In 2016, a standard named ISO 37001 was published by the International Organization for Standardization (ISO). It was designed ‘to prevent, detect and address bribery’ (ISO 2016) within small, medium, and large organisations, in both the private and public sectors.

Its use has increased in recent years, with private companies such as Alstom, ENI, and Microsoft achieving ISO 37001 certification. By the end of 2019, 898 organisations had received certification from accredited bodies, mainly in Europe, Asia, and South America.42be5f6eeb2e The standard is also increasingly used within public administration: a fifth of all certifications take place in the public sector. For example, ISO 37001 is implemented within many Malaysian public administrations.

A voluntary standard to harmonise good practice

Any entity can use an ISO standard to help build and assess its management system and have that management system certified. ISO standards differ from accounting certification (a mandatory process that follows the International Standards for Auditing), as their use is on a voluntary basis, aiming to improve and harmonise good practice.

The focus here is ISO 37001, a set of requirements to define and integrate an anti-bribery management system within any organisation. Even where the standard focuses only on anti-bribery, its design relates to the integration of corruption risk management (CRM) within an organisation. We look at how the standard was drafted, as well as its requirements.

To date, development aid agencies have shown only tentative interest in ISO 37001 certification. No development donor agency has used the ISO 37001 standard for its own CRM internal processes. Yet, such agencies do promote ISO 37001 within their development programmes. In Tunisia, a UN Development Programme (UNDP) public accountability programme supported the use of the ISO 37001 standard as a benchmark for municipalities, hospitals, and customs. The results from this experience will be presented later in this paper. Also in Tunisia, the French development agency (AFD) supported the certification process of the Central Directorate for Equipment. In Ukraine, the EU Anti-Corruption Initiative trained officers from the National Anti-Corruption Bureau, which became the first Ukrainian agency certified to ISO 37001. In Africa and Asia, meanwhile, the Swedish International Development Cooperation Agency is funding ISO 37001 training.

What is the value of ISO 37001 for development aid agencies in helping them build a management system to prevent and manage corruption risks? Does ISO 37001 certification guarantee that agencies have implemented an effective anti-corruption system?

Is ISO 37001 useful and adaptable for developing countries?

ISO 37001 was designed by an international project committee. The committee included around 59 participating and observing ISO member countries, international anti-corruption experts, and some representatives of civil society organisations. Within that plurality and in a development aid perspective, it is important to question how the standard represents the vision and interests of developing countries. Will it be useful and adaptable for them? How can developing countries engage with the ISO 37001 standard?

Media attention has showcased international scandals regarding accounting certification. Good examples include Equifax (certified by EY on information security that was then breached); Enron (certified by EY and PwC for financial audits, while hiding billions dollars of debts and failures); and Lehman Brothers (certified by EY, despite its toxic assets). These cases have led to public distrust of auditing firms, questioning the validity of external certification processes. Yet, while accounting certification and ISO certification are both external certification processes, they respond to different standards and procedures. It is therefore interesting to go further than this image, to understand the framework and methodology for an external auditing process related to ISO standards. Such research develops knowledge on checking anti-bribery mechanisms and finds out what value should be given to the certification of management systems. How are ISO 37001 certification audits performed? Are they useful to support the management of corruption risks?

This study is based on interviews with officers working in the public and private sectors, and international organisations. They all had first-hand knowledge of ISO 37001, from the production of the standard to its implementation in different countries (Tunisia, Canada, and Malaysia). Interviews took place remotely in 2021, on a participatory basis. The author also carried out desk-based research of grey literature and academic publications related to ISO 37001.

The paper first presents the theoretical framework surrounding the ISO 37001 standard, as well as its design. The research then focuses on the methodology of the certification process. It considers the outcomes and outputs of this process, before providing some final conclusions and recommendations for development aid agencies. A summary of ISO 37001 requirements is presented in Annex 1.

Standardising corruption risk management

Need for an international standard

How can we develop incentives to enforce compliance with anti-corruption laws? An idea emerged from the private sector to enable any kind of organisation to communicate on the quality of its financial governance, while enhancing its reputation, credibility, and enforcing anti-bribery policies. By adopting the 37001 ISO standard and securing independent accredited certification, it would give organisations the opportunity to demonstrate probity. This was even if they were located in countries where anti-corruption enforcement was weak. With such a standard, it would not be the national legislator but the market incentivising organisations to deploy new measures to curb bribery. Consequently, market conditions and anti-corruption would level-up.

In 2010, the UK Bribery Act was enacted. It established as a criminal offence the failure of an organisation to prevent bribery. However, a defence for the organisation was that it had implemented adequate anti-bribery procedures. Consequently, efforts to develop an anti-bribery standard started. In 2011, the UK national standards body, the British Standards Institution (BSI), published the BS 10500 Anti-bribery Management System. It was designed for public and private sector organisations that wanted to implement adequate anti-bribery procedures. In 2014, ISO 19600 Standard for compliance management systems was published. Yet, this was not a certifiable requirements standard, but rather provided guidance to help an organisation implement a compliance programme. For Neill Stansbury,79b5c9696671 one of the initiators of the BS 10500 project, the only way to make a breakthrough internationally was if there was a certifiable international anti-bribery requirements standard.

