ISO 37001: Applying Anti-Bribery Framework to Third Parties

June 30, 2020

In 2016, responding to the need for a global standard to help organisations prevent and detect bribery and corruption, the International Organization for Standardization (ISO) introduced ISO 37001 Anti-Bribery Management Systems. This certification provides the anti-bribery framework for organisations of any size or industry to implement practical solutions against bribery. Perhaps overlooked, however, is the fact that ISO 37001’s framework is designed for more than just an organisation’s own internal systems. It can also be applied to existing or potential third-party partners. This adds a crucial layer of third-party due diligence and risk management in today’s world of international business.

New Laws Raise the Stakes for Companies and Individuals

Corporations, agencies, and even small companies don’t exist in a bubble. The reality of international trade and the interconnectedness of business make the potential for bribery and corruption a serious and continuous concern. There are laws that govern business conduct along these lines, such as the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act 2010, and newer laws on the books or in the pipeline – such as Malaysia’s new Section 17A of the MACC Act.

Taking effect 1 June 2020, Section 17A introduces corporate liability for corruption. The new section also imposes personal liability on directors, controllers, and management, a fact that should make any business leader dealing in Southeast Asia sit up and take notice.

The corporate liability provisions usher in a new era for Malaysia, with its elements modelled on the UK Bribery Act and the FCPA and among the strongest anti-corruption measures in the entire region. First, Section 17A connects the corrupt acts of “a person connected with the commercial organisation” to the organisation itself; depending on the circumstances, an organisation cannot simply blame corruption on a “rogue actor”. Secondly, a corporation is liable for a maximum fine of ten times the total of a bribe or other illegal gratuity, or one million ringgit, whichever is higher. And a bad actor can face imprisonment for a term of up to 20 years. Obviously, the punishments set out under Section 17A are not trivial.

With the introduction of Section 17A, companies will be at risk if they do not have proper controls in place to prevent bribery and corruption. If they have agents or third parties who commit such misdeeds on their behalf, or as part of the partnership, they will be similarly liable. This includes personal liability and the possibility of criminal punishment for directors, executives and managers. This is the kind of new legal peril that companies face if they don’t take measures to proactively prevent bribery and corruption. The ramifications are serious. And other new laws in various jurisdictions are also prescribing heavier penalties, with governments, by and large, pursuing more enforcement actions.

The ISO 37001 Framework

Recognising this vulnerability for companies, ISO unveiled 37001 with a twofold approach: provide a practical, measurable system that organisations can implement to prevent and protect against fraud, while keeping the system flexible and adaptable to fit any industry or jurisdiction. ISO was uniquely positioned to develop such an anti-bribery framework with its reputation, having been in the standards business since 1947, and its global reach, which includes 164 member countries.

The ISO 37001 Anti-Bribery Management Systems standard defines the critical elements of an anti-bribery and anti-corruption policy. These include the following:

  • The organisation shall adopt an anti-bribery policy.
  • An individual must be appointed to oversee anti-bribery efforts.
  • Financial and accounting controls are a critical part of the process.
  • Reporting methods and investigation processes shall be defined.
  • The organisation shall implement compliance, training, risk assessments, and due diligence on projects and business associates.

The last two bullets above illustrate how ISO 37001 can be used as an effective tool when evaluating existing or potential third-party partners (including contractors, suppliers, etc.). Even the most thorough, comprehensive anti-bribery and anti-corruption control system will only go so far unless a degree of those standards is also applied to due diligence on business partners. Unfortunately, many organisations have learned the hard way that unseen risk can have devastating consequences for a company’s finances and reputation.

A Foundation for Effective Risk Management

The ISO 37001 Anti-Bribery Management Systems standard outlines the fundamental elements needed to establish third-party compliance. The most effective system will be risk-based and must include comprehensive risk assessments. A risk-based compliance programme allows the organisation to apply appropriate levels of due diligence to third parties relative to their risk level. For example, a supplier that is considered “high risk” (based upon a proper risk assessment) will require a more intensive level of due diligence than a vendor that is relatively low risk (for example, one that conducts limited business with the entity and could easily be replaced without disrupting the chain of production).

In this way, an organisation avoids a “one-size-fits-all” approach that expends unnecessary resources (in time and financial cost) where they aren’t needed. On the other hand, recognising where such resources are needed also helps the company become more attuned to identifying a high-risk relationship in the first place. This might even prompt a useful analysis of whether the relationship should be limited or terminated, depending on the company’s acceptable risk level.

Evaluating Third Parties

So, how does ISO 37001 provide guidance on evaluating third-party partners? The following are a few of the questions considered essential for determining risk factors among third parties:

  • Has the third party been vetted as a legitimate business, through due diligence checks of corporate registration documents, tax filings, tax identification number and other methods?
  • Does the third party meet the parameters of the contract in terms of resources and experience?
  • Does the third party have its own anti-bribery anti-corruption management system?
  • Does the third party have any criminal record or reputation for bribery, corruption, fraud or similar crimes?
  • Has the third party been investigated, fined, or penalised for such offences?
  • Who are the key stakeholders, including owners, directors and top managers?
  • Do any of the key players listed above have criminal backgrounds or reputations for bribery, corruption, fraud or similar crimes?

When implemented under the guidance of trained, certified professionals, the standards of ISO 37001 can provide the higher level of protection that comes from answering the questions above.

One of the leading such providers is the ABAC® (Anti-Bribery and Anti-Corruption) Center of Excellence. International firm CRI Group established ABAC® to help organisations of all types and industries implement ISO 37001. They use a team of experts that includes certified ethics and compliance professionals, financial and corporate investigators, forensic analysts, certified fraud examiners, qualified auditors, and accountants when implementing the ISO 37001 standard for organisations. As an accredited provider of ISO 37001 ABMS, the team provides an experienced implementation of ISO 37001’s key elements, helping clients more effectively prevent bribery and corruption.

The establishment of ISO 37001 as a worldwide standard marked a huge step forward against bribery and corruption. Before that, companies were left on their own to develop a strategy and system to manage risk on all fronts. Now, in addition to the benefit of comprehensive internal controls, organisations can also reap the advantages of applying ISO 37001 standards to third-party partners to ensure they remain within acceptable risk parameters.

The guidance will also help organisations stay in compliance with laws like the FCPA and the UK Bribery Act. Adopting the standards set forth in ISO 37001 demonstrates to regulators, investigators, and litigators (should it come to that) that an entity has taken reasonable steps to prevent and detect bribery and corruption, and to comply with applicable laws. When implemented with the guidance of an expert certification body such as ABAC® CoE, any organisation will have a head start in managing its risk profile and due diligence efforts more effectively. The guidance put forth by ISO 37001 is practical, adaptable, and proven to be successful.

Webinar: ISO 37001 ABMS to Evaluate Your Anti-Corruption Compliance Program

Don’t miss the chance to find out more about ISO 37001 ABMS as an effective and powerful tool for your business to establish competency and compliance requirements for the scope of Section 17A MACC enforcement.
About ABAC® Center of Excellence

ABAC® is an independent certification body powered by CRI Group. ABAC® Center of Excellence offers a complete suite of services and solutions designed to educate, equip & support the world’s leading business organisations with the latest best-in-practice risk & performance assessments, systems improvement & standards certification. ABAC® programs protect your organisation from damaging litigation & safeguard your business in the global marketplace by providing certification & training in internationally recognised ISO standards, such as ISO 37001 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000 Risk Management Systems.