Bribery Risk Assessment for ISO 37001 Implementation

Bribery Risk in Brief

ISO 37001 requires a bribery risk assessment looking at country, sector, transaction, business opportunity, business partnership and organisational risks. The output drives the proportionate controls in the rest of the ABMS.

Bribery risk management

Bribery is a specific category of risk with its own legal framework, its own assessment methodology and its own ISO standard. ISO 37001 sets out anti-bribery management system requirements; the UK Bribery Act 2010 creates the legal duties; and risk-based thinking under any other ISO standard requires bribery risk to be considered where it is relevant.

For UK-based organisations and any organisation conducting business in the UK, the Bribery Act 2010 is the central legal framework. It creates four main offences - bribing another person, being bribed, bribing a foreign public official, and the corporate offence (section 7) of failing to prevent bribery by associated persons. The corporate offence is one of strict liability with a single defence: the organisation must show it had adequate procedures in place to prevent bribery. A structured approach to bribery risk management is what evidences those adequate procedures.

Organisations operating internationally face additional regimes - the US Foreign Corrupt Practices Act, the French Sapin II law, and equivalent legislation in many other jurisdictions. The principles overlap considerably; the specifics vary.

What constitutes bribery risk

Bribery risk is the chance that someone associated with the organisation will offer, give, request or receive an undue advantage in connection with the organisation's business. The associated persons captured by the corporate offence include not just employees but agents, intermediaries, joint venture partners, suppliers and others performing services for or on behalf of the organisation.

The risk profile varies significantly by sector and geography. Higher-risk indicators include:

  • Operations in jurisdictions with weak governance or high corruption indices
  • Sectors with significant government interaction - defence, infrastructure, healthcare, energy, extractives
  • Use of agents, intermediaries or third-party representatives
  • Permits, licences, customs clearance, planning approvals or other regulatory interactions
  • Business cultures involving substantial gifts, hospitality or facilitation payments
  • Public procurement and large public-sector contracts
  • Joint ventures and minority interests where control is shared

Lower-risk indicators are not the same as zero risk. Even office-based UK service businesses encounter bribery risk through staff hospitality, supplier relationships, recruitment intermediaries and procurement decisions. The exercise is to look honestly at where exposure exists rather than to conclude exposure is nil because the headline activities seem clean.

The six principles of adequate procedures

UK Ministry of Justice guidance on the Bribery Act sets out six principles that adequate procedures should reflect. They map directly onto how a bribery risk management system is structured.

  • Proportionate procedures - the response is proportionate to the actual bribery risk faced and to the nature, scale and complexity of the organisation
  • Top-level commitment - top management establishes a culture in which bribery is unacceptable, communicates that internally and externally, and supports the procedures with action
  • Risk assessment - the organisation periodically and properly assesses the nature and extent of the bribery risks it faces
  • Due diligence - the organisation applies due diligence procedures to people and organisations with which it does business, proportionate to the risk
  • Communication and training - bribery prevention policies and procedures are communicated and embedded throughout the organisation
  • Monitoring and review - the organisation monitors and reviews procedures and makes improvements where needed

The principles are not a checklist. An organisation with proportionate procedures appropriate to its risk profile satisfies them; an organisation with elaborate procedures that ignore its actual risk profile does not. Proportionality is the key concept.

Bribery risk assessment

The risk assessment is the foundation of the system. Without it, procedures cannot be proportionate because there is nothing for them to be proportionate to.

The assessment looks at the organisation's activities through a bribery lens. Where does the organisation interact with public officials? Where does it use agents or intermediaries? Which jurisdictions does it operate in? What is the gift and hospitality culture? How does procurement work? Which contracts does it pursue, and how? The output is a structured picture of where bribery risk is concentrated.

The strategic risks register holds the headline bribery exposure entries. The dedicated bribery register holds the operational detail - which controls apply, which roles have responsibility, what training has been delivered, what gifts and hospitality have been received and given. The combination gives top management visibility and operational management the working detail.

