ISO 37001: Board, Top Management and Anti-Bribery Compliance Responsibilities (Part III of V)
In Part III of my continuing series on ISO 37001, today I examine the board and top management’s respective responsibilities in the implementation and oversight of an anti-bribery management system.
ISO 37001 defines a “governing body” (for example, a supervisory board or a board committee) as the group with ultimate responsibility for the company’s activities and governance, including the policies of its anti-bribery management system. “Top management” is responsible for reporting to the governing body and is held accountable for its responsibilities in implementing the company’s anti-bribery management system. A person or group of persons responsible for the operation of the anti-bribery management system carries out the anti-bribery compliance function.
The company’s anti-bribery management system shall include measures designed to identify and evaluate the risk of, and to prevent, detect and respond to, bribery.
Under Section 5 of ISO 37001, the roles and responsibilities of each constituency are outlined. While many of these appear to restate existing practices, the standards themselves create specific obligations for compliance program actors.
The governing body “shall demonstrate leadership and commitment” to the company’s anti-bribery management system by: approving the company’s anti-bribery policy; ensuring that the strategy and policy are aligned; receiving and reviewing information, at planned intervals, about the operation of the anti-bribery management system; requiring assignment of adequate and appropriate resources to the compliance program; and exercising reasonable oversight of the company’s anti-bribery management system.
ISO 37001 requires that top management shall “demonstrate leadership and commitment” to the company’s anti-bribery management system by:
- ensuring that the program is established, implemented, maintained and reviewed to address the company’s bribery risks;
- deploying adequate and appropriate resources to operate the system;
- communicating internally and externally concerning the anti-bribery management system;
- emphasizing the importance of the anti-bribery management system to internal audiences;
- ensuring the system is appropriately designed to achieve its objectives;
- directing and supporting personnel to contribute to the effectiveness of the system;
- promoting an appropriate anti-bribery culture;
- promoting continual improvement;
- supporting other relevant management roles to demonstrate leadership in preventing and detecting bribery as it applies to their areas of responsibility;
- encouraging the reporting of suspected and actual bribery;
- ensuring that no personnel suffer retaliation, discrimination or disciplinary action for reports made in good faith or on the basis of a reasonable belief of a violation, or for refusing to engage in bribery; and
- reporting to the governing body, at planned intervals, on the operation of the management system and any allegations of serious or systemic bribery.
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated throughout the organization. Managers at every level are responsible for ensuring that anti-bribery management system requirements are complied with in their department or function.
The anti-bribery compliance function shall possess the responsibility and authority for:
- overseeing the design and implementation of the anti-bribery management system by the company;
- providing advice and guidance to personnel on the management system and issues relating to bribery;
- ensuring that the anti-bribery management system conforms to the requirements of ISO 37001;
- reporting to the governing body and top management as appropriate;
- maintaining direct and prompt access to the governing body and top management if any issues or concerns need to be raised; and
- ensuring that the anti-bribery risk management system is adequately resourced and assigned to person(s) who have the appropriate competence, status, authority and independence.
Section 9.3 of ISO 37001 sets out review requirements for top management, the governing body and the compliance function person(s).
Top management is required to review the anti-bribery management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. A specific list of subject areas is included for such reviews. The governing body is required to conduct periodic reviews of the anti-bribery management system. The responsible anti-bribery compliance function is required to “assess on a continual basis” whether the system is adequate and effectively implemented. The anti-bribery compliance function shall report to top management and the governing body at planned intervals and on an ad hoc basis, as appropriate but at least annually. Each constituency is required to document its review process, the results of its review and specific follow-up actions.
ISO 37001 includes a lengthy Informative Guidance as an annex to the document. The Informative Guidance contains important additions and suggestions in each of the topic areas and addresses some other issues as well (e.g., the prohibition of facilitation payments).
ISO 37001’s Informative Guidance directs that the governing body should be “knowledgeable about the content and operation of the management system,” and “should exercise reasonable oversight with respect to the adequacy, effectiveness and implementation of the management system.” Further, the governing board “should regularly receive information [directly from the anti-bribery compliance function] regarding the performance of the management system through the management review process.”
The anti-bribery compliance function must be staffed by individual(s) who have the appropriate “competence, status, authority and independence.” In addition, the anti-bribery compliance function should have direct access to top management and the governing body to communicate relevant information. In other words, the anti-bribery compliance function should not report to another manager who, in turn, reports to top management or the governing body.