Will ISO 37001 Certification Strengthen an Organization’s

By Zafar I. Anjum, MSc, MS, CII, CFE, CIS, MICA, Int. Dip. (Fin. Crime)
MABI, MIPI. Group Chief Executive Officer
Corporate Research and Investigations Limited

The jury is still out on the long-term effects that ISO 37001 will have on suppressing the trillion-dollar scourge that bribery and other forms of corporate corruption inflict on business and economic development in the global marketplace.

But from a current perspective, it appears that compliance officers, general counsel, and senior executives of large, multi-national organizations are starting to warm up to the new standard and are actively seeking counsel to improve their existing compliance programs, while weighing the many benefits of attaining ISO 37001 certification from an accredited conformity assessment body.

Since its inception in 2016, the ISO 37001 Anti-Bribery Management System standard has specified a series of measures to help organizations prevent, detect and address bribery. These measures include adopting an anti-bribery policy, appointing individuals to oversee anti-bribery compliance, training, risk assessments and due diligence on projects and business associates, implementing financial and commercial controls, and instituting reporting and investigation procedures.

The standard addresses the many intricacies and inconsistencies related to the multitude of jurisdictions and laws governing the practice of bribery by defining shared benchmarks in determining the versatility, viability and effectiveness of an organization’s anti-bribery management system.

And with a growing list of fully accredited bodies worldwide now formally qualified to grant ISO 37001 certification, multi-national organizations operating global supply chains (like Microsoft and Walmart) are beginning to advocate for certification as a way in which businesses can pronounce their desire to control and reduce incidents of bribery, while potentially protecting their organizations from the many risks associated with bribery and other forms of corporate corruption.

The Certification Process:  An Independent, Outsider’s View

Because ISO 37001 certification is not a globally required mandate, organizations can certainly run self-directed audit and review programs of their management systems in an attempt to keep up with, and comply with, the standard. Such a review program will be critical in determining the sustainability (or susceptibility) of the compliance system, and its overall impact (and value) to the organization.

But companies are gradually realizing the value that an independent certification body may bring to the organization, and are increasingly turning to those outside experts to audit, validate and certify their compliance programs.

Simply stated, ISO 37001 certification adds a distinct level of credibility to the organization’s compliance program and ensures that the organization is implementing a viable anti-bribery management program utilizing widely accepted controls and systems, while providing visible, public proof from an independent third party that all the proper audit and review steps have been taken in a structured and generally accepted manner.

From a stakeholders’ standpoint, certification provides assurance to management, investors, business associates, personnel and shareholders that the organization is actively pursuing internationally recognized and accepted processes to prevent bribery and corruption.

And from a business standpoint, ISO 37001 certification may lead to a competitive advantage, providing assurance to customers that the company has a robust anti-bribery program, and demonstrating that the organization — and its third-party suppliers — is serious about complying with anti-bribery laws.

The certification process itself is conducted by an accredited body that is well-versed on the standard, well-skilled in anti-bribery and anti-corruption management systems, and can demonstrate competence in conducting a credible audit program.  The process generally involves a thorough document review and staff interviews by the outside party, which is designed to confirm the existence of a strong anti-bribery program or, in some cases, identify weaknesses in the system, thereby presenting opportunities for improvement.

How can we attest to the positive results of such certification? By examining just four of the many key components of a sound anti-bribery management system and demonstrating that, through compliance with the standard, the desired outcomes of each of these specific facets will aid in vastly improving the effectiveness of the overall program.

Leadership Buy-In — Organizational commitment to any management system surely begins at the top.  Top-down leadership demonstrates an overarching understanding of the many risks involved in multi-national and multi-jurisdictional business dealings, and the subsequent commitment to strong policies and procedures required to mitigate those risks.

ISO 37001 certification will ensure that the organization’s governing body — along with top management — demonstrates that understanding and is actively striving to set and approve policy that aligns with the organization’s strategy; provides reasonable oversight over the implementation of the system; and appropriates the necessary resources to properly maintain the system.  Further, this top-down leadership encourages the rest of the organization to abide by its policies and opens up channels of communications, enabling staff to contribute ideas for process improvement.

