What is ISO 37001?
ISO 37001 is an anti-bribery management system (ABMS) standard for organizations. It was published in October 2016. It specifies various anti-bribery policies and procedures which an organization should implement to assist it in preventing bribery, and in identifying and dealing with any bribery which does occur.
It is published by the International Organization for Standardization (ISO), which is an independent, non-governmental international organization which develops and publishes International Standards. It is based in Geneva, and is made up of the national standards bodies from 162 member countries.
Who can use ISO 37001?
ISO 37001 is designed to be used by small, medium and large organizations in the public, private and voluntary sectors. It can be used by such a wide range of organizations because the standard is designed to be a flexible tool, which can be adapted according to the size and nature of the organization and the bribery risk it faces.
In which countries can ISO 37001 be used?
ISO 37001 can be used in any country. It is designed to aid compliance by the organization both with international good practice and with the relevant anti-bribery legal requirements in all countries in which the organization operates.
How was ISO 37001 developed?
ISO 37001 was developed by a Project Committee established by ISO in 2013. The committee comprised experts from the following participating and observing countries and liaison organizations.
- Participating countries (37): Australia, Austria, Brazil, Cameroon, Canada, China, Colombia, Croatia, Czech Republic, Denmark, Ecuador, Egypt, France, Germany, Guatemala, India, Iraq, Israel, Kenya, Lebanon, Malaysia, Mauritius, Mexico, Morocco, Nigeria, Norway, Pakistan, Saudi Arabia, Serbia, Singapore, Spain, Sweden, Switzerland, Tunisia, UK, USA, Zambia.
- Observing countries (22): Argentina, Armenia, Bulgaria, Chile, Cyprus, Cote d’Ivoire, Finland, Hong Kong, Hungary, Italy, Japan, Korea, Lithuania, Macau, Mongolia, Netherlands, New Zealand, Poland, Portugal, Russia, Thailand, Uruguay.
- Liaison organizations (8): ASIS, European Construction Industry Federation (FIEC), Independent International Organization for Certification (IIOC), International Federation of Consulting Engineers (FIDIC), IQNet, Organization for Economic Co-operation and Development (OECD), Transparency International (TI), World Federation of Engineering Organizations (WFEO).
- Committee Secretariat and Chair: British Standards Institution (BSI).
The draft standard was circulated for international comment, and was modified at six international drafting meetings over three years to take account of international comments. Over 120 experts from over 20 countries participated in these meetings, which were held in London, Madrid, Miami, Paris, Kuala Lumpur and Mexico City. Decisions on the text were made by consensus of participating countries.
ISO 37001 was published on 15th October 2016.
What are the potential consequences if an organization gets involved in bribery?
From an organization’s perspective, there are many potential adverse consequences if it gets involved in bribery. These consequences justify the organization taking adequate steps to prevent bribery in relation to its activities.
- Ethical factors: From an international and national perspective, bribery is now widely regarded as unethical and unacceptable. It is one of the greatest obstacles to good government and the development of safe and adequate infrastructure. Funds which could be used for schools, roads, hospitals etc. are diverted by corrupt people for their private use. Safety and environmental procedures can be corruptly avoided, resulting in dangerous infrastructure and living conditions. Ethical organizations which are unwilling to bribe lose work to unethical organizations; this is unfair to the ethical organizations, and the unethical organizations may provide lower quality and higher cost solutions.
- Legal risk: The international and national legal environment is rapidly changing, reflecting the increasing desire of people worldwide to prevent bribery.
  - Many international treaties have been signed during the last 20 years requiring member states to implement anti-bribery laws and procedures. The most internationally significant of these are the United Nations Convention against Corruption (2003) and the OECD Convention on Combating Bribery (1999).
  - Most countries have changed their laws in accordance with treaty requirements. Bribery and other corruption offences are therefore crimes worldwide. All OECD countries have now made it a crime for their nationals and organizations to bribe overseas. As a result, a person or organization may be liable for bribery both in the country where the bribery took place, and in the person or organization’s home country.
  - Individuals and organizations can be held liable for bribery under both criminal law and civil law. The type and extent of liability will depend on the laws of each country.
  - Criminal laws can result in fines and imprisonment for individuals, and fines and debarment for organizations. Prosecution agencies in many countries are now starting to investigate and prosecute organizations and individuals for bribery. There have been many recent major cases. An organization may also incur criminal liability in several jurisdictions as a result of new laws which make the organization responsible for bribes paid on its behalf or for its benefit by joint venture partners, suppliers, contractors etc. In some cases it may be a defence, or may mitigate liability, for the organization to show that it had implemented effective controls designed to prevent the relevant act of bribery.
  - Civil laws can result in contracts being terminated in the event of bribery, and individuals and organizations being required to pay compensation to parties affected by the bribery.
