How ISO 37001 Can Help Reduce Internal Corruption Risks

For senior executives, it can be difficult to walk the line between running a competitive business and enforcing strong measures to reduce the risk of bribery, fraud or corruption. Some executives have said that such illicit activity was occasionally needed to keep pace with competitors in global markets.

While ISO 37001: Anti-Bribery Management Systems should not be regarded as a silver bullet, its framework was drafted over a three-year period by business leaders from 37 countries.

As a result, it is a well-designed tool that can be applied as a stand-alone certification device, or as a blueprint to improve or strengthen integrated prevention programs a company may already have in place.

While many of the concepts are not new, ISO 37001 provides a sequential approach for “reasonable and proportionate” current-state evaluation and risk assessment, which can shape the design of anti-bribery measures.

The standard requires organizations to develop systems that address public and private bribery, active and passive bribery, direct and indirect bribery, and facilitation payments.

An organization also must establish safeguards to satisfy itself that third parties do not engage in bribery on its behalf.

Combating the growing threat of foreign bribery and corruption

Interestingly, companies that have implemented compliance programmes tend to have their greatest exposure through the parts of their business that operate in countries where anti-bribery legislation is significantly harsher, such as the US Foreign Corrupt Practices Act 1977 (FCPA) or the UK Bribery Act 2010. Given that violations of books-and-records provisions have led to enforcement actions under the FCPA over bribes paid, it is clear that a books-and-records provision also needs to be incorporated into foreign bribery legislation so that obligations under the OECD Conventions can be met.

What are the preventative measures?

What protects whistleblowers? Whistleblower protection exists, to a certain extent, in the public service, but it does not currently apply to the private sector. Although public listed companies (PLCs) have committed to improving this protection under the requirement imposed by OJK (Indonesia Financial Services Authority), enforcement may not yet be strongly in place.

The importance of robust internal control systems. The evolving perception of the threat of foreign bribery and corruption in Indonesia underscores the role that leading-practice standards play in helping organisations develop sound internal control systems. The UK Bribery Act 2010 and the FCPA resource guide outline the fundamental principles of a robust anti-bribery management system. The International Organisation for Standardisation's International Standard 37001 – Anti-bribery management systems (ISO 37001), which was issued only recently, is designed to provide a consistent framework applicable to all jurisdictions and reflects the guidance of the UK Bribery Act 2010 and the FCPA. ISO 37001 sets out comprehensive guidelines for preventing, detecting and responding to foreign bribery and corruption at both the governance and the business-operational level. An appreciation of the elements of a good anti-bribery management system under ISO 37001 builds an understanding of the potential foreign bribery and corruption risks faced by a client and, as a result, informs the design of suitable audit testing procedures.

Key advantages to ISO 37001 compliance

A careful look at the ISO standard reveals several benefits for business leaders, including:

  1. Clear language. Unlike the FCPA and the UK Bribery Act, both of which are heavy on regulatory and legal jargon and light on implementation support, ISO 37001 is written in straightforward, easy-to-follow terms, providing direction on the leadership, planning, support, operations and performance-evaluation aspects of a comprehensive anti-fraud approach.

  2. Strong direction for risk assessments. Unlike many other anti-bribery advisory materials, ISO 37001 provides significant guidance on how to design and implement a bribery risk assessment, including examples of how an organization can choose to undertake a risk assessment, how to examine an organization’s business associates by category, and how to assess the bribery risk they pose. It helps senior leaders identify and prioritize risks, which can then be matched with appropriate controls and anti-bribery resources. Overall, this guidance is straightforward and focused on sound processes that each business can tailor to its own specific issues and anti-bribery objectives.

  3. Additional operational guidance. ISO 37001 further covers the various operational parameters for an anti-bribery program, including planning, due diligence (factors for evaluation), financial and nonfinancial controls (examples of key controls), control implementation advice, the use of gifts (examples of procedures to implement) and investigations (factors to consider from inception through completion).

  4. Certification as added credibility. As an independent international standard with clear, auditable procedures, compliance with ISO 37001 can provide companies with a stronger position against corruption inquiries made by regulatory authorities.

  5. Certification as an investigational asset. Companies with a documented response strategy to fraudulent activity were more likely to initiate follow-up investigations versus firms that had no such road map. Clearly, an ISO 37001 certification can greatly enhance a company’s ability to detect and investigate these illicit acts.

  6. Competitive advantage. In a world where credible third-party validations are increasingly useful for businesses, an ISO 37001 certification may be well worth the effort.

Tips to Pursue Compliance

Conducting an internal assessment. This is an important first step, because it analyzes existing anti-fraud policies, procedures and practices against the standards prescribed in ISO 37001. This exercise, when coupled with the bribery risk assessment called out in section 4.5 of the ISO standard, will reveal any alignment gaps or critical areas of nonconformance. While this assessment can be performed by internal staff, the better choice may be a qualified third party with solid anti-fraud compliance expertise.

Making needed changes. After the internal assessment, leaders can use the findings to inform a corrective action plan. If done well, this plan should detail priorities, schedules and project owners for each identified change, with each action tied to the ISO gap or nonconformance it addresses. All of this activity is directed toward the successful creation of an anti-bribery management system.

Auditing systems for review. Once a company has aligned its processes with the ISO standard, a qualified outside auditor should be engaged to determine if the revised controls are “reasonable, proportionate and risk based.” Provided the audits demonstrate that the company has successfully achieved compliance, an ISO 37001 certification can be independently confirmed. It’s worth noting that these steps do entail additional staff and consulting costs for preparation and certification, so companies that already have a robust, proven anti-fraud program may not get the best return on an ISO 37001 investment.