An overview of ISO Anti-bribery management system standard WORKSHOP

Transcription

1 Committee o Ati-Corruptio (CAC) Lima, Peru 2016 A overview of ISO Ati-bribery maagemet system stadard WORKSHOP Marti Mauhwa & Jaime Satamaria [07 December 2016] 2016 GIACC 1

2 Subjects to be covered 1. What is ISO 37001? This sectio looks at: The chages to the iteratioal legal ad ethical eviromet which have led to ISO How ISO was developed The purpose ad scope of ISO The beefits of ISO Implemetig ISO This sectio looks at: The decisio to implemet ISO The requiremets of ISO GIACC 2

3 What is ISO 37001? 2016 GIACC 3

4 Bribery is a sigificat busiess risk Bribery is widely ackowledged as a sigificat busiess risk i may coutries ad sectors. Previously, bribery has i may cases bee tolerated as a ecessary part of doig busiess. Now, icreasig awareess of the damage caused by bribery to coutries, orgaizatios ad idividuals has resulted i calls at iteratioal ad atioal level for effective actio to be take to prevet bribery GIACC 4

5 Iteratioal treaties May iteratioal treaties have bee siged durig the last 20 years requirig member states to implemet ati-bribery laws ad procedures: Most iteratioally sigificat: The Uited Natios Covetio agaist Corruptio (2003) The OECD Covetio o Combatig Bribery of Foreig Public Officials i Iteratioal Busiess Trasactios (1999) GIACC 5

6 Laws Most coutries have chaged their laws i accordace with treaty requiremets. Bribery ad other corruptio offeces are therefore crimes worldwide. All OECD coutries have ow made it a crime for their atioals ad orgaizatios to bribe overseas. As a result, a perso or orgaizatio may be liable for bribery both: I the coutry where the bribery took place; ad I the perso or orgaizatio s home coutry GIACC 6

7 Prosecutio Prosecutio agecies worldwide are ow startig to ivestigate ad prosecute compaies ad idividuals for bribery. There have bee may recet major cases GIACC 7

8 Corporate ati-bribery programme (1) While good laws ad eforcemet are vital, it is also importat that orgaizatios implemet ati-bribery measures. Bribery prevetio is icreasigly see as a maagemet issue. Good maagemet i govermet, i compaies ad o projects ca materially reduce bribery. Bribery prevetio should be treated i a similar maer to safety, quality ad evirometal maagemet GIACC 8

9 Corporate ati-bribery programme (2) Sigificat umber of orgaizatios iteratioally have respoded to the chagig legal ad ethical eviromet by implemetig atibribery maagemet systems withi their orgaizatios. Ethical orgaizatios also eed to esure that their parters ad supply chai implemet appropriate cotrols. Govermet departmets, fuders, ad compaies should all adopt ati-bribery measures withi their orgaizatio GIACC 9

10 BS Orgaizatios are ow requirig proof that their ow orgaizatio, ad their cliets, agets, joit veture parters, ad major subcotractors, suppliers ad cosultats have implemeted adequate ati-bribery measures. This led to a call for a stadard which provides miimum requiremets ad allows idepedet verificatio. This led to developmet of British Stadard BS Specificatio for ati-bribery maagemet system. Published BS successfully adopted by umerous compaies. May are ow certified to it o a similar basis to IS ad GIACC 10

11 Developmet of ISO 37001(1) ISO i 2013 established a Project Committee to publish a ew ISO ati-bribery maagemet system stadard, ISO Participatig coutries (37): Australia, Austria, Brazil, Cameroo, Caada, Chia, Colombia, Croatia, Czech Republic, Demark, Ecuador, Egypt, Frace, Germay, Guatemala, Idia, Iraq, Israel, Keya, Lebao, Malaysia, Mauritius, Mexico, Morocco, Nigeria, Norway, Pakista, Saudi Arabia, Serbia, Sigapore, Spai, Swede, Switzerlad, Tuisia, UK, USA, Zambia. Observig coutries (22): Argetia, Armeia, Bulgaria, Chile, Cyprus, Cote d Ivoire, Filad, Hog Kog, Hugary, Italy, Japa, Korea, Lithuaia, Macau, Mogolia, Netherlads, New Zealad, Polad, Portugal, Russia, Thailad, Uruguay GIACC 11

12 Developmet of ISO 37001(2) Liaiso orgaizatios (8): ASIS, Europea Costructio Idustry Federatio (FIEC), Idepedet Iteratioal orgaizatio for Certificatio (IIOC), Iteratioal Federatio of Cosultig Egieers (FIDIC), IQNet, OECD, Trasparecy Iteratioal, World Federatio of Egieerig orgaizatios (WFEO). Committee Secretariat ad Chair: UK GIACC 12

13 Developmet of ISO 37001(3) First draft of ISO based o cotet of BS merged ito ISO stadard maagemet systems template. Uses same template as ISO 9001 ad 14001, so is cosistet with these stadards. The drafts were circulated for iteratioal commet, ad were modified at six iteratioal draftig meetigs over three years to take accout of iteratioal commets. Over 80 experts from over 20 coutries participated i these meetigs, which were held i Lodo, Madrid, Miami, Paris, Kuala Lumpur ad Mexico City. Decisios o text made by cosesus of participatig coutries GIACC 13

14 Developmet of ISO 37001(4) ISO was published o 15 th October ISO replaces BS Is a Type A requiremets stadard, so ca be idepedetly certified. Cotais supportig guidace to help with implemetatio. Focuses o bribery, but ca be expaded to iclude other corruptio offeces GIACC 14

15 Purpose ad scope of ISO (1) ISO is iteded to help a orgaizatio to implemet a effective ati-bribery maagemet system. It requires orgaizatios to implemet various ati-bribery measures i a reasoable ad proportioate maer accordig to the type ad size of the orgaizatio, ad the ature ad extet of bribery risks faced. Requiremets of iteratioally recogised good practice are take ito accout. It is applicable to small, medium ad large orgaizatios i the public, private ad volutary sectors GIACC 15

