Statement: Coronavirus (COVID-19)

ISO 37001 - Q&A Session

1. Can you briefly describe the history and importance of ISO 37001? 

ISO 37001 History

ISO 37001 originated as the result of a meeting held in London in June 2013 and had its scope and title approved by the ISO Technical Management Board, in September 2013. ISO/PC 278 Anti-Bribery Management Systems was then subsequently created.

The first official meeting occurred in March 2014 in Madrid, where two important decisions were made:

  • to use the British Standard BS 10500 as a basis, which deals with an Anti-Bribery Management System; and
  • to adopt the same structure as the ISO Management System Standards, for example ISO 9001, in order to ensure compatibility among the various ISO Management System standards, facilitating its implementation.

To complete the standard, four more meetings were held in Miami, Paris, Kuala Lumpur and Mexico, the last one having occurred from May 31 to June 2, 2016. Sixty-five experts from thirty-three countries, including the Brazilian Delegation, have participated in this meeting. 

Officially, on October 15th, 2016 ISO 37001 was published in Genève.

Importance of ISO 37001

As it is widely-known, bribery is one of the world’s most destructive and challenging issues. With over US$ 1.5 trillion paid in bribes every year according to the World Bank estimate, the consequences are catastrophic – reducing quality of life, increasing poverty, and eroding public trust. It is a major obstacle for democracy and the rule of law. As such, ISO 37001 is considered to be a huge benefit for the civil society.

Impact of bribery on Society

The impacts that bribery has on society are vile, some to mention are: 

  • allows organized crime, terrorism and other threats to human security, 
  • hampers development, 
  • drives away investments, 
  • leads to loss of confidence in government and institutions, and 
  • causes serious social, moral, economic, and political problems.

Impact of bribery on Individuals

  • denies access to basic services,
  • erodes the quality of life,
  • denies opportunities for employment,
  • ruins careers and reputation

The countries bribed had to suffer the consequences of rising costs for hospitals, roads, and other basic services.

Impact of bribery on Business

Businesses are impacted by bribery in various aspects including:

  • distortion of markets and competition, 
  • increases in the cost of doing business, 
  • causes in loss of business reputation, and 
  • wrong incentives

Bribery scandals have caused reputational damage to the companies involved.

World Bribery Cases

Bribery is a world phenomenon that goes from A, Argentina, up to Z, Zambia.

A report by the OECD found that more than 50% of foreign bribery cases between 1999 and 2014, occurred in just four sectors: construction, extraction, transportation, and IT/communication. We can add here the defense sector too.

A German conglomerate was embroiled in the largest bribery case seen in history years ago. Bribery payments between 2001 - 2007, the majority of which were made via external consultants, let us say business associates, totaled a staggering US $1.4bn.

Unfortunately, bribery is many organization’s business model. Among the biggest examples of this Germany organization, was a US $40m bribe payout to the president of Argentina to obtain a one-billion-dollar contract for producing national identity cards.

Other payouts included US $16m of bribe to build rail lines in Venezuela and US $14m for medical equipment in China.

In 2009, a Texas-based engineering and construction company, pleaded guilty to paying government officials in Nigeria to win engineering, procurement and construction contracts – worth more than US $6bn for a liquefied natural gas plant.

Furthermore, one of the world’s biggest defense companies, had bribed foreign officials with payments worth hundreds of millions of US $, to obtain defense contracts in Saudi Arabia. In Bangladesh officials received US $5m in bribe to obtain a mobile phone contract. 

For years, Latin America's construction giant, built some of the region's most crucial infrastructure projects. In 2016, the Brazilian-based group signed what has been described as the world's largest leniency deal with US and Swiss authorities, in which it confessed to corruption and paid $2.6bn in fines.

And this is just the tip of the iceberg. Every week we have a new bribery case.

2. What is the difference between bribery and corruption?

The figure below explains very well the difference between bribery and corruption:

Figure 1. The difference between bribery and corruption

It is also important to know the generic definition of bribery in the ISO 37001 standard: 

Bribery: offering, promising, giving, accepting or soliciting of an undue advantage of any value (which could be financial or non-financial), directly or indirectly, and irrespective of location(s), in violation of applicable law, as an inducement or reward for a person acting or refraining from acting in relation to the performance of that person's duties.

