Organizations around the world are taking note of the recently launched ISO 37001 anti-bribery management systems standard. Indeed, as the first global standard for anti-bribery, it offers important guidance for organizations looking to establish, implement, maintain and improve an anti-bribery compliance program or ‘management system.’ In short, it outlines the leading practices of measures and controls that should be in place to mitigate bribery.
Like successful ISO management systems standards before it – such as ISO 9001 – the new standard offers the ability to gain certification. It also provides practical guidance for organizations looking to build or assess programs internally or among third party partners. It is designed to be risk-based and flexible to organizations in all industries and of all sizes.
The CREATe Anti-Corruption Advisory Council
There is no doubt that ISO 37001 offers valuable guidance for implementing a robust anti-bribery management system. For many organizations, however, it is a daunting prospect to assess a compliance program against the standard or take the further step of certification. Beyond using the standard for internal purposes, there are also varying perspectives on how to work with third party partners – those who put organizations at greatest risk – to ensure they are in line with ISO 37001.
To make ISO 37001 accessible and actionable for companies to use internally and with third parties, CREATe.org has spearheaded an industry-leading effort that brings together insights from a group of individuals from leading corporations and organizations. The CREATe Advisory Council has shared experiences and provided feedback on CREATe’s approach to operationalizing ISO 37001.
Advisory Council Feedback on ISO 37001
As a starting point, CREATe surveyed Advisory Council members to gain insights into perspectives about ISO 37001. Highlights include:
- Internal use: When asked about using ISO 37001 internally, many suggested that it is valuable as an internal benchmarking tool. All surveyed believed that their programs would meet the standard’s requirements.
- Use with third parties: All said they would consider asking some third parties to be certified, although cost is a factor. One company would use as a tool to build capacity among third parties; one saw it as a good remedial tool. Several voiced concerns about whether a small company could implement ISO 37001.
- Concerns about certification: There were questions about who will do the certification; how “deep” they will go into a program; and what an audit will look like in practice. Cost and disruption to an organization’s business from an audit were noted as potential deterrents.
Advisory Council Feedback on CREATe’s Approach to Operationalizing ISO 37001
As a way to broaden adoption of ISO 37001 and offer a practical way to benchmark against the standard, CREATe engaged the Advisory Council to provide feedback on an assessment that leverages CREATe’s methodology for measuring the maturity of compliance programs and providing guidance for improvement. The approach is designed to provide an efficient way to prepare for ISO certification, benchmark programs against the standard, or use with third parties.
The CREATe approach features an initial Q&A that maps to ISO 37001 requirements. CREATe’s assessment uses a 1-5 maturity scale which enables organizations to better understand the strengths and weaknesses of controls in place. The CREATe methodology also features a way to conduct an independent evaluation for verification of the assessment. A technology platform is used for administering and scaling the use of the self-assessment, independent evaluation and ongoing improvements.
Feedback from Advisory Council members includes:
- Assessment and maturity scoring: The Advisory Council members stated that there is benefit in being able to understand the maturity of programs and to also set target scores – something that would be particularly helpful for use with subsidiaries and third parties. One advisory council member noted that the assessment offers a standardized way to quantify maturity and define areas of improvement.
- Benchmarking: Many liked the ability to benchmark their anonymized, aggregated scores with other companies from similar regions and industries and in size. One Advisory Council member thought the assessment would be valuable for conducting a gap analysis.
- Management platform: Many noted that the assessment platform and dashboard is user-friendly, intuitive and provides an efficient way to manage a range of assessments and share data with others in the organization. The ability to produce a range of reports was thought to be helpful for sharing information with senior leadership, colleagues and other stakeholders.
- Third party engagement: Many advisory council members stated that the CREATe approach could be valuable for using with third party partners to efficiently ascertain how they map to ISO 37001.
For additional information about the CREATe Advisory Council and assessment, please email info@CREATe.org.