ISO 37001:2016 gives an organization some flexibility in how it documents its anti-bribery management system (ABMS). There is no clear specification of the amount of documented information needed to achieve conformity assessment certification of your ABMS. Whatever set of documents you prepare, it is very important to aim for an approachable documented anti-bribery management system rather than a bureaucratic system of documents presented in a rigid manner. This will help you achieve effectiveness in the planning, implementation and improvement of your ABMS as part of your ISO 37001 certification success.
What is documented information?
The documented information within your formal anti-bribery program serves as a communication instrument: a tool for transmitting established policies and practices, distributing knowledge and relevant messages, and specifying requirements in the field of your bribery or corruption prevention and mitigation system. It is widely accepted by ISO 37001 accredited certification bodies and much appreciated by auditors as objective evidence of conformity with the specified standard requirements. Documented information comprises policies and manuals, operating procedures and instructions (i.e. documentation), and records and data sets (i.e. evidence of results achieved), on paper or in digital format, from internal or external sources.
Can the ISO 37001 set of documents vary from one organization to another?
The answer is yes. The size of your organization is the most common factor influencing the extent of your anti-bribery management system documentation. The nature of your bribery risks and their grading also plays a significant role, because it determines the operational controls to be established and communicated to personnel. The documents and the information within them should be kept plain and simple, as the level of complexity is highly dependent on the level of competence of personnel.
What is the minimum set of documents required by the ISO 37001 standard?
In order to provide evidence of conformity to the Anti-Bribery Synergy Certification Body, the applicant or the ISO 37001 certified organization needs to consider and retain the following minimum documented information:
- the scope of the anti-bribery management system i.e. the certification scope (clause 4.3);
- identification, review and assessment of the bribery risks (clause 4.5);
- the anti-bribery policy, available in appropriate languages (clause 5.2);
- the measurable and achievable anti-bribery objectives (clause 6.2);
- competence of personnel (clause 7.2.1);
- awareness and training provided to employees and business associates (clause 7.3);
- evidence that processes have been carried out as planned (clause 8.1);
- methods and results for monitoring, measurement, analysis and evaluation (clause 9.1);
- the internal audit (clause 9.2);
- results of the top management reviews (clause 9.3.1);
- results of the governing body reviews (clause 9.3.2);
- control of nonconformities and corrective actions (clause 10.1).
What documented information is found in practice by Anti-Bribery Synergy?
In our experience as an accredited ISO 37001 certification body, we have encountered various approaches to the way an anti-bribery management system has been designed. The following documents and records are commonly used:
- manual or handbook, policies, procedures and controls of the anti-bribery management system;
- receipt of anti-bribery policy by personnel;
- provision of anti-bribery policy to business associates who pose more than a low risk of bribery;
- bribery risk assessment;
- anti-bribery training provided;
- due diligence carried out for business associates or personnel, for specific transactions, projects, activities or agreements;
- the measures taken to implement the anti-bribery management system;
- approvals and records of gifts, hospitality, donations and similar benefits given and received;
- the actions and outcomes of concerns raised in relation to:
  - any weakness of the anti-bribery management system;
  - incidents of attempted, suspected or actual bribery;
- the results of monitoring, inspections, investigations or auditing carried out by the organization or third parties;
- internal audit programs;
- inputs and outputs of management system review meetings.