What you need to know about the ISO 37001 standard
What is DIN ISO 37001?
The DIN ISO 37001:2016 standard on anti-bribery management systems is an international standard for management systems to help organizations tackle corruption. It was developed between 2013 and 2016 and published in October 2016. The standard defines requirements and provides guidance on setting up, implementing, maintaining, reviewing and improving an anti-corruption management system.
It incorporates existing and well-established anti-bribery principles, such as the guidance on the UK Bribery Act, in order to publicize these principles internationally and make them accessible. Since it is applicable to all countries and all industries, ISO 37001 promotes a standardized understanding of anti-bribery management systems (ABMS) in organizations of different types. It sets out generally applicable standards for the development, implementation, operation and improvement of ABMS.
ISO 37001 details a number of specific measures and checks which organizations are urged to implement to prevent corruption or at least identify it promptly.
Who produced the standard?
Development of the ISO anti-bribery management standard was initiated by the British Standards Institution (BSI). At the end of 2012 the International Organization for Standardization (ISO) decided to pursue this initiative itself. Since the majority of ISO members were in favour of developing a new standard of this sort, project committee ISO/PC 278 was set up to take the matter forward. Experts from 28 countries, including Germany, worked on drawing up the standard, and a further 19 countries with observer status were also involved. Seven liaison organizations, such as the OECD and Transparency International, contributed external expertise.
Anti-corruption lawyer Jean-Pierre Méan played a key part in the development and drafting of ISO 37001. In an interview with LexisNexis he reports on how organizations can successfully implement the standard and how they benefit from certification.
Who is ISO 37001 for?
The standard is so flexible that it can be used in all countries and by organizations of any type or size. It can therefore be applied in small, owner-managed businesses, foundations, associations or official bodies as well as in multi-national companies and other public or private-sector organizations.
Does the standard require a stand-alone management system?
ISO 37001 is in principle a stand-alone management system. However, the measures it contains are designed so that they can also be integrated into existing management systems and the control mechanisms that they specify. Like the widely used quality management system ISO 9001, DIN ISO 37001 adopts a top-down approach.
What are the main requirements of the standard?
The most important function of a compliance management system (CMS) is to ensure that any potential for material violations of the rules is identified promptly and that violations are prevented.
Despite an exemplary CMS, violations can still occur; even the best system cannot totally prevent them. The CMS sets out rules on appropriate responses and countermeasures in the event of a violation.
ISO 37001 defines seven core steps and assigns concrete measures to each. The measures are summarized in the following paragraphs.
Implementing a comprehensive compliance policy makes economic sense and ultimately boosts sales. An organization that complies with legal obligations and can demonstrate that it has put measures in place to prevent compliance violations earns the trust of customers, suppliers and other parties.
Compliance only functions in organizations if it is practiced by management. Compliance managers may find that establishing this “tone from the top” is a challenging task. But correct behavior at all levels and across all departments can only be achieved if everyone acts together. The ISO explicitly refers to this in Section 5.
The standard requires organizations to have an independent compliance manager who should also be responsible for the anti-bribery management system. To enable the employee assigned to this function to work independently, it is essential to avoid conflicts of interest.
According to the ISO, the organization’s managers are also responsible for ensuring that an anti-bribery policy is adopted. The policy must state clearly that bribery is prohibited and that any violations by employees will be reported and appropriate action taken. The policy must be communicated to all members of staff and relevant external partners.
As part of the anti-bribery management system, effective controls specific to the organization must be developed. These controls must cover all corruption risks and ensure effective monitoring for violations.
According to ISO 37001, employees should participate in regular training that enables them to understand the organization’s anti-bribery policy and comply with it. The ISO does not require all employees to receive training but only those with elevated risk potential. The training programme must be tailored to the organization.
There are many different aspects to the establishment of an anti-bribery management system. The standard provides some advice on designing an ABMS. For example, enhanced due diligence must always be performed on transactions, projects, personnel and business partners if the corruption risk is any higher than “low”.
The ISO requires business partners to be included in the financial and non-financial controls. In high-risk cases ISO 37001 also calls for the business partners of the business partners to be checked. ISO-certified organizations should require these checks from their direct business partners.
If the corruption risk is classed as low, it is not necessary to demand that business partners carry out checks. In this situation the check of the organization’s own business partners is sufficient.
