4 Context .gif)
4.1 Issues
External and internal issues that can influence the ABMS
Requirements 1 to 2 (see also the quiz)
The two most important things in a company do not appear in its balance sheet: its reputation and its people. Henry Ford
To successfully implement an anti-bribery management systemset of processes to reduce bribery, it is necessary to understand and assess everything that can influence the purpose and performancemeasurable and expected results of the management system (see also ISO 9000, 3.7.8) of the organizationa structure that satisfies a need (see also ISO 9000, 3.2.1) . It is advisable to engage in in-depth reflection after a few essential activities:
- draw up an in-depth diagnosis of the unique context in which the organization finds itself, taking into account:
- external issues such as the environment like:
- social
- regulatory
- economical (partners)
- technological
- entities that exercise control over the organization
- internal issues like:
- specific aspects of corporate culture:
- vision
- reason to exist, purpose, mission
- core values
- staff
- complexity of activities
- products and services
- infrastructure
- entities over which the organization exercises control
- specific aspects of corporate culture:
- external issues such as the environment like:
- monitor and regularly review all information relating to external and internal issues
- analyze the factors that may influence the achievement of the organization's objectives
PESTEL and SWOT analyses can be useful for a relevant analysis of the context of the organizationa structure that satisfies a need (see also ISO 9000, 3.2.1) . Annex 07 shows the SWOT analysis tool (Strengths and Weaknesses, Opportunities and Threats).
A list of external and internal issues is compiled by a multidisciplinary team. Each issue is identified by its level of influence and control. Priority is given to issues that are very influential and not at all mastered.
.jpg)
Minute of relaxation. Game: Context of the company
- diagnosis of the context includes the main external and internal issues
- the list of external and internal issues is exhaustive
- the core values as part of the corporate culture are taken into account in the context of the company
- the results of the context analysis are widely diffused
- the SWOT analysis includes many relevant examples
- the SWOT analysis is a powerful tool for identifying the main threats and opportunities
- the issues of the context of the company, such as the competitive environment, are not taken into account
- in some cases, the corporate culture is not taken into account
- the analysis of issues does not take into account strategic issues
- no clear link between the SWOT analysis and the actions undertaken
- the threats and weaknesses identified in the SWOT analysis remain without action
4.2 Stakeholders
Understand the requirements of stakeholders
Requirements 3 to 5
The purpose of business is to improve our lives and to create value for stakeholders. John Mackey
To fully understand the needs and expectations of stakeholdersperson, group or organization that can affect or be affected by a company (see also ISO 26000, 2.20), it is necessary to start by determining those who may be affected by the anti-bribery management systemset of processes to reduce bribery, for example:
- employees
- top management
- customers
- external providers (suppliers, subcontractors, consultants)
- owners
- shareholders
- bankers
- distributors
- competitors
- social and political organizations
"In a typical company, if you have a meeting, no matter how important, there is always a part that is not represented: the customer. It is very easy within the company to forget the customer." Jeff Bezos.
To address this concern, it became customary to place an empty chair at every meeting.
The list of stakeholdersperson, group or organization that can affect or be affected by a company (see also ISO 26000, 2.20) is created by a multidisciplinary team. Every stakeholderperson, group or organization that can affect or be affected by a company (see also ISO 26000, 2.20) is identified by its briberyabuse of power for personal gain risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1) level. Priority is given to stakeholdersperson, group or organization that can affect or be affected by a company (see also ISO 26000, 2.20) with the highest briberyabuse of power for personal gain risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1) level.
Stakeholder: person, group or organization that can affect or be affected by an organization
Anticipating the needs and expectations or in other words the requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) of stakeholdersperson, group or organization that can affect or be affected by a company (see also ISO 26000, 2.20) means:
- preparing to address bribery risks
- seizing improvement opportunities of the ABMS
The signature of the contract was delayed for a few weeks because we had forgotten to translate part of the documentation into the local language.
Forgetting a stakeholder (and their specific need) can create a lot of worries!
- the list of stakeholders is updated
- the needs and expectations of stakeholders are established through meetings on-site, surveys, roundtables and meetings (monthly or frequent)
- the application of statutory and regulatory requirements is a prevention approach and not a constraint
- statutory and regulatory requirements are not taken into account
- the expectations of stakeholders are not determined
- the list of stakeholders does not contain their area of activity
4.3 Scope
Define the scope of the ABMS
Requirements 6 to 10
No area is immune to the risk of bribery
The scope (or in other words the perimeter) of the ABMSanti-bribery management system delimits what enters and what does not enter the systemset of interacting processes (see also ISO 9000, 3.5.1). The ABMSanti-bribery management system takes into account:
- the purpose of the organization
- internal and external issues, cf. sub-clause 4.1
- stakeholder expectations, cf. sub-clause 4.2
- the conclusions of the bribery risk assessment, cf. sub-clause 4.5
The processesactivities that transform inputs into outputs (see also ISO 9000, 3.4.1), functions and departments most at risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1) are specifically targeted, such as purchasing, sales and personnel management.