16 Purpose ad scope of ISO (2) ISO caot provide absolute assurace that o bribery will take place i relatio to a orgaizatio. But it ca help establish that the orgaizatio has implemeted reasoable ad proportioate measures desiged to prevet bribery. orgaizatio ca obtai certificatio to ISO i a similar way to obtaiig certificatio to 9001ad Provides assurace to owers, directors, employees ad busiess associates that orgaizatio is takig steps to prevet bribery. Ca be used as project pre-qualificatio requiremet. Ca ehace orgaizatio s reputatio GIACC 16

17 Cost of Certificatio Cost of certificatio is likely to vary accordig to the size of the orgaizatio (which is the same as with e.g. ISO 9001). Cost is ulikely to be a competitive disadvatage. Likely to be a advatage if: a procurig etity requires all its bidders to be certified to ISO 37001; or additioal poits give i the procuremet evaluatio for evidece of ati-bribery policies. Cost of implemetig system likely to be miimal whe compared to loss ad damage which could be suffered by orgaizatio which gets ivolved i bribery. System ca help prevet loss GIACC 17

18 Outcome ISO caot provide absolute assurace that o bribery will occur. But ca help establish that orgaizatio has implemeted reasoable ad proportioate ati-bribery measures. The risk of bribery is reduced ad the playig field is levelled for orgaizatios if certificatio to ISO is a project prequalificatio requiremet. The risk of corrupt or egliget certificatio is reduced by the use of major, well kow, accredited iteratioal certifiers. The publicatio ad use of ISO is therefore a major step forward i the fight agaist bribery GIACC 18

19 Implemetig ISO GIACC 19

20 Geeral priciples (1) ISO specifies various ati-bribery policies ad procedures which a orgaizatio must implemet to assist it prevet bribery, ad idetify ad deal with ay bribery which does occur. A orgaizatio is oly compliat with ISO if it has implemeted all of the required measures. However, these measures should be implemeted by the orgaizatio i a reasoable ad proportioate maer accordig to the type ad size of the orgaizatio, ad the ature ad extet of bribery risks it faces GIACC 20

21 Geeral priciples (2) A orgaizatio caot achieve compliace with ISO just by tickig boxes. It requires: The developmet of policies ad procedures desiged to prevet bribery. The geuie commitmet of the orgaizatio s top maagemet to make the system work. The effective implemetatio of these policies ad procedures by the orgaizatio. Moitorig ad review by the orgaizatio of the effectiveess of these policies ad procedures. Cotiual improvemet of the policies ad procedures to esure their effectiveess GIACC 21

22 The methodology used i these slides The followig slides examie the differet requiremets of ISO which eed to be plaed, desiged ad implemeted. The key requiremets of ISO are icluded i summary form i the followig slides i red text. GIACC commets o the relevat requiremets are icluded i blue text. Cross refereces to the relevat ISO clause umber ad to GIACC s free o-lie guidace materials are cotaied i grey text. Refereces to ABMS mea a ISO compliat ati-bribery maagemet system GIACC 22

23 ISO restrictios NOTE: Ay orgaizatio implemetig ISO 37001: must purchase its ow copy of ISO from ISO s web-site*; ad should rely o the full text of ISO 37001, ot o the summary i these slides. * Cost = 158 Swiss Fracs 2016 GIACC 23

24 Decisio to implemet the ABMS The orgaizatio s goverig body or top maagemet must take the decisio whether to implemet a ABMS. I makig this decisio it will cosider: Does the orgaizatio face bribery risk, ad what are the possible cosequeces of this risk? Should the orgaizatio implemet a ABMS i order to maage this risk? What are the costs ad beefits to the orgaizatio of implemetig a ABMS? 2016 GIACC 24

25 Who should lead implemetatio If the orgaizatio decides to implemet a ABMS, the orgaizatio s goverig body or top maagemet must appoit a appropriate perso(s) to lead the desig ad implemetatio of the ABMS. I makig this decisio it will cosider: Who is the appropriate perso(s). This perso must have the authority ad commitmet to be able to do so effectively. What support this perso(s) eeds. This could iclude supportig persoel, expert outside advice, ad resources (office, computers etc.) GIACC 25

26 Plaig ad desigig the ABMS Before the ABMS ca be implemeted, it eeds to be plaed ad desiged. This icludes the followig steps: Determiig what ati-bribery laws are applicable. Determiig what types of bribery the ABMS should be desiged to prevet. Uderstadig the ature of the orgaizatio ad its activities. Uderstadig the orgaizatio s stakeholder requiremets. Assessig the bribery risks faced by the orgaizatio. Determiig the scope ad objectives of the ABMS. Plaig ad desigig the ecessary ati-bribery cotrols (these are listed i the followig slides) GIACC 26

27 Ati-bribery policy (1) The orgaizatio shall establish a ati-bribery policy that: prohibits bribery; requires compliace with applicable ati-bribery laws; requires compliace with the ABMS. The ati-bribery policy commits the orgaizatio, its persoel ad relevat busiess associates to avoid bribery ad to comply with the ABMS. The policy shall be approved by the goverig body (or by top maagemet if o separate goverig body (5.1.1 a)) GIACC 27

28 Ati-bribery policy (2) Persoel shall be required by their coditios of employmet to comply with the policy ( a)). More tha low bribery risk persoel must sig a cofirmatio of compliace with the ati-bribery policy ( c)). The orgaizatio shall where practicable require its more tha low bribery risk busiess associates (suppliers, sub-cotractors, cosultats, agets etc.) to commit to prevet bribery (8.6). The ati-bribery policy shall be published through the orgaizatio s iteral ad exteral commuicatio chaels (7.4.2). ISO 37001: Clause GIACC 28

