A challenge for any company with an embedded anti-corruption compliance programme is implementing an anti-bribery management system as required by the ISO 37001 standard. Part of this challenge is ‘retrofitting’ some of your programme into the structure of a management system. While there are very significant similarities between an anti-corruption compliance programme and an anti-bribery management system, there are some areas that make a management system capable of being certified.
The main thing to remember is that a management system relies on documented evidence. You may ‘do something’, but you need to be able to prove it – especially if your management system is the subject of a certification audit.
The governing body of a company that operates an anti-bribery management system (ABMS) is the highest level of the company. While this is usually the board of directors, it can be the top management if the company doesn’t have a separate board and management structure.
The governing body does what a governing body typically does in any company: it sets the strategy for the ABMS and approves all the major elements of the system. It is also involved in making sure the risks are managed correctly, and that there is sufficient oversight, the right management focus and the right local resources.
The most important role of the governing body in an ABMS is making sure the system works. The governing body must ensure that the ABMS meets the requirements of the ISO 37001 standard and that it meets its stated company objectives. It has to ensure that the performance of the system is as expected and that the system remains as it was designed, aligned with the company strategy.
The governing body should not only set strategy, review and approve; it should also delegate the operation of the system to management and the compliance function. This delegation should be documented and made very clear to everyone engaged as part of the system.
Everyone involved should have basic training on anti-bribery matters and how the ISO 37001 standard works. They should be more than capable of articulating the implemented system and be able to talk through the programme without reference materials.