Work started to develop ISO 37001 as such a standard for any type of entity. This included private companies and public administrations, but also non-governmental organisations (NGOs). In parallel, a special committee ensured coordination with the already existing ISO 19600 compliance standard. In 2016, ISO 37001 superseded the BS 10500 standard.

In 2021, ISO 19600 became the new certifiable ISO 37301 compliance standard. ISO 37301 provides a general framework for compliance with all types of laws and regulations which are applicable to an organisation. ISO 37001, by comparison, provides detailed requirements that are specific to bribery prevention. The purpose of the ISO 37001 standard is to help any organisation comply with all anti-bribery laws in all territories in which it is operating.

ISO 37001 aims at providing: ‘requirements with guidance for use for a management system designed to help an organisation to prevent, detect and respond to bribery and comply with anti-bribery laws and voluntary commitments applicable to its activities’ (ISO 2016). In other words, it provides minimum requirements and associated guidance to implement or improve an anti-bribery management system. It is a corruption risk management tool. It helps an organisation take reasonable steps to prevent, detect, and manage bribery risks.

Use of ISO 37001 can help improve the business environment, good governance, and development issues. As T. Bekri, UNDP Programme Coordinator, explains:

‘[The] current trend is the standardisation of anti-corruption responses, in line with the UN Convention against Corruption (UNCAC), but also Sustainable Development Goal 16, to build effective, accountable and inclusive institutions at all levels. Moreover, with the expansion of international trade and North–South cooperation, it is important to develop joint policies for anti-corruption. ISO 37001 is for organisations a managerial translation of this legal and institutional framework.’45e196b3e9e3

We go on now to look at how the standard was developed and how developing countries became involved.

Drafting a quality document

From 2013 to 2016, the standard was drafted by a project committee. The project committee comprised representatives from 59 countries (27 Organisation for Economic Co-operation and Development [OECD] countries and 32 non-OECD countries), with ISO experts, lawyers, anti-bribery experts, scholars, and civil society representatives. The draft process took three years and was participative and consensual:

‘All requirements stated in the main body of the standard were agreed by the participants as being essential parts of an Anti-Bribery Management System (ABMS). Where the participants believed that an action was important, but not sufficiently necessary to be a requirement, then that action was included in the guidance as a recommended action.’11e69badd94a

One interesting aspect during committee discussions was the relationship between bribery and cultural differences. According to P. Montigny, who was part of the drafting committee, ‘some delegations were quite against integrating the notion of culture and ethic; it was even a starting point to not integrate them in the document, as each country might have its own definition and sensitivity towards ethics’.3ef18b80804d Bribery is defined in the standard as the:

‘offering, promising, giving, accepting or soliciting of an undue advantage of any value (which could be financial or non-financial), directly or indirectly, and irrespective of location(s), in violation of applicable law, as an inducement or reward for a person acting or refraining from acting in relation to the performance of that person’s duties.’(ISO 2016: 2)

Accordingly, it requires the organisation to comply with the bribery laws in all territories in which it is operating. From a legal perspective, the document focuses mainly on structural aspects and disciplinary methods (as well as information and training).

At the end of the ISO 37001 drafting process, only three of the 164 ISO member countries voted against the final draft. It was adopted almost unanimously, an indication of the quality of the document.

Comprehensive set of requirements

The standard’s requirements start by looking at the context of the organisation (its legal environment, its partners, sector specificities). It also considers stakeholders’ views and concerns,as well as a corruption risk analysis to establish a ‘reasonable’ and ‘proportionate’ (ISO 2016: 2) anti-bribery management system (ABMS). The level of resources dedicated to the CRM strategy, as well as the CRM governance scheme, will be determined from the definition of objectives and this initial risk diagnostic.

The standard then focuses on the governance structure to implement the ABMS. A governing body is responsible for oversight of the ABMS, while top management ensures the ABMS is well designed and implemented. The standard then provides detail for planning and support to implement the ABMS. In particular, it focuses on implementing an appropriate anti-bribery awareness and training programme for all personnel, adequate internal and external communication on the ABMS, and dedicated documentation. It explains operational aspects, considering due diligence, financial and non-financial controls, particular procedures for partners that pose more than a low bribery risk, and specific procedures for reporting. It also details appropriate actions when bribery or a violation of the ABMS takes place. Finally, the standard develops requirements for the ABMS performance evaluation and its continual improvement.

The ISO 37001 standard is a well-structured document in terms of providing for the implementation and monitoring of an anti-bribery management system. To ensure a better understanding of the document, but also to convey information on corruption risk management, a more detailed summary of the ISO 37001 requirements is provided in Annex 1. For now, it is important to consider how those requirements can be used.