29 Leadership ad resposibility (L&R) (1) Resposibility for implemetig ad complyig with the ati-bribery policy ad ABMS are specifically allocated betwee: goverig body; top maagemet; compliace fuctio; maagers; persoel. Uder this allocated structure of compliace, it is ot possible for a actio to occur which is o-oe s maagemet resposibility. ISO 37001: Clauses 5.1 ad GIACC 29

30 L&R (2) Goverig body/top maagemet (1) The orgaisatio s goverig body shall: approve the ati-bribery policy; review the cotet of the ABMS; exercise reasoable oversight over the implemetatio ad effectiveess of the ABMS. The orgaisatio s top maagemet shall: have overall resposibility for the implemetatio of, ad compliace with, the ABMS; esure that resposibilities for relevat roles are assiged ad commuicated throughout the orgaizatio GIACC 30

31 L&R (3) Goverig body/top maagemet (2) The ati-bribery policy ad ABMS must be supported by ad led from the top. The goverig body ad top maagemet are ultimately resposible for the success of the programme. ISO distiguishes betwee goverig body (o-executive supervisory body (e.g. board of directors)) ad top maagemet (executive body) (e.g. chief executive)). The goverig body is resposible for approvig ad supervisig the ABMS (5.1.1), ad top maagemet for implemetig it (5.1.2). If the orgaizatio does ot have two separate bodies, the top maagemet will fulfil the obligatios allocated both to the goverig body ad top maagemet GIACC 31

32 L&R (4) Compliace fuctio (1) Top maagemet shall assig to a ati-bribery compliace fuctio the resposibility ad authority for: overseeig desig ad implemetatio of the ABMS; providig advice ad guidace to persoel o the ABMS ad issues relatig to bribery; esurig that the ABMS coforms to the requiremets of ISO The ati-bribery compliace fuctio shall be adequately resourced ad be assiged to perso(s) who have appropriate competece, status, authority ad idepedece GIACC 32

33 L&R (5) Compliace fuctio (2) The compliace fuctio shall have direct ad prompt access to the goverig body ad top maagemet i the evet that ay cocer eeds to be raised i relatio to bribery or the ABMS. I a large orgaizatio, the compliace fuctio may be several people. I a medium size orgaizatio, it may be oe perso full time. I a smaller orgaizatio, it may be oe perso part time, who combies the compliace fuctio with other fuctios. ISO 37001: Clause GIACC 33

34 L&R (6) Maagers ad persoel Maagers at every level shall be resposible for requirig that the ABMS requiremets are applied ad complied with i their departmet or fuctio. All persoel shall be resposible for uderstadig, complyig with ad applyig the ABMS requiremets, as they relate to their role i the orgaizatio. ISO 37001: Clause GIACC 34

35 L&R (7) Delegatio of decisios (1) Where top maagemet delegates to persoel the authority for makig decisios i relatio to which there is more tha a low risk of bribery, the orgaizatio shall esure that cotrols are i place which require that the decisio process ad the level of authority of the decisio-maker(s) are: appropriate to the level of bribery risk free of actual or potetial coflicts of iterest. There are three elemets to this process: Seiority of decisio maker Number of decisio makers Absece of coflict of iterest i relatio to decisio makers 2016 GIACC 35

36 L&R (8) Delegatio of decisios (2) The orgaizatio ca develop a decisio matrix, which grades decisios accordig to bribery risk. This matrix may also take accout of other risks, such as techical cotractual ad fiacial. The matrix may provide for example that: A very low value ad low risk decisio ca be take by oe juior maager. A slightly higher value ad/or higher risk decisio ca be take by oe seior maager. A medium value ad / or medium risk decisio must be take by two or more seior maagers. A high value ad / or high risk decisio must be take by the board GIACC 36

37 L&R (9) Delegatio of decisios (3) The orgaizatio should idetify the risk of coflicts of iterest: E.g. whe the orgaizatio s sales maager is related to a customer s procuremet maager, or whe a orgaizatio s lie maager has a persoal fiacial iterest i a competitor s busiess. The orgaizatio should iform all persoel of their duty to report ay actual or potetial coflict of iterest. The orgaizatio should keep a record of ay circumstaces of actual or potetial coflicts of iterest. ISO 37001: Clause GIACC 37

38 Resources (1) The orgaizatio shall determie ad provide the resources eeded for the establishmet, implemetatio, maiteace ad cotiual improvemet of the ABMS. Huma resources: There should be sufficiet persoel who are able to apply sufficiet time to their relevat ati-bribery resposibilities so that the ABMS ca fuctio effectively. This icludes assigig sufficiet perso(s) (either iteral or exteral) to the compliace fuctio GIACC 38

39 Resources (2) Physical resources: There should be the ecessary physical resources i the orgaizatio for the ABMS to fuctio effectively, e.g. office space, furiture, computer hardware ad software, traiig materials, telephoes, statioery. Fiacial resources: There should be a sufficiet budget for the ABMS to fuctio effectively. ISO 37001: Clause GIACC 39

40 Competece The orgaizatio shall: determie what level of competece persoel ad busiess associates require from a ati-bribery perspective; esure that persoel ad busiess associates are competet o the basis of appropriate educatio, traiig, or experiece. Appoitig icompetet persos to a role ca result i weakess i cotrols which ca result i bribery. (E.g. a icompetet procuremet maager may ot implemet effective procuremet cotrols, which could result i the deputy procuremet maager beig able to receive bribes i retur for appoitig suppliers). ISO 37001: Clause GIACC 40

41 Employmet process (1) The success of the orgaizatio s ati-bribery policy ad ABMS depeds primarily o it havig ethical persoel who ca comply with, implemet ad eforce the policy ad ABMS. Therefore, it is imperative that the orgaizatio carefully cotrols its employmet ad promotio processes to esure as far as practicable that it oly employs or promotes ethical persoel. These employmet process requiremets work i parallel with the: competece requiremets (7.2.1); ad traiig requiremets (7.2.3) GIACC 41

