Almost every organisation of meaningful size has an anti-bribery and corruption (ABC) policy. A meaningful number of those policies are filed and not operationalised. When the regulatory action arrives — under the FCPA, the UK Bribery Act, the EU Anti-Corruption Directive, or a national equivalent — the policy alone provides no defence. ISO 37001 is the international standard for an anti-bribery management system (ABMS), and its purpose is precisely to distinguish a programme that exists on paper from one that operates in practice.
What Makes ISO 37001 Different from a Policy
A policy declares intent. A management system implements that intent through assigned responsibilities, defined processes, due diligence on third parties, training, financial controls, gifts and hospitality controls, monitoring, internal audit, and management review. ISO 37001 specifies what each of these must include and provides the framework for demonstrating the system actually operates. Certification is third-party verification by an accredited body that the system meets the standard's requirements.
Why Regulators and Acquirers Care
In FCPA enforcement, the existence of a credible compliance programme can affect the resolution and the size of any penalty. The DOJ Evaluation of Corporate Compliance Programs frames many of the same questions ISO 37001 addresses — is the programme well-designed, applied earnestly and in good faith, and does it work in practice? ISO 37001 certification is not a free pass, but it is structured evidence that the programme has been independently assessed against an international standard. In M&A, acquirers conducting integrity due diligence look favourably on certification because it reduces the inherited risk profile.
The High-Risk Activities the Standard Pushes On
ISO 37001 puts particular weight on activities where bribery risk is concentrated: third-party relationships (especially intermediaries, agents, and consultants), gifts and hospitality, charitable contributions and sponsorships, political contributions, and acquisitions. Each requires defined due diligence proportional to risk, documented controls, and ongoing monitoring. Programmes that have policies on these activities but cannot demonstrate that the controls run consistently tend to be where regulators find their most damaging evidence.
Third-party intermediaries are the single most common bribery exposure for multinational organisations. The relationship looks routine — sales agent in a foreign market, customs broker, consultant. The control gap is rarely the contract itself; it is the absence of due diligence proportional to the actual exposure, of ongoing monitoring of the relationship, and of documented justification for engaging the intermediary in the first place. An ISO 37001 audit examines each of these elements structurally, not just the existence of a policy covering them.
The Anti-Bribery Compliance Function
The standard requires a defined anti-bribery compliance function with sufficient independence and authority. The function reports to top management or the governing body, has access to information needed to operate the programme, and has direct escalation paths for serious matters. Programmes where the compliance function reports through commercial leadership and depends on commercial budget for its operations face a structural conflict the auditor will identify.
How to Approach Implementation
- Conduct an explicit bribery risk assessment per business unit, geography, and activity type
- Define the ABMS scope and obtain top management commitment with documented evidence
- Build third-party due diligence proportional to risk — not a flat process applied uniformly
- Implement gifts, hospitality, and donations procedures with thresholds and approval workflows
- Train people whose roles touch the high-risk activities, with completion records that stand up to audit
- Establish reporting channels with anti-retaliation protections
- Run internal audit against the ABMS, not just the underlying policies
- Conduct management review with documented decisions and follow-up
When ISO 37001 Is Worth Pursuing
ISO 37001 is most clearly valuable for organisations operating across borders, in sectors with significant government interaction, or those exposed to enforcement under multiple jurisdictions. Smaller organisations with limited international exposure may not need certification, but the standard's framework is still useful as an internal reference. The implementation cost is real; the cost of inadequate ABC compliance when enforcement arrives is much larger.