The two most frequently asked questions by clients are “Why should I implement an ABMS?” and “How do I implement an ABMS and get it certified?” This article will answer those very questions!
Why Should I Implement an ABMS in Accordance with the Requirements of ISO 37001?
When approaching us, besides the abovementioned questions, our clients also ask: “What added value does the implementation of the standard bring to my organization?” or “We have a code of ethics and our finances are audited annually by external auditors! We have not been involved in any corruption scandals! So, why implement an ABMS in our organization?”
Having a code of ethics and having the financial results audited are not enough to prevent and detect acts of corruption. Experience shows precisely the opposite!
Several organizations that were involved in corruption scandals had codes of ethics and had their finances regularly audited. However, no corruption risk assessment had been carried out and the controls to ensure compliance with the code of ethics were at best ineffective or at worst nonexistent.
A code of ethics is certainly a key element of sound management in an organization. However, it still needs to be supported by policies, procedures, and ethical and disciplinary processes to prevent corruption and take corrective actions.
As for financial audits, they are mainly used as an aid to take business decisions and to ensure the accuracy of accounting information.
Since the adoption of the ISO 37001 standard by all ISO member countries, several organizations have implemented an ABMS in response to allegations (real or suspected) of corruption by their leaders or representatives.
However, we are noticing a trend on the part of heads of government bodies and businesses that favor the implementation of an ABMS to prevent and detect in a timely fashion behavior that could be interpreted as wrongdoing, corruption, or collusion.
Corruption scandals reported in the media often cause irreparable damage to the organizations associated with them. In addition, social acceptability for business strategies based on cheating, corruption, or collusion is rapidly declining. What once was considered “the way of doing business” is now openly criticized and subject to investigation resulting in significant financial and personal penalties.
How Do I Implement an ABMS and Get It Certified?
The effective and efficient implementation of a management system in an organization is a major challenge, regardless of the nature or the objectives of the management system.
Depending on the context, policymakers will seize an opportunity brought by a crisis or opt for change dictated by the business environment or new regulatory standards. In any case, unlike other types of management systems, an ABMS addresses directly the organizational culture and the behavior of the leaders and representatives of the organization.
The implementation of an ABMS can also be the result of negotiations between the leaders of an organization and the judicial authorities of a country to right the wrongs caused by illegal business practices such as corruption. Regardless of the reasons underlying the implementation of an ABMS, the leaders of the organizations must be willing and ready to answer the questions raised by the project in order to engage all employees, partners, and customers in its success.
Here is the proposed roadmap for the planning, implementation, deployment, and control phases of an ABMS in an organization. The content of this roadmap is based on best practices in project management, interpretation of the requirements of ISO 37001:2016, and experiences of implementing new processes in organizations.
Each organization has its own ways of doing things and unique business processes. It is therefore important to remember that the person in charge of the ABMS implementation project must first take the time to fully understand the structure and functioning of the organization, its managerial culture as well as the context in which this project takes place.
For a successful implementation project, we suggest four (4) phases:
- The planning phase during which the project manager must understand and document the managerial processes of the organization, its partner and customer relationships as well as its business objectives.
- The development phase during which an organizational diagnosis must be carried out in order to assess the gaps between the policies, procedures, and means of control in place in the organization and the requirements of the ISO 37001 standard. A risk assessment must also be carried out in order to identify and assess corruption risk.
- The deployment phase during which the ABMS is operationalized in the organization. This phase can take place over several months during which training and awareness activities will be conducted and monitored.
- The control phase during which the internal audit and the reviews by the anti-bribery compliance function, management, and governance will be carried out. These reviews will result in the adoption of a continuous improvement plan.
Depending on the objectives of the organization’s management, a fifth phase may be added, the certification phase. During this phase, the top management in collaboration with the anti-bribery compliance function will choose a certification body that has accreditation for ABMS.
Each of the phases briefly described above must be the subject of detailed planning according to best project management practices. All activities must be:
- Listed and grouped into lots (if applicable)
- Linked to each other according to a path that takes into account their hierarchy in the critical path of the project (concomitant activities vs. preliminary activities)
- Recorded in an implementation schedule (Gantt chart or similar tool)
- Monitored and evaluated to ensure compliance with deadlines and expected results
1. Planning Phase
Understanding of the organization
- Describe the organization (mission, objectives, values, business strategies, regulatory history, number of employees, number of sites, material resources, summary of the organization’s performance, and previous situations which had negative consequences on its reputation)
- Describe the external environment (strengths, weaknesses, opportunities and threats, direct and indirect competitors, presence of controversies in the industry or business area, etc.)
