Applies to: Health Check
Context behind the development of the ISO 37001: Anti-bribery management standard
A well-managed organisation should have a compliance policy supported by appropriate management systems to assist it in complying with its legal obligations and ethical aspirations. An anti-bribery policy is a component of an overall compliance policy. The anti-bribery policy and its supporting management system help an organisation to avoid the costs, risks and damage of involvement in bribery and to enhance its corporate reputation.
Bribery is a significant risk in many countries and sectors. Increasing awareness of the damage caused by bribery to countries, organisations and individuals has resulted in calls both at international and national level for effective action to be taken to prevent and detect bribery.
Several international conventions have been passed which require signatory countries to criminalise bribery and to take effective steps to prevent and deal with it. Of particular international significance are the United Nations Convention against Corruption and the Organisation for Economic Co-operation and Development (OECD) Convention on the Bribery of Foreign Public Officials in International Business Transactions.
Most countries have introduced or strengthened anti-bribery legislation which makes it an offence for organisations and individuals to pay or receive bribes. All OECD Convention signatory countries have made it an offence for organisations and individuals from those countries to pay bribes to public officials in other countries.
Anti-Bribery Health Check Methodology
The methodology behind the Anti-Bribery Health Check is based on the ISO 37001: Anti-bribery management systems standard, which is expected to be published by the International Organization for Standardization (ISO) in its final form by the end of 2016.
ISO is an independent, non-governmental membership organisation made up of 162 member countries, and is the world’s largest developer of voluntary International Standards.
About the ISO 37001: Anti-Bribery Management Standard
ISO37001: Anti-bribery management systems specifies requirements and provides guidance for establishing, implementing, maintaining, reviewing and improving an anti-bribery management system. The system can be standalone or can be integrated into an overall management system. It can be used internationally as it requires an organisation to take account of, and comply with, any specific anti-bribery legislation in all countries in which it operates. Internationally recognised good practice is also taken into account.
ISO37001: Anti-bribery management systems addresses the following in relation to the organisation’s activities:
- Bribery in the public, private and not-for-profit sectors
- Bribery by the organisation
- Bribery by the organisation’s personnel acting on the organisation’s behalf or for its benefit
- Bribery by the organisation’s business associates acting on the organisation’s behalf or for its benefit
- Bribery of the organisation
- Bribery of the organisation’s personnel in relation to the organisation’s activities
- Bribery of the organisation’s business associates in relation to the organisation’s activities
- Direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party)
ISO37001: Anti-bribery management systems is applicable only to bribery. It sets out requirements and provides guidance for a management system designed to help an organisation to prevent, detect and respond to bribery and comply with anti-bribery laws and voluntary commitments applicable to its activities.
The term “bribery” in the context of ISO37001 is used to refer to the offering, promising, giving, accepting or soliciting of an undue advantage of any value (which could be financial or non-financial), directly or indirectly, and irrespective of location(s), in violation of applicable law, as an inducement or reward for a person acting or refraining from acting in relation to the performance of that person’s duties. This is a general description of the term; the precise meaning of “bribery” for an organisation is defined by the anti-bribery law(s) applicable to it and by the anti-bribery management system the organisation designs.
ISO37001 does not specifically address fraud, cartels and other anti-trust/competition offences, money laundering or other activities related to corrupt practices (although an organisation can choose to extend the scope of the management system to include such activities).
The requirements defined in ISO37001 are generic and are intended to be applicable to all organisations (or parts of an organisation), regardless of type, size and nature of activity, and whether in the public, private or not-for-profit sectors. ISO recommends that if any requirement (in whole or in part) is in conflict with, or prohibited by, any applicable law, then the whole or that part of the requirement will not be applicable to the organisation. ISO further recommends that the organisation document any existing conflicts between national legislation and ISO37001.
General
The bribery risk facing an organisation varies according to factors such as the size of the organisation, the countries and sectors in which the organisation operates, and the nature, scale and complexity of the organisation’s activities. Therefore, ISO37001 specifies the implementation by the organisation of policies, procedures and controls which are reasonable and proportionate according to the bribery risks the organisation faces.
Conformance with ISO37001 cannot provide assurance that no bribery has occurred or will take place in relation to the organisation. However, ISO37001 can help the organisation prevent and detect bribery, and can help demonstrate that the organisation has implemented reasonable and proportionate measures designed to prevent and detect bribery.
Scope of the anti-bribery management system
Standalone or integrated?
Organisations may choose to implement the anti-bribery management system as a separate system, or as an integrated part of an overall compliance management system, such as that described in ISO19600. Organisations may also choose to implement the anti-bribery management system alongside or as part of their other management systems, such as quality, environmental and safety, described in ISO9001, ISO14001, ISO26000 and ISO31000.
Facilitation and extortion payments
Facilitation payment is the term sometimes given to an illegal or unofficial payment made in return for services which the payer is legally entitled to receive without making such payment. It is normally a relatively minor payment made to a public official or person with a certifying function in order to secure or expedite the performance of a routine or necessary action, such as the issuing of a visa, work permit, customs clearance or installation of a telephone. Although facilitation payments are often regarded as different in nature to, for example, a bribe paid to win business, they are illegal in most locations, and are treated as bribes for the purpose of this International Standard, and therefore should be prohibited by the organisation’s anti-bribery management system.
