A challenge for any company with an embedded anti-corruption compliance programme is implementing an anti-bribery management system as required by the ISO 37001 standard. Part of this challenge is ‘retrofitting’ some of your programme into the structure of a management system. While there are very significant similarities between an anti-corruption compliance programme and an anti-bribery management system, there are some areas that make a management system capable of being certified.
The main thing to remember is that a management system relies on documented evidence. You may ‘do something’, but you need to be able to prove it – especially if your management system is the subject of a certification audit.
One area that is commonly overlooked in the ISO 37001 standard is clause 4.4, which asks you to establish, document, implement, maintain and continually review a management system. While this seems like an obvious section in that it essentially summarises the point of the entire ISO 37001 standard, the question you need to ask yourself is, ‘What do I need to show to an auditor to prove that the clause has been complied with?’. There is no point providing hundreds of documents that overlap with other documents and sections – what you need to do is think about how to show the management system in a wholistic but very simple way.
Many operators of an anti-bribery management system struggle to produce documentation that satisfies a certification auditor that the requirements of clause 4.4 have been met. This failure to produce a document often leads to a non-conformity that is sometimes unjustified, given the fact that the company may have a substantive management system but just can’t seem to answer the question posed in clause 4.4. Many compliance officers have erroneously pointed to their anti-bribery policy as documented evidence to satisfy this requirement. This is categorically incomplete and sends a very clear message to the auditor that you really have not understood the depth of the requirements of the standard, as well as sending a poor message on what is to come in terms of further responses.
Here are some things to consider when preparing for a certification audit for your anti-bribery management system and trying to answer the question posed by clause 4.4 of the standard:
- The management system is made up of several elements, including policies, procedures, KPIs and monitoring and measuring systems, just to name a few. Including all of these as part of the documentation of satisfying the requirements of clause 4.4 of the standard would not only overwhelm you, it would also overwhelm an auditor.
- Producing a document like the one linked below shows all of the elements that come together to form the management system on one page. This image, which may be designed as a rectangle or as a circle, shows all of the elements of the management system and links them to the sections of the standard. This is a great tool to explain your system as well as to act as a checklist to ensure you don’t forget something that is included but not otherwise documented as part of the management system.
- Remember that not everything in your management system needs to be specifically prepared for the management system. It is totally fine for the management system to draw on other elements or policies from different parts of the organisation. What clause 4.4 is asking you to do is show how they all fit together and show what is included as part of the management system. That is why a one-page graphic is always the easiest to manage.
- A simple one-page image like the one linked below is going to satisfy an auditor and will go a long way in showing that you have a comprehensive system. It can be used not only for this section, but also in communications and executive presentations to show the management system in an easy-to-understand way. A picture is always worth a thousand words.
We know that anti-bribery management systems are complex and contain many moving parts, so keeping things simple really helps with the audit and certification process. The easier that it is to explain your management system to an auditor (particularly when there is a very short deadline for the audit), the better.