Means to check an anti-bribery management system

Identifying risk and non-conformities with indicators

When an organisation has a ABMS is in place, it might contract a third-party audit company to review and certify its accuracy. Audit organisations will check the structure and functioning of the ABMS. When the auditors assess that the ABMS conforms to ISO 37001, a three-year certificate is issued, pending the successful completion of two successive annual control audits. It is then the organisation’s responsibility to organise those annual third-party audits, generally with the same certifying organisation used previously. This means that the organisation must constantly monitor and update its anti-bribery management system. After a three-year period, a full certification process must take place again.

Auditing procedures involve document-based reviews and interviews. Auditors also use field observations to check all processes and procedures related to the ABMS. Around half of the audit time is spent on-site. During those audits, evidence is checked (e-mails, information, posting, recording, etc.). For example, the audit will check how many meetings took place on compliance and if these were enough to meet objectives. The investigation period can take from a few days for a small organisation to two or three months for large organisations.

Certifiers ensure the efficiency of the anti-bribery system. ‘There is a distinction between gross and net risk, where gross risk corresponds to the absolute risk to occur while net risk is considering the remaining risk when prevention means have been put in place. What is important is the relevance of those prevention means to diminish corruption risks’.8851bd917e67 The idea is that risk assessments call for action to be taken for all gross risks that are greater than ‘low’. This will result in all net risks being low following implementation of those actions.

The auditors check the relevance of measures; for example, they compare measures implemented by the organisation with international bribery indicators (known as ‘red flags) developed by the World Bank, the OECD, or the International Chamber of Commerce. Certifiers also check the quality of indicators. There should be a good balance between implementation indicators and indicators that measure the control and efficacy of the system. When they identify non-conformities, auditors need to understand the motives behind these. A major non-conformity indicates that the management system is unable to work properly. It is not possible to fix such a non-conformity easily during the annual cycle. A minor non-conformity, by comparison, only affects the efficiency of a measure (prevention or control).

‘Let’s imagine that an organization establishes an action plan for training and only half of the objective is achieved. Reasons will be checked: lack of dedicated resources corresponds to a major non-conformity, as it proves a lack of coherence [with objectives]; a sick leave would be a minor non-conformity.’15c18be968ef

While a major non-conformity prohibits certification, a minor non-conformity does not stop certification. Nonetheless, it must still be rectified before the next annual review.

Certifiers might face difficulties during audits. An obvious one is lack of employee availability. This could be related to resistance, especially from people who would like to keep ‘room for manoeuvre’. For example, an employee may be unwilling to implement the standard thinking it would reduce their capacity to negotiate contracts, deal with partners etc. What is more, some requirements necessitate more administrative work, paperwork, and more resources for the organisation.

Indicators and terms open to interpretation

A recurrent criticism is that ISO 37001 provides ‘no guidance on how context and judgement should be applied, except that it should be “reasonable”’ (Mohamed and Yusal Yusoff 2020: 102). Terms such as ‘appropriateness’ or ‘reasonable safeguards’ are not considered to be controllable variables, bringing doubts over the objectivity of audits. ISO 37001 certifier and anti-corruption expert François Sibille partially backs this argument:

‘It is true that ISO 37001 standard does not provide indicators to ensure that processes are efficient. References could be clearer to adopt a more operational perspective. There is some flexibility for certifiers to interpret situations. Yet, what is required by certifiers is to check the coherence of thresholds defining risk levels, if it is justified and how it is implemented.’4744c14eb658

Defining thresholds and risk levels is an inherent difficulty to any corruption risk management mechanism, not only ISO 37001. As a company representative explains,

It can from time to time be difficult to assess whether our risk is high enough to actually allocate more resources. In theory, if we actually end up in a corruption scandal, if some third party did something that we should have known about, it’s hard to know. It’s difficult to know how much to prioritize if it is not a real threat.’

Hence, context is crucial. It is uncertain and difficult to know how deep due diligence audits for third parties should be. The problem is that a universal standard such as ISO 37001 cannot bring clarity on all contextual variations. Nor can it help to define which risk is acceptable and which is not, as the perception of risk varies from one context to another. For example, favouritism in recruitment represents a corruption risk for human resources management; yet, its social acceptability and then risk evaluation may be different from one country to another.

As a way to respond to critics, it is important to present the guiding principles for certifiers (ISO 2015):

1. Conformity with rules and plans.
2. Command over situations.
3. Coherence between objectives and means.
4. Relevance between an organisation’s environment and its CRM objectives.
5. Continuous improvement to continue updating the management system.

Those five principles bring some criteria for certifiers. They may compensate for the lack of metrics within ISO 37001, due to the difficulty in assessing aspects that are not quantity but quality oriented. This shows that the anti-corruption system must be assessed according to its internal components, as well as its overall consistency. For example, if no general indicator is provided to assess the efficiency of a training, looking at its coherence with CRM objectives, the resources dedicated to it, its relevance for corruption risks, and measurements for improvement (such as the number of attendees, its review rating, etc.) is a way to ensure the training is a reasonable measure to support the ABMS.