3. Does ISO 37001 address all types of bribery?

ISO 37001 can help the organization to implement reasonable and proportionate controls designed to prevent, detect, and respond to bribery.

It specifies the implementation by the organization of policies, procedures and controls which are reasonable and proportionate according to the bribery risks the organization faces.

4. Which are the most important clauses of this standard?

All of the requirements of ISO 37001 are important since we have to follow the PDCA Cycle. So, from 4.1 Understanding the organization and its context up to 10.2 Continual improvement, the organization shall meet all its requirements.

Nevertheless, for sure that the following requirements are crucial for the success of ISO 37001, if very well implemented:

  • 5.1 Governing Body as well as Top management leadership and commitment,
  • 6.1 Actions to address risks and opportunities, 
  • 7.3 Awareness and training,
  • 8.2 Due diligence, 
  • 8.5. Implementation of anti-bribery controls by controlled organizations and by business associates,
  • 8.9 Raising concerns,
  • 8.10 Investigating and dealing with bribery.

5. Is ISO 37001 related to other ISO standards?

ISO 37001 standard conforms to ISO’s requirements for management system standards. These requirements include a high level structure, identical core text, and common terms with core definitions, designed to benefit users implementing multiple ISO management system standards.

ISO 37001 can be used in conjunction with other management system standards, such as the newest ISO 37301, ISO 9001 and other ISO management system standards.

6. Which industries can benefit the most from this standard and how?

The requirements of the ISO 37001 standard are generic and are intended to be applicable to all organizations (or parts of an organization), regardless of their type, size, nature of activity, or whether it fits the public, private or not-for-profit sectors.

7. How does ISO 37001 help an organization comply with other anti-bribery laws?

ISO 37001 standard sets out requirements and provides guidance for a management system designed to:

  • help an organization to prevent, detect and respond to bribery,
  • comply with anti-bribery laws and voluntary commitments applicable to its activities, 
  • be in conformity with the organization´s policies and procedures.

8. How does the certification audit against ISO 37001 help companies?

ISO 37001 certification provided by an Accredited Certification Body is surely a demonstration to enforcement agencies, investors, shareholders, suppliers, collaborators and society that the organization is fully committed to adopting effective controls to combat bribery in all its forms.

9. Does conformity with ISO 37001 guarantee that no briberies will happen?

Conformity with ISO 37001 cannot provide assurance that no bribery has occurred or will occur in relation to the organization, as it is not possible to completely eliminate the risk of bribery.

So the organization has to identify the potential bribery risk areas that will be confirmed through the bribery risk assessment. This assessment identifies the bribery risks the organization will focus on in order to treat the risks, implement the controls (preventive, detective and corrective) and allocate the anti-bribery compliance personnel, resources as well as the activities.

10. What are some tips and advices to get ready for a certification audit against ISO 37001?

Please, be very careful when designing your Anti-bribery Management System (ABMS) and take into account the message from one of the management’s Guru (Dr. Joseph Juran), who recommends organizations to implement a management system, part by part. In order words, the ABMS shall be implemented processes by processes and not in the entire organization at once.

So, choose 3 or 4 areas/processes, define your high and very high bribery risks (such as business associates and other interested parties), and then implement the ISO 37001.

Also, please take into account that differently from other ISO MSS, ISO 37001 relies heavily on human ware. Based on this scenario and on the requirements of ISO 37001, the five personnel behaviors: Integrity, Honesty, Ethics, Transparency, and Respect, are expected from everyone in the organization, and shall be described in the organization´s Code of Conduct, from top-down to bottom up, including the business associates and other interested parties, in order to be in compliance with the law and regulations, as well as the organization´s anti-bribery policies and procedures. 

This is the way for a successful implementation of an ABMS.

About the Author

Ariosto Farias Jr has been an ISO Management Systems Senior Advisor, Instructor and Auditor for the past 25 years, helping more than 30 organizations to establish, implement, maintain, review and improve their Management Systems, based on ISO Standards, including here ISO 37001. He has been acting since 2016 as a Brazilian Expert on ISO/TC 309, that is the Committee responsible for ISO 37001 and ISO 37301, having participated in all ISO 37301 meetings. Ariosto Farias Jr is approved as a PECB MS Auditor for ISO/IEC 27001 and ISO 37001.