42 Employmet process (2) I relatio to all of its persoel, the orgaizatio shall implemet procedures such that: coditios of employmet: require persoel to comply with the ati-bribery policy ad ABMS, ad give the orgaizatio the right to disciplie persoel i the evet of o-compliace; persoel receive a copy of the ati-bribery policy ad traiig i relatio to that policy; the orgaizatio ca take appropriate discipliary actio agaist persoel who violate the ati-bribery policy or ABMS; 2016 GIACC 42

43 Employmet process (3) persoel will ot suffer retaliatio (e.g. by threats, demotio, prevetig promotio, trasfer, dismissal, bullyig) for: refusig to participate i ay activity i respect of which they have reasoably judged there to be a more tha low risk of bribery; or cocers raised i good faith of attempted, actual or suspected bribery or violatio of the ati-bribery policy or ABMS. ISO 37001: Clause GIACC 43

44 Employmet process (4) I relatio to persoel positios exposed to more tha a low bribery risk, the orgaizatio shall implemet procedures by which: due diligece is coducted o persoel before they are employed, trasferred or promoted by the orgaizatio, to ascertai as far as is reasoable: that it is appropriate to employ or redeploy them; ad that it is reasoable to believe that they will comply with the ati-bribery policy ad ABMS requiremets; 2016 GIACC 44

45 Employmet process (5) performace bouses ad targets are reviewed periodically to verify that there are reasoable safeguards i to prevet them from ecouragig bribery; such persoel, top maagemet, ad the goverig body file a declaratio at reasoable itervals cofirmig their compliace with the ati-bribery policy. ISO 37001: Clause GIACC 45

46 Traiig (1) The orgaizatio shall provide adequate ad appropriate atibribery traiig to persoel, which shall cover: the orgaizatio s ati-bribery policy ad ABMS, ad their duty to comply; the bribery risk ad damage to them ad the orgaizatio which ca result from bribery; the circumstaces i which bribery ca occur i relatio to their duties, ad how to recogize, prevet ad avoid these circumstaces; 2016 GIACC 46

47 Traiig (2) the cosequeces of ot coformig with the ABMS requiremets; how they are able to report ay cocers. Persoel shall be provided with ati-bribery traiig o a regular basis, as appropriate to their roles ad the risks of bribery to which they are exposed. The traiig programmes shall be periodically updated as ecessary to reflect relevat ew iformatio GIACC 47

48 Traiig (3) The orgaizatio shall implemet procedures addressig atibribery traiig for busiess associates actig o the orgaizatio s behalf or for its beefit, ad which could pose more tha a low bribery risk to the orgaizatio. These procedures shall idetify the busiess associates for which such traiig is ecessary, its cotet, ad the meas by which the traiig shall be provided. The traiig requiremets for busiess associates ca: be commuicated through cotractual or similar requiremets, be implemeted by the orgaizatio, the busiess associate or by other parties appoited for that purpose GIACC 48

49 Traiig (4) The formality ad extet of the traiig depeds o the size of the orgaizatio ad the bribery risks faced. It could be coducted as a olie module, or by i-perso methods (e.g. classroom sessios, workshops, roudtable discussios betwee relevat persoel, or by oe-to-oe sessios). The iteded outcome of the traiig is that all relevat persoel ad busiess associates should uderstad the bribery risk, ad their obligatios to comply with the ati-bribery policy ad ABMS. ISO 37001: Clause GIACC 49

50 Commuicatio The orgaizatio shall determie the ecessary iteral ad exteral commuicatios relevat to the ABMS. The ati-bribery policy shall: be made available to all the orgaizatio s persoel ad busiess associates; be commuicated directly to both persoel ad busiess associates who pose more tha a low risk of bribery; ad be published through the orgaizatio s iteral ad exteral commuicatio chaels, as appropriate. ISO 37001: Clause GIACC 50

51 Documeted iformatio The orgaizatio shall retai appropriate documetatio i relatio to the ati-bribery policy ad desig ad implemetatio of ABMS: Documetatio ca be retaied separately as part of ABMS, or ca be retaied as part of other maagemet systems (e.g. compliace, fiacial, commercial, audit). ISO 37001: Clause GIACC 51

52 Risk assessmet ad due diligece (1) ISO has two levels of risk assessmet: overview risk assessmet uder 4.5; ad detailed risk assessmet ad due diligece uder 8.2. Overview risk assessmet (4.5): The orgaizatio takes a overview of its whole busiess, where it works, its busiess associates etc., ad assesses the overall bribery risks facig the orgaizatio. I doig so, it assesses the risk of categories of trasactio or busiess associates. E.g. All trasactios i certai coutries where bribery is commo may be treated as high risk. All agets ad itermediaries may be treated as high risk GIACC 52

53 Risk assessmet ad due diligece (2) All suppliers who supply goods over a specified fiacial threshold may be treated as medium risk. All suppliers who supply goods below a specified low fiacial threshold ad which have o iteractio with the customer or govermet officials may be treated as low risk. The ABMS must be plaed ad desiged to take accout of these assessed bribery risks. A higher level of cotrols is likely to be required i relatio to bribery risk which are more likely to occur, or which are likely to have a more sigificat adverse impact o the orgaisatio GIACC 53

54 Risk assessmet ad due diligece (3) Detailed risk assessmet ad due diligece (8.2): Where the orgaizatio is to eter ito a trasactio with a specific busiess associate (e.g. aget, supplier etc.) which falls withi a more tha low risk category idetified uder the overview risk assessmet (4.5), the orgaizatio will udertake a detailed risk assessmet of that trasactio. I doig so, it will udertake ay ecessary specific due diligece o the busiess associate. The purpose of the due diligece is to lear more about the relevat busiess associate, ad the possible bribery risks it may pose to the orgaizatio GIACC 54

55 Risk assessmet ad due diligece (4) Due diligece may iclude, e.g. a questioaire set to the busiess associate; a web-search o the busiess associate ad its shareholders ad top maagemet to idetify ay bribery-related iformatio; searchig appropriate govermet, judicial ad iteratioal resources for relevat iformatio; checkig publicly available debarmet lists of orgaizatios that are prohibited from cotractig with public etities makig equiries of appropriate other parties about the busiess associate s ethical reputatio GIACC 55

