Guest blogger Neill Stansbury is the Co-founder and Director of GIACC, and Chair of the ISO 37001 Project Committee.

Background

The International Organization for Standardization (ISO) is an independent, non-governmental organisation whose members are the national standards bodies from 162 countries.  It publishes international standards. The most popular global standard is ISO 9001 Quality Management System, which is used by over 1,000,000 organisations in 178 countries.  The second most popular global standard is ISO 14001 Environmental Management System.

In 2013, ISO decided to develop an international anti-bribery management system standard.  The standard, which is numbered ISO 37001, has been developed by an ISO Project Committee.  It uses the same overall template as ISO 9001 and ISO 14001.

The following countries and organisations are members of the ISO 37001 Project Committee:

Participating countries (37):  Australia, Austria, Brazil, Cameroon, Canada, China, Colombia, Croatia, Czech Republic, Denmark, Ecuador, Egypt, France, Germany, Guatemala, India, Iraq, Israel, Kenya, Lebanon, Malaysia, Mauritius, Mexico, Morocco, Nigeria, Norway, Pakistan, Saudi Arabia, Serbia, Singapore, Spain, Sweden, Switzerland, Tunisia, UK, USA, Zambia.

Observing countries (22): Argentina, Armenia, Bulgaria, Chile, Cyprus, Cote d’Ivoire, Finland, Hong Kong, Hungary, Italy, Japan, Korea, Lithuania, Macau, Mongolia, Netherlands, New Zealand, Poland, Portugal, Russia, Thailand, Uruguay.

Liaison organisations (8): ASIS, European Construction Industry Federation, Independent International Organisation for Certification, International Federation of Consulting Engineers, IQNet, OECD, Transparency International, World Federation of Engineering Organisations.

Committee Secretariat and Chair:  UK.

The draft standard was developed and amended over the course of three years by a process of international consultation and drafting meetings.  ISO 37001 was approved by final vote of participating countries, and was published on 15th October 2016.

Purpose and scope of ISO 37001

ISO 37001 is intended to help an organisation to implement an effective anti-bribery management system.  It can be used internationally.  The requirements of internationally recognised good practice are taken into account.  It is applicable to small, medium and large organisations in the public, private and voluntary sectors.

Compliance with ISO 37001 cannot provide assurance that no bribery has occurred or will occur in relation to an organisation.  However, the standard can help establish that the organisation has implemented reasonable and proportionate measures designed to prevent bribery.

Well-managed ethical organisations are likely to implement effective anti-bribery management systems in their organisations in the same way that they would implement effective quality, environmental and safety management systems.

ISO 37001 is likely to be useful to organisations in the following way.

• It will help provide assurance to the board and shareholders of an organisation that their organisation has implemented good practice anti-bribery controls.

• A project developer or project funder may require the contractors, suppliers and consultants which are constructing a project to provide certification to ISO 37001 as evidence that they have implemented anti-bribery controls in their organisations.

• Organisations may require their major sub-contractors, suppliers and consultants to provide evidence of certification to ISO 37001 as part of their supply chain approval process.

ISO 37001 is applicable only to bribery.  It is not applicable to other criminal offences such as fraud, cartels, and money laundering, although the organisation may choose to extend the scope of its anti-bribery programme to include these other offences.

Requirements of ISO 37001

In order to comply with ISO 37001, an organisation must implement specified minimum requirements in a manner which is reasonable and proportionate to the bribery risk faced by the organisation.  These requirements include the following:

• Implement an anti-bribery policy and programme.
• Communicate the policy and programme to all relevant personnel and business associates (joint venture partners, sub-contractors, suppliers, consultants etc.).
• Appoint a compliance manager (full time or part time) to oversee the programme.
• Provide appropriate anti-bribery training to personnel.
• Assess bribery risks, including undertaking appropriate due diligence.
• Take reasonable steps to ensure that controlled organisations and business associates have implemented appropriate anti-bribery controls.
• Verify as far as reasonable that personnel will comply with the anti-bribery policy.
• Control gifts, hospitality, donations and similar benefits to ensure that they do not have a corrupt purpose.
• Implement appropriate financial, procurement, contractual and other commercial controls so as to help prevent the risk of bribery.
• Implement reporting (whistle-blowing) procedures.
• Investigate and deal appropriately with any actual or suspected bribery.
• Monitor and review the effectiveness of the programme, and make improvements where necessary.

ISO 37001 has an Annex which contains guidance to help an organisation implement the anti-bribery programme.

Certification to ISO 37001

ISO 37001 will be most effective if its implementation by an organisation is independently certified.  Certification bodies could be the existing organisations which provide certification to e.g. ISO 9001.  They could also be accounting practices which can provide certification as part of their annual financial audit.  Alternatively, other organisations could provide this service.

The cost of certification is likely to vary according to the size of the organisation obtaining the certification (as is the case with the cost of obtaining certification, for example, to ISO 9001).  The cost of implementing the anti-bribery programme and obtaining certification is unlikely to be a competitive disadvantage.  If, for example, a procuring entity requires all its bidders to be certified to ISO 37001, then all bidders will be required to bear the cost and so will be on an equivalent footing.  Where certification to ISO 37001 is not a tender requirement, organisations may be able to show the procuring entity that they have an anti-bribery management system in place which may gain them an advantage in the procurement evaluation.

The cost of implementing the anti-bribery programme and obtaining certification is also likely to be minimal when compared to the loss and damage which could be suffered by an organisation which gets involved in bribery.  Having such a system can help prevent this loss and damage.

For further information on ISO 37001, see ISO web-page.