ISO 37001: Training, Employee Concerns, and Internal Investigations (Part V of V)
In my final posting on ISO 37001, I review requirements for training, raising concerns and internal investigations as part of a company’s anti-bribery risk management system.
I could certainly write more on ISO 37001 because there are other issues that I have not addressed, including audits, assessments and reviews of the anti-bribery risk management system.
It is important to identify the training a company needs and tailor it to the company’s specific risk profile. Again, this is nothing new, but the specific requirements set forth in the ISO 37001 guidance put more meat on the bones of an otherwise general requirement in other guidance sources.
A company is required to provide adequate and appropriate anti-bribery awareness and training to personnel on a regular basis (at planned intervals determined by the company), as appropriate for their respective roles in the company. Such training should address, depending on the company’s risk profile, the following:
- The company’s anti-bribery policy, procedures and anti-bribery management system and their duty to comply;
- The bribery risk and damage to employees and the company that can result from bribery;
- The circumstances in which bribery can occur in relation to their duties and how to recognize them;
- How to recognize and respond to solicitations or offers of bribes;
- How they can help prevent and avoid bribery and recognize key bribery indicators;
- Their contribution to the effectiveness of the anti-bribery management system, and the benefits of improved anti-bribery performance and of reporting suspected bribery;
- The implications and potential consequences of not conforming with the anti-bribery management system;
- How and to whom to report any concerns; and
- Information on available training and resources.
A company shall also implement (directly or through the business associate) training and awareness programs for business associates that act on its behalf or for its benefit, and that could pose more than a low bribery risk.
Raising Bribery Concerns
A company is required to implement procedures to encourage and enable persons to report, in good faith or on the basis of a reasonable belief, attempted, suspected or actual bribery, or any violation of or weakness in the anti-bribery management system, to the anti-bribery compliance function or to appropriate personnel. Such reports shall be treated confidentially to protect the identity of the reporter and of others involved or referenced in the report.
The reporting system also should permit anonymous reporting, and prohibit retaliation against those making reports. Finally, the reporting system should enable personnel to receive advice from an appropriate person on what to do if faced with a concern or situation which could involve bribery.
Investigating Potential Bribery
A company is required to create an internal investigation system that assesses and, where appropriate, investigates any bribery, or violation of its anti-bribery policy or anti-bribery management system that is reported, detected or reasonably suspected.
If the investigation reveals bribery, or violation of the company’s anti-bribery policy or anti-bribery management system, the company shall take appropriate action.
The company’s internal investigation system should empower and enable investigators; require cooperation by relevant personnel; require that the status and results of the investigation are reported to the anti-bribery compliance function (and other compliance functions as appropriate); require that the investigation is carried out confidentially and the results reported confidentially; and require that the investigation be carried out by and reported to personnel who are not part of the role or function being investigated.