Quick Read
ISO 37001 requires organizations to identify the competencies needed for roles affecting anti-bribery performance, ensure personnel meet those standards through education or experience, and maintain documented evidence—a requirement that extends beyond annual training checkboxes to genuine, demonstrable capability. Competency differs critically from awareness and training: it is the proven ability to perform work that produces the outcomes the management system requires, not merely exposure to content or policy acknowledgment. This whitepaper provides a practical framework for building and sustaining a competency matrix that auditors and regulators will respect, with principles applicable across other ISO management system standards including ISO 37301, ISO 27001, ISO 45001, and ISO 42001.
The Problem Nobody Talks About
When organisations implement ISO 37001, most of the attention goes to risk assessments, third-party due diligence, gifts and hospitality registers, and the policies and procedures that frame the anti-bribery management system. These are visible, auditable artefacts. They generate reports. They get presented to the board.
Competency sits in the background. It is one of those requirements that appears straightforward until you try to implement it seriously — and then it becomes one of the most difficult things to get right, and the most difficult thing to maintain over time.
Clause 7.2 of ISO 37001:2025 requires that an organisation determine the necessary competence of persons doing work under its control that affects its anti-bribery performance; ensure those persons are competent on the basis of appropriate education, training, or experience; take actions to acquire necessary competence where gaps exist; and retain documented information as evidence of competence. That last part, keeping the evidence maintained, is where most organisations fall down.
This whitepaper addresses competency practically: what it means across an ABMS, who needs to be included, how to structure a competency matrix that auditors and regulators will respect, and how to build a system of ongoing competency maintenance that goes beyond the annual refresher training tick-box. It uses ISO 37001 as the primary reference, but the principles apply across ISO management system standards wherever Clause 7.2 obligations exist — ISO 37301, ISO 27001, ISO 45001, ISO 42001, and others.
What Competency Actually Means Under ISO 37001
ISO management system standards use specific language. Competency is not the same as awareness, and both are distinct from training.
Awareness (Clause 7.3) is the general understanding that the ABMS exists, that bribery is prohibited, that there are channels to report concerns, and that policies apply to the individual. Awareness can be delivered through an annual e-learning module. It does not constitute competency.
Competency is the demonstrated ability to apply knowledge and skills to perform work in a way that produces the outcomes the ABMS requires. A person is competent when they can actually do the job — not merely when they can pass a multiple-choice test.
Training is an input to competency, not a synonym for it. Attending a training session is evidence that the person was exposed to content. Competency requires that the exposure was effective — that it produced the ability to perform the required tasks.
An auditor examining Clause 7.2 will look for evidence that you have determined what competency is required for each role, assessed whether people have it, addressed any gaps, and kept records. A folder of training attendance certificates does not satisfy this requirement. A structured, role-specific competency matrix with gap analysis and remediation records does.
Who Is In Scope? The Broader Picture
The most common mistake organisations make when building a competency matrix for their ABMS is limiting the population to the legal and compliance function. ISO 37001 takes a different view: the relevant population is all persons whose work affects the anti-bribery performance of the organisation. This is a wide category, and it needs to be taken seriously.
Consider what 'affecting anti-bribery performance' means in practice. A procurement officer who approves a supplier without completing due diligence affects the ABMS. A sales director who approves hospitality above the approved threshold affects the ABMS. A finance officer who processes an unusual payment without escalating it affects the ABMS. A country manager who receives a government request and does not know the escalation procedure affects the ABMS.
Governance: Board of directors or supervisory board; audit committee; risk committee; nomination and remuneration committee (which sets incentive structures that intersect with bribery risk).
Senior Executives: CEO, CFO, COO, CHRO, General Counsel, CCO, CRO; regional or country heads; business unit heads.
Anti-Bribery Function: Anti-Bribery Compliance Officer; compliance managers and analysts; in-house counsel with anti-bribery responsibility.
High-Risk Business Functions: Sales, business development, and account management; procurement and supply chain; government relations and public affairs; project management for large contracts; marketing and events; finance and treasury.
Second Line: Risk management; internal control; ethics and integrity programmes.
Third Line: Internal audit — responsible for evaluating ABMS effectiveness.
Human Resources: Recruitment and onboarding; performance management; learning and development.
IT & Document Management: Staff responsible for ABMS data systems, investigation case management, due diligence records, and document control.
External Parties (where in scope): Agents, intermediaries, joint venture partners within ABMS scope; external legal counsel on anti-bribery matters; third-party auditors and assessors.