Due diligence on business associates

Due diligence is the practical tool for managing the part of bribery risk that arises from people and organisations the company works with. The Bribery Act's corporate offence makes the organisation liable for bribery by associated persons; due diligence is how the organisation evidences that it has tried to prevent that.

The depth of due diligence is proportionate to the risk. Categories typically include:

  • Lower-risk associates - basic checks: company registration, ownership, sanctions screening, brief reference
  • Medium-risk associates - additional checks: directors and beneficial owners, adverse media search, structured questionnaire on anti-bribery practices, written commitments
  • Higher-risk associates - in-depth: enhanced background checks, on-site review where practical, contractual anti-bribery undertakings, ongoing monitoring

The risk rating drives the depth - it does not drive whether due diligence happens. Even lower-risk associates get the basic checks; the difference is the depth above that baseline.

For key suppliers the same principles apply, with additional weight given to how closely the supplier is integrated into the organisation's operations and to the risk that bribery within the supplier's own operations affects the organisation. Approved supplier status, probation periods and structured intervals for review give the relationship a managed cycle.

Gifts, hospitality and facilitation payments

Three specific issues come up in most bribery management systems and are worth setting out clearly because the rules differ.

Gifts and hospitality are not banned under UK law but are subject to the same general principles - they must be reasonable, proportionate, in good faith and not intended to improperly influence. A clear policy with thresholds for approval and recording, and a register of significant gifts received and given, evidences that the organisation has thought about the issue and applied controls.

Facilitation payments - small payments to public officials to expedite routine government action - are illegal under the UK Bribery Act regardless of size or local custom. This differs from the US Foreign Corrupt Practices Act, which contains a narrow exception for facilitating payments made to secure routine governmental action. UK organisations operating internationally need their procedures to reflect the more restrictive UK position.

Charitable donations and political contributions can mask bribery and need their own approval process. Most organisations require named individual approval at appropriate seniority, with the recipient and purpose recorded.

Communication, training and reporting

Adequate procedures only work when people know about them. Communication and training cover anti-bribery policy, the procedures expected, the consequences of breach, and the routes for raising concerns.

Reporting routes need particular attention. Staff need a way to raise bribery concerns that is independent of their line management, protected from retaliation, and trusted enough to be used. A whistleblowing arrangement that gives workers the protection of the Public Interest Disclosure Act 1998 provides one such route; specific bribery reporting through the anti-bribery function is another. Some organisations use external reporting services to maximise confidence.

Training is proportionate to role. All staff get awareness training. Roles in higher-risk areas (sales, procurement, government interaction) get more in-depth training. Senior staff and the anti-bribery function get specialist training. The training cycle should be at least annual with refresher content.

Monitoring, review and continuous improvement

The system is reviewed at the management review under Clause 9.3 with bribery-specific inputs - results of due diligence reviews, gifts and hospitality summary, training delivery, reports made and investigated, regulatory changes, audit findings. Where issues have surfaced they feed into the issues and actions register for treatment.

Internal audit covers anti-bribery controls as part of the broader internal audit programme. External certification audits under ISO 37001 add further scrutiny where the organisation pursues that certification.

When auditing an anti-bribery management system the first thing I want to see is a credible bribery risk assessment. If the assessment is generic - copied from a template, no specifics about the organisation's actual exposure - then everything downstream is on shaky foundations. I do not necessarily expect a long document, but I expect the organisation to be able to explain why their procedures are proportionate to their risk.

The other red flag is gifts and hospitality registers that are empty or near-empty. Either the organisation is not capturing what is happening or it does not have any meaningful gifts and hospitality activity. Either way it is a question to ask.

The corporate offence under the Bribery Act is what catches organisations off guard. It is strict liability - the organisation is responsible for bribery by associated persons unless adequate procedures are in place. That means due diligence on third parties is not optional even when the third party is doing all the substantive work. The organisation cannot offshore the risk by offshoring the activity.