Yet, these principles must be considered looking at the overall reliability of the certification process. This will now be discussed.

Value of certification may vary

As stated earlier, conformity assessments are based on technical rules and guidelines (ISO/IEC 17021-1 and -9). These have been developed by ISO’s Committee on Conformity Assessment (CASCO), to ensure quality and reliability in the certification process. ISO/IEC 17021-9 defines competence requirements for ABMS audit teams. It stipulates that audit teams should be knowledgeable on ABMS, bribery, bribery risks, bribery risk assessment, and anti-bribery controls, laws, regulations, and due diligence. Accordingly, elements related to bribery are well developed. For example, the audit team will have knowledge of bribery indicators (‘red flags’). Yet, the level of knowledge is not determined. Hence, this may vary from one country to another, from one organisation to another, or from one certifier to another. How can we be sure that the certification is valuable?

Not all certifications have the same value. First, there is a distinction to make between certification with or without accreditation. When an auditing firm wants to get accreditation for its certification services, it has to be accredited with ISO 17021 (this is a standard that defines requirements for bodies that provide audit and certification services). For Philippe Montigny, Founder and Former Director of ETHIC Intelligence, ‘it is a heavy process, with annual audits, participation of observers from the accreditation body during certification processes and checks on procedures. It assesses conformity of methods for certification and rules for auditing’.4483953a282d Accordingly, a certification from an accredited firm provides a much stronger assurance that standards are respected, ensuring quality in review processes.

Yet, another aspect must be considered: each country has its own accreditation body. Anti-corruption experts have confirmed that the way these bodies work may vary from one country to another. As J. P. Méan explains, ‘not all countries are equal. A certification under accreditation in France, Germany, the UK, or Switzerland is a way to minimise risks compared to a certification from a country with less demanding requirements’.020d6167b096 The standard might be universal, but its value may vary geographically according to the rigor of national accreditation bodies. A lower expertise is also likely to impact the quality of certification, as will the relevance of certification to curb bribery risks in developing states. For A. Taibi, ‘It is an issue. ISO 37001 standard would hardly be implemented within countries with less expertise and experience with ISO standards’.9a45068f4f63

An additional issue is how on-site visits take place. Certifiers work with sampling, checking the square root of premises: so, for example, when an organisation controls 16 entities, four will be audited. Under accreditation, some premises are chosen by the auditor, some may be proposed by the customer, while others are selected randomly. Sampling can be problematic for two reasons: 1) some entities of the sampling could face non-conformities but will not be controlled; and 2) organisations could reach an illegal agreement with the auditors on excluding possibly negative premises from the sample.

An addition problem is that only one part of the organisation can be certified. So the organisation may present the certification as valid for the whole organisation:

‘A bank can choose to certify its purchase department, as it is generally the most exposed to corruption. Yet, for a bank, the credit department is the one more at risk, not the purchase department. The bank will get certification for its purchase department and then communicate on its ISO 37001 certification without specifying that it was only for one department.’9fc14612654f

Yet, if this bank had incorrectly communicated that it was fully certified, the certification body should withdraw the certification immediately. If the certifying body was accredited and it did not withdraw such certification, it would lose its accreditation.

Finally, audits for certification are based on a contract between two organisations. Of course, fraud can take place. Certifiers have good anecdotes of suspect requests:

‘During an international conference on anti-corruption, the subsidiary of a big private company operating in a non-OECD country presented a “juicy” offer to get ISO 37001 certification without audits. For me, it was obviously clearly impossible. A few weeks later, that company communicated on its newly acquired ISO 37001 certification, certified by a non-accredited audit company.’7a15e81ecb6d

Yet, certifying entities stake their reputation on each contract. Requesting certified auditors from accredited firms clearly adds value to ensure that requirements for certification (impartiality, legal responsibility, and competence) (ISO 2015) are respected.

Now that the method for the verification of ABMS is clearer and its value has been discussed, a last question remains: what is ISO 37001’s potential impact?

Adding value on integrity, public administration, and development aid

Compliance versus integrity

The rationale behind the standard is to define a clear set of procedures and requirements that can be put in place within organisations and to ensure that officers comply with them. An important issue to understand is if those aspects also consider integrity. This can be defined as ‘a positive set of attitudes which foster honest and ethical behaviour and work practices’. In fact, organisational culture is quite important to the ABMS achieving efficiency. As J. P. Méan explains, ‘in Europe, the consensus is that rules-based approach does not work without considering ethical aspects and integrity culture behind it’.58c6b462855f In other words, organisations can be managed more by values than by rules. Integrity helps us ‘do the right thing’. It is particularly important in preventing bribery within public administration, as passive bribery (the act of receiving a bribe) is much more difficult to detect than active bribery.ccf2976cf513 How then is integrity considered within ISO 37001?