Conducting Risk Assessments — Risk assessment impels the organization to thoroughly examine the many ways it conducts business from a transactional standpoint, and assigns risk values to those various transactions.  From public procurement, licenses and permits to charitable donations or political contributions in a particular region, risk assessments can identify high-risk markets and industry sectors.

Certification brings a skilled and accredited outsider’s eye to each risk assessment, as the auditing body will have vast business and risk management experience related to particular industry sectors and geographic markets, which will result in more thorough assessments and a higher level of overall protection for the organization.

Employee Training — Certification can cause an organization to more deeply assess its training programs to ensure that employees fully understand the legal and regulatory requirements of the various regions where the organization operates, are guided on the terms of gifts and hospitality for each region, are aware of the procedures for detecting and reporting red flag abuses, and are systematically tested to measure the effectiveness of such training.

Third-Party Due Diligence — Accredited certification bodies will have intricate knowledge of acceptable working relationships with third-party providers (preferably by geographic region) and can bring that expertise to the table when examining specific business opportunities that may be prone to bribery occurrences.  Further, the audit team will be well-versed in third-party due diligence procedures and will be able to identify weaknesses in policies involving third-party relationships.  An outside expert will also be able to gauge the effectiveness of the third-party’s own anti-bribery program to ensure it conforms to the organization’s objectives.

Finally, from a litigation standpoint, ISO 37001 certification can provide a verified level of proof in legal proceedings that the organization has proactively demonstrated its commitment to anti-bribery practices by taking reasonable actions to prevent such corruption.

Such proof was required by the Securities and Exchange Commission (SEC) as a partial remediation in the SEC’s $20 million civil settlement with GlaxoSmithKline involving GSK China, a GlaxoSmithKline subsidiary convicted of bribing officials to boost pharmaceutical sales through increased prescriptions and purchases by hospitals in China from 2010 through 2013.  The payments came in the form of gifts, travel, shopping excursions and cash, among other things, which were recorded in GSK’s books and records as legitimate business expenses, such as medical association sponsorships, employee expenses, conferences, speaker fees and marketing costs.

As part of GSK’s remedial efforts (as outlined in the settlement document), the company “enhanced its global risk assessment process, strengthened its monitoring and risk assessment tools, and increased its global compliance organization. Respondent also enhanced its third-party oversight program, including increasing the number and scope of third-party audits, and increased training and education of employees on anti-bribery issues.”

It goes without saying that, had GSK maintained an adequate anti-bribery management system, and demonstrated its processes and procedures to the SEC throughout the investigation, the company may have had grounds to appeal its ruling and subsequently reduce the penalty.

While ISO 37001 certification will not eliminate liability in the face of evidence that bribery has actually occurred, it could have positive effects in many jurisdictions and could help the organization avoid costly litigation, lawsuits and subsequent damage and losses.

Such certification may not be the solution for every business, but those organizations that have built strong management systems which adhere to globally recognized best practices and controls to battle bribery and corruption — while maintaining a strong commitment to establishing a corporate culture of integrity, transparency and compliance on the international stage — have already taken the first step to mitigating the ever-present risks associated with bribery.  It only makes sense to enhance that position through certification using an objective and independent outside resource that can add value and viability to an anti-bribery compliance program.


CRI Certification (www.CRIcertification.com) is an accredited body in issuing ISO 37001:2016 certification, and an independent component of CRI Group’s recently launched Anti-Bribery Anti-Corruption Centre of Excellence, which was created to educate, equip and support the world’s leading business organizations with the latest in best-practice due diligence processes and procedures, providing world-class anti-bribery and anti-corruption solutions to organizations seeking to validate or expand their existing compliance frameworks to maintain a competitive edge in the world marketplace.


Zafar I. Anjum, MSc, MS, CFE, CII is Group Chief Executive Officer of CRI Group (www.crigroup.com), a global supplier of investigative, forensic accounting, Anti-Bribery and Anti-Corruption Solutions, integrity due diligence and employee background screening services for some of the world’s leading business organizations. A member of the Dubai International Financial Centre, CRI safeguards businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. CRI Group maintains offices in Dubai, Islamabad, Lahore, Karachi, Manila, Riyadh and the United Kingdom.

