ISO37001: How You Should Prepare For Certification – Risk Assessment And Planning
In our previous blog, we reported that ISO37001, the internationally recognised standard for anti-bribery management systems, had been published.
The standard itself says that a "well-managed organisation is expected to have a compliance policy supported by appropriate management systems to assist it in complying with its legal obligations and commitment to integrity. An anti-bribery policy is a component of an overall compliance policy. The anti-bribery policy and supporting management system helps an organisation to avoid or mitigate the costs, risk and damage of involvement in bribery, to promote trust and confidence in business dealings and to enhance its reputation".
The standard acts as a step-by-step guide on how to develop a management system designed to help an organisation prevent, detect and respond to bribery, from the initial risk assessment phase through to implementation, audit, review and improvement. The standard seems to follow the UK’s Ministry of Justice guidance on what constitutes “adequate procedures” under the Bribery Act 2010, and so those organisations which have already followed that guidance in preparing their anti-bribery management system should in theory be able to get that management system into shape for certification under ISO37001.
There is an initial introductory page followed by a preamble in sections 1 to 3 detailing the scope of the standard and listing some terms and definitions which are used throughout. Sections 4 to 6 explain Context, Leadership and Planning; section 7, Resources and Training; section 8, Operation (including due diligence); section 9, Performance Evaluation; and section 10, Improvement. Annex A sets out some more detailed guidance.
In this and the following updates we take a closer look at what we think are the key areas for organisations to focus on in order to prepare for the certification process.
Section 4 – Context of the Organisation
The first step in the process is for an organisation to ask itself what are the biggest bribery risks it faces. In order to answer this question an organisation can take account of many factors, including: its size, its location and the sectors in which it operates; the entities over which it has control and entities which exercise control over the organisation; the nature and extent of its interactions with public officials; and the needs and expectations of stakeholders.
Once this assessment has been undertaken, the risks identified should be prioritised and the suitability and effectiveness of the organisation’s existing controls should be assessed.
The nature and extent of any risk assessment process will vary from organisation to organisation. There is no “one size fits all” approach and it is very much for the organisation to decide, based on the factors above, what form its risk assessment should take. For larger organisations operating globally this exercise is likely to be complex.
Any bribery risk assessment should be reviewed on a regular basis and updated to reflect changes and new information.
Annex A provides more detailed guidance on how this risk assessment should be undertaken, as well as guidance on the scope of the management system and on the principle that the measures implemented should be “reasonable and proportionate” to the bribery risks identified. The management system should provide staff with guidance on what to do if they are faced with requests or demands for payment, or if they have made or received a payment themselves, and what the organisation itself should do in such circumstances.
Whilst the standard will not provide organisations with all of the answers, there is no doubt that ISO37001 serves as a useful benchmark for organisations seeking to either set up a new anti-bribery management system or review an existing one. However, the risk assessment process will differ from organisation to organisation and you may need to review and update yours as new information becomes available. This process should always be carried out in consultation with your organisation’s compliance officers and legal advisors.
Our next blog will look at leadership and the roles and responsibilities of an organisation’s governing body and top management.