The standard makes references to ethical aspects, integrity, or organisational culture mainly in its introduction. Top management is required to ‘promote an appropriate anti-bribery culture within the organization’ (ISO 2016). However, the standard focuses mainly on specific measures to ensure that bribery does not take place, rather than on measures to promote ethics or culture. Yet, bribery is a much more complex issue than just conforming to rules and guidelines. It is not only about self-interest, utility-maximisation, and principal–agent problems; social aspects may provide incentives to maintain corrupt practices.

Methods based on the scrutiny of informal contexts, such as techniques to assess social norms or to understand psychological drivers of ethical behaviour, can be useful to promote norms of behaviour or to regulate relationships within an organisation and with stakeholders outside the organisation. Other compliance guides, such as the OECD Good Practice Guidance or the OECD Anti-Corruption Ethics and Compliance Handbook for business, rely on ethics and integrity to enforce compliance. Accordingly, by not linking anti-bribery directly to ethics and values, the ISO 37001 standard and its implementation may appear superficial.

Yet, on the contrary, ISO 37001 auditors consider that the standard forms the basis for developing integrity. That is, an organisational culture that enhances ethics and moral values should develop when it combines prohibition of bribery; communication, awareness, and training; bribery reporting; identification of stakeholders’ expectations; and a strong emphasis on leadership commitment. In particular, training provides the opportunity to question people’s behaviour and their expectations. Reporting mechanisms are also put in place to ensure the system is not bypassed by the leadership nor by any agent within the organisation. According to the auditors interviewed, a change in people’s behaviour and ethical practices within an organisation was noticeable over a three-year period:

‘Even in new sites that have not been checked earlier and being part of a new sampling, perception and practices towards corruption are upstanding compared to situations audited earlier in first sites.’b971c516aec6

Finally, another insightful argument refers to the capacity for management and employees to make more ethical decisions thanks to ISO 37001. With an ABMS based on ISO 37001, it is easier for employees to resist any pressure put on them by their managers or third parties to act unlawfully. Accordingly, while the primary focus of the ISO 37001 standard is to ensure compliance with anti-bribery laws and guidelines, the standard can be adapted to develop integrity within an organisation. Nonetheless, a revision of the standard should consider making more reference to the development of an anti-bribery culture within its requirements.

Use of ISO 37001 in public administration

Corruption is particularly harmful for public administration, as it directly affects trust towards public institutions and the management of public goods. Corrupt practices are likely to decline significantly if all entities, from the private to the public sectors, implement measures to curb corruption. While a lot of efforts have been directed towards the implementation of good governance measures, few public administrations, especially those in developing countries, are interested in the implementation of an anti-corruption management system. This is regardless of certification. This section discusses the potential added value of ISO 37001 in terms of managing corruption risks in the public sector. Several different examples are presented.

Malaysia provides a good example of commitment to curb corruption risks within public administration. As of the end of 2019, the country had more than 20 public administrations with ISO 37001 certification. With the support of the UNDP, the Malaysian National Centre for Governance, Integrity and Anti-Corruption is in charge of advancing the governance reform agenda in Malaysia, in particular introducing ISO 37001 on a voluntary basis within public administrations. Centre representatives recommend the introduction of ISO 37001 as a proactive confirmation of an organisation’s commitment to identifying and reducing bribery. Yet, they recommend a scaled approach, first implementing integrity pacts and CRM tools before implementing an ABMS: ‘ISO 37001 can be a contributing factor to prevent and manage corruption risks, but it is more a bonus’.63034b8f36fe ‘We urge organisations to first implement the basics and an adequate governance structure for managing corruption risks before aiming at implementing ISO 37001’.fa11392246e3

Financial costs related to ISO 37001 are another major issue when considering ISO 37001 in public administration. The cost for certification is between 10,000 and 20 000 euros. However, the main costs relate to the implementation of the anti-corruption management system, with these being proportional to the level of risk. These costs are significant for small organisations, especially those in developing countries. Accordingly, it is pointless to aim at implementing ISO 37001 in all sectors. It is much more practical and efficient to focus on CRM measures for key risk areas.

Still, the implementation of anti-corruption measures should not be analysed only as a cost but as an investment. For a public administration, improving citizens’ consent to pay taxes and trying to build a relationship of trust with the public is valuable (and not just quantitively).

