Standard UNI ISO 37001:2016, published in the Italian language last December, specifies the necessary requirements of management systems to ensure compliance with international anti-bribery standards and describes how to plan and operate them. What exactly does the standard contain, and what are the advantages resulting from the adoption of an anti-bribery management system, also compared to the models of organisation, management and control adopted pursuant to Legislative Decree 231/2001 on administrative liability of entities?
The new standard UNI ISO 37001:2016
On 20 December 2016, standard UNI ISO 37001:2016 was published. It represents the national adoption (in the Italian language) of international standard ISO 37001 on anti-bribery management systems, which may be adopted by any public or private entity.
The standard, developed by the International Organization for Standardization (from which the acronym ISO is derived), describes the necessary requirements for a management system to ensure compliance with international anti-bribery standards. Like any other management system, the one under examination is also subject to certification by the relevant authorities.
Contents of the standard
What must an anti-bribery management system contemplate?
First of all, it is necessary to carry out an analysis of the reference context and to assess the risk of bribery. Namely, it is necessary to understand, based on the characteristics of the organisation (size, activity, reference stakeholders, countries and markets in which it operates, etc.), what bribery risk it is exposed to, in order to structure the management system accordingly.
Second, it is necessary to identify, within the organisation, the functions in charge of the functioning of the system and to check that they meet the required subjective requirements. The standard specifies three functions: the governing body (corresponding to our board of directors), the top management (corresponding to the role of the managing director) and the anti-bribery compliance function. The governing body has, in particular, the task of defining the strategies and objectives of the system; the top management has the task of ensuring the implementation of the system; finally, the anti-bribery compliance function has the task of supervising the effectiveness of the system and monitoring its compliance with the standard.
Thereafter, it is necessary to define the principles on which the system is based and the objectives that it must achieve. Principles and objectives are summarised in the anti-bribery policy adopted by the organisation. In particular, the anti-bribery policy must provide for a general prohibition on engaging in corrupt practices, require that the addressees comply with the laws, include a commitment to continual improvement, encourage the reporting of unlawful behaviours and set out the sanctions in case of non-compliance.
Once policy and objectives have been outlined, it is necessary to structure the processes involving activities carried out by the organisation that are exposed to bribery risks, establishing the operational requirements indicated in the standard.
These requirements vary and refer to specific processes and activities. By way of example:
- as regards management of the relationships with customers, the standard requires that the organisation carry out, through a due diligence process, preventive checks aimed at obtaining in-depth knowledge of each customer and, in particular, information as to the countries and markets where the customer operates, the existence of criminal proceedings against the customer for corruption offences, the customer’s adoption of an anti-bribery management system, the existence of (direct or indirect) relationships between the customer (or its directors, in the case of companies) and public officers or persons connected to them, etc.;
- as regards management of personnel, the standard requires that employees inform the organisation of any conflict of interest, even if only potential, in which they are or may be involved. This is the case, by way of example, of a sales manager bound to a purchasing manager of another organisation or of a director who has an economic interest in the business activities of a competing company.
Finally, a control system must be provided that allows the functioning of the system to be constantly monitored and any non-compliance, together with the corrective actions necessary to achieve the objectives set, to be identified.
Main issues connected to the adoption of anti-bribery management systems
The issues of greatest interest to sector operators after the publication of the standard are basically three.
The first one concerns the advantages connected to the adoption of an anti-bribery system. In this respect, it should be recalled that, pursuant to Article 30 of Legislative Decree no. 81/2008, the models of organisation established in compliance with standard BS OHSAS 18001:2007 shall be suitable to exclude administrative liability of entities pursuant to Legislative Decree no. 231/2001. The question is whether the certification of an anti-bribery management system entails an advantage similar to the one resulting from the adoption of occupational health and safety management systems certified to BS OHSAS 18001. The answer is negative, both because there is no provision of law to that effect and because ISO 37001 itself acknowledges, in its introduction, that the adoption of the system is not sufficient to completely eliminate the risk of bribery.
The second issue concerns the relationship between the anti-bribery management system and the models of organisation, management and control adopted pursuant to Legislative Decree no. 231/2001. As regards this aspect, many have noted that, in most cases, the operational requirements of standard UNI ISO 37001:2016 are more rigid (especially in cases with a high risk of bribery) than the protocols generally provided for by organisation models under Legislative Decree no. 231/2001 drawn up on the basis of the Confindustria Guidelines. Therefore, in the writer’s opinion, in these cases it would be appropriate to conform the content of the organisation model already adopted to the standards of the anti-bribery management system.
The third and last issue concerns the role of the anti-bribery compliance function: is it to be assigned to a person specifically appointed for that purpose, or can it be assigned to functions already existing within the organisation? According to the content of standard UNI ISO 37001:2016, the anti-bribery function may be assigned to persons already carrying out similar functions internally such as, by way of example, the compliance function and the person responsible for bribery prevention. The subject may be more complex with regard to the supervisory body, where one may envisage the assignment of the anti-bribery compliance function in the case of a multi-member body, limited to its internal members.