ISO 37001:2016 Based Bribery Risk Assessment
Authored by Rian Munanjar, Lead Consultant GRC – Robere & Associates (Indonesia)
Implementing ISO 37001:2016, the Anti-Bribery Management System (ABMS), offers significant benefits to organizations, including enhanced reputation, reduced legal and financial risks, and improved stakeholder relationships. This standard also fosters an organizational culture that rejects bribery, promoting integrity and transparency in all business aspects.
Understanding ISO 37001:2016
ISO 37001:2016, the Anti-Bribery Management System, introduces a comprehensive framework for managing bribery risks in daily operations and business transactions. Key elements of this standard include an anti-bribery policy, due diligence procedures, anti-bribery employee training, bribery risk evaluation, business associate due diligence, and ongoing monitoring of the anti-bribery management system’s effectiveness. Bribery risk management is one of the critical initial steps for organizations aiming to implement an ABMS.
Why Organizations Need to Conduct Bribery Risk Assessments Based on ISO 37001:2016
The objective of a bribery risk assessment is to enable an organization to establish a robust foundation for implementing an Anti-Bribery Management System. Through the identification of bribery risks, organizations can focus on priority risks. By understanding the priority risks that must be addressed, organizations can accurately implement risk mitigation strategies, control implementation, and allocate necessary resources.
How to Assess Bribery Risks According to ISO 37001:2016?
When conducting a bribery risk assessment, organizations need to consider several provisions:
1. Organizations must establish criteria for the levels of bribery risk, taking into account organizational policies and objectives.
The determination of bribery risk criteria levels typically utilizes a Risk Heat Map. A Risk Heat Map measures the level of risk by considering Likelihood (the probability of a risk occurring) and Impact (the consequence of a risk occurring).

Likelihood represents the probability of a risk occurring, expressed as its frequency over a certain period or as a number of occurrences. Below are examples of criteria for determining likelihood values:
| Likelihood Value | Definition | Example |
|---|---|---|
| 1 (Low) | Very Rare / Unlikely | 0 to 1 occurrence |
| 2 (Low to Moderate) | Rare / Small Probability | 2 to 3 occurrences |
| 3 (Moderate) | Somewhat Rare / Possible | 3 to 5 occurrences |
| 4 (Moderate to High) | Frequent / High Probability | 6 to 8 occurrences |
| 5 (High) | Very Frequent / Certain | More than 8 occurrences |
Meanwhile, Impact refers to the consequences of a risk occurring. Below are examples of criteria for determining impact values:
| Impact Value | Definition | Assessment |
|---|---|---|
| 1 (Low) | Very Low | If the risk occurs, it does not disrupt operations or finances. (Loss Cost < 0.01% of total equity) |
| 2 (Low to Moderate/LTM) | Low | If the risk occurs, it causes operational constraints, financial obligations, and reputation decline, but not significantly. (Loss Cost > 0.01% - < 0.25% of total equity) |
| 3 (Moderate) | Moderately High | If the risk occurs, it causes operational constraints, financial obligations, and a fairly significant reputation decline. (Loss Cost > 0.25% - < 0.50% of total equity) |
| 4 (Moderate to High) | High | If the risk occurs, it causes operational constraints, financial obligations, and a relatively significant reputation decline. (Loss Cost > 0.50% - < 0.80% of total equity) |
| 5 (High) | Very High | If the risk occurs, it causes operational constraints, financial obligations, and a significant reputation decline. (Loss Cost > 0.80% of total equity) |
Plotting the likelihood and impact assessments on the Risk Heat Map yields the prioritization of bribery risks within an organization. An example of bribery risk priority levels is as follows:

In conducting a bribery risk assessment, organizations must assess both inherent risk and residual risk. Inherent risk is the risk that exists before any mitigation efforts, controls, or other actions are established to reduce the risk from its initial level to a level acceptable to the organization. Residual risk is the risk remaining after mitigation efforts and controls have been implemented to reduce the inherent risk. This residual risk is what organizations must manage according to the previously determined risk mitigation strategies.
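The scoring behind the Risk Heat Map, as an added Python example (not from the article or Robere & Associates): it maps occurrence counts and loss cost as a share of total equity to the likelihood and impact values tabulated above, multiplies them, and compares inherent with residual risk for each register entry. The priority bands, the half-open treatment of the table boundaries, and the sample procurement register are assumptions.

```python
# Added example: heat-map scoring using the article's likelihood and impact criteria.
# Priority bands, boundary handling and the sample register are assumptions.
from dataclasses import dataclass

def likelihood_from_occurrences(n: int) -> int:
    """Occurrences in the review period -> likelihood 1..5.
    The article's bands overlap at 3 ("2 to 3" and "3 to 5"); we assume 3 -> 2."""
    if n <= 1: return 1
    if n <= 3: return 2
    if n <= 5: return 3
    if n <= 8: return 4
    return 5

def impact_from_loss(loss_cost: float, total_equity: float) -> int:
    """Expected loss as % of total equity -> impact 1..5 (half-open intervals assumed)."""
    pct = 100.0 * loss_cost / total_equity
    if pct < 0.01: return 1
    if pct < 0.25: return 2
    if pct < 0.50: return 3
    if pct < 0.80: return 4
    return 5

def priority(score: int) -> str:
    """Assumed priority bands for likelihood x impact (1..25)."""
    if score >= 15: return "High"
    if score >= 8: return "Medium"
    return "Low"

@dataclass
class BriberyRisk:
    name: str
    occurrences: int        # expected occurrences before controls (inherent)
    loss_cost: float        # expected loss before controls
    ctrl_occurrences: int   # expected occurrences after controls (residual)
    ctrl_loss_cost: float   # expected loss after controls

def assess(risk: BriberyRisk, total_equity: float) -> dict:
    """Score inherent and residual risk and assign a priority to each."""
    inh = likelihood_from_occurrences(risk.occurrences) * impact_from_loss(risk.loss_cost, total_equity)
    res = likelihood_from_occurrences(risk.ctrl_occurrences) * impact_from_loss(risk.ctrl_loss_cost, total_equity)
    return {"risk": risk.name, "inherent": inh, "inherent_priority": priority(inh),
            "residual": res, "residual_priority": priority(res)}

# Constructed sample register for a procurement process (illustrative values only).
EQUITY = 10_000_000.0
REGISTER = [
    BriberyRisk("Kickbacks in vendor selection", 6, 60_000.0, 1, 20_000.0),
    BriberyRisk("Gifts to inspectors at goods receipt", 4, 500.0, 2, 500.0),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(assess(r, EQUITY))
```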

Below is an example of a bribery risk assessment related to the procurement process, including how an organization addresses such risks:

2. Organizations must conduct bribery risk assessments periodically.
The provisions for conducting bribery risk assessments are as follows:
- Identify the bribery risks the organization might reasonably anticipate, taking into account relevant internal and external issues that affect its objectives. When identifying bribery risks, organizations need to understand their end-to-end business processes and consider the interactions between internal and external parties, as well as among internal parties, within the organization.
- Analyze, assess, and prioritize identified bribery risks; and
- Evaluate the suitability and effectiveness of existing organizational controls to reduce assessed bribery risks.
3. Bribery risk assessments must be reviewed periodically.
The review of bribery risk assessments is conducted under the following provisions:
- Reviews are carried out periodically, so that any new information can be assessed by the organization in a timely manner; and
- Reviews are also carried out upon significant changes to the organization's structure or activities.
4. Documented Information
Organizations must retain documented information to demonstrate that bribery risk assessments have been conducted and used to design and improve the anti-bribery management system.