In Quebec, Canada, the debate on the use of ISO 37001 within public organisations provides rich data. Montreal’s Commission on Finances and Administration did not recommend the use of ISO 37001 for the municipality. Rather, the commission emphasised that the standard did not take account of enough fraud and collusion, and provided a false feeling of security. It said the municipality already had in place various compliance mechanisms and the standard did not fit with the complexity of Montreal’s governance system.6b9e16d2088a

By comparison, Granby, a town of 70,000 inhabitants and with around 500 permanent civil servants, was the first municipality in Quebec to get ISO 37001 certification. For that municipality, ISO 37001 represented an opportunity to be proactive on corruption prevention, while also covering ethical aspects. ‘It is the organisation choosing the vision and angle to be given to the standard’.198f09222fdd The municipality has succeeded in adapting the use of the standard to its governance scheme: while the city council ensures global supervision of the functioning of the ABMS, the executive oversees running it. Moreover, a group of ambassadors and an ISO liaison committee were established to ensure top-down and bottom-up communication for, respectively, the running and monitoring of the ABMS. According to its lead implementer, the municipality is now much better equipped to raise concerns, increase awareness on integrity issues, and to ensure compliance with its values and procedures.

‘Thanks to the ABMS, we identified risks such as conflict of interests due to overlapping positions or the non-disclosure of wrongdoings. Mitigation measures have been put in place, such as a declaration of interests and an ad campaign to inform employees and citizens on the tip line [the telephone number to report abuses].’20be245dee29

In addition, ISO 37001 certification presents added value in terms of reputation, credibility, and commitment: ‘A loss of certification would represent a reputational risk for officials, as Granby’s image towards citizens is important for our representatives.’55be57a0ed54

ISO 37001 for development aid agencies

At the time of writing, no cooperation aid agency had achieved ISO 37001 certification. In fact, at the project or programme level, the structure and constraints inherent to ISO 37001 are likely to disincentivise its use. The governance structure of development projects or programmes may not correspond to ISO 37001 requirements. It would also require too many resources to adapt to those requirements, putting the programmes’ other activities at risk. Also, development projects or programmes, by their nature, are deemed to be non-permanent. Hence time constraints can be an issue. The budget necessary to deploy an ABMS for programmes and projects would also be significant, given that it will be in place for only a few years. Other guides and manuals, such as the U4 Guide to using corruption measurements and analysis tools for development programming or the U4 Issue on the basics of corruption risk management, are much better adapted to meet programme needs to manage corruption risks.

Despite this, the ISO 37001 standard can provide a good reference point for a development agency to implement or improve an anti-bribery management system at the headquarters level. This might involve a whole system or focus instead on particular aspects of the ABMS. The standard’s requirements to assess organisational context, its focus on the commitment of senior leaders, and its distribution of responsibilities within the organisation (distinguishing oversight and executive roles) all provide good guidelines to introduce an ABMS. Its planning and operational aspects also add value to streamline CRM processes along the value chain. This could involve incorporating reasonable and proportionate procedures throughout the organisation and its activities to control corruption risks.

The standard could also be introduced into multi-stakeholder initiatives or public–private partnerships supported by development aid agencies. For example, GIZ started the develoPPP.de project, which allows EU-registered companies to partner with GIZ, with both parties providing funds and expertise. ISO 37001 could be a useful tool to ensure that such partnerships comply with anti-bribery requirements. Second, the standard could be used by development aid agencies to check the quality of anti-bribery mechanisms for pooled funds, such as the Maritime Anti-Corruption Network, or in blended finance schemes. Moreover, cooperation agencies could use the standard as a reference for their third-party due diligence investigations of anti-corruption, assessing corruption risks in their projects, partnerships, and activities. The structure of the standard offers a way to establish a valid checklist on key aspects to consider in this area. This could be useful for development aid agencies when they use cash transfers or provide core support to NGOs.

Another aspect to contemplate is the use of ISO 37001 within the implementation plan of development programmes. While it would be impossible to cover the interests for each sector, the short case study below shows one example of how ISO 37001 was used in a UNDP good governance programme in Tunisia:

According to this case study, results from the use of ISO 37001 within an implementation plan may be contradictory. On the one hand, the standard can legitimise and frame reforms to support capacity building for organisations in a progressive manner. On the other, ISO 37001 is not well adapted to certain working conditions, in particular when quick and visible changes are needed. Yet, it can be kept as a reference point, which may be its main strength.

The relevance of ISO 37001 for development aid agencies

The ISO 37001 standard is a tool that can help an organisation implement a complete anti-bribery management system. As the standard aims to enhance compliance within an organisation, ISO 37001 also helps uncover and limit the risk of bribery. One important characteristic is its certifiability. This means it can be used by organisations to communicate on the quality of their anti-bribery programme, their revenues, and spending. It demonstrates commitment from top management and employees to maintain that certification.

The ISO 37001 standard may be of more limited use to development programmes and projects. This is because it is not adapted to time constraints, budget considerations, or the governance structure of development projects or programmes. Accordingly, development aid agencies are likely to be less interested in fully implementing the standard to manage risk in their programmes nor in achieving ISO 37001 certification.

