Understand the 3 pillars of ISO 37001:2016 and learn how it can help combat bribery and corruption practices in companies!
The ISO 37001 was released in 2016 and generated some buzz in the market. However, here at QMS, we believe that certifications and management systems have the power to change the reality of the country. That is why we believe that this standard is important!
37001 can be a powerful weapon for organizations to improve their performance and contribute to maintaining the integrity of their management. So in today’s article, I’m going to talk about the 3 pillars of ISO 37001:2016. I also want to talk about the scope of the standard and about a somewhat controversial issue.
First of all, let’s look at the 3 pillars:
Prevention
37001 is a propositional standard, so it contains requirements that are intended to attack and combat bribery. So it seems logical that one of the pillars of the standard is to prevent, that is, to try to prevent bribery from occurring.
Detection
We will talk about this later, but obviously a standard (no matter how good and robust it is) is no incontrovertible guarantee that bribery will not occur. In addition, there may be cases where the implementation of the standard occurs after the incidence of corruption and bribery cases.
Therefore, the standard needs to contain requirements that assist in the detection, i.e. discovery of possible bribery occurrences.
Response
There is no point in detecting cases of bribery if the organization does not take effective action against it. Therefore, one of the pillars of ISO 37001:2016 is to help companies create responses and action plans for possible cases of bribery. Combined with the previous pillars, the Response helps create a complete Anti-Bribery System.
Does ISO 37001:2016 act only against Bribery?
A common question from professionals who are just beginning to delve into ISO 37001 is whether it only acts against bribery. To answer this question, I want to turn to an excerpt from the Scope of the standard. Let’s see the text in full:
“This Document is applicable only to bribery. It sets requirements and provides guidance for a management system designed to help an organization prevent, detect, and respond to bribery and comply with anti-bribery laws and voluntary commitments applicable to its activities.
This Document does not specifically address fraud, cartels and other antitrust/anti-trust offenses, money laundering, or other activities related to corrupt practices, although an organization may choose to broaden the scope of the management system to include these activities.”
So, to answer the question: the standard was created to act against bribery practices. However, it is up to the organization to define what the greatest threat is that surrounds it, in other words, what risks it wants to manage. It can then address topics such as:
- Fraud;
- Money laundering;
- Other activities related to corrupt practices.
Therefore, defining the scope is extremely important when designing and implementing an ISO 37001:2016 Management System. It is the scope that defines the limits and applicability of the management system. This in turn will impact on defining the context of the organization, the stakeholders, and of course the risk assessment.
Will organizations that correctly implement the pillars of 37001:2016 extinguish bribery?
This is another question on the minds of many professionals. Likewise, it is also something that generates controversy and even disbelief about the standard. After all, is implementing 37001:2016 a guarantee that bribery and corruption will cease to exist? Let’s see what the standard itself has to say:
“Compliance with this Document cannot provide assurance that no bribery has occurred or will occur in relation to the organization, as it is not possible to completely eliminate the risk of bribery. However, this Document can help the organization implement reasonable and proportionate measures designed to prevent, detect and respond to bribery.”
It would be immature, to say the least, to believe that a system can guarantee 100% tamper-proofness. Especially when the subject is such serious problems in our culture. However, as the standard itself says, an Anti-Bribery Management System provides systemic tools and actions that help address risks of this kind.
Compliance, Case or Chance?
With this in mind, I then leave a provocation: even if we cannot provide guarantees that “no bribery has occurred or will occur,” which companies will be most vulnerable to perish in the face of bribery? Which companies will suffer the most and be hurt the most by this practice? Let’s look at the options:
- Option A: those that have an Anti-bribery Management System consolidated in place, with actions established to Prevent, Detect and Respond to such occurrences?
- Option B: companies that have no initiative in this area?
- You don’t need to be a Guru or an expert in management systems to understand that alternative A is the best of the choices. In it, we will have something concrete and tangible, a system that runs, acts, and improves constantly.
- In option B, we keep Anti-Corruption to chance. We often rely on the good faith of our organizations because we know how the processes we manage work. However, the larger our companies are, the more relationships we have with other companies. In such cases, is it worth leaving the risks of Bribery and Corruption to chance?