It’s a sad fact that issues like fraud and corruption can occur in any company, anywhere, with incidence present across the globe. Bribery of any form can cause irrecoverable damage to reputation and commercial interests.
Data from the world bank shows bribery is endemic. Over a trillion dollars is paid in bribes every year (see here). Companies must be both prepared and equipped to take action regarding financial misconduct to avoid damage.
One method organizations can utilize to equip themselves is through robust governance and controls in the form of an appropriate management system.
In today’s article, we’ll be looking at ISO 37001, which is ISO’s requirements for an Anti-bribery management system. We’ll be looking at:
- The need for ISO37001
- What is ISO37001
- The ISO37001 Management system
- How to obtain ISO37001 certification
- Benefits of ISO37001
- Some issues of ISO37001
The need for ISO37001:2016
Corruption can have an emphatically negative impact on businesses from harming customer and public perception through to restricting performance and damaging productivity.
Corruption has various faces, but at its heart are corrupt acts like bribery, embezzlement, and abuse of corporate power.
Sadly as we described in our introduction, bribery is rampant in modern society and business. Statistics from organizations like the World Bank, ttps://www.transparency.org.uk portray a world in which over a trillion dollars a year is paid out in bribes, and in some countries, rates of bribe requests extend well into double percentage digits.
For most organizations, credibility is king. Credibility builds trust for both internal and external stakeholders. Credibility is lost when corruption is present.
All too often, the key enabler for corruption is a shortage of relevant processes and controls bourne out of an overarching management system designed to prevent occurrence.
Recognizing the challenge bribery puts upon business ISO has built a standard to assist organizations in supporting ethical business practices and culture.
ISO37001 helps guide businesses in the building, implementing, and sustaining of an anti-bribery management system.
ISO37001 has a number of key objectives
- Impart an anti-bribery culture within an organization
- Facilitate the introduction of appropriate controls,
- Reduce the incidence of bribery within an organization
- Increase the opportunity of detecting bribery
- Address bribery if and when it does occur.
As a management system, the standard aims to achieve this through a number of facets:
- Defining governance & policy
- Defining responsibility
- Defining the appropriate process
- Risk management / Mitigation
- Appropriate measures and controls
As with ISO9001, you can achieve certification against the standard.
Let’s have a look at the standard in a bit more detail.
What is ISO37001
The standards objective is the development of a management system that addresses bribery. It should be remembered that the standard does not address other forms of corruption, such as fraud or anti-competitive practices.
The goal is a management system that
- Prevents bribery
- Detects bribery
- Responds to bribery
It should be remembered that ISO 37001 is not a panacea and, by itself, will not prevent bribery from occurring. What ISO37001 will do is help deploy systems that could.
As with normal ISO standards, a business can gain ISO37001 Certification via a certification body. This is in exactly the same way as ISO9001:2015.
The standard references and aims to target bribery
- By the organization
- By personnel or associates
- Of the organization
- Of its personnel or associates.
- Of any value at any location
As with the deployment of any standards-based management system, it will require both leadership and appropriate resources to support it.
But what should your organization implement by way of a management system in support of the standard?
ISO37001 management system
It has been argued that ISO37001 is perhaps a little broad and lacks enough definition, but there are some key criteria (policies, procedures, measures) that will need to be implemented, including:
- Commitment from your organization’s leadership
- An Organizational Anti-bribery policy
- Policies & processes describing the monitioring and investigating of possible bribery within the business.
- Appropriate governance & controls
- An appropriate management review process
- Assessment of skill requirements
- Training & the recording of appropriate training evidence (i.e Training records)
- A Documented risk management process
- Processes that describe how due diligence will be applied, how this is applied to the business itself, and how it extends to third parties).
- Appropriate corrective action processes that look to drive improvement.
The generic basis of the standard empowers the organization to develop its processes around this basic framework of governance.
ISO 37001:2016 certification
Certification can be obtained by much the same route as other ISO standards.
The standard can be autonomous or integrated within an organization’s existing Quality Management system.
The certification process is typical of aquiringCertificationn in other standards and typically resembles the following:
- Implementation of a suitably compliant management system within the organization
- Ensure organization awareness
- Carry out internal audits to provide confidence of compliance,
- Provide action plans for any non-conformances
- Capture sufficient records to demonstrate the working of the management system
- Engage with 3rd party certification body and request registration
- Undertake 3rd party audit
- Carry out any required corrective action
Remember that the certification process is much the same as other ISO standards and the same do’s and don’t apply in the way you should engage with auditors during the process.
- Be Transparent,
- Be Open,
- Ensure your organization is properly briefed and prepared
- Recognize that the auditors may not be subject matter experts in your industry but they will have a thorough knowledge of the standard.
- Be unprepared
- Be argumentative
- Try and hide things
Should your organization pay for ISO 37001 Certification?
Bribery is a complex and evolving issue.
In some countries, the anti-corruption Certification has become mandatory in order to take part in public procurement (i.e., Peru, where it has mandated ISO37001.)
In others, it’s a nice to have as it visibly demonstrates that the organization takes the prevention of bribery seriously, potentially showing advantages over the competition.
The decision on whether to commence implementation of an ISO37001 system and then approach Certification is likely to depend on a number of attributes.
Organizations should weigh the benefits that certification brings and against the issues it may face in achieving it (and maintaining it once awarded).
Of course, where certification is mandated, then the decision is easy but for other organizations less so. ISO37001 is likely to evolve (as will industry standards) as the complex nature of corruption also does.
Ultimately, the key question of whether a compliance-based ethics standard will benefit an organization will have to be evaluated on a case by case basis.
In the longterm, there are likely to be many benefits.
In the short term achieving certification, which is broad, may be complicated and take resources that many companies might not have at their disposal (or could be managing the certification of other more primary and mandated standards).
What are the benefits of ISO37001
ISO37001 offers various benefits which include:
- It demonstrates organizations’ commitment against bribery.
- It can be used to benchmark internal systems against an agreed standard.
- It can be used to evaluate third parties, such as suppliers.
- Certification communicates the companies stance & transparency on bribery. This stance is communicated to internal & external stakeholders such as employees, management, investors, business partners.
- It promotes a strong anti-bribery focussed culture.
- ISO37001 Certification helps differentiate from potential competitors.
- Where relevant, it demonstrates compliance with applicable law.
- Through certification, it potentially reduces the likelihood of possible litigation (or severity of it) through exhibiting the embodiment of a compliance-based standard.
What the issues with ISO37001
While there are, as we’ve stipulated above, various benefits ISO37001 does have some issues which should be considered when an organization is evaluating whether it should target certification.
- It has been argued that the standard is very broad and does not provide sufficient detail or guidance. This is especially concerning when understanding what needs to be executed to achieve compliance.
- External industry policies (e.g., financial industry) continue to evolve, and as a result, ISO37001 will need to keep pace or risk becoming obsolete.
- The evolution of the standard will no doubt drive requirements for recertification.
Bribery and corruption are highly complex issues. ISO37001 provides a significant step forward by implementing a preventative management system.
We hope you’ve enjoyed this article. As the world of corruption evolves, we’d love to hear people’s experiences in implementing the ISO37001 standard. The key benefits you’ve realized and the challenges you found along the way to achieving certification.
As ever, you can leave a comment below or fire us a message on twitter.