ISO 37001 – Preparing for Certification
Karl Schlagenhaufen
Associate Consultant at ENFINA Security
ISO 37001
Anti-bribery Management System
Bribery is one of the world’s most challenging issues
Over US$ 1 trillion is paid in bribes each year (OECD)
Consequences: reduced quality of life, increased poverty, eroded public trust
Despite efforts at national and international levels, bribery remains a significant issue
Comprehensive standard for a management system against bribery and corruption, issued in 2016
Promotes an ethical business culture
System approach, not forensic approach
Why get certified?
Benefits to your organization
Helps fight bribery
Promotes an ethical business culture
Improves performance of affected processes
Proves employees’ commitment to anti-bribery best practices
Monitors and manages risk throughout your business
Demonstrates that your organization implements, maintains and improves its anti-bribery compliance program
Protects the company, its assets, shareholders and directors from bribery
Why get certified?
Benefits to your organization
Gains the confidence of regulators
Helps to recognize and manage risks
Helps optimize efficiency and costs
Contributes to your defense under regulatory scrutiny
Provides opportunities for business growth
Your business partners can benefit as well
Helps in obtaining public sector contracts
Initial Considerations
To keep in mind when considering certification:
Best preparation: an existing ISO 19600 certification
Full support of management
Knowledge of the ISO 37001 standard
Structure of the Standard
PDCA cycle (Plan-Do-Check-Act) across the clauses of the standard:
4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Plan
4. Context of the Organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of stakeholders
4.3 Determining the scope of the anti-bribery management system
4.4 Anti-bribery management system (purpose)
4.5 Bribery risk assessment
Plan
5. Leadership
5.1 Leadership and commitment (tone at the top)
5.2 Anti-bribery policy (structure, responsibilities, …)
5.3 Organizational roles, responsibilities and authorities
Plan
6. Planning
6.1 Actions to address bribery risks and opportunities (how risks are identified and managed – roles and responsibilities)
6.2 Anti-bribery objectives and planning to achieve them
Plan
7. Support
7.1 Resources (infrastructure, deployment and monitoring of resources)
7.2 Competence (training is appropriately calibrated and managed at set intervals)
7.3 Awareness and training (of the compliance policy, its objectives, everyone’s role, the culture of the organization)
7.4 Communication (internal and external)
7.5 Documented information (accurate, valid, reliable, appropriately controlled)
Do
8. Operation
8.1 Operational planning and control (objectives and criteria defined, effective controls in place, requirements documented, plans and their implementation)
8.2 Due diligence (assessment of bribery risk in relation to specific transactions, projects, activities etc.)
8.3 Financial controls (e.g. budget restraints)
Do
8. Operation
8.4 Non-financial controls (management of sensitive areas like procurement, operations, sales, commercial and legal activities etc.)
8.5 Implementation of anti-bribery controls by controlled organizations and by business associates
8.6 Anti-bribery commitments (of business associates – termination clauses in case of violations)
Do
8. Operation
8.7 Gifts, hospitality, donations and similar benefits
8.8 Managing inadequacy of anti-bribery controls (define when you refuse deals or activities because you cannot manage the bribery risk)
8.9 Raising concerns (whistleblowing procedures)
8.10 Investigating and dealing with bribery
Check
9. Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Review by anti-bribery compliance function
9.3 Internal audit
9.4 Top management review
9.5 Governing body review
Documents
Useful documents (examples)
• Code of Ethics, Code of Conduct
• Compliance manager or function (appointment, job description)
• Anti-bribery training (records, participant lists)
• Risk assessments and due diligence on projects and business associates
• Operational risk matrix
• Control documentation: financial, procurement, commercial and contractual
• Reporting, monitoring, investigation and review records
• Corrective action and continual improvement records