56 Risk assessmet ad due diligece (5) The results of the due diligece would be fed back ito the relevat risk assessmet. The itetio of the bribery risk assessmet ad due diligece is ot to elimiate all possible risk of bribery. The purpose is to idetify, after makig reasoable ad proportioate equiries ad givig the issue appropriate cosideratio, whether the risk of bribery appears to be sufficietly low that it is reasoable to allow the busiess relatioship, trasactio or project to proceed or cotiue. ISO 37001: Clauses 4.3, 8.2 ad A GIACC 56

57 Fiacial cotrols (1) The orgaizatio shall implemet fiacial cotrols that maage bribery risk. Fiacial cotrols are the maagemet systems ad processes implemeted by the orgaizatio to maage its fiacial trasactios properly ad to record these trasactios accurately, completely ad i a timely maer. Depedig o the size of the orgaizatio ad trasactio, the fiacial cotrols could iclude, e.g.: implemetig a separatio of duties, so that the same perso caot both iitiate ad approve a paymet; 2016 GIACC 57

58 Fiacial cotrols (2) implemetig tiered levels of authority for paymet approval (so that larger trasactios require more seior maagemet approval); verifyig that the payee s appoitmet ad work or services carried out have bee approved by the orgaizatio s relevat approval mechaisms; requirig at least two sigatures o paymet approvals; requirig the appropriate supportig documetatio to be aexed to paymet approvals; restrictig the use of cash ad implemetig effective cash cotrol methods; 2016 GIACC 58

59 Fiacial cotrols (3) requirig that paymet categorizatios ad descriptios i the accouts are accurate ad clear; implemetig periodic maagemet review of sigificat fiacial trasactios; implemetig periodic ad idepedet fiacial audits ad chagig, o a regular basis, the perso or the orgaizatio that carries out the audit. ISO 37001: Clause GIACC 59

60 No-fiacial cotrols (1) The orgaizatio shall implemet o-fiacial cotrols that maage bribery risk with respect to such areas as procuremet, operatioal, sales, commercial huma resources, legal ad regulatory activities. No-fiacial cotrols are the maagemet systems ad processes implemeted by the orgaizatio to help it esure that the procuremet, operatioal, commercial ad other o-fiacial aspects of its activities are beig properly maaged GIACC 60

61 No-fiacial cotrols (2) The o-fiacial cotrols which ca reduce bribery risk could iclude, for example: usig approved cotractors, suppliers etc. that have udergoe a pre-qualificatio process uder which the likelihood of their participatig i bribery is assessed; awardig cotracts, where possible ad reasoable, oly after a fair ad competitive teder process betwee at least three competitors has take place; requirig at least two persos to evaluate the teders ad approve the award of a cotract; 2016 GIACC 61

62 No-fiacial cotrols (3) assessig: the ecessity ad legitimacy of the services to be provided by a busiess associate to the orgaizatio, whether the services were properly carried out; whether ay paymets to be made to the busiess associate are reasoable ad proportioate to the services provided. implemetig a separatio of duties, so that persoel who approve the placemet of a cotract are differet from those requestig the placemet of the cotract ad are from a differet departmet or fuctio from those who maage the cotract or approve work doe uder the cotract; 2016 GIACC 62

63 No-fiacial cotrols (4) requirig the sigatures of at least two persos o cotracts, ad o documets which chage the terms of a cotract or which approve work udertake or supplies provided uder the cotract; placig a higher level of maagemet oversight o potetially high bribery risk trasactios; protectig the itegrity of teders ad other price-sesitive iformatio by restrictig access to appropriate people; ISO 37001: Clause GIACC 63

64 Cotrols of cotrolled orgaizatios (1) The orgaizatio shall implemet procedures which require that all other orgaizatios over which it has cotrol either: implemet the orgaizatio s ati-bribery maagemet system, or implemet their ow ati-bribery cotrols, i each case oly to the extet that is reasoable ad proportioate with regard to the bribery risks faced by the cotrolled orgaizatios. A orgaizatio has cotrol over aother orgaizatio if it directly or idirectly cotrols the maagemet of the orgaizatio GIACC 64

65 Cotrols of cotrolled orgaizatios (2) A orgaizatio which is geuie i its desire to prevet bribery must esure that this commitmet is shared by its cotrolled orgaizatios. Otherwise, a paret compay could claim to be bribery free at the same time as its subsidiary or cotrolled joit veture participates i bribery. Cotrolled orgaizatios may also pose a bribery risk to the orgaizatio. E.g.: a subsidiary of the orgaizatio payig a bribe with the result that the orgaizatio ca be liable; a joit veture or joit veture parter payig a bribe to wi work for a joit veture i which the orgaizatio participates GIACC 65

66 Cotrols of cotrolled orgaizatios (3) Cotrols implemeted by the cotrolled orgaizatio may help reduce these risks. ISO therefore requires the orgaizatio to esure that all orgaizatios which it cotrols implemets its ow reasoable ad proportioate ati-bribery cotrols. These could be either: A full ISO ABMS; or A more limited set of cotrols (provided that these cotrols adequately take accout of the cotrolled orgaizatio's bribery risk). ISO 37001: Clause GIACC 66

67 Cotrols of busiess associates (1) I relatio to busiess associates ot cotrolled by the orgaizatio for which the bribery risk assessmet (4.5) or due diligece (8.2) has idetified a more tha low bribery risk, ad where ati-bribery cotrols implemeted by the busiess associates would help mitigate the relevat bribery risk, the orgaizatio shall implemet procedures as follows: the orgaizatio shall determie whether the busiess associate has i place ati-bribery cotrols which maage the relevat bribery risk; 2016 GIACC 67

