The business case for a formal Anti-Bribery Management System (ABMS)
As business becomes more globalized, organizations face new challenges and opportunities. Part of this new environment is compliance with newly emerging anti-bribery and anti-corruption laws, such as the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, the Corruption of Foreign Public Officials Act in Canada, the General Law of Administrative Accountability and Model Program for Corporation Integrity in Mexico, and several others in Russia, France, Germany, China, and Brazil, to name a few.
International development and enforcement of new anti-bribery and anti-corruption (ABC) laws and guidelines is no coincidence. As of August 2017, 43 countries have committed to implementing the recommendations and requirements of the OECD Anti-Bribery Convention. 140 countries have committed to the United Nations' Convention against Corruption. This means that adoption and rigorous enforcement of anti-bribery and anti-corruption programs and best practices is already well-established, and is growing stronger by the day.
While each of these laws and conventions is somewhat different in scope and reach, the corrupt activities they prohibit are similar. “Bribery” involves improper inducement and occurs when something of value is offered or accepted in order to influence a transaction or encourage improper or illegal behavior. “Corruption” involves dishonest or illegal behavior achieved through unethical means, such as bribery. To ensure that bribery and corruption are minimized, a common requirement of these laws is for an organization to establish and maintain a formal anti-bribery and anti-corruption (ABC) management program (system). Failure to establish such a system puts public and private sector organizations and their employees at risk of incurring severe fines or even criminal prosecution. Today, a formal ABC compliance program is simply a mandatory requirement for all organizations, public or private. In fact, many organizations no longer purchase from a vendor, supplier, or contractor that doesn't have evidence of a formal Anti-Bribery Management System (ABMS) fulfilling local, national, and even international ABC compliance requirements.
Strict enforcement of the UK's Bribery Act of 2010 is now in the news quite frequently, so it is natural that any UK organization, citizen, or even UK resident will be particularly sensitive to the need to show due diligence in having an ABMS to prevent, detect, and correct bribery and corruption. Not a UK organization or citizen? You might need to comply with the UK's Bribery Act anyway. If your organization buys from or provides products or services to any UK organizations or citizens anywhere in the world, expect to be required to show evidence of your own organization's ABMS to continue business with these UK organizations and citizens, since they need to prove that the scope of their own ABMS includes their vendors and customers - everywhere they do business.
Expect even more pressure to control bribery and corruption when doing business in Russia or with any Russian organization. On January 1, 2013, Russia amended its Federal Anti-Corruption Law No. 273 with Article 13.3 to go beyond the reach of both the U.S. Foreign Corrupt Practices Act (FCPA) and the U.K. Bribery Act (UKBA) to require all corporations organized in Russia to develop anti-corruption compliance measures.
Country by country, anti-bribery and anti-corruption laws and their enforcement are growing rapidly and becoming more severe, and the growth is gaining momentum every year. If your organization wants to continue to conduct business in this new era necessitating proof of compliance with existing and emerging regulatory and legislative anti-bribery requirements, it should invest in developing and maintaining an ISO 37001-certified anti-bribery management program. The alternative is losing B2B business, or even potentially paying huge fines and penalties for failing to practice anti-bribery and anti-corruption due diligence.
The new standard for an Anti-Bribery Management System (ABMS) - ISO 37001
While organizations critically need to prove due diligence in preventing, detecting, and correcting bribery and corruption, the dilemma is that there has not been a universally recognized standard of exactly what a sufficient ABC program would entail. Until now. As of October 2016, there is a new global standard for anti-bribery and anti-corruption (ABC) management systems, made available by the International Organization for Standardization. The new ISO 37001 standard, "Anti-bribery management systems - Requirements with guidance for use," means there is now an internationally recognized set of best practices to prevent and detect bribery. Moreover, these best practices are auditable and can be ISO certified. The standard is designed for use in both public-sector and private-sector organizations. Expect to see early widespread international adoption by the public sector, which will subsequently drive private-sector organizations wanting to do business with them to become certified to the same standard. Even if your organization already has an ABC program, it should immediately perform an audit against the new ISO standard to ensure that all details are addressed and compliant. After all, ISO 37001 will likely determine the minimum of what your organization's customers, regulators, and suppliers will expect of your program.