- Safety and quality risk: From an organization’s perspective, bribery can adversely impact on its safety and quality management. A bribe paid by the organization’s sub-contractor to the organization’s site supervisor to overlook poor safety management on site can result in death or personal injury. A bribe paid by a supplier to the organization’s procurement manager can result in the organization buying poor quality products which need repair or replacing. Therefore, effective safety and quality management also requires effective anti-bribery controls.
- Financial risk: Involvement in bribery can result in financial risk to the organization:
  - Fines levied by prosecutors or regulators.
  - Compensation paid to other parties affected by the bribery.
  - The internal management costs and external legal costs of investigating and dealing with the bribery and any consequent legal actions.
  - The costs of dealing with claims for death or personal injury resulting from bribery.
  - The costs of purchasing products which are over-expensive due to bribery, or of rectifying defective products.
- Reputational risk: Involvement in bribery can result in reputational risk for an organization and its employees. The press frequently carries articles on individuals and organizations implicated in or being prosecuted for bribery. An individual implicated in bribery may be unable to obtain employment. Customers may be unwilling to do business with an organization implicated in bribery. Ethical employees may be unwilling to work for an organization which is believed to be unethical.
How can ISO 37001 benefit an organization?
As stated in the paragraph above, bribery can have very serious adverse consequences for an organization and for its employees. It is therefore in the interests of an organization and all its employees to take reasonable and proportionate steps to prevent bribery from occurring. It is normally far cheaper and less disruptive for an organization to implement controls to prevent bribery from occurring than to deal with the consequences if bribery does occur. ISO 37001 can benefit an organization in the following ways.
- By specifying necessary policies and procedures, ISO 37001 assists an organization in implementing an ABMS, or in enhancing its existing controls. An ISO 37001 compliant ABMS can help prevent bribery from occurring, and can significantly reduce its impact if it does occur.
- It helps provide assurance to the management and owners of an organization that their organization has implemented internationally recognised good practice anti-bribery controls, and is therefore taking steps to reduce risk and any adverse consequences.
- It helps the organization provide assurance to its customers, business associates and personnel that it has implemented internationally recognised good practice anti-bribery controls, and therefore assists the organization in obtaining work, recruiting good personnel and enhancing its reputation.
- Organizations may require their major contractors, suppliers and consultants to provide evidence of compliance with ISO 37001 as part of their pre-qualification or supply chain approval process (on a similar basis to their requiring evidence of compliance with ISO 9001 (quality management) etc.).
- In the event of a bribery investigation which involves the organization, it helps provide evidence to the prosecutors or courts that the organization had taken reasonable steps to prevent bribery. It can therefore help avoid a prosecution, or mitigate the outcome.
Well-managed ethical organizations are likely to implement effective anti-bribery policies and procedures in the same way that they implement effective quality, environmental and safety policies and procedures. Many organizations are also likely to obtain independent certification to ISO 37001 in a similar way to obtaining certification to ISO 9001 (quality), ISO 14001 (environment) and ISO 45001 (safety).
What does “management system” mean?
A management system is a set of policies and procedures which can be implemented by the organization to help it control a specific risk or to help produce a specific outcome. An organization cannot for example achieve a safe working environment, or good quality products, simply by requiring this to happen. It has to implement a series of policies and procedures which are designed to achieve this outcome. On a similar basis, bribery prevention is increasingly being seen as a management issue (i.e. something which the organization needs to control through good management practices).
Will the organization have to implement a totally new stand-alone management system to control bribery risk?
No. The measures required by ISO 37001 are designed to be integrated into the organization’s existing management structure and controls. Many of the required measures will be those which the organization has already implemented. Where a new or enhanced measure is required, this can be integrated into the organization’s existing structure and systems.
Will ISO 37001 impose an unnecessarily heavy bureaucracy on an organization?
ISO 37001 should not impose an unnecessarily heavy bureaucracy on an organization. The standard specifically states that the required anti-bribery policies and procedures should be implemented in a manner which is reasonable and proportionate to a number of relevant factors, such as the size and structure of the organization, the locations and sectors in which the organization operates, the nature, scale and complexity of the organization’s activities, and the bribery risks which the organization faces.
Does ISO 37001 address all types of corruption?
No. ISO 37001 only addresses bribery, and does not address fraud, cartels, money-laundering or other criminal activities (although an organization may choose to extend the scope of its compliance management system to include such activities).
How is bribery defined in ISO 37001?
As different legal systems define bribery differently, ISO 37001 does not provide a strict definition of bribery. It provides a guidance definition to help users understand the intention and scope of the standard. The standard requires the organization to take account of the applicable legal definition of bribery in the countries in which it is operating, and to take steps to ensure that its management controls are appropriate to prevent bribery as defined in those jurisdictions.