Bribery is illegal. Most people know that. The system is not there to remind them - it is there so that when something goes wrong, the organisation can show it tried to prevent it. That is the whole point of adequate procedures.

Practical Compliance Guidance

IMS1 Section 1.6 covers risk-based thinking, including bribery risk where it is relevant. The dedicated anti-bribery management arrangements live in their own register and supporting documents, with strategic-level bribery risks reflected on the strategic register.

The alphaZ documents below cover the anti-bribery management system - the dedicated compliance register, business associate due diligence registers, the strategic register where headline risks are captured, and the management review.

  • ISO 9001/14001/45001 IMS Toolkit - Integrated toolkit including IMS1 and the registers used to record bribery considerations as part of risk-based thinking.
  • F-IMS34 Anti-bribery Compliance Register - The dedicated anti-bribery compliance register covering ISO 37001 anti-bribery management system arrangements, the anti-bribery function, commitments and declarations.
  • F-IMS35 Business Associate Register - Bribery risk assessment of business associates, the people and organisations the company works with where bribery exposure exists. Triggers due diligence beyond the baseline checks where the rating is higher than Low.
  • ER33 Key Supplier Risk Register - Bribery risk assessment specifically for key suppliers, with status (approved, probation, suspended) and intervals for review.
  • F-IMS23 Opportunities and Risks Register - The strategic register where headline bribery risks with strategic implications are captured for top management visibility.
  • ER1 Issues and Actions Register - Tracks treatment actions arising from bribery risk work (new controls, due diligence findings, training rollout) through to closure.
  • F-Q3 Management Review - Management review form which evaluates anti-bribery effectiveness as part of the wider risk and opportunity assessment under Clause 9.3.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does an organisation need ISO 37001 certification to meet its Bribery Act obligations?

No. ISO 37001 is the dedicated standard for anti-bribery management, but the legal duty under the UK Bribery Act applies regardless of certification. Many organisations operate proportionate anti-bribery procedures without seeking 37001 certification, using risk-based thinking under their existing ISO standard. Where 37001 certification is sought, the same procedures support the certification audit.

Who counts as an associated person?

Any person who performs services for or on behalf of the organisation. This includes employees, agents, intermediaries, joint venture partners, suppliers and subsidiaries when they perform services for the organisation. The capacity in which the person acts matters more than the contractual label - someone called a consultant who acts on the organisation's behalf is an associated person; someone called an associate who provides goods at arm's length is not necessarily.

Are gifts and hospitality bribery?

Not always, but they need to be managed. Reasonable, proportionate gifts and hospitality given in good faith and not intended to improperly influence are not bribery. The risk arises when value, frequency or context starts to look like an attempt to influence a decision. A clear policy with thresholds, and a register of significant items given and received, both demonstrates control and helps staff make consistent decisions.

Are facilitation payments ever permitted?

Not under UK law. The Bribery Act 2010 does not provide an exception for facilitation payments to public officials, even where local custom permits or expects them. UK organisations operating internationally need procedures that reflect this stricter UK position even where competitors from other jurisdictions may operate differently. Where a payment is genuinely demanded under duress to protect personal safety, the position is more nuanced and legal advice should be sought.

How often should the bribery risk assessment be reviewed?

At least annually as part of the management review, and whenever triggered by significant change - new market entry, new business associate types, change in regulatory regime, an incident or investigation, or a change in ownership. The MoJ guidance specifically expects the assessment to be periodic and proper, not a one-off exercise.

UK Legislation relevant to bribery risk management

The UK has one of the strictest anti-bribery legal regimes in the world. The Bribery Act 2010 is the central instrument; other legislation supports the framework around money laundering, fraud and disclosure. Organisations operating internationally also need to consider equivalent legislation in each jurisdiction including the US Foreign Corrupt Practices Act and the French Sapin II law.
