INTRODUCTION

What is ISO 37001:2016?

ISO 37001:2016 is the international standard for anti-bribery management systems (ABMSs) for organisations of all types and sizes, and in all parts of the world, that are committed to anti-bribery policies and controls.

The predecessor of ISO 37001 is BS 10500:2011. This, of course, is a British standard and although it attracted interest outside the UK, an international standard such as ISO 37001 will have a wider appeal across the globe.

ISO 37001 has a number of similarities to standards such as ISO 9001:2015, ISO 14001:2015 and ISO 27001:2013. This is because they all provide for a management system structured around ISO’s Annex SL. Those organisations operating to, say, ISO 9001:2015 will find a wide degree of compatibility with the new ISO 37001:2016 in terms of broad approach and structure, e.g. a leadership-based, risk-based and process-based management system.

However, there are surprisingly few differences in terms of operational requirements between BS 10500:2011 and ISO 37001:2016 if the above structural changes are understood and implemented.

In short, ISO 37001 specifies a number of anti-bribery policies and procedures that an organisation can establish, implement and maintain in order to prevent bribery from occurring, and to help it to effectively identify and deal with any bribery that does occur.

What does ISO 37001 mean in terms of corporate policy?

An ABMS provides a framework for top management and other leadership elements of an organisation to decide upon risk-based objectives in order to minimise the risk of bribery impacting their organisation.

As with all management systems, it starts with leadership. An ABMS shows that an organisation is serious about legal compliance and that it is doing all it reasonably can to prevent itself from becoming involved in corrupt practices. It presents an ongoing commitment to continual improvement.

Implementing an ABMS helps organisations to mitigate reputational risk. Normally, the greater the public profile of an organisation, the more it needs to avoid being associated with anything that might be seen to be questionable by the law, regulators, its customers or any other stakeholders.

Having an ABMS in place does not guarantee compliance with ISO 37001, as an organisation still needs to adapt its culture, ensuring its commitment to anti-bribery is communicated throughout the business and well-practised. Implementing ISO 37001 helps organisations to promote and maintain a compliance approach to anti-bribery standards and laws, while ensuring that the ABMS is appropriate to the size of the organisation and the level of bribery risk it faces.

Risk-based approach to management

ISO 37001 follows the structure of Annex SL, which is an ISO document established as the framework for new assessable standards and revisions to existing ones (such as ISO 9001, ISO 14001 and ISO 27001).

One key element of Annex SL is that process-based management systems should define objectives in accordance with the organisation’s risks and opportunities, whereby the leadership of the organisation decides the key risks and opportunities relevant to the management system.

The five main differences between ISO 37001 and its predecessor, BS 10500, are, broadly:

  1. A new focus on leadership, through top management and the leadership of the governing body for the ABMS. The term ‘governing body’ needs to be defined in your own organisation. Governance sits above the operational decision making of top management. The following list is not exhaustive, but in the public sector governance might be elected representatives, in a charity it might be its trustees, in a company it might be non-executive directors and/or an external regulatory body, and in a very large group of companies it might be the holding company’s board of directors (supervising the board of its subsidiary).

  2. There is no compliance manager requirement in ISO 37001 (unlike BS 10500). The ABMS is the direct responsibility of top management. However, top management may delegate some aspects of ABMS delivery to what ISO 37001 describes as the anti-bribery compliance function and, in some organisations, this may be a compliance manager.

  3. The introduction of a risk-based approach to process management. This includes a requirement to plan and address actions to tackle risks and opportunities. This is also likely to feed into another new requirement, which includes defining the context of the organisation. One way of looking at this is to consider the overall ABMS risk created by the risk universe that the organisation operates in – leadership, staff, customers, suppliers, competitors, regulators, trade bodies and others – which in turn influences the risks and opportunities that will be defined.

  4. More control over the anti-bribery approaches taken by business associates and any outsourced activity.

  5. There is now a specific duty to manage inadequacy in anti-bribery controls. This was implied in BS 10500, but under ISO 37001, top management needs to take formal action. For example, if during a project the initial controls put into place to prevent bribery are not effective, leadership might have to withdraw from the project or any future projects with a corrupt party. It would certainly lead to a formal review of risk-based controls and due diligence generally.

Other points of interest:

  • ISO 37001 has already formally replaced BS 10500 but a number of organisations are still using the latter and being assessed against it. The transition to ISO 37001 will take place over the coming months and new entrants are likely to adopt the Standard.

  • Since ISO 37001 is based on Annex SL, ISO 37001 can be combined or integrated with other Annex SL-aligned management systems. Therefore, a number of processes – such as defining risks and conducting management reviews or internal audits – can be integrated into one suite of processes.

  • The processes for defining the context of the organisation and defining the interests of stakeholders are similar to those in other Annex SL standards. However, with ISO 37001, these high-level analyses of the organisation and those it interacts with will feed into strategic decision making about the ABMS policy and the specific expectations of ISO 37001, such as the adequacy of anti-bribery controls.

  • Some ISO 37001 requirements align with existing business processes. For example, the requirements relating to financial controls (clause 8.3), non-financial controls (clause 8.4) and anti-bribery commitments (clause 8.6) should only need some adjustments to existing contractual arrangements.

  • Appendix A to ISO 37001 provides guidance notes to help further understand the above points.