What types of bribery does ISO 37001 aim to help prevent?
ISO 37001 aims to help prevent:
- Bribery by the organization, and by the organization’s personnel or business associates acting on the organization’s behalf or for its benefit.
- Bribery of the organization, or of the organization’s personnel or business associates in relation to the organization’s activities.
(Business associate includes parties with which the organization has a business relationship, e.g. customers, joint venture partners, consultants, sub-contractors, suppliers, agents.)
Does ISO 37001 exempt small bribes and facilitation payments?
No. ISO 37001 requires the organization to prohibit all types of bribes, large and small, including facilitation payments.
What are the types of anti-bribery measure required by ISO 37001?
ISO 37001 requires the organization to implement, in a reasonable and proportionate manner, a series of measures which are designed to help the organization prevent, detect and deal with bribery. The following summarises the key measures:
1. Implement an anti-bribery policy and supporting anti-bribery procedures (the ABMS). These procedures are the measures numbered 2 to 23 below.
2. Ensure that the organization’s top management has overall responsibility for the implementation and effectiveness of the anti-bribery policy and ABMS, and provides the appropriate commitment and leadership in this regard.
3. Ensure that responsibilities for ensuring compliance with the anti-bribery policy and ABMS are effectively allocated and communicated throughout the organization. For example:
   - department heads will be responsible for compliance within their departments;
   - all personnel will be responsible for their personal compliance.
4. Appoint a person or persons with responsibility for overseeing anti-bribery compliance by the organization (the compliance function). This person or persons can be full-time or part-time, depending on the size of the organization, and can combine this responsibility with other responsibilities.
5. Ensure that controls are in place over decision-making in relation to transactions which pose more than a low bribery risk. The decision process and the level of authority of the decision-maker(s) must be appropriate to the level of bribery risk and be free of actual or potential conflicts of interest.
6. Ensure that resources (personnel, equipment and financial) are made available as necessary for the effective implementation of the ABMS.
7. Implement appropriate vetting and controls over the organization’s personnel designed to ensure that they are competent, will comply with the anti-bribery policy and ABMS, and can be disciplined if they do not comply.
8. Provide appropriate anti-bribery training and/or guidance to personnel on the anti-bribery policy and ABMS.
9. Produce and retain appropriate documentation in relation to the design and implementation of the anti-bribery policy and ABMS.
10. Undertake periodic bribery risk assessments and appropriate due diligence on transactions and business associates.
11. Implement appropriate financial controls to reduce bribery risk (e.g. two signatures on payments, restricting use of cash, etc.).
12. Implement appropriate procurement, commercial and other non-financial controls to reduce bribery risk (e.g. separation of functions, two signatures on work approvals, etc.).
13. Ensure that all other organizations over which the organization has control implement anti-bribery measures which are reasonable and proportionate to the nature and extent of the bribery risks which the controlled organization faces.
14. Require, where it is practicable to do so and would help mitigate the bribery risk, any business associate which poses more than a low bribery risk to the organization to implement anti-bribery controls which manage the relevant bribery risk.
15. Ensure, where practicable, that appropriate anti-bribery commitments are obtained from business associates which pose more than a low bribery risk to the organization.
16. Implement controls over gifts, hospitality, donations and similar benefits to prevent them from being used for bribery purposes.
17. Ensure that the organization does not participate in, or withdraws from, any transaction where it cannot appropriately manage the bribery risk.
18. Implement reporting (whistle-blowing) procedures which encourage and enable persons to report suspected bribery, or any violation of or weakness in the ABMS, to the compliance function or to appropriate personnel.
19. Implement procedures to investigate and deal appropriately with any suspected or actual bribery or violation of the ABMS.
20. Monitor, measure and evaluate the effectiveness of the ABMS procedures.
21. Undertake internal audits at planned intervals which assess whether the ABMS conforms to the requirements of ISO 37001 and is being effectively implemented.
22. Undertake periodic reviews by the compliance function and top management of the effectiveness of the ABMS.
23. Rectify any identified problem with the ABMS, and improve the ABMS as necessary.
ISO 37001 has an Annex which contains guidance to help an organization implement the ABMS.
Does the organization need to comply with all of the ISO 37001 requirements?
Yes. ISO 37001 specifies various anti-bribery policies and procedures which the organization must implement to assist it in preventing bribery, and in identifying and dealing with any bribery which does occur. An organization is only compliant with ISO 37001 if it has implemented all of the required measures. However, these measures should be implemented by the organization in a reasonable and proportionate manner according to the type and size of the organization, and the nature and extent of bribery risks it faces.
Can a third party certify the organization’s compliance with ISO 37001?
Yes. An organization’s compliance with ISO 37001 can be certified by an independent third party.