An extortion payment is when money is forcibly extracted from personnel by real or perceived threats to health, safety or liberty and is outside of the scope of this International Standard. The safety and liberty of a person is paramount and many legal systems do not criminalise the making of a payment by someone who reasonably fears for their or someone else’s health, safety or liberty. Therefore, the organisation can have a policy to permit a payment by personnel in circumstances where they have a fear of imminent danger to their or another’s health, safety or liberty.
The organisation should provide specific guidance to any personnel who may be faced with requests or demands for such payments on how to avoid them and deal with them. Such guidance could include, for example:
- Specifying action to be taken by any personnel faced with a demand for payment, such as:
  - in the case of a facilitation payment, asking for proof that the payment is legitimate, and an official receipt for payment and, if no satisfactory proof is available, refusing to make the payment;
  - in the case of an extortion payment, making the payment if their health, safety or liberty, or that of another, is threatened;
- Specifying action to be taken by personnel who have made a facilitation or extortion payment:
  - making a record of the event;
  - reporting the event to an appropriate manager or the anti-bribery compliance function;
- Specifying action to be taken by the organisation when personnel have made a facilitation or extortion payment:
  - appointing an appropriate manager to investigate the event (preferably the anti-bribery compliance function or a manager who is independent from the personnel’s department or function);
  - correctly recording the payment in the organisation’s accounts;
  - if appropriate, or if required by law, reporting the payment to the relevant authorities.
Reasonable and proportionate
Bribery is normally concealed. It can be difficult to prevent, detect and respond to. Recognising these difficulties, the overall intent of this International Standard is that the governing body (if any) and top management of an organisation need to have a genuine commitment to prevent, detect and respond to bribery in relation to the organisation’s business or activities and need to, with genuine intent, implement measures in the organisation which are designed to prevent, detect and respond to bribery. The measures cannot be so expensive, burdensome and bureaucratic that they are unaffordable or bring the business to a halt. Nor can they be so simple and ineffective that bribery can easily take place. The measures need to be appropriate to the bribery risk, and should have a reasonable chance of being successful in their aim of preventing, detecting and responding to bribery.
While the types of anti-bribery measures that need to be implemented are reasonably well recognised by international good practice, some of which are reflected as requirements in this International Standard, the actual detail of the measures to be implemented differs widely according to the relevant circumstances. Therefore, it is impossible to prescribe exactly what an organisation should do in any particular circumstance. The reasonable and proportionate qualification has been introduced into this International Standard so that every circumstance can be judged on its own merits.
The following examples provide some guidance on how the reasonable and proportionate qualification may apply in relation to differing circumstances:
- A very large multi-national organisation may need to deal with multiple layers of management, and thousands of personnel. Its anti-bribery management system will therefore typically need to be far more detailed than that of a small organisation with only a few personnel.
- An organisation which has activities in a higher bribery risk location will normally need more comprehensive bribery risk assessment and due diligence procedures and a higher level of anti-bribery control over its business transactions in that location than an organisation which only has activities in a lower bribery risk location, where bribery is relatively rare.
- Although bribery risk exists in relation to many transactions or activities, the bribery risk assessment, due diligence procedures and anti-bribery controls implemented by an organisation involved in a large, high value transaction or activities involving a wide range of business associates are likely to be more comprehensive than those implemented by an organisation in relation to a business which involves selling small value items to multiple customers or multiple smaller transactions with a single party.
- An organisation with a very broad range of business associates may conclude, as part of its bribery risk assessment, that certain categories of business associates, such as retail customers, may not pose more than a low bribery risk, and take that into account in the design and implementation of its anti-bribery management system. For example, due diligence is unlikely to be necessary, or to be a proportionate and reasonable control, in relation to retail customers who are purchasing items such as consumer goods from the organisation.
- An organisation which has activities related to the scope and direct intervention of governmental agencies, including public enterprises or entities funded by public resources.
Although bribery risk exists in relation to many transactions, an organisation should implement a more comprehensive level of anti-bribery control over a high bribery risk transaction than over a low bribery risk transaction. In this context, it is important to understand that identifying and accepting a low risk of bribery does not mean that the organisation may accept the fact of bribery occurring. That is, the risk of bribery occurring (i.e., whether a bribe might occur) is not the same as the occurrence of a bribe (the fact of the bribery itself). Therefore, an organisation may have a “zero tolerance” for the occurrence of bribery while still engaging in business in situations where there may be a low bribery risk, or more than a low bribery risk (as long as adequate mitigation measures are applied), of bribery occurring. Further guidance on specific controls is provided below.
