In our last update we looked at the requirements for leadership and top level commitment in ISO37001, the new international standard for anti-bribery management systems. In this our final update we take a closer look at what is required in terms of operational controls and in particular due diligence requirements.

Section 8 of the standard focuses on the operational planning and implementation of an anti-bribery management system, following the risk assessment process already undertaken (see our previous blog here). It sets out requirements for:

  • Operational planning and control;
  • Due diligence;
  • Financial controls;
  • Non-financial controls;
  • Implementation of anti-bribery controls by organisations under its control and by business associates;
  • Anti-bribery commitments;
  • Gifts, hospitality, donations and similar benefits;
  • Managing inadequacy of anti-bribery controls;
  • Raising concerns;
  • Investigating and dealing with bribery.

Due diligence is a key element of any anti-bribery management system and Annex A provides additional guidance on this. It says that "the purpose of conducting due diligence ... is to further evaluate the scope, scale, and nature of the more than low bribery risks identified as part of the organisations risk assessment. It also serves the purpose of acting as an additional, targeted control in the prevention and detection of bribery risk, and informs the organisation’s decision on whether to postpone, discontinue, or revise those transactions, projects, or relationships with business associates or personnel.” Annex A goes on to provide guidance on what factors an organisation should evaluate when conducting due diligence in relation to projects, transactions and activities as well as business associates or counterparties. It suggests various ways in which to conduct due diligence on business associates, including: a questionnaire; a web search; a search of government, judicial and international resources; checking publicly available debarment lists or making enquiries about the business associate’s ethical reputation.

The standard does point out that due diligence is not a “perfect tool”. The absence of negative information does not necessarily mean that a counterparty poses no bribery risk, just as the presence of negative information does not mean that they do pose a bribery risk. The key is to ensure that an organisation makes reasonable and proportionate enquiries, taking into account the activities involved and the inherent bribery risk, so as to form a reasonable judgment on the level of bribery the organisation would be exposed to if it works with the counterparty.

Certification under the new standard will not guarantee that bribery will not occur within an organisation. However, it could go some way to illustrating that an organisation had “adequate procedures” in place should bribery be found to have occurred.

Now that the standard has been published this might be a good time to review your existing systems, or implement a system if you do not already have one in place.