4 Context
4.1 Issues
External and internal issues that can influence the ABMS
Requirement 1 (see also the quiz)
The two most important things in a company do not appear in its balance sheet: its reputation and its people. Henry Ford
To successfully implement an anti-bribery management system, it is necessary to understand and assess everything that can influence the purpose and performance of the organization (a structure that satisfies a need, see also ISO 9000, 3.3.1). It is advisable to engage in in-depth reflection around a few essential activities:
- draw up an in-depth diagnosis of the unique context in which the organization finds itself, taking into account:
  - external issues such as the environment:
    - social
    - regulatory
    - economic (partners)
    - technological
    - entities that exercise control over the organization
  - internal issues such as:
    - specific aspects of corporate culture:
      - vision
      - reason to exist, purpose, mission
      - core values
    - staff
    - complexity of activities
    - products and services
    - infrastructure
    - entities over which the organization exercises control
- monitor and regularly review all information relating to external and internal issues
- analyze the factors that may influence the achievement of the organization's objectives
PESTEL and SWOT analyses can be useful for a relevant analysis of the context of the organization. Annex 07 shows the SWOT analysis tool (Strengths and Weaknesses, Opportunities and Threats).
A list of external and internal issues is compiled by a multidisciplinary team. Each issue is rated by its level of influence and its level of control. Priority is given to issues that are highly influential and not at all under control.
- diagnosis of the context includes the main external and internal issues
- the list of external and internal issues is exhaustive
- the core values as part of the corporate culture are taken into account in the context of the company
- the results of the context analysis are widely disseminated
- the SWOT analysis includes many relevant examples
- the SWOT analysis is a powerful tool for identifying the main threats and opportunities
- the issues of the context of the company, such as the competitive environment, are not taken into account
- in some cases, the corporate culture is not taken into account
- the analysis of issues does not take into account strategic issues
- no clear link between the SWOT analysis and the actions undertaken
- the threats and weaknesses identified in the SWOT analysis remain without action
4.2 Stakeholders
Understand the requirements of stakeholders
The purpose of business is to improve our lives and to create value for stakeholders. John Mackey
To fully understand the needs and expectations of stakeholders, it is necessary to start by determining those who may be affected by the anti-bribery management system, for example:
- employees
- top management
- customers
- external providers (suppliers, subcontractors, consultants)
- owners
- shareholders
- bankers
- distributors
- competitors
- social and political organizations
"In a typical company, if you have a meeting, no matter how important, there is always a part that is not represented: the customer. It is very easy within the company to forget the customer." Jeff Bezos.
To address this concern, it became customary to place an empty chair at every meeting.
The list of stakeholders is created by a multidisciplinary team. Every stakeholder is identified by its bribery risk level. Priority is given to stakeholders with the highest bribery risk level.
Stakeholder: person, group or organization that can affect or be affected by an organization
Anticipating the needs and expectations, in other words the requirements (explicit or implicit need or expectation, see also ISO 9000, 3.1.2), of stakeholders means:
- preparing to address bribery risks
- seizing improvement opportunities of the ABMS
The signature of the contract was delayed for a few weeks because we had forgotten to translate part of the documentation into the local language.
Forgetting a stakeholder (and their specific need) can create a lot of worries!
- the list of stakeholders is updated
- the needs and expectations of interested parties are established through on-site meetings, surveys, roundtables and regular meetings (monthly or more frequent)
- the application of statutory and regulatory requirements is a prevention approach and not a constraint
- statutory and regulatory requirements are not taken into account
- the expectations of stakeholders are not determined
- the list of stakeholders does not contain their area of activity
4.3 Scope
Define the scope of the ABMS
No area is immune to the risk of bribery
The scope (in other words the perimeter) of the ABMS delimits what enters and what does not enter the system (a set of interacting processes, see also ISO 9000, 3.2.1). The ABMS takes into account:
- the purpose of the organization
- internal and external issues, cf. sub-clause 4.1
- stakeholder expectations, cf. sub-clause 4.2
- the conclusions of the bribery risk assessment, cf. sub-clause 4.5
The processes, functions and departments most at risk are specifically targeted, such as purchasing, sales and personnel management.