Bribery Risk Assessment
The intention of the bribery risk assessment is to enable the organisation to form a solid foundation for its anti-bribery management system. This assessment identifies the bribery risks that the system will focus on; that is, the bribery risks deemed by the organisation to be a priority for bribery risk mitigation, control implementation, and allocation of anti-bribery compliance personnel, resources, and activities. How the organisation undertakes the bribery risk assessment, what methodology it employs, how the bribery risks are weighted and prioritised, and the level of bribery risk that is accepted (i.e., “risk appetite”) or tolerated, are all at the discretion of the organisation. In particular, it is the organisation that establishes its criteria for evaluating bribery risk (e.g. whether a risk is “low”, “medium” or “high”), though in so doing the organisation should take into account its anti-bribery policy and objectives. The following provides an example of how an organisation may choose to undertake this assessment:
- Select bribery risk evaluation criteria. For example, the organisation may select a 3-tier scale such as “low”, “medium”, “high”, a more detailed 5- or 7-level scale, or another approach. The criteria will often take into account several factors, including the nature of the bribery risk, the likelihood of bribery occurring, and the magnitude of the consequences should it occur.
- Assess the bribery risks posed by the size and structure of the organisation. A small organisation based in one location with centralised management controls in the hands of a few people may be able to control its bribery risk more easily than a very large organisation with a decentralised structure operating in many locations.
- Examine the locations and sectors in which the organisation operates or anticipates operating, and assess the level of bribery risk these locations and sectors may pose. An appropriate bribery index can be used to assist in this assessment. Locations or sectors with a higher risk of bribery may be deemed by the organisation e.g. as “medium” or “high” risk, which may result in the organisation imposing a higher level of controls on its activities in those locations or sectors.
- Examine the nature, scale and complexity of the organisation’s types of activities. For example:
  - It may be easier to control bribery risk where an organisation undertakes a small manufacturing operation in one location than where an organisation is involved in numerous large construction projects in several locations.
  - Some activities may carry specific bribery risks. For example, offset arrangements by which the government of a country purchasing products or services requires the supplier to reinvest some proportion of the value of the contract in the purchasing country. The organisation should take appropriate steps to ensure that the offset arrangements do not constitute bribery.
- Examine the organisation’s existing and potential types of business associates by category, and assess the bribery risk in principle which they pose. For example:
  - The organisation may have large numbers of customers who purchase very low value products from the organisation, and who in practice pose a minimal bribery risk to the organisation. In this case the organisation may deem these customers low bribery risk, and may determine that these customers will not need to have any specific anti-bribery controls related to them. Alternatively, the organisation may deal with customers who buy very large value products from the organisation, and who may pose a significant bribery risk (e.g. the risk of demanding bribes from the organisation in return for payments, approvals etc.). These types of customers may be deemed e.g. as “medium” or “high” bribery risk, and therefore require a higher level of anti-bribery controls by the organisation.
  - Different categories of suppliers can pose different levels of bribery risk. For example, suppliers with a very large scope of work, or who may be in contact with the organisation’s clients, customers or relevant public officials, may pose a “medium” or “high” bribery risk. Some categories of suppliers may be “low” risk, e.g. suppliers based in low bribery risk locations which have no interface with public officials relevant to the transaction or the organisation’s clients or customers. Some categories of suppliers may pose a “very low” bribery risk, e.g. suppliers of low quantities of low value items, on-line purchasing services for air travel or hotels, etc. The organisation might conclude that specific anti-bribery controls do not need to be implemented in relation to these low or very low bribery risk suppliers.
  - Agents or intermediaries who interact with the organisation’s clients or public officials on behalf of the organisation are likely to pose a “medium” or “high” bribery risk, particularly if they are paid on a commission or success fee basis.
- Examine the nature and frequency of interactions with domestic or foreign public officials who can pose a bribery risk. For example, interactions with public officials responsible for issuing permits and approvals can pose a bribery risk.
- Examine applicable statutory, regulatory, contractual and professional obligations and duties, such as the prohibition or limitation of entertainment of public officials or of the use of agents.
- Consider the extent to which the organisation is able to influence or control the assessed risks.
The above bribery risk factors inter-relate. For example, suppliers in the same category may pose a differing bribery risk depending on the location in which they operate.
Having assessed the relevant bribery risks, the organisation can then determine the type and level of anti-bribery controls being applied to each risk category, and can assess whether existing controls are adequate. If not, the controls can be appropriately improved. For example, a higher level of control is likely to be implemented with respect to higher bribery risk locations and higher bribery risk categories of business associate. The organisation may determine that it is acceptable to have a low level of control over low bribery risk activities or business associates. Some of the requirements in this International Standard expressly exclude the need to apply those requirements to low bribery risk activities or business associates (although the organisation may choose to apply them if it wishes).
The organisation may change the nature of the transaction, project, activity or relationship such that the nature and extent of the bribery risk is reduced to a level that can be adequately managed by existing, enhanced or additional anti-bribery risk controls.
This bribery risk assessment exercise is not meant to be an extensive or overly complex exercise. Nor are the results of the assessment necessarily going to prove correct (e.g. a transaction assessed as low bribery risk may turn out to have involved bribery). As far as reasonably practicable, the results of the bribery risk assessment should reflect the actual bribery risks faced by the organisation. The exercise should be designed as a tool to help the organisation assess and prioritise its bribery risk, and should be regularly reviewed and revised based on changes in the organisation or its circumstances (e.g. new markets or products, legal requirements, experience gained, etc.).