- This provides additional assurance that the organization is compliant.
- The risk of corrupt or negligent certification is reduced by the use of major, well-known, accredited national or international certifiers.
There is no obligation on an organization to obtain independent certification to ISO 37001. An organization may simply ensure that its procedures are compliant with the standard. However, independent certification adds an extra level of independent assurance.
What is the cost of implementing ISO 37001?
There is likely to be a cost to an organization of implementing an ISO 37001 compliant ABMS. The organization needs to put sufficient resources into the design and implementation of the programme so that it works effectively. Some organizations will already have implemented an anti-bribery programme which is compliant with international good practice, and in this case may not need to incur any additional expenditure. Other organizations may need only to implement some limited enhancements. At the other end of the spectrum, some organizations may have no controls, and may therefore need to incur the time and expense to put an effective control environment in place.
The actual cost will depend on many factors such as the size of the organization, the complexity of its structure and operations, where it does business, the number of interactions it has with other organizations etc.
If the organization chooses to get its programme independently certified, then there will also be the cost of certification. This cost is also likely to vary according to the size and structure of the organization (which is the same as with e.g. ISO 9001).
The cost of implementing the anti-bribery programme and (if applicable) obtaining certification is unlikely to be a competitive disadvantage. If, for example, a procuring entity requires all its bidders to be certified to ISO 37001, then all bidders will be required to bear the cost and so will be on an equivalent footing. Where certification to ISO 37001 is not a tender requirement, organizations may find it a competitive advantage to be certified, as they will be able to show the procuring entity that they have an ABMS in place which may gain them an advantage in the procurement evaluation.
The cost of implementing the anti-bribery programme and obtaining certification is also likely to be minimal when compared to the loss and damage which could be suffered by an organization which gets involved in bribery. Having such a system can help prevent this loss and damage, and therefore save money.
Can implementing an ISO 37001 compliant ABMS provide assurance that no bribery will take place?
No, it is not possible to completely eliminate the risk of bribery. However, implementing an ISO 37001 compliant ABMS can help assure an organization that it has implemented reasonable and proportionate measures designed to prevent, detect and deal with bribery, and so minimise the risk of bribery and its consequences.
Can ISO 37001 be used in conjunction with other ISO management system standards?
Yes. ISO 37001 uses the same common structure, terminology and methodology as ISO 9001 (quality management), ISO 14001 (environmental management) and ISO 45001 (safety management). Therefore, an organization can implement some or all of these standards in a similar and integrated manner. ISO 37001 can also be used in conjunction with other standards.
Is ISO 37001 just a tick box exercise?
No. An organization cannot achieve compliance with ISO 37001 just by ticking boxes. It requires:
- The genuine commitment of the organization’s top management to make the system work.
- The planning and design of policies and procedures intended to prevent bribery.
- The effective implementation of these policies and procedures.
- Monitoring and review of the effectiveness of these policies and procedures.
- Continual improvement of the policies and procedures to ensure their effectiveness.
Will ISO 37001 be widely used?
As ISO 37001 was only published in October 2016, it is too early to tell how widely it will be used. However, it is believed that ISO 37001 will become a widely used and recognised ABMS, as:
- It is the world’s first internationally recognised ABMS which can be independently certified.
- It can be implemented together with other management standards (such as ISO 9001, 14001 and 45001).
- It achieved very wide international support in its development (59 participating and observing countries).
How do I obtain a copy of ISO 37001?
Any organization which wishes to use ISO 37001 must first purchase a copy, as it is a copyrighted product. It can be purchased from ISO’s web-site for 158 Swiss Francs.
Many national standards agencies also sell it on their web-sites.
Any organization using ISO 37001 should rely on the full text of ISO 37001, not on the summary on this web-page.
How do I obtain further guidance on implementing an ISO 37001 compliant ABMS?
ISO 37001 has an Annex which contains some guidance on implementing ISO 37001.
For further information on ISO 37001, see the ISO web-page.
GIACC’s free on-line anti-corruption programme for organizations provides detailed guidance and supporting templates to assist an organization implement an anti-bribery programme. GIACC’s programme is consistent with the requirements of ISO 37001. GIACC’s guidance and templates can therefore help an organization implement an ISO 37001 compliant programme.
Is British Standard BS 10500 still in force?
ISO 37001 superseded BS 10500 (specification for an anti-bribery management system) with effect from 15th October 2016. Organizations which were compliant with or certified to BS 10500 were able to continue to use BS 10500 for a transitional period to the end of 2019. After that, they will be unable to be certified to BS 10500, and will need to switch to ISO 37001.
BS 10500 will continue to be relevant even after its discontinuance in relation to any investigation which relates to a period during which the organization claims to have been compliant with or certified to BS 10500.
For information on BS 10500 see BS 10500.