ISO 37001:2016 was published by the International Standards Organization on October 15th, 2016. This 45 page standard, 22 pages of the actual standard plus 23 pages of guidance, sets out the processes by which any organization will be measured as to how it addresses the issue of bribery across the globe.
Failure to act appropriately and in accordance with this standard has consequences. It is likely that significantly higher penalties could be applied if appropriate steps had not been taken by the organization. And, importantly, the organization has been able to demonstrate that it has taken all reasonable steps to prevent bribery. Benchmarking against ISO 37001 is likely to become the norm when assessing culpability.
This standard provides guidance on how to implement and maintain an anti-bribery management system – the main benefits of doing so being:
- minimizing reputational damage if bribery has occurred
- minimizing penalties, and
- taking a risk based approach — essentially targeting those activities that have the highest potential for some form of bribery activity.
A key component of the standard is in 4.5 Bribery Risk Assessment where the standard drives towards risk based approach. This section is used in identifying bribery risks, analyzing those risks, prioritizing the risks, and evaluating the effectiveness of existing controls to mitigate bribery risk. Although not referenced in this section, the system should also be expected to record and report on the plans to improve control activity. Essentially producing a list of bribery risks, ranked by inherent risk, current risk and target risk levels. This fits in well with the concepts outlined in ISO 31000 and other enterprise wide risk management guidance. Tucked inside, 4.5.4 stresses the need to maintain a well documented process to support defense against allegations made against the organization.
The standard defines that controls may be financial or non-financial and that these controls shall apply to the organization and its business associates. This extends the need to actively measure and monitor the third party relationship and how those parties are managing bribery issues. This also extends the vendor risk management process from simply monitoring if the vendor is able to supply the required services or products to include how well these third parties are conforming with anti-bribery requirements. Additionally, it includes client relationships within the scope of this process — providing goods or services to an organization that is found to have been breaching bribery laws may reflect badly on their vendors and clients.
The explicit relationship with Internal Audit (9.2) emphasizes the need for integrated risk management systems that connect a wide range of previously siloed systems. Risk management, Finance, Compliance, Legal, Internal Audit, and even Crisis Management need to be interconnected, with the appropriate safeguards on data to ensure all the relevant stakeholders and requirements are adequately addressed.
Organizations must now take positive steps to determine if they have the right processes in place to respond to questions from stakeholders on how they are managing bribery issues, before becoming tainted by a well publicized bribery event.