A challenge for any company with an embedded anti-corruption compliance programme is implementing an anti-bribery management system as required by the ISO 37001 standard. Part of this challenge is ‘retrofitting’ some of your programme into the structure of a management system. While there are very significant similarities between an anti-corruption compliance programme and an anti-bribery management system, there are some areas of difference, and it is these that make a management system capable of being certified.
The main thing to remember is that a management system relies on documented evidence. You may ‘do something’, but you need to be able to prove it – especially if your management system is the subject of a certification audit.
When working on an anti-bribery management system (ABMS) or converting a compliance programme to an ABMS, you will become very engaged with what is known as ‘top management’ under the ISO 37001 standard.
Top management is your management team, including the CEO of the entity and all the direct reports of the CEO. Whether it is called ‘top management’ or ‘the executive committee’ or some other name, when the ABMS refers to ‘top management’ it is referring to the group that runs the business.
It is this group, howsoever named, that has overall responsibility for the design and operation of the ABMS. This group owns, manages and reviews the system. It is the primary group to look to when assessing the ABMS.
It is also understood and acknowledged in practice and in the standard itself that top management will delegate daily operation to the compliance function. This is a delegation; it is not a removal of accountability.
Given the role of top management, those included must know the ABMS very well, they must set its objectives, they must control its operation and they must monitor and measure its performance.
Here is some guidance for every manager in a company that is looking to certify its ABMS:
- Know the ISO 37001 standard – read it, train on it, and know how it works.
- You should be able to tell an auditor the main risks of the business down to a very specific level, not just high-level obvious areas where bribery could happen.
- You must be able to prove to the auditor that you can link a specific stated risk to a set of controls to manage that risk, and explain how those controls are being monitored and measured.
- You must participate in reviews of the ABMS – not just sit through presentations from compliance – and you must be able to prove that you have participated in management reviews.
- You must be able to walk through the main objectives, trends and results of the ABMS and go beyond high-level comments about training and the number of cases.
What should become clear is that management needs to own the ABMS and needs to understand it. A cursory understanding of high-level issues is not sufficient for a certification, and pointing to compliance to answer questions will not build confidence and trust with an auditor.
As the standard says: it is a management system, not a compliance programme.