For a new market, a mining company carried out an inventory of the permits and licenses required to exercise its activities. In total, it turned out that nearly 20 permits and licenses were needed, involving several central and local agencies.
This knowledge has enabled the company to effectively manage its bribery prevention actions.
Fraud, agreements between companies, money laundering, influence peddling and other crimes are not directly addressed by ISO 37001, but may be included in your ABMSanti-bribery management system.
The scope is available internally and to stakeholdersperson, group or organization that can affect or be affected by a company (see also ISO 26000, 2.20) as a record, cf. § 7.5.
- all group subsidiaries are included in the scope of the ABMS
- the scope is relevent and available upon request
- a subsidiary of the group does not fall within the scope of the ABMS
- the subsidiary does not have its own anti-bribery controls
- certain activities are outside the scope of the ABMS without justification
4.4 ABMS
ABMS requirements, processes and interactions
Requirements 11 to 14
Quality management, in its essence, concerns the description of processes, then their improvement. Isaac Getz
The requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) of the ISO 37001 standard are related to:
- the anti-bribery management system and
- necessary processes
To do this:
- the anti-bribery management system (ABMS) is:
- reasonable and appropriate
- established
- documented (a simple and sufficient documentary system is in place)
- set up and
- continually improved
- the ABMS takes into account:
- internal and external issues (cf. sub-clause 4.1)
- stakeholder’s needs and expectations (cf. sub-clause 4.2)
- identified bribery risks (cf. sub-clause 4.5)
- the anti-bribery policy, objectives, indicators and resources are determined
- threats are determined and actions to reduce them are established (cf. sub-clauses 4.5 and 6.1)
- the essential processes necessary for the ABMS are controlled:
- the owners are assigned
- the corresponding resources are assured
- the inputs and outputs are identified
- the necessary information is available
- the sequences and interactions are established
- each process is measured and monitored (criteria established), objectives are established and performance indicators analyzed
- actions to obtain the continual improvement of processes are established
- the strict minimum necessary ("as much as necessary") of process documents is maintained and retained (
)
The anti-bribery manual is not a requirementexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) of the ISO 37001 standard version 2025, but it is always a possible method to present the organizationa structure that satisfies a need (see also ISO 9000, 3.2.1) , its ABMSanti-bribery management system and its proceduresdocument describing the to carry out a process (see also ISO 9000, 3.4.5 and documented information), policies and processesactivities that transform inputs into outputs (see also ISO 9000, 3.4.1) (see annex 08).
The ISO guide “The integrated use of management system standards” of 2018, contains relevant recommendations on the integration of management systemsset of processes allowing objectives to be achieved (see also ISO 9000, 3.5.3).
.jpeg)
Pitfalls to avoid:
- going overboard on quality:
.jpg)
- a useless operation is performed without adding value and without the customer asking for it - it is a waste, cf. quality tools D 12
- having all procedures written by the quality manager:
- bribery prevention is everybody's business, "the staff is conscious of the relevance and importance of each to the contribution to anti-bribery objectives", which is even more true for department heads and process pilots
- forgetting to take into account the specificities related to the corporate culture:
- innovation, luxury, secrecy, authoritarian management (Apple)
- strong culture related to ecology, action and struggle, while cultivating secrecy (Greenpeace)
- fun and quirky corporate culture (Michel & Augustin)
- liberated company, the man is good, love your customer, shared dream (Favi)
The requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) of the ISO 37001 standard are shown in figures 4-1:
Figure 4-1. The requirements of the ISO 37001:2025 standard
The implementation of the ABMSanti-bribery management system and good practices are verified by a pre-audit.
- the process map has enough arrows to show who is the customer (internal or external)
- for a process, it is better to use a lot of arrows (several customers) rather than to forget one
- reveal the added value of the process during the process review
- the analysis of processes performance is an example of continual improvement evidence of the effectiveness of the ABMS
- top management regularly monitors the objectives and action plans
- top management commitments to continual improvement are widely communicated
- the purpose of each process is clearly defined
- some process outputs are not set correctly (customers not considered)
- the process owners are not formalized
- outsourced processes are not determined
- sequences and interactions of certain processes are not determined
- monitoring the effectiveness of certain processes is not established
- the ABMS is not updated (new processes are not determined)
4.5 Bribery risks
Bribery risks, criteria, assessment, treatment, records
Requirements 15 to 23
Any decision involves a risk. Peter Barge
Risk managementactivities to restrict the possibility that something goes wrong (see also ISO Guide 73, 2.1) has in the past been viewed by some managers as superfluous. These people believed that the main objective was to avoid risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1). Many have since understood that risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1) is inevitable and intrinsic to any activity but must be reduced to an acceptable level.