Nonetheless, the standard is useful as a benchmark to develop an ABMS at headquarters or to improve parts of such a system. Especially helpful might be the standard’s focus on communication and training, its capacity to distinguish the role of all stakeholders, and its attention to the commitment of top leaders. It provides a comprehensive framework to ensure the efficiency of procedures and capacities to manage corruption risks. In particular, the standard can be useful for aid agencies to improve due diligence operations when using cash transfers or core support to NGOs; or to improve the anti-bribery management system of a multi-stakeholder partnership.

Development programmes have limited interest in including the standard in their implementation plans. This is because they often need to demonstrate tangible – but not too costly – outcomes that can be achieved fast, which ABMS is not designed to attain.

In most developing countries, there are fewer positive effects of ISO 37001 in terms of curbing bribery risks. This is because there is less expertise for certification and the low diffusion of the standard might reduce developing states’ capacity to catch up with developed countries in this area. This trend is not likely to change any time soon. The costs for implementing an ABMS are too high for the majority of developing country organisations compared to the benefits. And yet, the introduction of anti-bribery management systems within private organisations, as well as NGOs and the public sector, would help prevent corruption risks and curb corrupt practices.

Finally, the wide range and complexity of different bribery risks makes it impossible to define standard thresholds which could apply to all circumstances. Accordingly, ISO 37001 does not provide indicators to ease risk identification and evaluation. What is more, the complexity of bribery risks is not fully accounted for by the standard. ISO 37001 is also based on a legal approach and does not adequately promote a culture of integrity within organisations. Despite this, the standard is adaptable and could be extended to ethical aspects. Additionally, it provides a reference to establish a compliance framework, a summary of the best tools available for bribery risk management.

Recommendations for development aid agencies

• The ISO 37001 certification process is of only limited interest to development aid agencies. Nor is the standard particularly useful for the implementation plans of development programmes.
• However, aid agencies can use ISO 37001 as a benchmark to implement an entire or parts of an anti-bribery management system at the headquarters level. They can also use it to improve their own anti-corruption strategy or as a check list for due diligence operations.
• Development aid agencies could also recommend the introduction of the ISO 37001 standard to pooled funds, multi-stakeholder partnerships, or blended finance mechanisms they are involved in to ensure proper management of bribery risks. If a permanent multi-stakeholder partnership is evolving in an environment that presents significant bribery risks, ISO 37001 certification with accreditation could add value.

Annex 1: Summary of ISO 37001 requirements

1) Context of the organisation

An organisation needs first to examine its internal and external context, to determine the objectives and the parameters of its anti-bribery management system (ABMS). This includes the size and structure of the organisation, its partners, its legal environment, etc. The ABMS design, its scope, and boundaries should align with the needs and expectations of stakeholders.

Once the organisation has determined the design of the ABMS, it should perform a risk analysis to identify and assess existing risks to the organisation. Based on the context of the organisation and integrating this risk analysis, the organisation can establish a ‘reasonable’ and ‘proportionate’ (ISO 2016) ABMS.

The organisation should undertake regular bribery risk assessments to identify, analyse, assess, and prioritise those risks. This will also ensure that the organisation has the capacity to mitigate assessed bribery risks.

The criteria for evaluating risk levels should consider the organisation's policies and objectives.

The organisation should document all processes in the design, implementation, and running of the ABMS.

2) The role of the leadership

The standard clearly distinguishes roles within the organisation. The governing body is responsible for oversight of the ABMS, by approving the ABMS and the anti-bribery policy; ensuring that enough resources are dedicated to the ABMS; and reviewing information on operations. Top management ensures the ABMS is well designed and well implemented. It should take measures to contribute to the system’s effectiveness, not only materially but also via an ‘appropriate anti-bribery culture within the organisation’ (ISO 2016: 8).

Top management should ‘demonstrate its leadership in preventing and detecting bribery’ (ISO 2016: 8) and by encouraging reporting measures, as well as safeguards for personnel who report breaches.

3) Planning

Planning is based on the context of the organisation, the needs and expectations of stakeholders, the requirements for bribery risk assessment, as well as opportunities for improvement.

Good planning considers objectives, actions and resources needed, different levels of responsibility, the reporting and evaluation of results, and a strategy for sanctions and penalties.

The organisation should also plan actions to address bribery risks and to evaluate the effectiveness of those actions.

4) Support to enhance the implementation process

The organisation should appoint enough competent persons to ensure the performance of the ABMS. Personnel throughout the organisation should know about anti-corruption policies and comply with the ABMS. The organisation should put in place a disciplinary system to ensure compliance.

For all positions exposed to more than a low bribery risk, the organisation should review incentivising elements to prevent bribery risks and conduct due diligence on new employees. An anti-bribery compliance declaration is required for any persons at risk, including top management and the governing body.

The organisation should implement an appropriate anti-bribery awareness and training programme for all personnel. This will be updated regularly, providing knowledge on the ABMS, bribery and bribery risks, prevention, etc. When necessary, training shall be opened to partners and stakeholders.

Internal and external communications should be relevant to the anti-bribery management system, considering who, how, when, and what will be communicated. Moreover, the anti-bribery policy should be communicated well, internally but also externally, to partners facing at least a low bribery risk.

