ISO 37001 Introductory Training

Uploaded by khalid saeed

ISO 37001:2016 Implementor Training

What is Implementor Training?

Implementor Training refers to a training program designed to educate individuals within an organization on how to effectively implement and maintain an anti-bribery management system (ABMS) based on the ISO 37001 standard.

Outline of the Training


Key components of ISO 37001 Implementation Training include:
▸ Understanding ISO 37001:
  ▹ Comprehensive overview of the ISO 37001 standard.
  ▹ Explanation of key principles, requirements, and clauses.
▸ Implementation guidelines:
  ▹ Risk Assessment:
    • Techniques for identifying and assessing bribery risks.
    • Methods for developing and implementing effective risk mitigation strategies.
  ▹ Documentation and Record-Keeping:
    • Guidance on creating the necessary documentation to demonstrate compliance.
    • Best practices for maintaining accurate records related to anti-bribery efforts.
  ▹ Communication and Training:
    • Strategies for communicating anti-bribery policies and procedures throughout the organization.
    • Training employees at all levels on their roles and responsibilities in preventing bribery.

Establishing the Context of ISO 37001 Standard

What is Bribery?

▸ Transparency International: "offering, promising, giving, accepting or soliciting of an advantage as an inducement for an action which is illegal, unethical or a breach of trust"

▸ ISO 37001:2016 Standard: "offering, promising, giving, accepting or soliciting of an undue advantage of any value (which could be financial or non-financial), directly or indirectly and irrespective of location, in violation of applicable laws, as an inducement or reward for a person acting or refraining from acting in relation to the performance of that person's duties"

What may Constitute Bribery?

▸ Cash payments (directly or via agents etc.)
▸ Items of value disguised as gifts
▸ Hospitality or travel
▸ Jobs, contracts and benefits to family members or friends
▸ Payments disguised as charitable donations
▸ Concealed payments (false invoices and consultant fees etc.)
▸ Hiring individuals in return for receiving a favour
▸ Facilitation payments

How Does Bribery Impact Society?

▸ Bribery raises serious social, moral, economic and political concerns
▸ It undermines good governance, hinders development and distorts competition
▸ It erodes justice, undermines human rights and is an obstacle to the relief of poverty
▸ It also increases the cost of doing business, introduces uncertainties into commercial transactions, and increases the cost of goods and services
▸ It diminishes the quality of goods and services, which can lead to loss of life
▸ It destroys trust in institutions and interferes with the efficient operation of the market
Potential Consequences for Organisations

▸ Ethical Factors - Bribery is now widely regarded as unethical and unacceptable
▸ Legal Risks - Bribery is a crime worldwide
▸ Safety and Quality – Bribery can adversely affect the safety and quality of the organisation's goods and services
▸ Financial Risks:
▹ Fines levied by prosecutors or regulators
▹ Compensation paid to other parties affected by the bribery
▹ Internal and external costs including payments for legal procedures
▹ Claims for death or personal injury resulting from bribery
▹ Higher costs of goods and services
▸ Reputational Risks - Implication in bribery can result in loss of business and even employees
World CPI Chart – Transparency International 2022

Journey to ISO 37001:2016

What is ISO 37001 Standard?

▸ ISO 37001 is an anti-bribery management system Standard published in October 2016 by the International Organization for Standardization (ISO), which is a world-wide federation of national standards bodies
▸ It conforms to ISO's requirements for management system standards. These requirements include a high-level structure, identical core text, and common terms with core definitions, designed to benefit users implementing multiple ISO management system standards.
▸ ISO 37001 can be used in conjunction with other management system standards like ISO 9001 and ISO 31000 etc.
▸ It includes a series of measures and controls that represent

Structure of ISO 37001 Standard

▹ Clause 1 – Scope of the Standard
▹ Clause 2 – Normative references
▹ Clause 3 – Terms and definitions
▹ Clause 4 – Context of the organization
▹ Clause 5 – Leadership
▹ Clause 6 – Planning
▹ Clause 7 – Support
▹ Clause 8 – Operation
▹ Clause 9 – Performance evaluation
▹ Clause 10 – Improvement
▹ Annexure A – Guidance on the use of the Standard

Clause 1: Scope of ISO 37001

ISO 37001 specifies requirements and provides guidance for establishing, implementing, maintaining, reviewing and improving an anti-bribery management system. The system can be stand-alone or can be integrated into an overall management system. This document addresses the following in relation to the organization's activities:
▸ bribery in the public, private and not-for-profit sectors;
▸ bribery by the organization;
▸ bribery by the organization's personnel acting on the organization's behalf or for its benefit;
▸ bribery by the organization's business associates acting on the organization's behalf or for its benefit;
▸ bribery of the organization;
▸ bribery of the organization's personnel in relation to the organization's activities;
▸ bribery of the organization's business associates in relation to the organization's activities;

Clause 1: Scope of ISO 37001 Contd…
▸ The Standard is only applicable to bribery. It sets out requirements and provides guidance for a management system designed to help an organization prevent, detect and respond to bribery and comply with anti-bribery laws and voluntary commitments.
▸ The requirements of the Standard are generic and are intended to be applicable to all organizations regardless of type, size and nature of business activities, whether in the public, private or not-for-profit sectors. The extent of application of these requirements depends on the factors specified in 4.1 (Context of the Organization), 4.2 (Needs and Expectations of Stakeholders) and 4.5 (Bribery Risk Assessment).

Clause 2: Normative References

▸ ISO 31000 – Risk Management Guidelines
▸ ISO 27001 – Information Security Management System
▸ ISO 37301 – Compliance Management System

Clause 3: Terms and Definitions

This clause references the terms and definitions that need to be understood in relation to this standard. Some of the important definitions are:
• Organization: person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives.
• Interested Party/Stakeholder: person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity.
• Requirement: a need that is stated and is obligatory.
• Management System: set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives.
• Anti-bribery Compliance Function: person with responsibility and authority for the operation of the anti-bribery management system.

Clause 3: Terms and Definitions Contd…

• Objectives: specific, measurable result to be achieved
• Policy: intentions and direction of an organization, as formally expressed by its top management or its governing body
• Process: set of interrelated or interacting activities which transforms inputs into outputs
• Procedures: procedures, often referred to as Standard Operating Procedures (SOPs), are a documented set of step-by-step instructions and guidelines that outline how specific tasks, activities, or processes should be performed within an organization.
• Risk: effect of uncertainty on objectives
• Audit: systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
• Due diligence: process to further assess the nature and extent of the bribery risk and help organizations make decisions in relation to specific transactions, projects, activities, business associates and personnel

Clause 4: Context of the Organization

4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of stakeholders
4.3 Determining the scope of the anti-bribery management system
4.4 Anti-bribery management system
4.5 Bribery risk assessment

Clause 5: Leadership

• 5.1 Leadership and commitment
  • 5.1.1 Governing body
  • 5.1.2 Top management
• 5.2 Anti-bribery policy
• 5.3 Organization roles, responsibilities and authority
  • 5.3.1 Roles and responsibilities
  • 5.3.2 Anti-bribery compliance function
  • 5.3.3 Delegated decision making

Clause 6: Planning

6.1 Actions to address risks and opportunities
6.2 Anti-bribery objectives and planning to achieve them

Clause 7: Support

7.1 Resources: determine the resources needed and provide them.
7.2 Competence:
7.2.1 Determine the competence required and, if required, acquire it or train for it
7.2.2 Employment process, employment contract clause, due diligence
7.3 Awareness training: appropriate, adequate and regular
7.4 Communication: external/internal, how, to whom and by whom
7.5 Documented information:
7.5.1 The ABMS should include documented information required by the Standard and determined by the Organisation.
7.5.2 Creating and updating – date, title, format
7.5.3 Control of documented information – available when needed
Clause 8: Operation

8.1 Operational planning and control
8.2 Due diligence
8.3 Financial controls
8.4 Non-financial controls
8.5 Implementation of anti-bribery controls by controlled organizations and business associates
8.6 Anti-bribery commitments
8.7 Gifts, hospitality, donations and similar benefits
8.8 Managing inadequacy of anti-bribery controls
8.9 Raising concerns
8.10 Investigating and dealing with bribery

Clause 9: Performance Evaluation

9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.2.1 The organization shall conduct internal audits at planned intervals
9.2.2 The organization shall plan, implement and maintain audit programs
9.2.3 The audit shall be reasonable, proportionate and risk-based
9.2.4 The organization shall ensure impartiality of these audits
9.3 Management review
9.3.1 Top management review
9.3.2 Governing body review

Clause 10: Improvement

10.1 Non-conformity and corrective action
10.2 Continual improvement

Implementation Journey

How Does ISO 37001 Work?

Workflow of ISO 37001

▸ PLAN – Clause 4 Organization Context, Clause 5 Leadership, Clause 6 Planning, Clause 7 Support
▸ DO – Clause 8 Operations
▸ CHECK – Clause 9 Evaluation
▸ ACT – Clause 10 Improvement

Steps for ABMS Certification

The usual path for an organization that wishes to be ISO 37001 certified is as under:
▸ Implementation of the management system: Before being audited, a management system must be in operation for some time. Usually, the minimum time required by the certification bodies is 3 months.
▸ Internal audit and review by top management: Before a management system can be certified, it must have had at least one internal audit report and one management review.
▸ Selection of the certification body (registrar): Each organization can select the certification body (registrar) of its choice.
▸ Pre-assessment audit (optional): An organization can choose to perform a pre-audit to identify any possible gap between its current management system and the requirements of the standard.
▸ Stage 1 audit: A conformity review of the design of the management system.
▸ Stage 2 audit (on-site visit): The Stage 2 audit objective is to evaluate whether the declared management system conforms to all requirements of the standard.
▸ Confirmation of registration: If the organization is compliant with the conditions of the standard, the Registrar confirms the registration and publishes the certificate.
▸ Continual improvement and surveillance audits: Surveillance Audit I after
Essential Elements for Success of ABMS

▸ Top Management Commitment
▸ Bribery risk assessment
▸ Anti-bribery culture
▸ Implementation of effective controls and monitoring
▸ Effective internal audits
▸ Effective investigation and corrective action process

Challenges and Benefits

Challenges

▸ Getting the buy-in from all levels of the organization.
▸ Budget and resources needed to implement and maintain the system.
▸ System too much dependent on integrity of

Benefits

▸ Enhances the company's reputation for integrity
▸ Competitive advantage for the organization
▸ Reduced cost of operations
▸ Prevents, detects and addresses bribery risks
▸ Promotes trust and confidence in business
▸ Protects the organization from adverse effects of bribery
▸ Results in more effective business processes for the company
▸ Strengthens third party management
MANY THANKS
Clause 4.1 Understanding the Org and its Context

a) Size, structure and delegated decision making
b) Location and sectors
c) Nature, scale and complexity
d) Business model
e) Controlled and controlling entities
f) Business associates
g) Nature and extent of interaction with public officials
h) Applicable statutory, regulatory, contractual and professional obligations
Clause 4.2 Needs and Expectations of Stakeholders

▸ Determine:
a) The stakeholders that are relevant to the ABMS
b) Relevant requirements of these stakeholders

Distinguish between mandatory requirements, and non-mandatory expectations and voluntary commitments to stakeholders

What is the difference between Interested Parties and Stakeholders?
Clause 4.3 Determining Scope of ABMS
Determine the boundaries and applicability of ABMS while
keeping in consideration:
a) Context of the organization
b) Expectations of the stakeholders
c) The results of bribery risk assessment

The scope shall be available as documented information


Clause 4.4 Anti-Bribery Management System

An Anti-Bribery Management System is the establishment of a closed-loop control architecture that establishes, implements, maintains, reviews and improves management strategies and objectives which address the specific requirements of the ISO 37001 Standard.
Clause 4.5 Bribery Risk Assessment
▸ 4.5.1 Undertake regular bribery risk assessment (identify, analyze, assess and prioritize the risks and evaluate the effectiveness of existing controls)
▸ 4.5.2 Establish criteria for evaluating bribery risks taking into account the organization's policies and objectives
▸ 4.5.3 Review the bribery risk assessment on a regular basis (to assess the impact of changes in the organization and new information) and in the event of significant change to the structure or activities of the organization
▸ 4.5.4 Retain documented records which show that the bribery risk assessment has been conducted and used to design or improve the anti-bribery management system

Note: See Clause A.4 for guidance.

Clause 5.1: Leadership and Commitment
5.1.1 The Governing Body should demonstrate leadership and commitment with regard to the ABMS by:
a. Approving the ABMS
b. Ensuring the organization's strategy and the ABMS are aligned
c. Regularly receiving and reviewing information about the content and operation of the ABMS
d. Requiring that adequate and appropriate resources needed for effective operation of the ABMS are allocated and assigned
e. Exercising oversight over the implementation of the ABMS by top management and its effectiveness
Clause 5.1 Leadership and Commitment
5.1.2 Top Management should demonstrate leadership and commitment with regard to the ABMS by:
a. ensuring that ABMS, including policy and objectives, is
established, implemented, maintained and reviewed to
adequately address the organization’s bribery risks
b. ensuring the integration of ABMS requirements into the
organization’s processes;
c. deploying adequate and appropriate resources for the
effective operation of ABMS;
d. communicating internally and externally regarding the
anti-bribery policy;
e. communicating internally the importance of effective anti-
bribery management and of conforming to the ABMS
requirements;
Clause 5.1 Leadership and Commitment…
f. ensuring that the ABMS is appropriately designed to
achieve its objectives;
g. directing and supporting personnel to contribute to the
effectiveness of the ABMS;
h. promoting an appropriate anti-bribery culture within the
organization
i. promoting continual improvement;
j. supporting other relevant management roles to
demonstrate their leadership in preventing and detecting
bribery as it applies to their areas of responsibility;
k. encouraging the use of reporting procedures for
suspected and actual bribery;
Clause 5.1 Leadership and Commitment…
l. ensuring that no personnel will suffer retaliation,
discrimination or disciplinary action for reports made in
good faith, or on the basis of a reasonable belief of
violation or suspected violation of organization’s ABMS
policy, or refusing to engage in bribery, even if such
refusal can result in organization losing business (except
where the individual participated in violation);

m. at planned intervals, reporting to the governing body (if any) on the content and operation of the anti-bribery management system and of allegations of serious or systematic bribery.
Clause 5.2 Anti-Bribery Policy
Top management shall establish, maintain and review
an anti-bribery policy that:
a. prohibits bribery;
b. requires compliance with anti-bribery laws that are
applicable to the organization;
c. is appropriate to the purpose of the organization;
d. provides a framework for setting, reviewing and achieving
anti-bribery objectives;
e. includes a commitment to satisfy ABMS requirements;
f. encourages raising concerns in good faith, or on the basis
of a reasonable belief in confidence, without fear of
reprisal;
Clause 5.2 Anti-Bribery Policy…
g. includes a commitment to continual improvement of the
ABMS;
h. explains the authority and independence of the anti-
bribery compliance function;
i. explains the consequences of not complying with the anti-
bribery policy.
The anti-bribery policy shall:
- be available as documented information;
- be communicated in appropriate languages within the organization
and to business associates who pose more than a low risk of
bribery;
- be available to relevant stakeholders, as appropriate.
Clause 5.3 Organizational roles, responsibilities and authorities
5.3.1 Roles and responsibilities:
a. Top management shall have overall responsibility for the
implementation of, and compliance with the ABMS.
b. Top management shall ensure that the responsibilities and
authorities for relevant roles are assigned and
communicated within and throughout every level of the
organization.
c. Managers at every level shall be responsible for requiring
that the ABMS requirements are applied and complied
with in their department or function.
d. The governing body (if any), top management and all
other personnel shall be responsible for understanding,
complying with and applying the ABMS, as they relate to
Clause 5.3 Organizational roles, responsibilities and authorities
5.3.2 Anti-bribery Compliance Function.
Top management shall assign to an anti-bribery compliance
function the responsibility and authority for:
a. overseeing the design and implementation by the
organization of the ABMS;
b. providing advice and guidance to personnel on the ABMS
and issues relating to bribery;
c. ensuring that the ABMS conforms to the requirements of
this document;
d. reporting on the performance of the ABMS to the
governing body (if any) and top management and other
compliance functions, as appropriate.
Clause 5.3 Organizational roles, responsibilities and authorities…
The anti-bribery compliance function shall be adequately
resourced and assigned to person(s) who have the appropriate
competence, status, authority and independence.
The anti-bribery compliance function shall have direct and
prompt access to the governing body (if any) and top
management in the event that any issue or concern needs to be
raised in relation to bribery or the anti-bribery management
system.
Top management can assign some or all of the anti-bribery
compliance function to persons external to the organization. If it
does, top management shall ensure that specific personnel
have responsibility for, and authority over, those externally
assigned parts of the function.
Clause 5.3 Organizational roles, responsibilities and authorities
5.3.3 Delegated decision making
Where top management delegates to personnel the authority
for the making of decisions in relation to which there is more
than a low risk of bribery risk, the organization shall establish
and maintain a decision-making process or set of controls which
requires that the decision making process and the level of
authority of the decision-maker(s) are appropriate and free of
actual or potential conflicts of interest. Top management shall
ensure that these processes are reviewed periodically as part of
its role and responsibility for implementation of, and compliance
with, the ABMS.
NOTE Delegation of decision-making does not exempt top management or the governing body (if any) from their duties and responsibilities, nor does it necessarily transfer to the delegated
Clause 6.1 Actions to Address Risks and Opportunities
When planning for the ABMS, the organization shall consider
context of the organization, expectations of the stakeholders,
bribery risk assessed and opportunities for improvement that
need to be addressed to:
a. give reasonable assurance that the ABMS can achieve its
objectives;
b. prevent, or reduce, undesired effects relevant to the anti-
bribery policy and objectives;
c. monitor the effectiveness of the ABMS;
d. achieve continual improvement
Clause 6.1 Actions to Address Risks and Opportunities…
The organization shall plan:
▸ actions to address these bribery risks and opportunities for improvement; and
▸ how to:
▹ integrate and implement these actions into its ABMS processes;
▹ evaluate the effectiveness of these actions
Clause 6.2 Anti-bribery Objectives and Planning to Achieve them
The organization shall establish ABMS objectives at
relevant functions and levels. The anti-bribery
management system objectives shall:
a. be consistent with the anti-bribery policy;
b. be measurable (if practicable);
c. take into account the context of the organization, the expectations of stakeholders, and the bribery risks identified;
d. be achievable;
e. be monitored;
f. be communicated;
g. be updated as appropriate.
Clause 6.2 Anti-bribery Objectives and Planning to Achieve them
The organization shall retain documented information on the
ABMS objectives.
When planning how to achieve its ABMS objectives, the
organization shall determine:
• what will be done;
• what resources will be required;
• who will be responsible;
• when the objectives will be achieved;
• how the results will be evaluated and reported;
• who will impose sanctions or penalties.
Clause 7.1 Resources
The organization shall determine and provide the resources needed
for the establishment, implementation, maintenance and continual
improvement of the anti-bribery management system
Resources needed depend on factors such as the size of the
organization, the nature of its operations, and the bribery risks it
faces. Examples of resources include the following:
• Human resources: There should be sufficient personnel who are able to
apply sufficient time to their relevant anti-bribery responsibilities so that
the anti-bribery management system can function effectively. This includes
assigning sufficient person(s) (either internal or external) to the anti-
bribery compliance function.
• Physical resources: There should be the necessary physical resources in
the organization, including in the anti-bribery compliance function, for the
anti-bribery management system to function effectively, e.g. office space,
furniture, computer hardware and software, training materials, telephones,
stationery.
• Financial resources: There should be a sufficient budget, including in the
Clause 7.2 Competence
7.2.1 General
The organization shall:
a. determine the necessary competence of person(s) doing work under its control that affects its anti-bribery performance;
b. ensure that these persons are competent on the basis of
appropriate education, training, or experience;
c. where applicable, take actions to acquire and maintain
the necessary competence, and evaluate the
effectiveness of the actions taken;
d. retain appropriate documented information as evidence
of competence.
Clause 7.2 Competence…
7.2.2 Employment process
7.2.2.1 In relation to all of its personnel, the organization shall implement
procedures such that:
a. conditions of employment require personnel to comply with the anti-bribery policy and anti-bribery management system, and give the organization the right to discipline personnel in the event of non-compliance;
b. within a reasonable period of their employment
commencing, personnel receive a copy of, or are provided
with access to, the anti-bribery policy and training in
relation to that policy;
c. the organization has procedures which enable it to take
appropriate disciplinary action against personnel who
violate the anti-bribery policy or anti-bribery management
system;
Clause 7.2 Competence…
7.2.2 Employment process
7.2.2.1 In relation to all of its personnel, the organization shall
implement procedures such that:
d. personnel will not suffer retaliation, discrimination or disciplinary
action (e.g. by threats, isolation, demotion, preventing advancement,
transfer, dismissal, bullying, victimization, or other forms of
harassment) for:
I) refusing to participate in, or turning down, any activity in respect
of which they have reasonably judged there to be a more than
low risk of bribery that has not been mitigated by the
organization; or
II) concerns raised or reports made in good faith, or on the basis of a reasonable belief, of attempted, actual or suspected bribery or violation of the anti-bribery policy or the anti-bribery management system (except where the individual participated in the violation).
Clause 7.2 Competence…
7.2.2 Employment process
7.2.2.2 In relation to all positions which are exposed to more than a low bribery risk, as determined in the bribery risk assessment, and to the anti-bribery compliance function, the organization shall implement procedures which provide that:
a. due diligence is conducted on persons before they are employed,
and on personnel before they are transferred or promoted by the
organization, to ascertain as far as is reasonable that it is
appropriate to employ or redeploy them and that it is reasonable to
believe that they will comply with the anti-bribery policy and anti-bribery management system requirements;
b. performance bonuses, performance targets and other incentivizing
elements of remuneration are reviewed periodically to verify that
there are reasonable safeguards in place to prevent them from
encouraging bribery;
c. such personnel, top management, and the governing body (if any),
file a declaration at reasonable intervals proportionate with the
identified bribery risk, confirming their compliance with the anti-
Clause 7.3 Awareness Training
The organization shall provide adequate and appropriate anti-bribery
awareness and training to personnel. Such training shall address the
following issues, as appropriate, taking into account the results of the bribery
risk assessment:
a. the organization’s anti-bribery policy, procedures and ABMS, and their
duty to comply;
b. the bribery risk and the damage to them and the organization which
can result from bribery;
c. the circumstances in which bribery can occur in relation to their
duties, and how to recognize these circumstances;
d. how to recognize and respond to solicitations or offers of bribes;
e. how they can help prevent and avoid bribery and recognize key
bribery risk indicators;
f. their contribution to the effectiveness of the ABMS, including the
benefits of improved anti-bribery performance and of reporting
suspected bribery;
g. the implications and potential consequences of not conforming with
Clause 7.3 Awareness Training…
h. how and to whom they are able to report any concerns;
i. information on available training and resources.
Personnel shall be provided with anti-bribery awareness and training on a regular
basis (at planned intervals determined by the organization), as appropriate to their
roles, the risks of bribery to which they are exposed, and any changing circumstances.
The awareness and training programmes shall be periodically updated as necessary to
reflect relevant new information.
Taking into account the bribery risks identified, the organization shall also implement
procedures addressing anti-bribery awareness and training for business associates
acting on its behalf or for its benefit, and which could pose more than a low bribery
risk to the organization. These procedures shall identify the business associates for
which such awareness and training is necessary, its content, and the means by which
the training shall be provided.
The organization shall retain documented information on the training procedures, the
content of the training, and when and to whom it was provided.
NOTE 1 The awareness and training requirements for business associates can be
communicated through contractual or similar requirements, and be implemented by
the organization, the business associate or by other parties appointed for that
purpose.
Clause 7.4 Communication
7.4.1 The organization shall determine the internal and external
communications relevant to the anti-bribery management
system including:
a. on what it will communicate;
b. when to communicate;
c. with whom to communicate;
d. how to communicate;
e. who will communicate;
f. the languages in which to communicate.
7.4.2 The anti-bribery policy shall be made available to all the
organization’s personnel and business associates, be
communicated directly to both personnel and business
associates who pose more than a low risk of bribery, and shall
be published through the organization’s internal and external
communication channels, as appropriate.
Clause 7.5 Documented Information
7.5.1 General
The organization’s ABMS shall include:
a. documented information required by this document;
b. documented information determined by the organization as being
necessary for the effectiveness of the ABMS.
NOTE 1: The extent of documented information for an anti-bribery
management system can differ from one organization to another due to:
- the size of organization and its type of activities, processes, products and
services;
- the complexity of processes and their interactions;
- the competence of personnel.
NOTE 2: Documented information can be retained separately as part of
the anti-bribery management system, or can be retained as part of other
management systems (e.g. compliance, financial, commercial, audit).
NOTE 3: See Clause A.17 for guidance.
Clause 7.5 Documented Information…

7.5.2 Creating and Updating


When creating and updating documented information
the organization shall ensure appropriate:
a. identification and description (e.g. a title, date, author, or
reference number);
b. format (e.g. language, software version, graphics) and
media (e.g. paper, electronic);
c. review and approval for suitability and adequacy.
Clause 7.5 Documented Information…
7.5.3 Control of Documented Information
Documented information required by the anti-bribery management system
and by this document shall be controlled to ensure:
a. it is available and suitable for use, where and when it is needed;
b. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss
of integrity).
For the control of documented information, the organization shall address the
following activities, as applicable:
• distribution, access, retrieval and use;
• storage and preservation, including preservation of legibility;
• control of changes (e.g. version control);
• retention and disposition.
Documented information of external origin determined by the organization to be
necessary for the planning and operation of the anti-bribery management system
shall be identified as appropriate, and controlled.
NOTE Access can imply a decision regarding the permission to view the
documented information only, or the permission and authority to view and change
the documented information.
Clause 8.1 Operational Planning and Control
The organization shall plan, implement, review and control the
processes needed to meet requirements of the ABMS, and to
implement the actions determined in 6.1, by:
a. establishing criteria for the processes;
b. implementing control of the processes in accordance with
the criteria;
c. keeping documented information to the extent necessary
to have confidence that the processes have been carried
out as planned.
These processes shall include the specific controls referred to in
8.2 to 8.10.
The organization shall control planned changes and review the
consequences of unintended changes, taking action to mitigate
any adverse effects, as necessary.
Clause 8.2 Due Diligence
Where the organization’s bribery risk assessment has assessed a more than
low bribery risk in relation to:
a. specific categories of transactions, projects or activities,
b. planned or on-going relationships with specific categories of business
associates, or
c. specific categories of personnel in certain positions (7.2.2.2),
the organization shall assess the nature and extent of the bribery risk in
relation to specific transactions, projects, activities, business associates and
personnel falling within those categories. This assessment shall include any
due diligence necessary to obtain sufficient information to assess the bribery
risk. The due diligence shall be updated at a defined frequency, so that
changes and new information can be properly taken into account.
Note 1: The organization can conclude that it is unnecessary, unreasonable or
disproportionate to undertake due diligence.
Note 2: See Clause A.10 for guidance.
Clause 8.3 Financial Controls
The organization shall implement financial controls that manage
bribery risk.
NOTE See Clause A.11 for guidance.
Financial Controls
• Checks and balances:
  - Assignment of authorities: clearly define the scope of authority.
  - Separation of functions: no employee should have responsibility for more than one step in a
    transaction, from approval to review.
  - Counter-signatures on approval or change of a contract and on approval of work undertaken or
    supplies made.
  - Financial thresholds for approval, to ensure the approving authority is appropriate to the value of
    the contract or supplies.
• Cash controls: eliminate cash use where possible and set an upper limit for cash
  transactions where unavoidable.
• Ensure the payee’s appointment, work, services or supplies have been approved by the
  relevant approval mechanism, with appropriate supporting documentation annexed to
  the approvals.
• Avoid payments to off-shore jurisdictions.
• Ensure that payments are made to a payee in the same location in which the payee
  resides and/or carries on business.
• Ensure that payments are recorded accurately and clearly.
• Periodic management review of significant business transactions.
• Implement periodic financial audits.
Clause 8.4 Non-Financial Controls
The organization shall implement non-financial controls that manage bribery risk with respect to
such areas as procurement, operational, sales, commercial, human resources, legal and
regulatory activities.
NOTE 1 Any particular transaction, activity or relationship can be subject to financial as well as
non-financial controls.
NOTE 2 See Clause A.12 for guidance.
Non-Financial Controls
• Management systems and processes to help the organization ensure that the
  procurement, operational, commercial and other non-financial
  aspects of its activities are being properly managed. The non-
  financial controls which can reduce bribery risk could include:
  - using approved contractors, suppliers etc. that have undergone a pre-
    qualification process;
  - awarding contracts, where possible and reasonable, only after a fair and
    competitive tender process between at least three competitors has taken
    place;
  - requiring at least two persons to evaluate the tenders and approve the
    award of a contract;
  - assessing:
    - the necessity and legitimacy of the services to be provided by a business
      associate to the organization;
    - whether the services were properly carried out;
    - whether any payments to be made to the business associate are reasonable
      and proportionate to the services provided.
Non-Financial Controls…
  - implementing a separation of duties, so that personnel who
    approve the placement of a contract are different from
    those requesting the placement of the contract and are
    from a different department or function from those who
    manage the contract or approve work done under the
    contract;
  - requiring the signatures of at least two persons on
    contracts, and on documents which change the terms of a
    contract or which approve work undertaken or supplies
    provided under the contract;
  - placing a higher level of management oversight on
    potentially high bribery risk transactions;
  - protecting the integrity of tenders and other price-sensitive
    information by restricting access to appropriate people.
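The financial and non-financial controls listed above (separation of functions, counter-signatures, approval thresholds, cash limits, payee location, supporting documentation and senior oversight of high-value transactions) can be enforced mechanically in a payment or contract workflow. The following is an added example, not part of the ISO 37001 text or of this training deck; the roles, limits and sample transactions are constructed assumptions for illustration.

```python
"""Added example: a policy check that applies several of the financial and
non-financial anti-bribery controls from the slides to constructed transactions.
Role limits, thresholds and all sample data are assumptions, not values from
ISO 37001."""
from dataclasses import dataclass, field

# Assumed approval authority per role (constructed, in the transaction currency).
APPROVAL_LIMITS = {"manager": 10_000, "director": 100_000, "cfo": 1_000_000}
CASH_LIMIT = 500               # assumed upper limit for unavoidable cash payments
HIGH_RISK_THRESHOLD = 50_000   # assumed value above which senior oversight is required


@dataclass
class Person:
    name: str
    department: str
    role: str


@dataclass
class Transaction:
    amount: float
    payment_method: str          # "bank" or "cash"
    requester: Person
    approvers: list              # persons who signed off on the transaction
    contract_manager: Person     # person who manages the contract / approves work done
    payee_country: str           # where the payee resides or carries on business
    payee_bank_country: str      # where the payment is actually sent
    contract_change: bool = False
    supporting_docs: list = field(default_factory=list)
    senior_oversight: bool = False


def check_transaction(tx: Transaction) -> list:
    """Return the list of control violations; an empty list means the transaction passes."""
    findings = []
    # Separation of functions: the requester must not approve, and approvers must
    # sit in a different department from the person managing the contract.
    if any(a.name == tx.requester.name for a in tx.approvers):
        findings.append("requester approved own request")
    if any(a.department == tx.contract_manager.department for a in tx.approvers):
        findings.append("approver shares department with contract manager")
    # Counter-signatures: documents that change contract terms need two signatures.
    if tx.contract_change and len(tx.approvers) < 2:
        findings.append("contract change lacks second signature")
    # Financial thresholds: at least one approver must hold authority for the amount.
    if not any(APPROVAL_LIMITS.get(a.role, 0) >= tx.amount for a in tx.approvers):
        findings.append("no approver with authority for this amount")
    # Cash controls: cash only below the assumed limit.
    if tx.payment_method == "cash" and tx.amount > CASH_LIMIT:
        findings.append("cash payment above cash limit")
    # Payee location: pay into the location where the payee resides or does business.
    if tx.payee_bank_country != tx.payee_country:
        findings.append("payment destination differs from payee location")
    # Supporting documentation must be annexed to the approval.
    if not tx.supporting_docs:
        findings.append("no supporting documentation annexed")
    # Higher level of management oversight on high-value transactions.
    if tx.amount > HIGH_RISK_THRESHOLD and not tx.senior_oversight:
        findings.append("high-value transaction lacks senior oversight")
    return findings
```

Each finding names the control that failed, so the list can be logged as the evidence record the standard asks the organization to retain.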
Clause 8.5 Implementation of Anti-Bribery Controls by Controlled
Organizations and by Business Associates
8.5.1 The organization shall implement procedures which
require that all other organizations over which it has control
either:
a. implement the organization’s anti-bribery management system, or
b. implement their own anti-bribery controls,
in each case only to the extent that is reasonable and
proportionate with regard to the bribery risks faced by the
controlled organizations, taking into account the bribery risk
assessment conducted in accordance with 4.5.
NOTE An organization has control over another organization if it
directly or indirectly controls the management of the
organization (see A.13.1.3).
Clause 8.5 Implementation of Anti-Bribery Controls by Controlled
Organizations and by Business Associates…
8.5.2 In relation to business associates not controlled by the organization
for which the bribery risk assessment or due diligence has identified a more
than low bribery risk, and where anti-bribery controls implemented by the
business associates would help mitigate the relevant bribery risk, the
organization shall implement procedures as follows:
a. the organization shall determine whether the business associate has in
place anti-bribery controls which manage the relevant bribery risk;
b. where a business associate does not have in place anti-bribery
controls, or it is not possible to verify whether it has them in place:
• where practicable, the organization shall require the business associate to
implement anti-bribery controls in relation to the relevant transaction,
project or activity; or
• where it is not practicable to require the business associate to implement
anti-bribery controls, this shall be a factor taken into account in evaluating
the bribery risk of the relationship with this business associate and the way
in which the organization manages such risks.
NOTE See Clause A.13 for guidance.
Clause 8.6 Anti-Bribery Commitments
For business associates which pose more than a low bribery risk, the
organization shall implement procedures which require that, as far as
practicable:
a. business associates commit to preventing bribery by, on behalf
of, or for the benefit of the business associate in connection with
the relevant transaction, project, activity, or relationship;
b. the organization is able to terminate the relationship with the
business associate in the event of bribery by, on behalf of, or for
the benefit of the business associate in connection with the
relevant transaction, project, activity, or relationship.
Where it is not practicable to meet the requirements of a) or b) above,
this shall be a factor taken into account in evaluating the bribery risk of
the relationship with this business associate and the way in which the
organization manages such risks.
NOTE See Clause A.14 for guidance.
Clause 8.7 Gifts, Hospitality, Donations and Similar
Benefits
The organization shall implement procedures that are designed
to prevent the offering, provision or acceptance of gifts,
hospitality, donations and similar benefits where the offering,
provision or acceptance is, or could reasonably be perceived as,
bribery.
NOTE See Clause A.15 for guidance.
Clause 8.8 Managing Inadequacy of Anti-Bribery
Controls
Where the due diligence conducted on a specific transaction,
project, activity or relationship with a business associate
establishes that the bribery risks cannot be managed by existing
anti-bribery controls, and the organization cannot or does not
wish to implement additional or enhanced anti-bribery controls or
take other appropriate steps (such as changing the nature of the
transaction, project, activity or relationship) to enable the
organization to manage the relevant bribery risks, the
organization shall:
a. in the case of an existing transaction, project, activity or
relationship, take steps appropriate to the bribery risks and
the nature of the transaction, project, activity or
relationship to terminate, discontinue, suspend or withdraw
from it as soon as practicable;
b. in the case of a proposed new transaction, project, activity
or relationship, postpone or decline to continue with it.
Clause 8.9 Raising Concerns
The organization shall implement procedures which:
a. encourage and enable persons to report in good faith or on the basis of a
reasonable belief attempted, suspected and actual bribery, or any violation of
or weakness in the anti-bribery management system, to the anti-bribery
compliance function or to appropriate personnel (either directly or through an
appropriate third party);
b. except to the extent required to progress an investigation, require that the
organization treats reports confidentially, so as to protect the identity of the
reporter and of others involved or referenced in the report;
c. allow anonymous reporting;
d. prohibit retaliation, and protect those making reports from retaliation, after
they have in good faith, or on the basis of a reasonable belief, raised or
reported a concern about attempted, actual or suspected bribery or violation of
the anti-bribery policy or the anti-bribery management system;
e. enable personnel to receive advice from an appropriate person on what to do
if faced with a concern or situation which could involve bribery.
Note: The organization shall ensure that all personnel are aware of the reporting
procedures and are able to use them, and are aware of their rights and protections
under the procedures.
Clause 8.10 Investigating and Dealing with
Bribery
The organization shall implement procedures that:
a. require assessment and, where appropriate, investigation of any bribery, or violation
of the anti-bribery policy or the anti-bribery management system, which is reported,
detected or reasonably suspected;
b. require appropriate action in the event that the investigation reveals any bribery, or
violation of the anti-bribery policy or the anti-bribery management system;
c. empower and enable investigators;
d. require co-operation in the investigation by relevant personnel;
e. require that the status and results of the investigation are reported to the anti-
bribery compliance function and other compliance functions, as appropriate;
f. require that the investigation is carried out confidentially and that the outputs of the
investigation are confidential.
The investigation shall be carried out by, and reported to, personnel who are not part
of the role or function being investigated. The organization can appoint a business
associate to conduct the investigation and report the results to personnel who are not part
of the role or function being investigated.
NOTE 1 See Clause A.18 for guidance.
Clause 9.1 Monitoring, Measurement, Analysis and
Evaluation
The organization shall determine:
a. what needs to be monitored and measured;
b. who is responsible for monitoring;
c. the methods for monitoring, measurement, analysis and evaluation, as
applicable, to ensure valid results;
d. when the monitoring and measuring shall be performed;
e. when the results from monitoring and measurement shall be analyzed and
evaluated;
f. to whom and how such information shall be reported.
The organization shall retain appropriate documented information as evidence
of the methods and results.
The organization shall evaluate the anti-bribery performance and the
effectiveness and efficiency of the anti-bribery management system.
NOTE See Clause A.19 for guidance.
Clause 9.2 Internal Audit
9.2.1 The organization shall conduct internal audits at
planned intervals to provide information on whether the
anti-bribery management system:
a. conforms to the organization’s own requirements for
its anti-bribery management system and the requirements of
this document;
b. is effectively implemented and maintained.
Note 1: Guidance on auditing management systems is given in ISO 19011.
Note 2: The scope and scale of the organization’s internal audit activities can vary
depending on a variety of factors, including organization size, structure, maturity and
locations.
Clause 9.2 Internal Audit Contd…
9.2.2 The organization shall:
a. plan, establish, implement and maintain an audit programme(s),
including the frequency, methods, responsibilities, planning
requirements and reporting, which shall take into consideration the
importance of the processes concerned and the results of previous
audits;
b. define the audit criteria and scope for each audit;
c. select competent auditors and conduct audits to ensure objectivity and
the impartiality of the audit process;
d. ensure that the results of the audits are reported to relevant
management, the anti-bribery compliance function, top management
and, as appropriate, the governing body (if any);
e. retain documented information as evidence of the implementation of
the audit programme and the audit results.
Clause 9.2 Internal Audit Contd…
9.2.3 These audits shall be reasonable, proportionate and risk-
based. Such audits shall consist of internal audit processes or
other procedures which review procedures, controls and systems
for:
a. bribery or suspected bribery;
b. violation of the anti-bribery policy or anti-bribery
management system requirements;
c. failure of business associates to conform to the applicable
anti-bribery requirements of the organization;
d. weaknesses in, or opportunities for improvement to, the
anti-bribery management system.
Clause 9.2 Internal Audit Contd…
9.2.4 To ensure the objectivity and impartiality of these audit
programmes, the organization shall ensure that these audits are
undertaken by one of the following:
a. an independent function or personnel established or appointed
for this process; or
b. the anti-bribery compliance function (unless the scope of the
audit includes an evaluation of the anti-bribery management
system itself, or similar work for which the anti-bribery
compliance function is responsible); or
c. an appropriate person from a department or function other than
the one being audited; or
d. an appropriate third party; or
e. a group comprising any of a) to d).
The organization shall ensure that no auditor is auditing his or her own
area of work.
Note: See Clause A.16 for guidance.
Clause 9.3 Management Review
9.3.1 Top management review
Top management shall review the organization’s anti-bribery management system, at planned
intervals, to ensure its continuing suitability, adequacy and effectiveness. The top management
review shall include consideration of:
a. the status of actions from previous management reviews;
b. changes in external and internal issues that are relevant to the anti-bribery management
system;
c. information on the performance of the anti-bribery management system, including trends
in:
• nonconformities and corrective actions;
• monitoring and measurement results;
• audit results;
• reports of bribery;
• investigations;
• the nature and extent of the bribery risks faced by the organization;
d. effectiveness of actions taken to address bribery risks;
e. opportunities for continual improvement of the anti-bribery management system, as
referred to in 10.2.
The outputs of the top management review shall include decisions related to continual
improvement.
Clause 9.3 Management Review
9.3.2 Governing body review
The governing body (if any) shall undertake periodic reviews of
the anti-bribery management system based on information
provided by top management and the anti-bribery compliance
function and any other information that the governing body
requests or obtains.
The organization shall retain summary documented information
as evidence of the results of governing body reviews.
Clause 9.4 Review by Anti-Bribery Compliance Function
The anti-bribery compliance function shall assess on a continual basis whether
the anti-bribery management system is:
a. adequate to manage effectively the bribery risks faced by the
organization;
b. being effectively implemented.
The anti-bribery compliance function shall report at planned intervals,
and on an ad hoc basis, as appropriate, to the governing body (if any) and
top management, or to a suitable committee of the governing body or top
management, on the adequacy and implementation of the anti-bribery
management system, including the results of investigations and audits.
Note 1: The frequency of such reports depends on the organization’s
requirements, but is recommended to be at least annually.
Note 2: The organization can use a business associate to assist in the review,
as long as the business associate’s observations are appropriately
communicated to the anti-bribery compliance function, top management and,
as appropriate, the governing body (if any).
Clause 10.1 Non-Conformity and Corrective Action
When a nonconformity occurs, the organization shall:
a. react promptly to the nonconformity, and as applicable:
• take action to control and correct it;
• deal with the consequences;
b. evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that
it does not recur or occur elsewhere, by:
• reviewing the nonconformity;
• determining the causes of the nonconformity;
• determining if similar nonconformities exist, or could potentially occur;
• implementing any action needed;
• reviewing the effectiveness of any corrective action taken;
• making changes to the anti-bribery management system, if necessary.
c. Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:
• the nature of the nonconformities and any subsequent actions taken;
• the results of any corrective action.
NOTE See Clause A.20 for guidance.
Clause 10.2 Continual Improvement
The organization shall continually improve the
suitability, adequacy and effectiveness of the anti-
bribery management system.
NOTE See Clause A.20 for guidance.