ISO 37001: Risk Assessments, Employees, and Due Diligence Requirements (Part IV of V)
In Part IV of my series on ISO 37001, I examine requirements relating to risk assessments, design of policies and procedures, and due diligence requirements.
Section 4.5 sets out requirements for conducting risk assessments. ISO 37001 requires companies to conduct regular risk assessments in order to identify the bribery risks the company might reasonably anticipate; analyze, assess and prioritize the identified bribery risks; and evaluate the company’s existing controls to mitigate the assessed risks. A company is required to review the risk assessment on a regular basis so that changes and new information can be properly assessed or in the event of a significant change to the structure or activities of the company.
Under Section 6.1, a company is required to design an anti-bribery risk management system that can provide reasonable assurance that the system can achieve its objectives.
Section 6.2 requires a company’s risk management system has to be: measurable; tailored to the company’s risk profile; monitored; communicated internally and externally; and updated as appropriate.
Section 7.1 requires that a company shall determine and provide the resources needed to establish, implement, maintain, and improve its anti-bribery management system.
Employees and Conflicts of Interest
Under Section 7.2, a company must ensure that its employees whose activities may impact its anti-bribery performance are competent on the basis of education, training and experience.
With respect to its employment procedures, companies are required to implement procedures to ensure that: as a condition of employment, all employees must comply with the company’s anti-bribery policy and risk management system; personnel receive a copy of the company’s anti-bribery policy and attend training in relation to the policy; personnel are subject to discipline for violating the company’s policy; and employees are not subjected to any form of retaliation for reporting suspected violations or raising concerns.
Significantly, a company is required to conduct due diligence of prospective employees before they are employed or existing employees that may be transferred to positions in which they may face anti-bribery risks to determine that it is reasonable to believe that such employees will comply with the company’s anti-bribery requirements.
The Illustrative Guidance includes suggested steps prior to hiring, depending on the persons’ proposed functions, including:
- Discussing the company’s anti-bribery policy during the interview process and confirm that the prospective employee understands and accepts such a policy; and
- Taking reasonable steps to: (i) verify the prospective employee’s qualifications; (ii) obtain satisfactory references from a prospective employee’s previous employers; (iii) determine whether prospective employee has been involved in bribery; (iv) verify that the prospective employee is not being offered employment in return for improperly favoring the company while working for another company; (v) verify that the prospective employee is being offered a position in order to favor the company; and (vi) verifying the prospective employee’s relationships with public officials.
As an additional requirement, the company is required to review periodically its performance bonuses, targets and other incentives to verify that there are reasonable safeguards to prevent incentives that encourage bribery. The Illustrative Guidance also notes that personnel evaluations, promotions, bonuses and other rewards could be used as incentives for personnel to act in accordance with the company’s anti-bribery policy and management system. Conversely, the Illustrative Guidance notes that companies should inform personnel of the consequences of violating its anti-bribery policy and anti-bribery management system.
The Illustrative Guidance includes discussion of conflicts of interest and suggests that companies identify and evaluate the risk of internal and external conflicts of interest. Such conflicts may create incentives for an employee to facilitate bribery or fail to prevent or report bribery.
ISO 37001 sets out an interesting approach to due diligence and relationships with business associates. Interestingly, ISO 37001 permits exclusion of low risk transactions, business associate classifications (e.g. low spend vendors or suppliers) specific business associates or employees. Under Section 8.2, a company shall assess the nature of the bribery risks in relation to specific transactions, projects, activities, business associates and personnel, and shall be updated at a defined frequency, so that new information can be taken into account.
For each business associate with more than a low bribery risk, a company must assess the business associates’ anti-bribery risk management system and require the business associate to implement adequate controls. Additionally, the company must secure the right to terminate the relationship with the business associate in the event that the business associate engages in bribery.