A challenge for any company with an embedded anti-corruption compliance programme is implementing an anti-bribery management system as required by the ISO 37001 standard. Part of this challenge is ‘retrofitting’ some of your programme into the structure of a management system. While an anti-corruption compliance programme and an anti-bribery management system are very similar, some areas are specific to a management system and make it capable of being certified.
The main thing to remember is that a management system relies on documented evidence. You may ‘do something’, but you need to be able to prove it – especially if your management system is the subject of a certification audit.
One element of the ISO 37001 standard that is commonly overlooked is clause 4, which focuses on the context of the organisation. Clause 4.1, ‘Understanding the organization and its context’, is designed for companies that are starting from scratch with their management systems. It outlines how to plan the way the management system will function and how to design it appropriately for the business.
Companies that are transitioning from a compliance programme to a management system should not overlook clause 4.1, however. Overlooking it can lead to non-conformities when the management system is being certified – not necessarily because the system is poorly designed, but because there is a lack of documentation.
To ensure that this clause is not ignored or overlooked, build your management system according to the context of the company that you are operating. ISO 37001 requires management systems that are ‘fit for purpose’, so it challenges you to think through the elements of your company that might dictate how you build your management system. As you’re thinking these elements through, it is important that you document them, even if you are already operating a comprehensive compliance system and transitioning to a management system.
There are many elements of the context of your company that might influence your management system. Some things you should document are:
- if you already have other management systems and plan to operate an integrated management system
- if you plan on operating the management system in certain ways in certain countries because of the different business structure in that country
- whether the company operates as a top-down or bottom-up structure, or on a federated model of governance – these structures will all affect how to operate the management system, specifically how the system will be governed and managed
- the elements of the company that might limit its management system, for example budget constraints, risk tolerance, approach to compliance, special banking or lender issues, conditions posed by investors, or issues that large customers have requested be addressed.
When considering and documenting the context of your organisation with regard to your management system, as required by clause 4.1 of the standard, it is important that even the simplest of issues are documented. The more you have documented, the better you can really show the relationship between the company and the management system. It is essential that the implementation of the management system is ‘fit for purpose’, and the correct application of clause 4.1 does just that.
Document tip: The document that is included as part of your management system is often a PowerPoint presentation or Word document that is updated annually to adjust for any changes in the company that might influence the management system. The document must show the context and the way in which the management system will be impacted. This can be done in a two-column slide that shows the context and impact side-by-side.