Even if you feel your ABM program covers all of the new ISO requirements, and can claim such as fact, how do you prove it to your organization's stakeholders? Going through a fresh review/audit every time someone asks? A better alternative is having your organization's ABMS certified to ISO 37001 so it can easily provide third-party assurance of its ABC program. Although ISO 37001 does not bring any amazingly fresh best practices to the table regarding bribery and corruption control, ISO certification is the single best solution for getting credible third-party assurance and validation of your organization's ABC management system - which is a critical business need today. Certification to ISO 37001 will become essential for companies wanting to do public-sector work, and we will see it quickly permeate through industry commercial sectors as well. Companies not certified will be at a substantial disadvantage in the near future.
ISO 37001 certification is granted to an organization that meets, or goes beyond, the minimum requirements set forth in ISO 37001, taking into account, as the standard dictates, that an organization's anti-bribery program should be reasonable and proportionate to the nature and extent of the bribery risks the organization faces. The reasonable and proportionate qualification in the standard means that small and medium-sized organizations, or organizations with a relatively low risk of bribery, may not need to implement the same level of measures and controls as a large organization or an organization with a high risk of bribery.
To obtain ISO ABMS certification an organization must have the following anti-bribery measures and controls in place:
- A bribery risk assessment
- Anti-bribery objectives
- An anti-bribery policy
- Governing body and top management oversight and demonstrated commitment to combating bribery
- An anti-bribery compliance function
- Awareness and training around the anti-bribery policy and anti-bribery program
- Anti-bribery procedures and controls, including:
- Due diligence on personnel, projects and transactions, and business associates with more than a low-level risk of bribery
- Policies and procedures relating to gifts, entertainment, hospitality, travel, charitable or political donations, or other benefits as appropriate
- Financial controls
- Reporting procedures, including a non-retaliation policy
- Investigation procedures
- Continuous monitoring and periodic audits, including documenting non-conformities and implementing corrective action when needed
- Continuous efforts to improve the anti-bribery program
- Get a better understanding of your organization's business and legal requirements for having an ABMS.
CIS' ABMS Strategy and Policy workshop will fulfill this first requirement.
- Get your team trained to design and implement an ISO 37001-conforming ABMS.
You can't get your organization to establish, operate, and maintain an ISO 37001 ABC management system without understanding ISO's requirements, and how to establish proper strategy, policy, roles/responsibilities, and procedures to support ISO 37001's requirements. All of the international laws, regulations, and requirements mentioned above require a system that is integrated and managed throughout the organization, not just from a single compliance manager's desk. The very ISO standard in question requires the same. This means your organization needs to get its entire management team properly trained with a course that will give them more than just awareness. They need a workshop course that will give them direction and tangible support with developing ISO 37001 policies and procedures. Such training can be phased, but be sure to start with the governing function and C-level management first. After all, they are the people accountable for ensuring the organization is fulfilling its obligations to internal and external stakeholders, and they are also the only people with sufficient authority to decide upon ABM scope, requirements, resourcing, and roles/responsibilities to be assigned. ISO ABMS requirements begin with "Leadership" from the top, so these are the people who need to get involved first.
CIS' ABMS Strategy and Policy workshop will fulfill this second requirement.
- Plan and design an ISO 37001-conforming ABMS.
- Implement the agreed-upon policy and protocols.
- After the program is established and has been in practice, it needs to be audited to ensure it is performing according to design and is fulfilling policy requirements as desired.
- Maintain and improve the system by reviewing audit findings to identify opportunities for improvement, and then acting on those opportunities with plans of remedy.
- Arrange for an ISO 37001 certification audit with an ISO certification body accredited to perform ISO 37001 certification audits.