- Describe the main governance processes (strategic, tactical, and operational) Identify the interested parties (donors, shareholders, unions, pressure groups, watchdogs, media, etc.) and their expectations, if applicable Describe the legal, regulatory, and contractual obligations (which are related to the prevention of corruption)
Analysis of existing systems
- Describe the management and control systems in place
- Describe the human resources processes (hiring, due diligence, staffing, performance evaluation, promotion)
- Describe the disciplinary processes (analysis of complaints, investigations, decisions)
- Describe the process for reporting concerns and, where applicable, whistleblower protection programs
- Conduct a gap analysis between the management and control processes in place and the requirements of the ISO 37001 standard
Determination of the (initial) scope of application of ABMS
- Describe an initial scope for the implementation of the ABMS
- Validate the description of the proposed scope with management and governance
- Obtain governance commitment (documented decision, allocation of necessary resources)
2. Development Phase
Organization of the project team
- Appoint the person in charge of the implementation project
- Assign the required human, financial, and material resources (offices, ICT)
- Train members of the project team on the requirements of the standard and best anti-bribery practices
- Review the implementation plan, its objectives, and its timeline with the members of the project team
- Assign tasks and deliverables to members of the project team
- Establish a detailed schedule of the stages of the project
- Monitor project activities, timelines, and budgets
- Report on the progress of the project to management and, if applicable, to governance
Risk assessment
- Choose a recognized risk assessment method that corresponds to the particularities of the organization
- Prepare the documents necessary for the risk assessment process (information to participants, assessment grids, meaning of assessment criteria)
- Obtain approval of the results of the risk assessment from management and, where applicable, governance (documented decision)
- Obtain acceptance by management or, if applicable, governance for the list of residual risks (documented decision)
Develop the anti-bribery policy
- Write a policy according to the requirements of the standard (clause 5.2)
- Present the policy to management and, if applicable, to governance
- Obtain approval from management and, if applicable, governance (documented decision)
- Develop an internal and external communication plan to publish the policy (documented plan)
- Evaluate the performance of the publishing strategy according to the objectives set out in the communication plan
Determine the control processes and operational procedures necessary to mitigate medium and high corruption risks
- Facilitate meetings with managers or targeted departments to identify effective control processes and procedures for each of the medium and high risks identified
- Identify performance indicators
- Write the procedures and directives necessary for the implementation of control measures
- Obtain approval for procedures and guidelines from management or, where applicable, governance (documented decision)
- Prepare guides and content of training sessions (if necessary) for managers and users of forms
Establish relevant mechanisms for reporting concerns and protecting whistleblowers
- Determine what means of reporting concerns will be put in place
- Establish analysis and investigation procedures relating to reports
- Prepare a communication and awareness plan regarding the means of communicating concerns to all staff of the organization
- Evaluate the performance of the communication plan
Structure the ABMS
- Establish the roles and responsibilities of management and employees in the operation of the ABMS
- Revise the organizational chart to reflect anti-bribery responsibilities
- Review job descriptions and responsibilities for all relevant hierarchical levels
- Review the performance appraisal process to include responsibilities and tasks related to the ABMS
- Develop supporting documents for changes to the performance appraisal process
3. Deployment Phase
Deploy the ABMS in the organization
- Determine the date of deployment (D-Day)
- Establish the roles and responsibilities of project team members during the deployment phase
- Monitor deployment activities
- Document the activities of the deployment phase (reports, monitoring forms)
- Report the performance of the deployment phase to management and, if applicable, to governance (document decisions, if applicable)
Monitor operational procedures
- Monitor the performance of all the control measures put in place according to the performance indicators of the ABMS
- Financial controls
- Non-financial controls
- Human resource control
- Reasonable due diligence
- Anti-bribery commitments
- Documented information
- Gifts, hospitality, donations, and similar benefits
- Training and awareness
- Management of inadequacies
- Reporting concerns
- Analysis of reports and investigations
- Obtain the reports scheduled for ABMS (daily, weekly, monthly)
- Analyze reports according to procedures and guidelines
- Propose fixes and modifications if necessary
- Write periodic performance reports of the ABMS
- Communicate performance reports to managers according to agreed procedures (dashboards)
- Document the follow-ups and the transmission of reports
4. Control Phase
Internal audit
- Establish the internal audit program
- Create audit tools
- Identify auditors
- Train auditors (if necessary)
- Plan audit activities
- Allocate resources for audit activities
- Audit all ABMS criteria
- Write the audit report
- Write nonconformity reports (if applicable)
- Analyze and correct nonconformities (if applicable)
- Monitor the nonconformities (if applicable)
- Document the audit process
Review by the Anti-bribery Compliance Function
- Document the monitoring procedures, as well as the difficulties encountered
- Record the conclusions of periodic checks and internal audit
- List the reports of concerns and the measures taken (analysis, investigation, decision)
- Describe the observations made and the areas for improvement identified
- Prepare a report for management and, if applicable, governance
- Prepare a continuous improvement plan containing objectives and deadlines
Management review
- Plan with management the presentation of the review report of the Anti-bribery Compliance Function
- Present and comment on the review report
- Obtain approval for the report (documented decision)
- Present the continuous improvement plan
- Obtain approval for the continuous improvement plan (documented decision)
- Implement the continuous improvement plan (if applicable)
Governance review
- Plan with management the presentation of the review report of the
- Anti-bribery Compliance Function
- Present and comment on the review report
- Obtain approval for the report (documented decision)
- Present the continuous improvement plan
- Obtain approval for the continuous improvement plan (documented decision)
- Implement the continuous improvement plan (if applicable)
All the activities described above require adaptation to the specific internal and external environments of an organization. Depending on the nature of the organization and its operations, it is necessary to review each of the activities indicated and, if necessary, add or subtract from them.
The implementation of the anti-bribery management system based on the requirements of ISO 37001 allows the organizations and its leaders to promote stakeholders, suppliers, and customers confidence and demonstrate to regulatory bodies their commitment to transparent and ethical business processes.
