New Bribery Risk Entry
Assess inherent bribery risk before controls. Risk Score = Likelihood × Impact. High/Critical risks require enhanced controls and may require enhanced due diligence (EDD).
Due Diligence – ISO 37001:2025 Clause 8.2
Clause 8.2 requires the organisation to conduct proportionate due diligence on transactions, projects, activities and business associates before entering into relationships or transactions. The level of due diligence must be commensurate with the bribery risk.
Simplified Due Diligence (SDD)
Applied to low-risk relationships where bribery risk is demonstrably low. Basic checks: verify identity, confirm no obvious red flags, no adverse media.
Suitable for: Low-risk domestic suppliers, minor subcontractors, commodity purchases with no public official contact.
Standard Due Diligence (SDD)
Applied to most business associates. Includes: company/UBO verification, sanctions screening, adverse media search, PEP check, anti-bribery questionnaire, reference checks, site visit (where warranted).
Suitable for: Most suppliers, agents, distributors, JV partners in moderate-risk contexts.
Enhanced Due Diligence (EDD)
Applied to high-risk relationships or where red flags are identified. Includes all Standard Due Diligence checks plus: deep corporate structure investigation, independent on-site audit, interviews with senior management, regulatory references, specialist third-party intelligence report, legal opinion.
Required for: High-risk countries, agents with PEP connections, politically sensitive contracts, large-value government-facing relationships, relationships where red flags exist.
Bribery Red Flags
Unusual payment requests or structures; relationships with public officials or their family members; excessive commissions or fees; lack of transparent ownership; refusal to certify compliance; third-country routing of payments; pressure to "make things happen" quickly; anonymous referrals; use of cash; operating in very high CPI-risk countries without adequate controls.
Contractual Protections
All business associate agreements should contain: representations and warranties of ABMS compliance; audit rights; right to terminate for bribery non-compliance; clawback provisions; annual certification requirements; specific prohibitions on facilitation payments, gifts and hospitality above defined thresholds; subcontractor flow-down obligations.
Key Anti-Bribery Controls – ISO 37001 Clause 8
Anti-Bribery Policy (Cl. 5.2)
Clear, board-approved policy prohibiting all forms of bribery. Must define bribery, scope, responsibilities, zero tolerance position, and consequence of breach. Published internally and externally where appropriate.
Training & Awareness (Cl. 7.3)
All staff must receive anti-bribery training proportionate to their role and risk level. High-risk roles (procurement, sales, finance, government affairs) require enhanced training. Third parties should receive policy and training. Record training completion.
Gifts & Hospitality Register (Cl. 8.7)
Maintain a register of all gifts and hospitality offered and received. Set clear financial thresholds. Require pre-approval above thresholds. Prohibit cash gifts. Apply enhanced scrutiny to gifts involving public officials or high-risk relationships.
Financial Controls (Cl. 8.3)
Segregation of duties; dual authorisation for high-value payments; prohibition on cash payments above defined limits; no off-books accounts; all payments to documented, verified beneficiaries; expense reimbursement controls with receipts required.
Whistleblowing (Cl. 8.9)
Confidential reporting channel (internal or external). Non-retaliation policy with legal protection. Multiple reporting options (phone, email, web portal). Third-party managed hotline for independence. Regular promotion and testing of the channel.
Investigation Procedures (Cl. 8.10)
Documented procedure for investigating bribery concerns. Independent investigator. Preservation of evidence. Legal privilege. Regulatory notification obligations. Victim and perpetrator considerations. Outcome and remediation documentation.
ISO 37001:2025 – Key Clause Guidance
4.5 – Bribery Risk Assessment
Conduct a bribery risk assessment to identify, analyse and evaluate bribery risks. Consider all relevant factors: jurisdictions, sectors, business activities, business associates, transactions and relevant variables. Review periodically and after significant changes.
8.6 – Business Associates
Implement ABMS controls over business associates who perform activities that present a bribery risk. Include anti-bribery commitments in agreements. Conduct ongoing monitoring. Respond to non-compliance. Document all due diligence.
9.1 – Monitoring
Monitor, measure, analyse and evaluate the ABMS. Key metrics: DD completion rates, gifts/hospitality register, training completion, concerns raised, investigation outcomes, audit findings, near misses and policy exceptions.
5.3.2 – Compliance Function
A person or group must have responsibility and authority for the ABMS. They need resources, independence, access to the governing body, and must not face retaliation for raising issues in good faith. This is often the Chief Compliance Officer role.
Risk Score Bands (Likelihood × Impact)
1–4: Low – standard controls
5–9: Medium – review & standard DD
10–16: High – enhanced controls & EDD
17–25: Critical – immediate action required