68 Cotrols of busiess associates (2) where a busiess associate does ot have i place ati-bribery cotrols, or it is ot possible to verify whether it has them i place: where practicable, the orgaizatio shall require the busiess associate to implemet ati-bribery cotrols i relatio to the relevat trasactio, project or activity; or where it is ot practicable to require the busiess associate to implemet ati-bribery cotrols, this shall be a factor take ito accout i evaluatig the bribery risk of the relatioship with this busiess associate (4.5 ad 8.2) ad the way i which the orgaizatio maages such risks (8.3, 8.4, 8.5) GIACC 68

69 Cotrols of busiess associates (3) Busiess associates may pose a bribery risk to the orgaizatio. E.g.: a procuremet maager of a customer demadig a bribe from the orgaizatio i retur for a cotract award; a aget of the orgaizatio payig a bribe to a maager of the orgaizatio s customer o behalf of the orgaizatio; a supplier or sub-cotractor to the orgaizatio payig a bribe to the orgaizatio s procuremet maager i retur for a cotract award. Cotrols implemeted by the busiess associate may help reduce these risks GIACC 69

70 Cotrols of busiess associates (4) Recogisig the reasoable ad proportioate basis of ISO 37001, the orgaizatio is oly required: to implemet this measure i relatio to busiess associates which the bribery risk assessmet (4.5) has idetified as posig more tha a low bribery risk; to isist o busiess associate cotrols, or to verify the cotrols, if it is practicable for the orgaizatio to do so. ISO 37001: Clause GIACC 70

71 Ati-bribery commitmets (1) For busiess associates which pose more tha a low bribery risk, the orgaizatio shall implemet procedures which require that, as far as practicable: a) busiess associates commit to prevetig bribery by, o behalf of, or for the beefit of the busiess associate i coectio with the relevat trasactio, project, activity, or relatioship; b) the orgaizatio is able to termiate the relatioship with the busiess associate i the evet of bribery by, o behalf of, or for the beefit of the busiess associate i coectio with the relevat trasactio, project, activity, or relatioship GIACC 71

72 Ati-bribery commitmets (2) Where it is ot practicable to meet the requiremets of a) or b) above, this shall be a factor take ito accout i evaluatig the bribery risk of the relatioship with this busiess associate (4.5, 8.2) ad the way i which the orgaizatio maages such risks (8.3, 8.4, 8.5). It is importat that the orgaizatio obtais a cotractual atibribery commitmet from its more tha low bribery risk busiess associates as: the commitmet alerts the busiess associate to the importace of compliace; ad the orgaizatio would be etitled to claim damages for breach of cotract if the busiess associate participates i bribery GIACC 72

73 Ati-bribery commitmets (3) It is also importat that the orgaizatio obtais the cotractual right to termiate the cotract i the evet of bribery by the busiess associate; as: the orgaizatio may ot wish to cotiue with the cotract if the busiess associate has bee ivolved i bribery; ad uder requiremet 8.8, the orgaizatio eeds the ability to be able to withdraw from a corrupt trasactio GIACC 73

74 Ati-bribery commitmets (4) Recogisig the reasoable ad proportioate basis of ISO 37001, the orgaizatio is oly required: to implemet this measure i relatio to busiess associates which the bribery risk assessmet (4.5) has idetified as posig more tha a low bribery risk; to isist o this cotract clause if it is practicable for the orgaizatio to do so GIACC 74

75 Ati-bribery commitmets (5) It will ormally be practicable to require these commitmets whe the orgaizatio has ifluece over the busiess associate ad it ca isist o the busiess associate givig these commitmets. The orgaizatio is likely to be able to require these commitmets, for example, where the orgaizatio is appoitig a aget to act o its behalf i a trasactio, or is appoitig a sub-cotractor with a large scope of work GIACC 75

76 Ati-bribery commitmets (6) The orgaizatio may ot have sufficiet ifluece to be able to require these commitmets i relatio to, e.g.: dealigs with customers or cliets, or whe the orgaizatio is buyig compoets from a major supplier o the supplier s stadard terms. I these cases, the absece of such provisios does ot mea that the project or relatioship should ot go ahead, but the absece of such commitmet should be regarded as a relevat factor i the bribery risk assessmet ad due diligece (4.5 ad 8.2). ISO 37001: Clause GIACC 76

77 Gifts, hospitality, beefits (1) The orgaizatio shall implemet procedures that are desiged to prevet the offerig, provisio or acceptace of gifts, hospitality, doatios ad similar beefits where the offerig, provisio or acceptace is, or could reasoably be, perceived as bribery. These could iclude, for example: gifts, etertaimet ad hospitality; political or charitable doatios; cliet represetative or public official travel; sposorship; commuity beefits GIACC 77

78 Gifts, hospitality, beefits (2) The procedures implemeted by the orgaizatio could cotrol the extet ad frequecy of gifts ad hospitality by e.g.: a total prohibitio o all gifts ad hospitality; or permittig gifts ad hospitality, but limitig them by, e.g.: a maximum expediture (which may vary accordig to the locatio ad the type of gift ad hospitality); frequecy (relatively small gifts ad hospitality ca accumulate to a large amout if repeated); timig (e.g. ot durig, or immediately before/after teder); reasoableess (takig accout of the locatio, sector ad seiority of the giver or receiver); 2016 GIACC 78

79 Gifts, hospitality, beefits (3) idetity of recipiet (e.g. those i a positio to award cotracts or approve permits, certificates or paymets); the legal ad regulatory eviromet (some locatios ad orgaizatios may have prohibitios or cotrols i place). The orgaizatio may require persoel to record all gifts, hospitality ad beefits received or give o a register, so that they ca be verified by the compliace fuctio ad be audited. Perceptio is importat. A gift could be perceived to be corrupt eve if ot iteded to be. What would it look like i ewspaper? ISO 37001: Clause GIACC 79

