ISO37001 anti-bribery management system

According to the World Bank approximately US$1 trillion is paid in bribes each year around the world. The economic loss from corruption is estimated to be many times that number.¹

Undoubtedly one of the gravest risks to any business is corruption. In addition to the significant reputational harm it can cause and the subsequent in-country legal and criminal implications, there are a range of international conventions and legislations that can expose the business to a broader range of sanctions. These include, but are not limited to, the Foreign Corrupt Practices Act (FCPA) in the United States, the UK Anti-Bribery Act and the the French Sapin II Law.

The Kingdom of Saudi Arabia signed the United Nations Convention against Corruption on 9 January 2004 and ratified the same on 29 April 2013. May 2011 saw the establishment of the National Anti-Corruption Commission (Nazaha) to combat administrative and financial corruption. Nazaha encompasses all public sectors—with no exception—with the intent to combat financial and administrative corruption, defining corruption as “every act that threatens the public interest as well as any abuse of the civil service in order to earn an individual advantage.”²

In a bid to assist organizations the International Organization for Standardization released the new ISO 37001: Anti-Bribery Management System Standard in October last year (see MEPOV Spring 2017.) Saudi Arabia was one of the 37 countries that participated in the development of this new standard which is designed to support organizations in their bribery and promote an ethical business culture by establishing, implementing and maintaining an anti-bribery compliance program. 

The standard sets out a series of measures that an organization must implement and address that represent globally recognized anti-bribery best practice:³

• Bribery by the organization, or by its personnel or business associates acting on the organization’s behalf or for its benefit.
• Bribery of the organization, or of its personnel or business associates in relation to the organization’s activities.

This standard can be used by any organization, large or small, whether it be in the public, private or voluntary sector, and in any country. It is a flexible tool, which can be adapted according to the size and nature of the organization and the bribery risk it faces.  But how exactly will this new standard benefit organizations? Here are a few examples:

• Ensuring compliance with global best practices in respect of anti-bribery good practice;
• Assurance to management, investors, business associates, personnel, and other stakeholders that an organization is taking reasonable steps to prevent bribery;
• Supporting organizations to establish, implement, maintain and improve an anti-bribery compliance program;
• Commercial advantage, particularly when contracting with other companies operating under strict anti-corruption laws, such as the United States;
• Certification – third parties will be able to certify an organization’s compliance with the standard in the same way that they are certified with other standards such as ISO 9001 and 14001. Currently Microsoft and Wal-Mart are seeking such certification as they see value in having a uniform international standard to combat bribery⁴;
• Providing minimum requirements and supporting guidance for implementing or benchmarking an anti-bribery management system;
• Evidence in court that an organization has taken reasonable steps to prevent bribery.

And just what measure will organizations have to implement? Broadly the measures to help organizations prevent, detect and address bribery include:

1. Implementing an anti-bribery policy and program;
2. Communicating the policy and program to all relevant personnel and business associates (joint venture partners, sub-contractors, suppliers, consultants etc.);
3. Appointing a compliance manager (full- or part-time) to oversee the program;
4. Providing appropriate anti-bribery training to personnel;
5. Assessing bribery risks, including appropriate due diligence;
6. Take reasonable and proportionate steps to ensure that controlled organizations and business associates have implemented appropriate anti-bribery controls;
7. Verify as far as reasonable that personnel will comply with the anti-bribery policy;
8. Controlling gifts, hospitality, donations and similar benefits to ensure that they do not have a corrupt purpose;
9. Implementing appropriate financial, procurement and other commercial controls so as to help prevent the risk of bribery;
10. Implement reporting (whistle-blowing) procedures;
11. Investigating and dealing appropriately with any actual or suspected bribery;
12. Conduct appropriate due diligence on staff, third parties, business partners and transactions.

The above required measures are designed to be integrated into the organization’s existing management processes and controls and follows the common ISO structure for management system standards.

