Five questions to consider as you get ready for ISO 37001
Business leaders are growing increasingly vigilant about bribery and corruption risk – and for good reason. The fact that opportunities for corruption exist in business is well known. Indeed, in certain countries and industries, bribery has traditionally been considered a “necessary” part of doing business. However, increasing regulation and enforcement are pushing the need to deal with corruption up the corporate agenda.
Statistics show that there is still work to be done. In a 2018 survey of global white-collar crime spearheaded by international law firm White & Case LLP, 39% of respondents believed that it would be possible for someone in their company to bribe a public official in exchange for preferential treatment, and 40% of employees from legal and compliance departments said that they had felt under pressure to approve the engagement of a third party despite bribery and corruption red flags. At the same time, increasing awareness of the damage bribery causes to countries, organizations and individuals is leading to greater vigilance and due diligence in supply chains, tighter regulations and more consistent enforcement.
Demonstrate integrity by certifying your Anti-Bribery Management System
As a result, implementing an Anti-Bribery Management System (ABMS) is more important than ever for meeting the expectations of demanding stakeholders and staying on top of increasingly stringent legal requirements. Going one step further and certifying that system to an internationally recognized standard such as ISO 37001 proves just how seriously your organization takes its commitment to ethical business practices. Certification helps embed the ABMS in your organizational culture, which improves controls, mitigates risk and limits opportunities for corrupt acts. It also offers your organization a competitive advantage by boosting your reputation and ethical credentials.
ISO 37001 helps combat the risk of bribery throughout global value chains by providing a framework for creating, implementing and improving anti-bribery controls and procedures. To make sure you are ISO 37001-ready, ask yourself the following five questions.
1. Do I have the right documentation?
ISO 37001 may not require documentation to comply with some of its clauses, but possessing such evidence makes it easier to demonstrate compliance to auditors. Where the standard does not stipulate a specific documentation requirement, how much you choose to document will depend on the size of your organization, the complexity of your processes, the competence of your staff, and the risk of information being lost or not communicated. It is particularly important to document all training offered and completed: keep records of the courses offered and the profiles of the staff trained, including their level of involvement in activities exposed to bribery risk.
2. Have I considered non-financial controls?
Since bribery and corruption are inherently linked to money, you might think you can leave ISO 37001 compliance in the hands of your finance department. Indeed, ISO 37001 does require a number of financial controls, such as double signatures on payment approvals. It also requires non-financial controls, which are equally important and extend responsibility for compliance throughout your organization. These include, for example, verifying that a genuine need exists for the services provided by a business partner, and checking the anti-bribery policies, procedures and controls of contractors, suppliers and consultants.
3. Have I included all the right elements?
It is important to implement a clear and accessible anti-bribery policy, which includes certain key elements to ensure your system will be compliant for certification. ISO 37001 requires that an anti-bribery policy must, for example, provide a framework for achieving its goals, encourage the reporting of suspected bribery acts, and clearly outline corrective and disciplinary actions to implement in the event of non-compliance with procedures and the policy. Once the right policy has been designed, it is critical that you consider how it will be communicated (remembering to document your strategy and actions) and what procedures will be put in place around relevant activities to demonstrate compliance.
4. Have I taken into account my third parties?
Your organization’s anti-bribery policy must extend to all subsidiaries and organizations with which you have a working or operational relationship; agents, distributors, contractors and suppliers are all “business associates” in the language of the standard. You should apply a risk-based approach to managing corruption and bribery among these business associates. You need to be able to rank them according to the risk they pose, justify the criteria you have used to evaluate them, and then demonstrate that you have deployed appropriate resources to manage bribery and corruption for each according to that risk assessment. It is also crucial that all contracts stipulate your right to audit your business associates so that you can monitor their anti-bribery controls and performance.
5. Have I made a plan and timeline?
To get your management system ready for ISO 37001 certification, map your anti-bribery objectives and create a schedule of activities that will enable you to achieve them. This will allow you to compare your actions, timing and results with the standard to see where gaps exist and what further action is required. This map of objectives, actions and results acts as a dashboard and to-do list as you prepare for an ISO 37001 audit, and will provide the auditor with a valuable overview of your compliance program.
One last tip: find a partner you can trust
Working with an internationally recognized and experienced certification partner enhances the credibility of your ABMS. Bureau Veritas supports organizations looking to manage bribery risks, comply with legal obligations and strengthen their reputation for ethical practices by offering training, auditing and certification to ISO 37001. This comprehensive range of services familiarizes your staff with the impacts and risks of bribery in its different forms, and introduces the fundamental principles of an ABMS and its place in managing risks, enabling you to deeply embed a culture of compliance across your organization.