(Anti Bribery Management System = ISO 37001:2016)
Note : This is the most critical element in ABMS, failure to understand and comply to this element may prove negative to the organization.
5. OPERATION - Planning and Control
Process to comply to ABMS requirements should be planned and implemented. They should also be controlled and reviewed. (Process requires criteria, control and proper documented information)
Do not change the process unnecessarily. Apart from internal, focus also on outsourced process (sub-contractor, supplier, vendor, consultant etc)
Due Diligence - Bribery Risk Assessment
Potential bribery risk should be assessed no matter how insignificant (conducted on defined frequency for updated information) - transactions - projects/activities, if necessary - always involved business associates and certain important positions of the organization. Despite the organization may conclude that it is unnecessary, unreasonable or disproportionate to undertake due dilligence on certain personnel and business associate, but it is advisable and highly recommendable that apart from prioritization, assessment should also cover the rest of the organization as well. (no stone left unturned)
Financial Controls
is required to manage risk. Non-Financial control managing such risk should also be prioritized such as purchasing/procurement, operation, sales, commercial, HR and legislation-related activities. It's recommended to encourage business associates/service providers to understand, implement and consistent with the organizational strong view on bribery and ensure the implement their own anti-bribery controls/mitigation as well. (subject to assessment) It's recommended that the business associate/service providers/3rd party to submit evidence of anti-bribery controls/mitigation.
Assessment should be reasonable and proportionate.
Anti-Bribery Commitments
Business associates with low risk of bribery should still be subject to assessment. They should show evidence of commitment and be willing to be assessed on any transaction, project, activity, or relationship. Failure to do so; in the event of proven bribery; the organization may terminate the business associates.
The organization must also be ready to assist in assessing, managing and help business associates understand the risk.
Gifts, Hospitality, Donations or equivalent
Procedure(s) is required to ensure any offering, gifts, hospitality, donations or equivalent could be perceived as bribery. (Clear definitions and situations are required to address these issues)
Managing Inadequacy of Anti-Bribery Controls
Not all risks are manageable. The organization may change the nature of transaction, project, activity or relationship where applicable in order to better manage the risks. (It is recommended that business associates, supplier, sub-contractor, consultants should share the responsibility and accountability to manage risks of bribery that is found difficult to control)
(Should there be "red flags" situation (proven bribery has been committed), the organization may terminate, discontinue, suspend or withdraw (even taking legal action where necessary).
Raising concerns
Procedure(s) is/are required especially for smooth reporting or whistleblowing any possible or ongoing bribery activities to the appropriate personnel such as Management Representative or anyone with authority to make decision such as members of the governing body. (Although the personnel may also; out of fear that such action may possibly jeopardize his work/duty; directly report the alleged incident to the authorities) All reports should be treated in strictest of confidence and the identity of the person reporting the incident must be protected whether or not the alleged corruption activity result to be genuine or otherwise.
The person in charge should investigate as soon as possible without partiality.
Investigating and Dealing with bribery
Procedure (s) is/are required for investigation process determining the extent of such alleged acts (based on the law, anti-bribery policy or ABMS). The personnel that is/are conducting such investigation should be given authority to do so. (transparency should be genuine with no attempts to "sweep the matter under the carpet" or intimidating investigators or intervening in the investigation. On the other hand, the personnel and witness should also be given ample opportunity to defend themselves, prove their innocence or provide evidence)
Organization may also; to avoid partiality; hire a 3rd party (such as private investigator) to investigate the matter.