A challenge for any company with an embedded anti-corruption compliance programme is implementing an anti-bribery management system as required by the ISO 37001 standard. Part of this challenge is ‘retrofitting’ some of your programme into the structure of a management system. While there are very significant similarities between an anti-corruption compliance programme and an anti-bribery management system, there are some areas that make a management system capable of being certified.
The main thing to remember is that a management system relies on documented evidence. You may ‘do something’, but you need to be able to prove it – especially if your management system is the subject of a certification audit.
Out of all of the areas that are covered as part of an ABMS, we often find that the compliance function is the strongest. It is typically staffed with dedicated compliance experts who are doing their best (often under challenging circumstances).
However, areas for improvement that we often identify when reviewing an anti-bribery management system as part of an ISO 37001 standard audit are the competencies and training requirements of the compliance function.
The competencies should be well thought out, and should include change management, legal knowledge and investigations experience. The training should be regular and include both ISO management system training and specific anti-bribery training. We expect to see that every member involved in the ABMS has achieved a high level of proficiency, and we look for records to prove this or will otherwise assess it through interviews.
Things we look for as auditors as part of a certification process:
-
CVs of all members of the compliance function
-
Background, skills and education
-
On-the-job experience handling bribery matters
-
Demonstrated knowledge via interviews and dialogue
-
Completion of a course on ISO 37001 management systems
-
Attendance at a recent anti-bribery conference
-
Reporting structures and seniority
-
Decision-making authority
-
Seniority compared to other functions and management
-
Independence and ability to report without fear of retaliation
-
Independence from management
While the compliance function is very often the strongest when it comes to knowledge and competence, we need to prove that as part of a certification audit.