80 Maagig iadequacy of cotrols (1) I cases where: the due diligece (8.2) coducted o a specific trasactio, project, activity or relatioship with a busiess associate establishes that the bribery risks caot be maaged by existig ati-bribery cotrols, ad the orgaizatio caot or does ot wish to: implemet additioal or ehaced ati-bribery cotrols; or take other appropriate steps (such as chagig the ature of the trasactio, project, activity or relatioship) to eable the orgaizatio to maage the bribery risks, the the orgaizatio shall take the followig steps: 2016 GIACC 80

81 Maagig iadequacy of cotrols (2) i the case of a existig trasactio, project, activity or relatioship, the orgaizatio shall take steps appropriate to the bribery risks ad the ature of the trasactio, project, activity or relatioship to termiate, discotiue, susped or withdraw from it as soo as practicable; i the case of a proposed ew trasactio, project, activity or relatioship, the orgaizatio shall postpoe or declie to cotiue with it. ISO 37001: Clause GIACC 81

82 Maagig iadequacy of cotrols (3) Uder ISO 37001, the orgaizatio must prohibit ay ivolvemet i bribery, ad take reasoable ad proportioate steps to prevet bribery. Therefore, it is a logical cosequece of this that if the orgaizatio does ot believe that its ati-bribery cotrols i relatio to a specific trasactio or busiess associate are likely to be effective to prevet bribery, the it should ot participate i, or should withdraw from, that trasactio or relatioship. ISO 37001: Clause GIACC 82

83 Raisig cocers (1) The orgaizatio shall implemet procedures which: ecourage ad eable persos to report i good faith suspected bribery, or ay violatio of or weakess i the ABMS, to the compliace fuctio or to appropriate persoel; require that the orgaizatio treats reports cofidetially (uless this is prohibited by applicable law); allow aoymous reportig (uless this is prohibited by applicable law); prohibit retaliatio agaist persos who make reports i good faith; 2016 GIACC 83

84 Raisig cocers (2) eable persoel to receive advice from a appropriate perso o what to do if faced with a cocer or suspected bribery. The orgaizatio shall esure that all persoel are aware of the reportig procedures ad are able to use them, ad are aware of their rights ad protectios uder the procedures. These procedures ca be the same as, or form part of, those used for the reportig of other issues of cocer (e.g. safety, malpractice, wrogdoig or other serious risk). The orgaizatio ca use a busiess associate to maage the reportig system o its behalf GIACC 84

85 Raisig cocers (3) It is vital for the success of a ABMS that procedures are i place to allow reportig of cocers by persoel ad other iterested parties (sometimes called whistle-blowig ). Persoel must be aware that, if they use these procedures i good faith, they will ot be victimised as a result (8.9 d). Top maagemet must promote the use of these procedures (5.1.2 k), ad protect persoel from victimisatio (5.1.2 l)). The orgaizatio must ivestigate the report uder Reports of the outcome will be made to top maagemet (9.3) ISO 37001: Clause GIACC 85

86 Ivestigatig ad dealig with bribery (1) The orgaizatio shall implemet procedures that: require assessmet ad, where appropriate, ivestigatio of ay suspected bribery, or violatio of the ati-bribery policy or the ABMS; require appropriate actio i the evet that the ivestigatio reveals ay bribery, or violatio of the ati-bribery policy or the ABMS; empower ad eable ivestigators; require co-operatio i the ivestigatio by relevat persoel; 2016 GIACC 86

87 Ivestigatig ad dealig with bribery (2) require that the status ad results of the ivestigatio are reported to the ati-bribery compliace fuctio ad other compliace fuctios, as appropriate; require that the ivestigatio is carried out cofidetially ad that the outputs of the ivestigatio are cofidetial. The ivestigatio shall be carried out by, ad reported to, persoel who are ot part of the role or fuctio beig ivestigated. The orgaizatio ca appoit a busiess associate to coduct the ivestigatio ad report the results to persoel who are ot part of the role or fuctio beig ivestigated GIACC 87

88 Ivestigatig ad dealig with bribery (3) It is vital for the success of ABMS that the orgaizatio implemets procedures to ivestigate suspicios of bribery or breach of ABMS, ad takes appropriate actio i the evet that ay bribery or breach of ABMS is idetified. If persoel or busiess associates are aware that breaches are ot ivestigated ad dealt with, or are covered up, the the ABMS will be regarded as a smokescree ad will ot be complied with. Reports of the outcome of ivestigatios will be made to top maagemet (9.3). ISO 37001: Clause GIACC 88

89 Moitorig, measuremet ad evaluatio (1) The orgaizatio shall determie: what eeds to be moitored ad measured; who is resposible; the methods for moitorig ad measuremet; The orgaizatio shall evaluate the orgaizatio s ati-bribery performace ad the effectiveess ad efficiecy of the ABMS GIACC 89

90 Moitorig, measuremet ad evaluatio (2) It is importat to the success of the ABMS that the orgaizatio takes reasoable ad proportioate steps to moitor, measure ad evaluate the ati-bribery cotrols. Is the ABMS workig? Examples: Record gifts ad hospitality i a register. Compliace maager moitors the register for uusual treds. Audit some expeses o a sample basis. Record reports made by persoel uder reportig procedures. Moitor success of ivestigatios. Moitor treds i reportig (goig up or dow?). Ay uusual treds? 2016 GIACC 90

91 Moitorig, measuremet ad evaluatio (3) Record traiig give to persoel. Questio persoel o a sample basis o how effective they foud traiig. Udertake surveys of persoel of how effective they believe the ABMS is, ad ay suggestios for improvemet. The moitorig should be udertake o a plaed basis, with specific maagers made resposible, with the results beig reported to top maagemet. The reviews by iteral audit (9.2), top maagemet (9.3) ad the compliace fuctio (9.4) also form part of this evaluatio process. ISO 37001: Clause GIACC 91

92 Iteral audit (1) The orgaizatio shall coduct iteral audits at plaed itervals to provide iformatio o whether the ati-bribery maagemet system: coforms to: the orgaizatio s ow requiremets for its ABMS; the requiremets of ISO 37001; is beig effectively implemeted ad maitaied GIACC 92

