A challenge for any company with an embedded anti-corruption compliance programme is implementing an anti-bribery management system as required by the ISO 37001 standard. Part of this challenge is ‘retrofitting’ some of your programme into the structure of a management system. While there are very significant similarities between an anti-corruption compliance programme and an anti-bribery management system, there are some areas of difference that make a management system, unlike a compliance programme, capable of being certified.
The main thing to remember is that a management system relies on documented evidence. You may ‘do something’, but you need to be able to prove it – especially if your management system is the subject of a certification audit.
Clause 4.3 of the ISO 37001 standard covers the ‘scope’ of your management system, which is one of the elements that is often overlooked when the company is doing a conversion from a compliance system to a management system. The scope sets the foundation for the management system, and, while most companies know the scope of their system, they have not adequately documented it. The assumption is that it is ‘global’, but in most cases that is not enough detail to satisfy the expectations of clause 4.3.
To ensure that the scope is adequately considered and documented:
- list the precise entities that are subject to the management system
- likewise, list those entities that are excluded (for example, minority interests in companies or perhaps certain joint ventures)
- list in full all of the laws, regulations, industry codes and other agreements that form part of your management system, so people can see exactly which legislation and obligations your system is managing
- clarify what ‘governing body’ and ‘top management’ mean for each of the entities covered by the management system by mapping out who and what they are (for example, is the governing body the top level of the company headquarters and top management each entity’s local top level, or is there a governing body and top management at each level of each subsidiary?).
While not as vital, it is also good practice to include:
- other management factors, such as the key people involved, the role of compliance and integrity in organisations, and the role of part-time resources (often known as compliance champions or ambassadors)
- the key risks that you are building the management system around – while the risk assessment is covered in clause 4.5 of the standard, it is good practice to include some reference to key risks in the documentation of your scope to show that you have thought through the basic bribery risk areas and that your scope covers these (or, equally important, that your scope does not cover them and why).
Remember, you define what is in and out of scope for your management system. If something is not included, you can still operate a compliance programme to manage any associated risks.
Regardless of which area of a management system you are developing, the key is documenting the thought process and ensuring that you have the evidence to prove the steps you took. As highlighted above, the risk is greatest for those who are moving from an embedded compliance programme into a management system, as some of these more foundational areas are often overlooked and not documented.