To identify and limit the briberyabuse of power for personal gain riskslikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1), an anti-bribery management systemset of processes to reduce bribery based on risk assessmentrisk identification, analysis and evaluation process (see also ISO Guide 73, 3.4.1) and treatment should be established. A few steps:
- identify situations at risk of bribery
- review all:
- trades
- high-risk positions
- past incidents
- audit results
- analyze the impact and the likelihood of the risk appearing
- assess the risks by prioritizing the risks of the most critical situations
- put in place an action plan to act on priority situations
- determine the acceptable threshold of residual risk
- strengthen accounting controls for risky situations
- assess the controls put in place
- update the action plan regularly
- raise staff awareness and training, cf. sub-clause 7.3
- carry out due diligence on partners, cf. sub-clause 8.2
- set up the reporting mechanism, cf. sub-clause 8.9
The criteria for assessing the level of briberyabuse of power for personal gain risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1) are defined and take into account the anti-bribery policydirectives from top management to set objectives for the prevention of bribery and the objectivesmeasurable goal to be achieved to be achieved.
“Risk positions” are those with:
- regular contacts with customers
- regular contacts with suppliers
- conflicts of interest
- the company's decision-making responsibilities
- financial responsibilities
- budget management facilities for distributing gifts, making discounts, sponsorship
A risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1) map is shown in annex 02.
A risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1) can be classified as:
- negligible
- low (limited)
- moderate
- high (significant)
- critical
In annex 09 you can find 19 PRS tools (problem, risk, safety). For more tools please see the D 12 Quality tools set.
The Excel file (annex 10) allows risk managementactivities to restrict the possibility that something goes wrong (see also ISO Guide 73, 2.1) with spreadsheets:
- identify
- analyze
- assess
- treat and
- monitor
For more information on risk assessmentrisk identification, analysis and evaluation process (see also ISO Guide 73, 3.4.1) and treatment, see training T 61v18 Risk management.
In company ABC, each batch is validated by a quality operator. One batch was refused (the sample taken exceeded the authorized threshold of nonconformities). The production manager, in order not to lose his monthly bonus, asked the operator to close his eyes and validate the batch in exchange for an envelope with a few notes. The quality operator refused the envelope and reported the attempted bribery to his manager, who informed the anti-bribery manager.
The director demanded an exemplary sanction and asked to update the risk map, which was mainly oriented towards risky positions in purchasing, sales and recruiting.
Risk managementactivities to restrict the possibility that something goes wrong (see also ISO Guide 73, 2.1) tools are used for all stages of the "Manage risk" processactivities that transform inputs into outputs (see also ISO 9000, 3.4.1), cf. annex 11.
The ISO 31010 standard describes the most widely used risk assessmentrisk identification, analysis and evaluation process (see also ISO Guide 73, 3.4.1) tools or techniques.
A risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1) can have negative impacts (we talk about threatsuncertain event that could have a negative impact on the objectives) or positive impacts (we talk about opportunitiesuncertain event that may have a favorable impact).
Often risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1) is equated with hazard and commonly used in place of threatuncertain event that could have a negative impact on the objectives.
Any threatuncertain event that could have a negative impact on the objectives that can disrupt normal business operations is:
- determined
- analyzed
- assessed and
- appropriate actions are taken to prevent or reduce adverse effects
The risk-based approach allows us to prepare the action to be taken if an output element of the processactivities that transform inputs into outputs (see also ISO 9000, 3.4.1) does not meet a requirementexplicit or implicit need or expectation (see also ISO 9000, 3.6.4). In other words, be ready in case something does not work out (well).
Any opportunityuncertain event that may have a favorable impact that can increase desirable effects on the anti-bribery management systemset of processes to reduce bribery is supported with continual improvementprocess allowing the improvement of the global performance of the organization (see also ISO 9000, 3.3.2) actions.
The nature of actions is proportional to the potential impact of threatsuncertain event that could have a negative impact on the objectives and opportunitiesuncertain event that may have a favorable impact. Some examples of risks are listed in annex 12.
An example of a “Risk Management” proceduredocument describing the to carry out a process (see also ISO 9000, 3.4.5 and documented information) is shown in annex 13.
Records of the results of the risk assessmentrisk identification, analysis and evaluation process (see also ISO Guide 73, 3.4.1) are kept.
The risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1) reduction action plan, cf. annex 14, includes the following options:
- avoid the risk (refuse the risky activity)
- accept risk to gain an opportunity
- eliminate the source of the risk
- modify the likelihood of occurrence of the risk
- react to the consequences of the risk
- share the risk with other stakeholders
- maintain the residual risk (acceptable level)
Example of an unidentified risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1):
- the list of risks taken into account is exhaustive and up-to-date
- the list of risks is communicated to all staff
- bribery risks are prioritized in an updated list
- the action plan to fight priority risks is implemented
- the effectiveness of preventive actions has been assessed
- the new level of residual risk is updated
- actions to reduce certain risks are integrated into key processes
- the action plan includes a column used for monitoring the effectiveness of actions
- the action plan takes into account the results of internal audit
- some stakeholder requirements are not taken into account when planning actions to address risks
- some bribery risks are not identified
- risks are not prioritized
- the risks of salespeople are not a priority
- no preventive action has been implemented
- the residual risk level is not updated
- no planning of actions to reduce negative impacts
- no opportunity to increase desirable effects
- threats and opportunities are not identified and assessed for certain processes
- the list of risks has not changed since its creation