For a new market, a mining company carried out an inventory of the permits and licenses required to exercise its activities. In total, it turned out that nearly 20 permits and licenses were needed, involving several central and local agencies.
This knowledge has enabled the company to effectively manage its bribery prevention actions.
Fraud, agreements between companies, money laundering, influence peddling and other crimes are not directly addressed by ISO 37001, but may be included in your ABMS.
The scope is available internally and to stakeholders as a record, cf. § 7.5.
- all group subsidiaries are included in the scope of the ABMS
- the scope is relevant and available upon request
- a subsidiary of the group does not fall within the scope of the ABMS
- the subsidiary does not have its own anti-bribery controls
- certain activities are outside the scope of the ABMS without justification
4.4 ABMS
ABMS requirements, processes and interactions
Quality management, in its essence, concerns the description of processes, then their improvement. Isaac Getz
The requirements of the ISO 37001 standard are related to:
- the anti-bribery management system and
- necessary processes
To do this:
- the anti-bribery management system (ABMS) is:
  - reasonable and appropriate
  - established
  - documented (a simple and sufficient documentary system is in place)
  - set up and
  - continually improved
- the ABMS takes into account:
  - internal and external issues (cf. sub-clause 4.1)
  - stakeholders' needs and expectations (cf. sub-clause 4.2)
  - identified bribery risks (cf. sub-clause 4.5)
- the anti-bribery policy, objectives, indicators and resources are determined
- threats are determined and actions to reduce them are established (cf. sub-clauses 4.5 and 6.1)
- the essential processes necessary for the ABMS are controlled:
  - the owners are assigned
  - the corresponding resources are assured
  - the inputs and outputs are identified
  - the necessary information is available
  - the sequences and interactions are established
  - each process is measured and monitored (criteria established), objectives are established and performance indicators analyzed
  - actions to obtain the continual improvement of processes are established
  - the strict minimum necessary ("as much as necessary") of process documents is maintained and retained
The anti-bribery manual is not a requirement of the ISO 37001 standard version 2016, but it remains a possible method to present the organization, its ABMS and its procedures, policies and processes (see annex 08).
The ISO guide "The integrated use of management system standards" of 2018 contains relevant recommendations on the integration of management systems.
Pitfalls to avoid:
- going overboard on quality:
- a useless operation is performed without adding value and without the customer asking for it - it is a waste, cf. quality tools D 12
- having all procedures written by the quality manager:
- bribery prevention is everybody's business, "the staff is conscious of the relevance and importance of each to the contribution to anti-bribery objectives", which is even more true for department heads and process pilots
- forgetting to take into account the specificities related to the corporate culture:
- innovation, luxury, secrecy, authoritarian management (Apple)
- strong culture related to ecology, action and struggle, while cultivating secrecy (Greenpeace)
- fun and quirky corporate culture (Michel & Augustin)
- liberated company, the man is good, love your customer, shared dream (Favi)
The requirements of the ISO 37001 standard are shown in figure 4-1:
Figure 4-1. The requirements of the ISO 37001:2016 standard
The implementation of the ABMS and good practices are verified by a pre-audit.
- the process map has enough arrows to show who is the customer (internal or external)
- for a process, it is better to use a lot of arrows (several customers) rather than to forget one
- reveal the added value of the process during the process review
- the analysis of process performance is an example of evidence of continual improvement and of the effectiveness of the ABMS
- top management regularly monitors the objectives and action plans
- top management commitments to continual improvement are widely communicated
- the purpose of each process is clearly defined
- some process outputs are not set correctly (customers not considered)
- the process owners are not formalized
- outsourced processes are not determined
- sequences and interactions of certain processes are not determined
- monitoring the effectiveness of certain processes is not established
- the ABMS is not updated (new processes are not determined)
4.5 Bribery risks
Bribery risks, criteria, assessment, treatment, records
Any decision involves a risk. Peter Barge
Risk management has in the past been viewed by some managers as superfluous. These people believed that the main objective was to avoid risk. Many have since understood that risk is inevitable and intrinsic to any activity but must be reduced to an acceptable level.