But there are also three fundamental elements that organizations who wish to ensure the success of the Anti-Bribery Management System (ABMS) need to consider, as outlined below.

Top level commitment

It is crucial that top management fully support and back the compliance program as without their support the program is doomed to fail from the start. Senior management needs to demonstrate that it is committed to preventing bribery and must clearly communicate its anti-bribery stance to all stakeholders.

Naturally senior management may be concerned that the implementation of this new standard would inflict an unnecessary additional burden of red tape on the organization, processes and procedures. This is not necessarily the case as the ABMS only requires that anti-bribery measures are implemented in a manner that is “reasonable and proportionate” to the:⁵

• Size and structure of the organization;
• Its location and the business sector within which it operates;
• The nature, scale and complexity of its activities; and,
• The bribery risk it faces. 

Top management needs to understand that being able to demonstrate successful implementation of ABMS will provide assurance to all the stakeholders that the organization has implemented internationally recognized good practice anti-bribery controls and is taking reasonable steps to prevent bribery. 

Communication

The second most fundamental element to ABMS is continuous communication. By using communication in conjunction with consultation and the participation of all stakeholders the organization will be able to establish and reinforce the significance of ABMS throughout the organization. 

Senior management will have to continuously communicate its stance on anti-bribery and the importance of ABMS, the organization’s anti-bribery policy, procedures and the duty to comply throughout the organization through poster campaigns, newsletters, company magazines, the company intranet, regular employee training and consistent e-mail communication.

In order to embed the bribery prevention policies and procedures and ensure they are understood, the organization will have to communicate the anti-bribery policy and programme to all relevant personnel and business associates, including joint venture partners, sub-contractors, suppliers and consultants among others.

For record purposes the organization should retain a record on the training provided to employees and third parties, including the content of the training material, information on the training procedures, to whom it was provided and when. The challenge for the organization is to ensure that the training is properly understood by employees throughout the organization.

Compliance with the ISO 37001 demonstrates to customers, stakeholders, business associates, regulatory authorities, personnel, and the public that the organization is committed to ethical business practices. In times of rigorous media scrutiny of business ethics, certification in terms of ISO 37001 also provides a substantial competitive advantage.

Adequate resources and budget

The third fundamental element is to appoint a compliance manager/officer to oversee the design and implementation of the ABMS program. The compliance manager’s role will also include providing advice and guidance to personnel on the ABMS system and issues relating to bribery and ensuring compliance to the ISO standard. 

The challenge for the organization is to ensure that this role is adequately resourced and funded and assigned to appropriate persons with the relevant skills, necessary competence, status, independence and authority. The compliance function must have direct access to top management.

Application of such a program can be challenging and there are a number of organizations grappling with implementation currently. With giants like Microsoft and Wal-Mart now seeking certification there will be pressure on more organizations to get their houses in order.

The ISO:37001 Standard can be found at: www.iso.org/standard/65034.html

by Roy Gillespie, Director, Forensic, Financial Advisory, Deloitte, Middle East

Endnotes

1. Nazaha, Strategy No.: (43), Date :01/02/1428 A.H, available online at https://www.nazaha.gov.sa/en/About/Pages/Strategy.aspx
2. Nazaha, Strategy No.: (43), Date :01/02/1428 A.H, available online at www.nazaha.gov.sa/en/About/Pages/Strategy.aspx
3. Adapted from ISO/DIS 37001, Anti-bribery management systems - Requirements with guidance for use www.iso.org/iso/catalogue_detail.htm?csnumber=65034
4. Microsoft and Wal-Mart seek ISO:37001 Anti-Bribery Certification, The FCPA Blog, available online at www.fcpablog.com/blog/2017/5/11/microsoft-and-wal-mart-seek-iso-37001-anti-bribery-certifica.html
5. ISO, ISO:37001, Anti-Bribery Management System Standard, FAQS Summary, 2015