Last month we became one of the first companies in the world to obtain the ISO 37001 Anti-Bribery Management Systems certification. In 2016, the ISO 37001 standard was established to raise the level of awareness and compliance with anti-bribery best practices on an international scale. This standard specifies requirements for establishing, implementing, and continually improving anti-bribery management systems. The system can be stand-alone or integrated into an overall management system.
Diana Trevley is the West Coast Director of Spark Compliance Consulting. She served as lead consultant for our ISO 37001 certification and provides training, readiness assessments, mock audits and consulting services for the ISO 37001 standard. Diana recently outlined how the certification process works and shared her five top tips for ensuring best practices are embedded into a business.
1) Preparation is key
Businesses should go into the certification process only when they are fully ready. It is easy to assume that a company committed to good business practices will not need to prepare, but this is not always true. Every requirement of ISO 37001 must be met to achieve certification, and even the best programme will have areas that need preparation or improvement. A readiness assessment before the audit is the most reliable way to find and close those gaps so that the company goes into the audit with confidence.
2) Get everyone involved
Achieving ISO 37001 certification is a company-wide endeavour, because the auditor’s job is to see how the anti-bribery programme works throughout the entire organisation. Auditors will interview members of management, legal, sales, finance, procurement, human resources and communications to be certain that every department understands the organisation’s bribery risks and is implementing appropriate anti-bribery procedures and controls.
3) Know what to expect
Your ISO 37001 auditor will be polite, but they will not always be easy to impress. The auditors are trained anti-bribery experts who do not take anything at face value. Interviewees are asked in-depth questions about processes and procedures and then asked to show the auditor proof they exist and are being followed. Interviewees need to be reminded that the process is not personal and that they should simply answer to the best of their ability.
4) Failure is not fatal
If the company fails to meet a requirement during the audit, the auditor records a “major non-conformity”; a partial failure to meet a requirement is recorded as a “minor non-conformity”. A major non-conformity does not end the process: the certification body will hold it open for a period of time while the non-conformity is corrected. Companies have 90 days following the end of the audit to conduct a root cause analysis and provide a corrective action plan.
5) Commitment to continuous improvement
A programme does not need to be perfect to achieve ISO 37001 certification, but it should be committed to becoming more efficient and effective throughout the life of its certification. The auditor will return the year after certification for a brief surveillance audit to look at what has been done to make the programme even better.