
ISO 37001: Tool for Compliance Management

By Mr.Rutthaporn Malayaphun
Bureau Veritas Certification (Thailand) Ltd.*

Discussions with compliance management personnel in Thailand reveal a concern, and a misperception, that ISO 37001:2016 Anti-bribery management systems is an additional burden on top of existing compliance responsibilities. ISO 37001:2016 is in fact a useful instrument for, and critical to, compliance management, as the introduction to the standard states: “A well-managed organization is expected to have a compliance policy supported by appropriate management system to assist it in complying with its legal obligations and commitment to integrity. An anti-bribery policy is a component of an overall compliance policy.”

Emphasis on the Importance of the Anti-bribery Compliance Function:
The standard requires the top management to “assign to an anti-bribery compliance function the responsibility and authority….”

Those who are familiar with ISO 9001 may comment that this is not a new requirement, since the previous version, ISO 9001:2008, also required the top management to “appoint a member of the organization's management who, irrespective of other responsibilities, shall have responsibility and authority….”

The meanings of ‘appoint’ and ‘assign’ differ subtly. According to the Cambridge Dictionary (online version), to ‘appoint’ is to choose someone officially for a job or responsibility, whereas to ‘assign’ is to give a particular job or piece of work to someone.

The requirement to appoint a management representative was removed from the current version, ISO 9001:2015. By contrast, ISO 37001:2016, published a year later, emphasizes the importance of the anti-bribery compliance function as “person(s) with responsibility and authority for the operation of the anti-bribery management system,” which “…shall be adequately resourced and assigned to person(s) who have the appropriate competence, status, authority and independence.”

Removing the management representative from ISO 9001, a role that had been required since the 2000 version, is described as a way to emphasize the responsibility and commitment of the top management: some organizations had appointed management representatives who were not in a position to make strategic improvement decisions. Alongside the anti-bribery compliance function, ISO 37001:2017 requires the top management to “have overall responsibility for the implementation of, and compliance with, the anti-bribery management system.” Also, “Delegation of decision-making does not exempt top management or the governing body (if any) of their duties and responsibilities…, nor does it necessarily transfer to the delegated personnel potential legal responsibilities.”

Role, Responsibility and Authority of the Anti-bribery compliance function:
Most importantly, the standard requires that an explanation of the authority and independence of the anti-bribery compliance function be included in the organization’s anti-bribery policy, which must be communicated both internally and externally.

The standard clearly defines the responsibility and authority of the anti-bribery compliance function as follows:

☑ Overseeing the design and implementation of the anti-bribery management system (ABMS) on a continual basis, so that it is adequate to manage bribery risk effectively and is effectively implemented.

☑ Providing advice to personnel on issues concerning bribery. Concerns about potential or actual bribery (whistleblowing) can be raised with the anti-bribery compliance function.

☑ Ensuring conformance with the ABMS. The status and results of bribery investigations and internal audits are to be reported to the anti-bribery compliance function. The anti-bribery compliance function can take part in the internal audit as long as the scope of the audit does not cover the work the anti-bribery compliance function is itself responsible for.

☑ Reporting on the performance of the ABMS (the adequacy and implementation of the ABMS and the results of bribery investigations and audits) to the governing body, if any, and the top management, as well as to other compliance functions.

The standard requires that the anti-bribery compliance function have not only direct but also prompt access to the governing body (if any) and the top management.

Bribery is a crime under many national laws with extraterritorial enforcement. The standard requires that “the governing body (if any), top management and all other personnel shall be responsible for understanding, complying with and applying the anti-bribery management system requirements, as they relate to their role in the organization.” This avoids the confusion, and the over-expectation, that the anti-bribery compliance function is solely responsible for both anti-bribery performance and compliance with ethical conduct and applicable anti-bribery laws.

Qualification of the Anti-bribery compliance function:
Depending on the characteristics of the organization, such as its size, the complexity of its business processes and its bribery risk profile, the anti-bribery compliance function can be one person or a group of persons, full-time or part-time, or an external party, with the appropriate competence, status, authority and independence and free of actual or potential conflicts of interest.

Due diligence is required on any candidate for the anti-bribery compliance function, to ensure that the person will comply with the ABMS requirements and meets the qualification criteria.

ISO 37001: a tool for compliance, not a burden.
The clarity and empowerment of the responsibility and authority of the anti-bribery compliance function facilitate compliance management. The compliance, risk, legal, audit and ethics departments, whatever they are named, should study the standard in detail and conduct a gap analysis to benchmark the extent of their compliance with it. The standard can be used as guidance for implementing international good practice, and/or as the requirements for anti-bribery management system certification. While certification is optional and voluntary for the organization, convincingly proving that the organization has ‘appropriate internal control measures’ or an ‘appropriate procedure’ for preventing bribery offences is a matter of legal enforcement under the Thailand Organic Act on Counter Corruption, B.E. 2561 (2018), and the “appropriate procedure” required by the UK Bribery Act 2010, respectively. ISO 37001:2017 can be one of the useful tools for such preventive measures. The compliance function can convince the top management to adopt the standard as concrete evidence of a culture of compliance.

* Mr.Rutthaporn Malayaphun is the ISO 9001 and ISO 37001 lead auditor and instructor. He is currently working with Bureau Veritas Certification (Thailand) Ltd. He can be reached at,, or 02 670 4878, 089 204 9146.

Copyright © PACT Network