In the past, many businesses regarded bribery as an unfortunate but necessary cost of doing business in certain countries and sectors. There has been increasing recognition, however, that bribery has a corrosive effect not only on the organizations and individuals that practice it, but also on the wider community and the institutions that support it. There is now wide support for global calls for effective action to be taken against the risk of bribery both within an organization and across all its global value chains and subsidiaries.
In light of this, the International Standards Organization (ISO) released the ISO standard 37001:2016 ‘Anti-bribery management systems — Requirements with guidance for use’, to provide a formal standard for organizations to support anti-bribery efforts. The standard is designed to complement existing anti-bribery measures that an organization’s management may already have in place while defining and broadening the scope of such measures, providing clarity on the specific procedures and controls that organizations need to have in place, and providing guidance on how to implement these requirements as efficiently and effectively as possible.
The overall aim of the ISO 37001 standard is to prevent and detect bribery and to deal with it when it occurs. The standard is applicable whether bribery is instigated by the organization itself, by any of its employees, or on its behalf by any associated businesses or subsidiaries. Through well-defined policies, measures and controls, as well as implementation guidance, the standard sets specific requirements for preventing and combating bribery.
To support anti-bribery goals, it specifies what is required in the following areas: senior management leadership and responsibility; creation of anti-bribery policies and procedures; oversight by a compliance function; staff anti-bribery training; regular risk assessments and due diligence on business associates and specific projects; anti-bribery controls in all financial, purchasing and commercial contracts entered into; a reporting regime that provides constant monitoring and investigation; corrective action reporting for all incidents; and a plan for ongoing continual assessment and improvement of these requirements.
The ISO 37001 standard has been designed to be flexible and broad enough that it can be used by organizations of any size and in any market in which they operate. The standard seeks to define the procedures, policies and controls in general terms that are reasonable and proportionate; the scale and complexity of an organization will determine how much effort is required to implement them effectively.