A challenge for any company with an embedded anti-corruption compliance programme is implementing an anti-bribery management system as required by the ISO 37001 standard. Part of this challenge is ‘retrofitting’ some of your programme into the structure of a management system. While there are very significant similarities between an anti-corruption compliance programme and an anti-bribery management system, there are some areas that make a management system capable of being certified.
The main thing to remember is that a management system relies on documented evidence. You may ‘do something’, but you need to be able to prove it – especially if your management system is the subject of a certification audit.
Clause 4.2 of the ISO 37001 standard asks you to understand the needs and expectations of your stakeholders as part of your management system. This section is often poorly understood and therefore subject to many non-conformities throughout the audit and certification process.
There are many companies that built a compliance programme to manage their bribery risks and simply didn’t spend enough time studying the specific words of each section during the transition to a management system. Many assume that the work done for their compliance programme will be enough to meet the standard.
The following are some pointers for meeting the requirements of clause 4.2 that go above and beyond what most companies look at when they are building a pure compliance programme instead of a certifiable management system.
Firstly, the standard says that you ‘shall’ consider your stakeholders, so a failure to do so will be a major or minor non-conformity.
The first part of clause 4.2 requires you to determine the stakeholders that are relevant to the management system. These stakeholders are not the ‘normal’ stakeholders that interact with the company, so, while there may be some overlap with these general stakeholders, pointing to an annual report that discusses stakeholders is not sufficient evidence of compliance.
Most companies that operate a management system of this type will have a review session annually where they look at the stakeholder list and discuss whether any changes are required. The stakeholders are normally shown in a stakeholder map, which will list at least the following information:
- the stakeholder group definition
- the reason why each stakeholder group is relevant to the management system
- how the organisation engages with each group of stakeholders
- examples of named stakeholders from each group
- what the position of those stakeholders is towards the management system (for, against, supportive, etc.)
- the dates the organisation sought the stakeholders’ expectations regarding the management system.
The documentation for this section is often a spreadsheet or the stakeholder map.
The second and more challenging part of clause 4.2 requires you to determine the relevant requirements of each stakeholder as they apply to the anti-bribery management system. This requires far more thought and is often overlooked. These ‘requirements’ can be obtained through:
- legislation, if your stakeholder is a government
- a contract, if your stakeholder is a customer
- a joint venture agreement, if your stakeholder is a partner.
In many cases, there will be no written requirements from the stakeholder, so you will need to ask them what their requirements are via a survey or some form of engagement meeting where the management system and its design are discussed (in which case the documentation for this section would be meeting minutes, meeting outcomes, or perhaps a presentation that was delivered at the meeting).
As with all things in the management system standards, review sessions with stakeholders should be regular – at least annually – and documented. During these sessions with key stakeholders you must review and validate existing requirements as well as gather new requirements.
While stakeholder management is generally seen as a given in many of these business initiatives, it is important to remember that, when it comes to a management system, the engagement needs to be documented and subject to regular review. Pointing to or naming stakeholders is not enough to meet the demands of clause 4.2 – there needs to be documented engagement with the stakeholders to gather their requirements.