93 Iteral audit (2) The orgaizatio shall: pla, establish, implemet ad maitai a audit programme(s); defie the audit criteria ad scope for each audit; select competet auditors ad coduct audits to esure objectivity ad the impartiality of the audit process; esure that the results of the audits are reported to relevat maagemet, the ati-bribery compliace fuctio, top maagemet ad the goverig body (if ay); 2016 GIACC 93

94 Iteral audit (3) These audits shall be reasoable, proportioate ad risk-based. Such audits shall cosist of iteral audit processes or other procedures which review procedures, cotrols ad systems for: bribery or suspected bribery; violatio of the ati-bribery policy or ABMS requiremets; failure of busiess associates to coform to the applicable atibribery requiremets of the orgaizatio; weakesses i, or opportuities for, improvemet to the ABMS GIACC 94

95 Iteral audit (4) To esure the objectivity ad impartiality of these audit programmes, the orgaizatio shall esure that these audits are udertake by oe of the followig: a idepedet fuctio established for this process; or the ati-bribery compliace fuctio; or a appropriate perso from a departmet or fuctio other tha the oe beig audited; or a appropriate third party; or a group comprisig ay of the above. The orgaizatio shall esure that o auditor is auditig his or her ow area of work GIACC 95

96 Iteral audit (5) The orgaizatio does ot eed to have its ow separate iteral audit fuctio. But, it must appoit a suitable, competet ad idepedet fuctio or perso with audit resposibility. A orgaizatio may use a third party to operate the whole or part of its iteral audit, provided that the results are reported to a appropriate maager i the orgaizatio. The frequecy of audit will deped o the orgaizatio s requiremets. Some sample projects, cotracts, procedures, cotrols ad systems may be selected for audit each year GIACC 96

97 Iteral audit (6) The sample selectio ca be risk-based. E.g. a high bribery risk project could be selected for audit i priority to a low risk project. The audits will ormally be plaed i advace. I some cases, the orgaizatio may udertake a surprise audit. The itetio of the audit is: to provide reasoable assurace that the ABMS has bee implemeted ad is operatig effectively; to help prevet ad detect bribery; to provide a deterret to ay potetially corrupt persoel (as they will be aware that their departmet could be audited). ISO 37001: Clause GIACC 97

98 Compliace fuctio review (1) The ati-bribery compliace fuctio shall assess o a cotiual basis whether the ABMS is: adequate to maage effectively the bribery risks faced by the orgaizatio; beig effectively implemeted. The compliace fuctio shall report to the goverig body ad top maagemet o the adequacy ad implemetatio of the ABMS. The frequecy of such reports depeds o the orgaizatio s requiremets, but is recommeded to be at least aually GIACC 98

99 Compliace fuctio review (2) The orgaizatio ca use a busiess associate to assist i the review, as log as the other busiess associate s observatios are appropriately commuicated to the compliace fuctio, top maagemet ad goverig body. The reviews by iteral audit ad the compliace fuctio are differet, but complemetary, i that: the iteral audit will review by way of sample specific projects, cotracts, procedures etc. at plaed itervals; the compliace fuctio review is a o-goig overall observatio of the effectiveess of the desig ad implemetatio of the whole ABMS GIACC 99

100 Compliace fuctio review (3) The compliace fuctio would choose the best way of udertakig this review, but it could be by: Routiely attedig departmetal ad project meetig where matters with a compliace impact could be discussed. Attedig ad observig o the effectiveess of persoel traiig workshops. Periodically reviewig relevat documetatio (e.g. risk assessmets, due diligece, cotracts) to esure that the ABMS requiremets are beig observed. Discussig with departmet heads how well they believe the ABMS is beig implemeted i their departmet. Moitorig gifts ad hospitality ad coflict of iterest registers GIACC 100

101 Compliace fuctio review (4) The compliace fuctio would report to top maagemet: O a routie basis (o less tha oce per year) o the overall performace of the ABMS; ad As ecessary if ay issues are idetified. ISO 37001: Clause GIACC 101

102 Top maagemet review (1) Top maagemet shall review the orgaizatio s ABMS, at plaed itervals, to esure its cotiuig effectiveess. The review shall iclude cosideratio of: the status of actios from previous maagemet reviews; chages i exteral ad iteral issues; iformatio o the performace of the ABMS; opportuities for improvemet to the ABMS (10.2). Top maagemet shall: take ay ecessary decisios o improvemet to the ABMS. report outcomes to the goverig body (if ay) GIACC 102

103 Top maagemet review (2) Top maagemet has overall resposibility for the effective desig ad implemetatio of the ABMS (as per 5.1.2), so must appropriately moitor ad review the ABMS. These top maagemet reviews should take place: At plaed itervals (at least aually); Wheever a matter requirig immediate top maagemet decisio arises GIACC 103

104 Top maagemet review (3) Top maagemet is likely to take accout of matters such as: Compliace fuctio report Iteral audit report Reports of bribery or breach of the ABMS Ivestigatio outcomes ISO 37001: Clause GIACC 104

105 Goverig body review (1) The goverig body (if ay) shall udertake periodic reviews of the ABMS based o iformatio provided by top maagemet ad the ati-bribery compliace fuctio ad ay other iformatio that the goverig body requests or obtais. The goverig body (if ay) has a supervisory resposibility for the ABMS (5.1.1). These goverig body reviews should take place: At plaed itervals (at least aually); Wheever a matter requirig immediate goverig body decisio arises GIACC 105

106 Goverig body review (2) The iformatio provided to the goverig body is likely to be less comprehesive tha that provide to top maagemet. It may comprise oly a summary report from top maagemet. However, the goverig body may also wish to see a report from the compliace fuctio ad from iteral audit, ad ay other relevat iformatio to help them udertake their supervisory role. If the orgaizatio does ot have a separate goverig body from top maagemet, the oly the top maagemet review (9.3.1) will take place. ISO 37001: Clause GIACC 106