Protect your business from fines and reputational risk with clear controls on corruption exposure.
Bribery and corruption risk is not a large-company problem. It is a mid-market problem that most mid-market companies are not managing in a documented, auditable way — and enterprise customers, public sector procurement teams, and investors are increasingly aware of that gap.
ISO 37001 is the international standard for Anti-Bribery Management Systems. Published in 2016, it provides the governance framework that demonstrates your organisation manages bribery risk systematically. And for mid-market companies with government contracts, international supply chains, or large enterprise customers, it is increasingly appearing in procurement requirements.
Here is what finance and compliance leaders need to understand.
Why Mid-Market Companies Are Being Asked for ISO 37001 Now
Three things are driving demand:
Government and public sector procurement. Public sector procurement teams in Norway and across Europe are embedding anti-bribery management requirements into tender processes. ISO 37001 certification — or evidence of equivalent controls — is increasingly a qualification criterion. Companies without documented anti-bribery programmes are being excluded from procurement processes they would otherwise win.
Enterprise customer requirements. Large companies with their own anti-bribery obligations under the UK Bribery Act, FCPA, or equivalent legislation are pushing anti-corruption due diligence down their supply chains. Vendor questionnaires now routinely ask about anti-bribery policies, third-party due diligence procedures, and management oversight of corruption risk. ISO 37001 gives you a documented, internationally recognised answer.
International operations and partnerships. Any company operating in, sourcing from, or selling into jurisdictions with elevated corruption risk — which includes a significant proportion of global markets — faces legal exposure under extraterritorial anti-bribery laws. The UK Bribery Act applies to any company with a UK business presence. The FCPA applies to any company listed on a US exchange or with US operations. ISO 37001 provides the "adequate procedures" defence that can mitigate liability under these laws.
What ISO 37001 Actually Is
ISO 37001 is the international standard for Anti-Bribery Management Systems (ABMS). It provides a framework for implementing, maintaining, and improving controls designed to prevent, detect, and respond to bribery — in your own organisation and across your third-party relationships.
The standard covers three types of bribery risk:
1. Bribery by the organisation — employees, agents, or contractors paying bribes on your behalf.
2. Bribery of the organisation — third parties attempting to bribe your staff.
3. Third-party facilitation — agents, intermediaries, or partners using your company as a vehicle for corrupt payments.
For mid-market companies, the third-party risk is typically the most significant. Agents and intermediaries in international markets, consultants supporting public sector bids, and joint venture partners in higher-risk jurisdictions all represent bribery exposure that sits outside direct management control — and directly in the CFO's domain through financial approvals and payment processes.
Why This Is Primarily a CFO Problem
ISO 37001 covers the entire organisation, but the highest-risk controls sit in finance:
Financial controls — ISO 37001 requires specific financial controls designed to prevent bribery: approval thresholds for unusual payments, controls over gifts and hospitality, management of facilitation payments, and oversight of third-party commission structures. These live in the CFO's function.
Third-party due diligence — agents, intermediaries, consultants, and joint venture partners who could facilitate bribery on your behalf require documented due diligence before engagement and periodic review. Finance typically owns or co-owns these commercial relationships.
Gifts and hospitality — a documented policy with approval thresholds and a register of gifts given and received. Finance owns the register and the approval process.
Political contributions and charitable donations — both are high-risk bribery vectors that require documented approval processes and annual sign-off. Finance approves the payments.
The governance layer comes down to the same three workflows:
1. Sign-offs. Anti-bribery policy approved at board level. Risk assessment of bribery exposure by geography, sector, and transaction type. Due diligence decisions for high-risk third parties. Approval of unusual payments and high-value hospitality. These require documented trails that would withstand scrutiny from a regulator or court.
2. Disclosures. Anti-bribery compliance report to the board. Incident disclosures where bribery is suspected or identified. Transparency reporting where required by customers or public sector contracts. Whistleblower reports and investigation outcomes documented and retained.
3. Information requests. Third-party due diligence questionnaires. Regulatory requests in the event of an investigation. Customer and procurement questionnaires about your anti-bribery programme. Audit evidence requests during certification or surveillance audits.
What the Legal Exposure Looks Like
ISO 37001 is voluntary. The anti-bribery laws it helps you comply with are not.
Norwegian anti-corruption law (Straffeloven §§ 387–389) — applies to all Norwegian companies and individuals. Covers both active bribery (paying) and passive bribery (receiving). Companies can face fines and individuals can face imprisonment.
UK Bribery Act — applies to any company that carries on business in the UK. The corporate offence of failing to prevent bribery carries unlimited fines. The only defence is demonstrating that adequate procedures were in place — and ISO 37001 is explicitly recognised as evidence of adequate procedures.
US Foreign Corrupt Practices Act — applies to companies listed on US exchanges, US subsidiaries, and companies conducting business in the US. Penalties include significant fines and disgorgement of profits. ISO 37001 provides evidence of the compliance programme that regulators consider in enforcement decisions.
OECD Anti-Bribery Convention — ratified by Norway and 43 other countries. Creates an international framework of corporate liability for bribery of foreign public officials.
The practical implication: a bribery incident at a mid-market company without a documented anti-bribery management system faces full regulatory exposure. A company with ISO 37001 certification — or documented equivalent controls — has a defensible position that regulators and courts take into account.
How Long ISO 37001 Takes
What It Costs
With governance automation tooling: €8,000–18,000 first year including certification audit fees.
Traditional consultant route: €20,000–60,000 depending on the complexity of your third-party relationships and international exposure.
Annual ongoing with tooling: €6,000–12,000. Anti-bribery management is a continuous obligation — third-party relationships change, risk profiles evolve, and incidents require documented response.