Competency Domains for an ABMS
Before building the matrix, the organisation must define the competency domains — the subject areas across which competency is assessed. The following ten domains are appropriate for an ISO 37001-based ABMS.
Domain | Description |
|---|---|
D1 | Anti-Bribery Law & Regulatory Environment — Applicable domestic laws; UK Bribery Act, FCPA, OECD Anti-Bribery Convention, UNCAC; extraterritorial reach; individual and corporate liability; recent enforcement trends. |
D2 | ISO 37001 Standard Requirements — Structure and intent of the standard; mandatory requirements vs guidance; relationship to other ISO standards; documentation requirements; audit and certification process. |
D3 | Anti-Bribery Risk Assessment — Methodology for identifying, analysing, and evaluating bribery risk; country, sector, transaction, and business partner risk factors; risk scoring; integration with enterprise risk management. |
D4 | Third-Party Due Diligence — Principles and process of anti-bribery due diligence; risk-based tiering; red flag identification and escalation; enhanced due diligence triggers; ongoing monitoring; documentation. |
D5 | Controls, Policies & Procedures — Design and implementation of anti-bribery controls; gifts, hospitality, and entertainment policy; facilitation payments; charitable donations; public official interactions; approval thresholds. |
D6 | Communication, Training & Culture — Designing and delivering anti-bribery training; communicating ABMS requirements to business partners; embedding anti-bribery culture; board-level reporting on ABMS performance. |
D7 | Incident Management & Investigation — Recognising potential bribery incidents; initial response and evidence preservation; referral and escalation; conducting or supporting investigations; privilege considerations; voluntary disclosure. |
D8 | Monitoring, Measurement & Internal Audit — Designing and executing ABMS monitoring; KPIs and effectiveness metrics; internal audit; findings documentation; corrective action; management review input; continuous improvement. |
D9 | M&A, JVs & Corporate Restructuring — Pre-acquisition anti-bribery due diligence; integration planning; inherited liability; joint venture anti-bribery arrangements; contractual protections. |
D10 | Gifts, Hospitality & Conflicts of Interest — Policy requirements and thresholds; approval processes; register maintenance; public official interactions; cultural sensitivity; identifying and managing conflicts of interest. |
Proficiency Levels
A matrix requires a scale. Four levels of proficiency are appropriate for most organisations. Labels should be self-explanatory and consistently applied across the organisation.
Level | Label | Definition |
|---|---|---|
1 | Aware | Understands the domain is relevant; knows where to seek guidance; recognises trigger situations and escalates. Not expected to apply specialist knowledge independently. |
2 | Knowledgeable | Substantive understanding; applies relevant policies and procedures; makes routine decisions within established frameworks; escalates complex situations appropriately. |
3 | Proficient | Applies domain independently in area of responsibility; advises colleagues; analyses non-routine situations; produces professional-quality work product; maintains currency with developments. |
4 | Expert | Advisory and design level; develops the organisation's approach; advises senior management and board; interacts with regulators and external counsel; maintains currency with enforcement trends. |
The Competency Matrix: Role-by-Role Requirements
The matrix below illustrates how proficiency requirements vary by role across the ten competency domains. This is an illustrative template — each organisation must calibrate it against its specific risk profile, regulatory environment, and structure.
