Module 10:  The benefits and requirements of ISO 37001

Requirements: (11) Risk assessment; (12) Due diligence; (13) Withdrawal

(11)  Risk assessment

Undertake periodic (e.g. annual) bribery risk assessments which examine the likely level of bribery risk which the organisation faces when undertaking its business. 

This risk assessment will normally take account of the type of business which the organisation undertakes, the countries where it operates, and the types of business associate with which it may work.  It will normally allocate a risk band to each category of risk (e.g. low, medium and high). 

The risk assessment will then assess whether risks which are categorised as medium or high can be reduced to an acceptable low level of risk by application of the organisation’s anti-bribery controls contained in the ABMS.  If the level of risk is not adequately reduced, the organisation can, where appropriate, increase the level of controls until the risk is so reduced.

(12)  Due diligence

When the organisation enters into a specific transaction which falls within a medium or high bribery risk category identified in the risk assessment, then the organisation should undertake due diligence on that transaction prior to entering into it, so as to ensure that the organisation’s ABMS can effectively reduce the risk of that transaction to low risk.

For example, before entering into a contract with a new business associate, the organisation should:

  • undertake an internet search on that business associate and its key managers to see whether there are any rumours of bribery in relation to them
  • discuss the risk of bribery with the senior management of that business associate, and obtain reasonable assurance that the business associate will act with integrity in relation to the relevant transaction.

Using the information obtained from the due diligence, and taking into account the organisation’s ABMS, the organisation will then determine whether the risk of entering into a transaction with that business associate is suitably low.

(13)  Withdrawal from transaction

If the risk assessment and any consequent due diligence in relation to a transaction ascertains that the bribery risk is unacceptably high, and that the ABMS of the organisation is unlikely to be able to reduce this risk to an acceptably low level, then the organisation should not participate in the transaction.  If the transaction is already ongoing, then the organisation should withdraw from it as soon as reasonably practicable.


January 2025