Continual Improvement for ISO 37001 Anti-Bribery

ISO 37001 Clause 10.1

Continual improvement of the suitability, adequacy and effectiveness of the ABMS.

ISO 37001 Clause 10.1 - Continual Improvement

Clause 10.1 is a short clause with a wide scope. The organisation continually improves the suitability, adequacy and effectiveness of the ABMS. Three properties, all of which must be improved over time.

What Suitability, Adequacy and Effectiveness Mean

The three terms are not synonyms - each captures a different test of the ABMS:

Suitability - the ABMS is appropriate for the organisation's context, scale and bribery risk profile. A change in any of these (a new market, an acquisition, a regulatory change) can make a previously suitable ABMS less suitable.
Adequacy - the ABMS has enough in it to address the requirements - enough resources, enough controls, enough oversight. An ABMS that was adequate for ten employees may not be adequate for a hundred.
Effectiveness - the ABMS achieves its intended results. Suitable and adequate are about design; effective is about outcome.

Continual improvement applies to all three. The improvement might be redesigning a control because suitability has changed, adding resource because adequacy is stretched, or changing how a control operates because it is not effective in practice.

Where Improvement Decisions Come From

The inputs to continual improvement are mostly the outputs of Clause 9. Monitoring data identifies trends. Internal audit findings identify gaps. Management review decisions specify changes. The anti-bribery function's continual review identifies issues that need a structural response. Concerns received under Clause 8.9 and investigations under Clause 8.10 often surface the kind of pattern that needs an improvement decision rather than a corrective action.

External inputs matter as well - changes in the regulatory landscape, lessons from enforcement cases in the sector, updates to ISO 37001 itself, new guidance from regulators or industry bodies. The function plays a central role in surfacing these and bringing them into the ABMS.

Continual improvement is not the same as constant change. Some controls work and should be left alone. The point of 10.1 is that the organisation reviews and adjusts when there is reason to, and does so in a structured way. Random tinkering with controls can be as damaging as never changing them at all.

The strongest organisations treat continual improvement as a stream rather than an event. Each management review produces some improvement decisions. The function generates more between reviews. Audit cycles add to the list. Improvement requests on F-Q16 capture them all and the ones that get implemented produce a visible audit trail of how the ABMS has evolved.

I look for the trail - improvement requests raised, decisions made, changes implemented, results checked. An ABMS that has not changed at all in two or three years is unlikely to be the strongest fit for a changed risk environment, and that itself is a finding. What I want to see is dated evidence of structural improvements to the system over time.

Practical Compliance Guidance

Improvement is captured on F-Q16 Improvement Request, drawn from monitoring data, audit findings, management review outputs, and the anti-bribery function's continual review under 9.4.

The documents below support the continual improvement activities required by Clause 10.1.

alphaZ document	How to use it
ISO 37001 Toolkit	Complete documentation set for ISO 37001:2025 compliance, including the anti-bribery policy, the PP-1-19 Anti-bribery procedure, audit checklists, risk assessment and all supporting registers and anti-bribery forms.
F-Q16 Improvement Request	The form used to capture improvement requests from any source.
ER1 Issues and Actions Register	Tracks improvement actions through to closure.
F-Q3 Anti-bribery Management Review	Improvement decisions are captured as outputs of management review.
F-IMS34 Anti-bribery Compliance Register	Provides the trend data that informs improvement decisions.
PP-1-19 Anti-bribery Procedure	The procedure that gets updated when improvement decisions affect the operational ABMS.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does Clause 10.1 require a specific number of improvement actions per year?

No. The standard requires continual improvement but does not prescribe a quantity. What matters is that improvement is genuinely happening over time and there is evidence of structural changes to the ABMS in response to inputs from monitoring, audit, management review and the function review.

How does continual improvement differ from corrective action?

Corrective action under 10.2 is the specific response to a non-conformity. Continual improvement under 10.1 is broader - it covers planned changes to improve the ABMS whether or not a non-conformity has occurred. Many improvement decisions are made because the organisation has identified a better way to operate, not because something has gone wrong.

Where do improvement ideas come from in practice?

Mostly from the Clause 9 mechanisms - monitoring data, internal audit findings, management review outputs and the continual review by the anti-bribery function. Concerns received under 8.9 and investigations under 8.10 also surface patterns that drive improvement. External inputs - regulatory developments, sector enforcement, ISO updates - feed in as well, usually through the function.

UK Legislation

Continual improvement of bribery controls supports the corporate due-diligence framework in UK legislation.

Further Resources