“Trust is not knowing everything about someone. Trust is not having to know anything”. The missing of trust is strongly affecting the dynamic of the market, especially on those markets more affected by corruption.
The idea of a simple tool that could proper demonstrate the conformity against specific requirements, in special, those related to the assessment and control of risks that can affect the effectiveness and confidence of the business, is becoming a necessity, in special in a world were each actor (govern, companies, financial institutions, society) is strictly focused on own core needs, and cannot loose time, money and efforts controlling their business partners, in special, where these partners operates on scenarios completely unknown (whether due to legal, technologic or other aspects), requiring competences not available inside.
ISO 37001:2016 Anti-bribery Management System – Requirements (ABMS) can be understood as a structured mechanism, among the framework of tools applied to combating bribery, and to support the compliance programs to combating corruption. This is possible since is covered by an accredited certification.
It is presented below a brief technical contextualization about ISO 37001 accredited certification and related added value:
a) Legitimacy: ISO 37001 was developed based on an international mechanism managed by ISO – International Organization for Standardization (www.iso.org), through a transparent and democratic methodology (Technical Committee) with voluntary and opened participation of organized society (37 country members, 19 Associations – covering several specialists, including lawyers) during 3 years of periodical meetings and 4 steps of global public consultation;
b) Systematization: A management system standard, like ISO 37001, defines requirements to support the organization in to implement a management system in order to comply with the organization´s applicable requirements, legal requirements, standard requirements itself, addressing of related risks to conformity and achieve the objectives and targets defined, related to the scope of the standard (in this case: anti-bribery);
c) Integration: an ABMS according to ISO 37001 does not disrupts the Compliance Program implemented by an organization. In fact, even the scope of standard is anti-bribery, a Compliance Program is the basis (as it is possible to confirm in the ISO 37001 clauses), and the ABMS shall takes into consideration the own organization´s management structure, as well as, their technical, regulatory and cultural framework, otherwise, will be never effective;
d) Focus: The scope of ISO 37001 certification is restricted to anti-bribery in order to give a focus to the audits done by the Certification Accredited Bodies (CABs), allowing to define a standard audit duration in terms of men-days (otherwise the audit duration could be very long to cover evidences of all compliance aspects), besides, it is checked by CAB, the presence of a Compliance Program, as clarified on item “c” above. The Accreditation Bodies have developed an international auditing duration table (based on aspects as: size of organization, risks of market, relationship with authorities and others), being possible to apply a systematic approach in terms of audit duration by the CABs along with the world.
e) Accessibility: ISO 37001 can be implemented by any formal organization, independent of the legal structure (Corp., Inc. Ltd. etc.), size, number of employees, number of sites, market, being public or private.
f) Confidence: The global need to mitigate risks related to bribery on business transactions (on public-private and private-private relations) as part of international policies, legal requirements, or only to avoid damages, has become a recent demand. However, even is required to the business partner to implement an anti-bribery program, the following questions remain as uncertain (in addition to aspects of local language, local risks and local legislation):
- Is the anti-bribery program complete?
- Is the anti-bribery program implemented?
- Is the anti-bribery program effective?
ISO 37001 can support to answer above questions, as following:
f.1) is the anti-bribery program complete? ISO 37001 defines requirements to support the development of an ABMS. Independent of the structure of the organization´s (documentation, processes, risks, as well as, technical, cultural and regulatory framework and other aspects), in case all requirements of ISO 37001 are implemented, an ABMS is available.
f.2) is the anti-bribery program implemented? It is possible to confirm the implementation and effectiveness of an ABMS through an independent thirty part audit, performed by a Certification Accredited Body (CAB). The certification audit is a systematic, planned and sampling process performed according to international standards (E.g.: ISO 17021-1 – Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1; ISO/IEC TS 17021-9 Requirements and ISO Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 9: Competence requirements).
f.3) is the anti-bribery program effective? Accredited certification ensures a systematic control of the certified organizations, since, to remain valid the certificate ISO 37001, mandatory annual audits shall be performed by the CAB. The level of confidence in the CAB´s certification process is confirmed through the accreditation process, based on annual audits (document review, on site audits, witness audits) performed by an Accreditation Body, according to international standards (E.g.: ISO/IEC 17011 – Conformity assessment – Requirements for accreditation bodies accrediting conformity assessment bodies) who evaluates technical competence and structure, as well as, the CAB´s processes to ensure proper independence, impartiality, objectivity and absence of conflict of interest.
g) Governance: The interested parties (public authorities, clients, society etc.) can address concerns and complaints about certified organizations to the CAB (who shall manage it according to accreditation rules), or even address concerns and complaints about CAB to the Accreditation Body. In both cases, procedures of investigations of the concerns addressed can results in sanctions (to certified organization or to CAB).
h) Recognition: There are some Accreditation Bodies who already developed accreditation programs to ISO 37001 certification (e.g.: ACCREDIA in Italy – www.accredia.it, INMETRO in Brazil – www.inmetro.gov.br, ANAB in USA – www.anab.org). Normally, an accreditation program is valid globally, independent of the Accreditation Body who developed the program, since the acceptance of accredited certificates with foreign accreditation regards to a local market or public authority decision. From the moment a certification gains importance, the International Accreditation Forum – IAF (www.iaf.nu) can develop a Multi-Lateral Agreement – MLA between the Accreditation Bodies to align standard methods for accreditation and certification procedures, to allow the mutual recognition of accredited certificates around the world. MLA are already available to ISO 9001 and ISO 14001 standards.
i) Pragmatism: As mentioned in the ISO 37001 itself, the implementation of an ABMS does not eliminate the bribery, but ensure that an ABMS is implemented and is effective (based on the sampled evidences checked during the certification audit). For this purpose, it is important to highlight that to any program applied to any scope, the good practices for risk assessment (e.g.: ISO 31000:2009 Risk Management – Principles and Guidelines) defines that, to eliminate a risk, it is necessary to eliminate the source, otherwise, a residual risk will always remain, shall the program implemented by the Organization, be able to continuous monitoring the effectiveness of risk assessment and related controls, and implement the necessary corrective and improvement actions.
The challenge at the moment is encourage an structured agenda, in order that public authorities, market, financial institutions and society understand the scope of ISO 37001, creating a real perception about added value of this accredited certification, allowing to make a cross reference against their needs and risks to be managed and certification benefits, resulting in internal policies (e.g.: purchasing procedures) or public policies (e.g.: laws for public bids or relations with the public authorities), where necessary, to require, promote or recognize ISO 37001 accredited certification as a mechanism (among others) to proper demonstrate the effectiveness of own or business partners ABMS.
Article by: Jefferson Carvalho