Documented information on the ABMS is required to ensure its effectiveness. The organisation should control this information, to ensure its suitability, availability, and adequate security (to ensure confidentiality, integrity, and proper use). Distribution, access, storage and preservation, and control of changes are all aspects to consider.

5) Operational aspects

The organisation should put processes in place to meet ABMS requirements, with specific criteria and corresponding control mechanisms. It should plan any necessary changes, and review their consequences (with mitigation actions in case of adverse effects).

Where a bribery risk assessment has measured more than a low bribery risk, due diligence should take place for corresponding categories of transactions, projects, or activities, and for relationships with partners as well as the personnel concerned. This due diligence is a way to collect data on specific bribery risks; it should be regularly updated.

The organisation should implement financial and non-financial controls to manage bribery risks. This could be, for example, in procurement, human resources, legal and regulatory activities, etc.

All entities under the control of the organisation (such as subsidiaries, branches, divisions) should implement processes related to the ABMS. This should be in addition to their own anti-bribery controls (so long as these are reasonable and proportionate to the bribery risks the controlled entity faces).

For partners and entities not controlled by the organisation and facing more than a low bribery risk, the organisation should check the adequacy of their anti-bribery controls. If their controls are not adequate, the organisation should require its partners to put in place anti-bribery controls for activities related to the organisation. When this is not possible, then the organisation should report this in its bribery risk evaluation. It should also determine how such risks will be managed.

The organisation should have procedures in place for partners posing more than a low bribery risk. Examples include a commitment by that partner to prevent bribery or the termination of the relationship in the event of bribery. Moreover, when bribery risks related to partners cannot be managed by existing anti-bribery controls and it is not possible to upgrade the controls or otherwise reduce the risks, then the organisation should terminate or suspend the project or relationship as soon as practicable. If a new proposal emerges where the bribery risks cannot be suitably controlled, this should be declined or postponed.

In relation to gifts, hospitality, donations, and similar benefits, the organisation should implement procedures to prevent the offering, provision, or acceptance of those benefits when it ‘could reasonably be perceived as bribery’ (ISO 2016: 39).

The organisation should implement specific procedures for raising concerns, allowing anonymous reporting. It should also ensure confidentiality, protect whistle-blowers, encourage reporting in good faith, and enable personnel to get help when involved in a situation of bribery. All personnel should be aware of reporting procedures and how to use them; each employee should be aware of their rights and protections.

There should be procedures for assessing and taking appropriate action when bribery or a violation of the ABMS and/or the anti-bribery policy is reasonably suspected, reported, or detected. Procedures should ensure the effective work of investigators, as well as the cooperation of relevant personnel within investigations. The organisation should ensure the confidentiality of investigations and their results. Processes should ensure that the status and results of investigations are reported to the anti-bribery compliance function and related functions.

6) Performance evaluation

The organisation should determine: who is responsible for monitoring; what needs to be monitored; with what means (methods, measurement, analysis, evaluation); when monitoring should be performed; when the results will be analysed; and ‘to whom and how such information shall be reported’ (ISO 2016: 19). Appropriate documented information should be available to review the effectiveness and efficiency of the ABMS (and its monitoring and evaluation process).

Regular audits should take place, to ensure that the ABMS is effectively implemented and that the organisation is compliant with ABMS requirements. These audits should be performed by competent and impartial auditors. Audit results should be communicated to top management, the governing body, and the ABMS functions. Audits should be planned, defining the criteria and scope for each one. Audits should be reasonable, proportionate, and risk based. They should be used to review procedures, controls, and systems related to bribery risks, violations of the ABMS or the anti-corruption policy, as well as weaknesses of the ABMS.

To ensure objectivity and impartiality of audits, an independent person or a third party should be established or appointed for this process.

The anti-bribery compliance function should continuously assess whether the ABMS is well implemented and adequate to manage bribery risks. Audit and investigation reports should be made available to the governing body and top management, on a regular basis (at least once a year). ABMS performance should also be reviewed regularly by top management, considering non-conformities and corrective actions, audit results, the monitoring and evaluation process, reports of bribery, investigations, the nature of bribery risks and actions to address them, as well as opportunities for improvement. The governing body should be informed of the result of these reviews and should produce its own periodic assessment of the ABMS.

7) Corrective action and continual improvement

When a non-conformity (a breach of the ABMS) occurs, the organisation should quickly take action to control and correct the non-conformity and deal with its consequences. Corrective actions should be proportionate to non-conformities.

Based on documentation, a review of the effectiveness of any corrective action will then need to take place. Procedures should be in place to ensure that the organisation reviews the case, determines causes for non-conformity, and checks if similar cases might occur. Where necessary, appropriate changes in the ABMS should be made.The suitability, adequacy, and effectiveness of the ABMS should be continually improved.

Informative annexes also provide guidance on the use of the document.