To identify and limit the bribery risks, an anti-bribery management system based on risk assessment and treatment should be established. A few steps:
- identify situations at risk of bribery
- review all:
- trades
- high-risk positions
- past incidents
- audit results
- analyze the impact and the likelihood of the risk appearing
- assess the risks by prioritizing the risks of the most critical situations
- put in place an action plan to act on priority situations
- determine the acceptable threshold of residual risk
- strengthen accounting controls for risky situations
- assess the controls put in place
- update the action plan regularly
- raise staff awareness and training, cf. sub-clause 7.3
- carry out due diligence on partners, cf. sub-clause 8.2
- set up the reporting mechanism, cf. sub-clause 8.9
The criteria for assessing the level of bribery risk are defined and take into account the anti-bribery policy and the objectives to be achieved.
“Risk positions” are those with:
- regular contacts with customers
- regular contacts with suppliers
- conflicts of interest
- the company's decision-making responsibilities
- financial responsibilities
- budget management facilities for distributing gifts, making discounts, sponsorship
A risk map is shown in annex 02.
A risk can be classified as:
- negligible
- low (limited)
- moderate
- high (significant)
- critical
In annex 09 you can find 19 PRS tools (problem, risk, safety). For more tools please see the D 12 Quality tools set.
The Excel file (annex 10) allows risk management with spreadsheets:
- identify
- analyze
- assess
- treat and
- monitor
For more information on risk assessment and treatment, see training T 51 Risk management.
In company ABC, each batch is validated by a quality operator. One batch was refused (the sample taken exceeded the authorized threshold of nonconformities). The production manager, in order not to lose his monthly bonus, asked the operator to close his eyes and validate the batch in exchange for an envelope with a few notes. The quality operator refused the envelope and reported the attempted bribery to his manager, who informed the anti-bribery manager.
The director demanded an exemplary sanction and asked to update the risk map, which was mainly oriented towards risky positions in purchasing, sales and recruiting.
Risk management tools are used for all stages of the "Manage risk" process (activities which transform inputs into outputs, see also ISO 9000, 3.4.1), cf. annex 11.
The ISO 31010 standard describes the most widely used risk assessment tools or techniques.
A risk can have negative impacts (we talk about threats) or positive impacts (we talk about opportunities).
Often risk is equated with hazard and commonly used in place of threat.
Any threat that can disrupt normal business operations is:
- determined
- analyzed
- assessed and
- appropriate actions are taken to prevent or reduce adverse effects
The risk-based approach allows us to prepare the action to be taken if an output element of the process does not meet a requirement. In other words, be ready in case something does not work out (well).
Any opportunity that can increase desirable effects on the anti-bribery management system is supported with continual improvement actions (continual improvement: permanent process allowing the improvement of the global performance of the organization, see also ISO 9000, 3.2.13 and ISO 14001, 3.2).
The nature of actions is proportional to the potential impact of threats and opportunities. Some examples of risks are listed in annex 12.
An example of a “Risk Management” procedure is shown in annex 13.
Records of the results of the risk assessment are kept.
The risk reduction action plan, cf. annex 14, includes the following options:
- avoid the risk (refuse the risky activity)
- accept risk to gain an opportunity
- eliminate the source of the risk
- modify the likelihood of occurrence of the risk
- react to the consequences of the risk
- share the risk with other interested parties
- maintain the residual risk (acceptable level)
Example of an unidentified risk:
- the list of risks taken into account is exhaustive and up-to-date
- the list of risks is communicated to all staff
- bribery risks are prioritized in an updated list
- the action plan to fight priority risks is implemented
- the effectiveness of preventive actions has been assessed
- the new level of residual risk is updated
- actions to reduce certain risks are integrated into key processes
- the action plan includes a column used for monitoring the effectiveness of actions
- the action plan takes into account the results of internal audit
- some stakeholder requirements are not taken into account when planning actions to address risks
- some bribery risks are not identified
- risks are not prioritized
- the risks of salespeople are not a priority
- no preventive action has been implemented
- the residual risk level is not updated
- no planning of actions to reduce negative impacts
- no opportunity to increase desirable effects
- threats and opportunities are not identified and assessed for certain processes
- the list of risks has not changed since its creation
See also the training T 55v16 internal audit ISO 37001 and the training package ISO 37001.