Consulting Services
- February 19, 2018
- Posted by: Simon
- Category: Blog
Simon Goddard, Global Insight’s founder and principal, is now a PECB-certified ISO 37001 Lead Auditor.
What does this mean? The following is a fairly comprehensive explanation of the new Standard and its implications for businesses –
What is ISO 37001?
ISO 37001 is an anti-bribery management system (ABMS) standard for organizations. It specifies the anti-bribery policies and procedures an organization should implement to help it prevent bribery and to identify and deal with any bribery that does occur.
It is published by the International Organization for Standardization (ISO), an independent, non-governmental international organization that develops and publishes International Standards. ISO is based in Geneva and is made up of the national standards bodies of 162 member countries.
Who can use ISO 37001?
ISO 37001 is designed to be used by small, medium and large organizations in the public, private and voluntary sectors. It can be used by such a wide range of organizations because the standard is designed to be a flexible tool, which can be adapted according to the size and nature of the organization and the bribery risk it faces.
How can ISO 37001 benefit an organization?
Bribery can have very serious adverse consequences for an organization and for its employees. It is therefore in the interests of an organization and all its employees to take reasonable and proportionate steps to prevent bribery occurring. It is normally far cheaper and less disruptive for an organization to implement controls to prevent bribery from occurring than to deal with the consequences if bribery does occur. ISO 37001 can benefit an organization in the following ways –
- By specifying necessary policies and procedures, ISO 37001 assists an organization in implementing an ABMS, or in enhancing its existing controls. An ISO 37001 compliant ABMS can help prevent bribery occurring and can significantly reduce its impact if it does occur.
- It helps provide assurance to the management and owners of an organization that their organization has implemented internationally recognised good practice anti-bribery controls and is therefore taking steps to reduce risk and any adverse consequences.
- It helps the organization provide assurance to its customers, business associates and personnel that it has implemented internationally recognised good practice anti-bribery controls, and therefore assists the organization in obtaining work, recruiting good personnel and enhancing its reputation.
- Organizations may require their major contractors, suppliers and consultants to provide evidence of compliance with ISO 37001 as part of their pre-qualification or supply chain approval process, in the same way that they already require evidence of compliance with ISO 9001 (quality management) and similar standards.
- In the event of a bribery investigation which involves the organization, it helps provide evidence to the prosecutors or courts that the organization had taken reasonable steps to prevent bribery. It can therefore help avoid a prosecution or mitigate the outcome.
Well-managed, ethical organizations are likely to implement effective anti-bribery policies and procedures in the same way that they implement effective quality, environmental and safety policies and procedures. Many organizations are also likely to obtain independent certification to ISO 37001, just as they obtain certification to ISO 9001, ISO 14001 and OHSAS 18001.
What types of bribery does ISO 37001 aim to help prevent?
ISO 37001 aims to help prevent:
- Bribery by the organization and by the organization’s personnel or business associates acting on the organization’s behalf or for its benefit.
- Bribery of the organization or of the organization’s personnel or business associates in relation to the organization’s activities.
(Business associate includes parties with which the organization has a business relationship, e.g. customers, joint venture partners, consultants, sub-contractors, suppliers, agents)
What are the types of anti-bribery measure required by ISO 37001?
ISO 37001 requires the organization to implement, in a reasonable and proportionate manner, a series of measures which are designed to help the organization prevent, detect and deal with bribery. The following summarises the key measures:
- Implement an anti-bribery policy and supporting anti-bribery procedures (the ABMS). These procedures are the ones listed below –
- Ensure that the organization’s top management has overall responsibility for the implementation and effectiveness of the anti-bribery policy and ABMS and provides the appropriate commitment and leadership in this regard
- Ensure that responsibilities for ensuring compliance with the anti-bribery policy and ABMS are effectively allocated and communicated throughout the organization. For example:
- department heads will be responsible for compliance within their departments
- all personnel will be responsible for their personal compliance
- Appoint a person(s) with responsibility for overseeing anti-bribery compliance by the organization (compliance function). This person(s) can be full-time or part-time, depending on the size of organization and can combine this responsibility with other responsibilities.
- Ensure that controls are in place over decision-making for transactions that pose more than a low bribery risk. The decision process and the level of authority of the decision-maker(s) must be appropriate to the level of bribery risk and be free of actual or potential conflicts of interest.
- Ensure that resources (personnel, equipment and financial) are made available as necessary for the effective implementation of the ABMS.
- Implement appropriate vetting and controls over the organization’s personnel designed to ensure that they are competent and will comply with the anti-bribery policy and ABMS and can be disciplined if they do not comply.
- Provide appropriate anti-bribery training and/or guidance to personnel on the anti-bribery policy and ABMS
- Produce and retain appropriate documentation in relation to the design and implementation of the anti-bribery policy and ABMS
- Undertake periodic bribery risk assessments and appropriate due diligence on transactions and business associates
- Implement appropriate financial controls to reduce bribery risk (e.g. two signatures on payments, restricting use of cash, etc.)
- Implement appropriate procurement, commercial and other non-financial controls to reduce bribery risk (e.g. separation of functions, two signatures on work approvals, etc.)
- Ensure that all other organizations over which it has control implement anti-bribery measures which are reasonable and proportionate to the nature and extent of bribery risks which the controlled organization faces
- Require, where it is practicable to do so, and would help mitigate the bribery risk, any business associate which poses more than a low bribery risk to the organization to implement anti-bribery controls which manage the relevant bribery risk
- Ensure, where practicable, that appropriate anti-bribery commitments are obtained from business associates which pose more than a low bribery risk to the organization
- Implement controls over gifts, hospitality, donations and similar benefits to prevent them from being used for bribery purposes
- Ensure that the organization does not participate in, or withdraws from, any transaction where it cannot appropriately manage the bribery risk
- Implement reporting (whistle-blowing) procedures which encourage and enable persons to report suspected bribery, or any violation of or weakness in the ABMS, to the compliance function or to appropriate personnel
- Implement procedures to investigate and deal appropriately with any suspected or actual bribery or violation of the ABMS
- Monitor, measure and evaluate the effectiveness of the ABMS procedures
- Undertake internal audits at planned intervals which assess whether the ABMS conforms to the requirements of ISO 37001 and is being effectively implemented
- Undertake periodic reviews of the effectiveness of the ABMS by the compliance function and top management
- Rectify any identified problem with the ABMS and improve the ABMS as necessary
Does the organization need to comply with all the ISO 37001 requirements?
Yes. ISO 37001 specifies the anti-bribery policies and procedures an organization must implement to help it prevent bribery and to identify and deal with any bribery that does occur. An organization is only compliant with ISO 37001 if it has implemented all of the required measures. However, these measures should be implemented in a reasonable and proportionate manner according to the type and size of the organization and the nature and extent of the bribery risks it faces.
Can a third party certify the organization’s compliance with ISO 37001?
An organization’s compliance with ISO 37001 can be certified by an independent third party.
- This provides additional assurance that the organization is compliant.
- The risk of corrupt or negligent certification is reduced by using major, well-known, accredited national or international certification bodies.
There is no obligation for an organization to obtain independent certification to ISO 37001. An organization may simply ensure that its procedures are compliant with the standard. Independent certification, however, adds an extra level of assurance that the organization has done so.