The DNV survey revealed that companies are most concerned about compliance, reputation and ethical risks. Meeting legal requirements tops the list (78%) of reasons to apply anti-bribery measures. There is little doubt that applying accepted best-practices like the ISO standards can make regulatory compliance easier and improve the ability to manage other risks as well. However, uptake of the anti-bribery management system standard was initially slow but seems to be accelerating. In 2018 only 389 organizations were certified to ISO 37001, and although that number reached 2,896 in 2021, it is still minuscule when compared to the over 1 million organizations globally certified to ISO 9001, the quality management systems standard, for example.
Benefits of a proactive approach
Many companies begin a structured journey and perhaps certification to ISO 37001 after an incident – often resulting in heavy financial losses and fines – within their organization. This would seem to indicate that most companies would have benefitted from a proactive rather than a reactive approach.
ISO 37001 provides requirements and guidance for any organization to establish, implement, review and improve an anti-bribery management system. The requirements are designed to help prevent, detect and respond to bribery as well as comply with anti-bribery laws and voluntary commitments. Certification to ISO 37001 assures stakeholders, internally and externally, that effective anti-bribery measures are in place, maintained and continually improved.
While ISO 37001 primarily covers bribery, other aspects such as fraud or money laundering can be included in the management system scope in accordance with relevant legislation and best-practices.
Establishing an ISO 37001 compliant management system will most certainly help build a better understanding of risks both internally and throughout the supply chain. Most importantly, it enables a proactive rather than reactive approach to the issue. Most often, perpetrators show behavioral red flags. A management system covering awareness training and whistleblowing mechanisms is likely to improve any organization’s ability to prevent or uncover issues to be managed.
What are companies certified to ISO 37001 discovering?
Diving into the data from all anti-bribery management system audits performed by DNV in 2022 provides a unique view into the areas that companies certified to ISO 37001 find most challenging. However, knowing where their risks are allows for effective improvement measures.
The areas of the standard causing companies the most concern are Chapter 7 Support and Chapter 8 Operations, where 83% and 88% respectively receive findings. For about 50% and 62% respectively of the companies these are non-conformities, which means that corrective actions must be implemented in order to be fully compliant with the ISO 37001 requirements.
Chapter 4 Context of the organization and Chapter 5 Leadership also appear to be causing problems with findings of 76% (32% with non-conformities) and 71% (34% with non-conformities) respectively.
It should be noted that these four chapters along with Chapter 9 Performance evaluation do contain a far higher level of mandatory requirements than the other chapters of the standard. However, the high number of non-conformities in those chapters is almost certainly attributable to the level of maturity. This should improve as organizations improve their management systems and implementation.
A deeper look at the sub-clauses of the standard, analyzing the most common findings and non-conformities, makes it clear that due diligence, risk assessments and controls must be addressed further in most companies.
The higher concentration of findings in Chapter 8 Operation derives from the fact that this chapter applies across all processes in the organization. As an example, it includes the conduct of due diligence which applies to people, business partners, activities, projects, transactions and extraordinary transactions such as mergers and acquisitions. It is common that anti-bribery due diligence is confused with other due diligence activities already in use in the organization even though the processes are different and separate.
The high number of issues in Chapter 4 Context of the organization demonstrates a lack of documentation in the system, and in Chapter 5 Leadership, poor commitment by the management team or incorrect handling of conflicts of interest. Chapter 7 Support contains requirements applicable to human resources in terms of managing the selection process, staff recruitment, internal communication, management of remuneration and incentive policies, and training on anti-bribery. Findings against Chapter 9 Performance evaluation relate to poor monitoring of the anti-bribery management system, which is essential to get right in order to improve.
While there are central areas where the certified companies can and must improve, the benefit these companies have is that they are aware of their risks and where to concentrate improvement efforts. However, companies satisfied with implementing an anti-bribery policy only, as the DNV survey showed is the case for many, have little control of their risks or means to uncover and manage an incident should it occur.