Internally, a dual control principle for important transactions may be enough. In dealing with external partners, corruption often occurs in connection with procurement procedures. A transparent procurement procedure for important transactions can prevent corruption.
The review process involves identifying and categorizing the risks within the organization and among third parties so that they can be tackled effectively. In other words, this is a risk-based approach.
If corruption risks are identified internally or among partners, suppliers and other business partners, the due diligence checks described in the “Review” section must be rigorously performed and documented.
Setting up a compliance management system in accordance with ISO 37001 is not a one-off task – even if the CMS is successfully certified. The compliance manager and the organization’s managers must maintain ongoing due diligence, which includes reporting, monitoring, investigating and checking. All processes must be enshrined in the organization’s DNA as an automatic aspect of the management task.
No system functions perfectly from the get-go. As part of a process of continuous improvement, the CMS must therefore be regularly scrutinized so that violations can be systematically prevented and non-conformities addressed. This systematic process is explicitly required in Section 10 of ISO 37001, which deals with improvement.
It may sometimes be necessary to adapt the CMS as a result of external factors such as changes in procurement law or the commercial banking system or revision of ISO 37001 itself.
LexisNexis helps you perform due diligence on your business partners in accordance with ISO 37001. Find out about our Nexis Diligence™ solution now.
Implementation for business: What are the impacts?
How will the standard benefit businesses?
DIN ISO 37001 sets out minimum requirements for businesses and organizations and provides helpful guidance on successful implementation of an anti-bribery management system and assessment of its capability. This benefits management, investors, staff, customers and other stakeholders since it enables them to be certain that appropriate steps are being taken to minimize corruption risks.
Can my organization get ISO 37001 certification?
Because DIN ISO 37001 is a Type A standard and thus goes beyond being merely recommendatory, organizations can be certified by an independent body. Any organization can be certified if an audit establishes that it meets the requirements of the standard.
Who carries out certification?
Businesses and organizations can only be certified to ISO 37001 by an external auditor. Internal auditing by the organization’s own personnel is not permitted. External auditors must be recognized by a certification body; this body also oversees performance and acceptance of the audit. The organization seeking certification is free to decide which certification body to select. Certification bodies can themselves be accredited by the Berlin-based Deutsche Akkreditierungsstelle GmbH (DAkkS). On 1 January 2010 the DAkkS was appointed Germany’s national accreditation body for the accreditation of certification bodies and testing laboratories under Regulation (EC) no. 765/2008 (Article 4(1)).
How often must certification be repeated?
An on-site audit identifies whether the organization meets the requirements of ISO 37001. At least a day must be allowed for this: a longer period may be required depending on the size of the organization, the number of customers and the complexity of the processes involved. Upon successful completion of the certification audit, the auditor issues a certificate that is valid for three years. A yearly review is needed to maintain the certification.
What measures does ISO 37001 specify in relation to gifts and invitations?
ISO 37001 requires effective controls in relation to gifts, invitations and the like. A total ban may be imposed or – if the risk of corruption is low – a degree of tolerance may be permitted, depending on the value and frequency of the gifts/invitations and on other factors. However, the emphasis is on transparency and complete, gap-free documentation.
Our web-based compliance tool Nexis Diligence™ enables you to stay on the safe side and avoid working with individuals or organizations that present a business risk. With this user-friendly tool you can search for your business partners in sanctions and PEP lists, company databases, biographies, judgements and international news sources, thus reliably safeguarding yourself. Easily performed know-your-customer analyses quickly tell you whether working with an individual or organization poses compliance risks. At the press of a button you can then save your research sources and findings in the tamper-proof Report Builder and download them as required.
How does ISO 37001 differ from ISO 19600?
There are two important differences between ISO 37001 and ISO 19600, which was introduced in 2014. Firstly, ISO 19600 is a Type B standard and thus merely recommendatory, whereas ISO 37001 is a Type A standard and therefore contains compulsory requirements that can be verified and certified. Secondly, DIN ISO 37001 is a standard that focuses on a single important compliance issue, while ISO 19600 is a generic standard that sets out recommendations for compliance management systems covering a range of issues.
Further information on the similarities and differences between ISO 19600 and ISO 37001 can be found in the presentation slides or the video recording of our webinar “The ISO 37001 and ISO 19600 compliance standards – Curse, blessing or a lot of fuss about nothing?”.