Role / Function | D1 AB Law | D2 ISO 37001 | D3 Risk | D4 Due Dilig. | D5 Controls | D6 Trg/Cult. | D7 Incidents | D8 Monitor | D9 M&A/JV | D10 Gifts |
|---|---|---|---|---|---|---|---|---|---|---|
Board / Directors | 2 | 2 | 2 | 1 | 2 | 1 | 2 | 2 | 2 | 2 |
CEO | 2 | 2 | 3 | 2 | 3 | 3 | 3 | 2 | 3 | 3 |
ABCO / CCO | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 3 | 4 |
General Counsel / CLO | 4 | 3 | 3 | 3 | 3 | 2 | 4 | 2 | 4 | 3 |
CFO / Finance Director | 2 | 2 | 3 | 2 | 3 | 2 | 2 | 2 | 3 | 3 |
CHRO / HR Director | 2 | 2 | 2 | 2 | 3 | 3 | 2 | 1 | 1 | 2 |
Head of Procurement | 2 | 2 | 3 | 3 | 3 | 1 | 2 | 2 | 1 | 3 |
Sales / BD Leaders | 2 | 1 | 2 | 2 | 3 | 1 | 2 | 1 | 1 | 3 |
Sales / BD (operational) | 1 | 1 | 1 | 1 | 2 | 1 | 1 | 1 | 1 | 2 |
Finance / AP / Treasury (ops) | 1 | 1 | 1 | 1 | 2 | 1 | 2 | 1 | 1 | 2 |
Procurement Officers (ops) | 1 | 1 | 2 | 2 | 2 | 1 | 1 | 1 | 1 | 2 |
Gov't Relations / Public Affairs | 3 | 2 | 2 | 2 | 3 | 1 | 2 | 1 | 1 | 3 |
Project Managers (large contracts) | 2 | 1 | 2 | 2 | 2 | 1 | 2 | 1 | 1 | 2 |
Internal Audit | 3 | 4 | 3 | 3 | 3 | 2 | 3 | 4 | 2 | 3 |
Risk Management | 2 | 3 | 4 | 2 | 2 | 1 | 2 | 3 | 2 | 1 |
HR – Recruitment / Onboarding | 1 | 2 | 1 | 2 | 2 | 2 | 1 | 1 | 1 | 1 |
IT / Information Security | 1 | 1 | 1 | 1 | 2 | 1 | 1 | 1 | 1 | 1 |
Level Legend: 1 = Aware; 2 = Knowledgeable; 3 = Proficient; 4 = Expert
Note: The matrix should be supplemented with brief role-specific rationale explaining why certain proficiency levels are required. For example, the rationale would explain why the Board requires Level 2 in anti-bribery law (sufficient to exercise informed governance) but only Level 1 in due diligence (they oversee, not execute). This documentation supports auditor review and helps the organisation apply consistent logic when updating the matrix.
Soft Skills: The Overlooked Dimension of ABMS Competency
Technical knowledge of anti-bribery law, ISO 37001 requirements, and due diligence methodology is necessary but not sufficient. The people who carry operational responsibility for an ABMS — compliance officers, internal auditors, legal counsel, procurement leaders, HR directors — spend a significant part of their working lives doing things that require entirely different capabilities: persuading a reluctant business unit to accept a control, delivering training that actually changes behaviour, interviewing a witness who is holding something back, presenting an unflattering compliance report to a board that would prefer not to hear it, or holding a position under pressure from a senior executive who wants a different answer.
These are soft skills. The term undersells them. They are not peripheral to the ABMS — they are the mechanism by which technical competency becomes operational effectiveness. An ABCO who cannot influence without authority cannot embed a culture of anti-bribery compliance regardless of how thoroughly they understand the standard. A procurement officer who cannot negotiate compliantly on third-party terms is a gap in the control framework that no policy document closes. An internal auditor who cannot conduct a credible investigative interview will miss things that a technically weaker but more skilled interviewer would find.
ISO 37001 does not specify soft skill requirements, but it does require that persons affecting anti-bribery performance be competent to do so. For key roles, soft skills are part of that competency. The following framework identifies seven soft skill domains and maps them to the roles where each is operationally material.
Soft Skill Domains
Domain | Description |
|---|---|
SS1 | Leadership & Tone — The ability to set and sustain an anti-bribery culture through visible personal commitment, consistent messaging, and decision-making that demonstrates values over convenience. Relevant at board and executive level and for the ABCO in their relationship with senior management. |
SS2 | Influence Without Authority — The ability to achieve compliance outcomes through persuasion, credibility, and relationship rather than direct authority. The compliance function rarely has line control over the business units it needs to influence. Fundamental for the ABCO, compliance team, and internal audit. |
SS3 | Communication & Presentation — Written and verbal communication calibrated to different audiences: clear, jargon-free briefings for operational staff; evidence-based analytical reports for senior management; governance-framed presentations for board and audit committee. Includes communicating bad news accurately without being alarmist. |
SS4 | Training Delivery & Facilitation — The ability to design and deliver training that produces behaviour change, not just awareness. Includes facilitation skills for case study discussions, scenario-based workshops, and executive sessions; the ability to read a room and adjust accordingly. |
SS5 | Negotiation & Difficult Conversations — The ability to negotiate compliantly — pushing back on supplier terms, declining inappropriate requests, insisting on due diligence where it is resisted, and navigating the tension between commercial pressure and compliance obligation. |
SS6 | Investigation Interviewing — The ability to plan and conduct investigative interviews that are legally sound, non-coercive, and productive. Includes active listening, structured questioning, managing defensive or evasive responses, and documenting interviews accurately. A technical discipline with its own methodology that must be learned and practised. |
SS7 | Cross-Cultural Intelligence — The ability to operate effectively across cultural contexts where bribery risk is often concentrated — understanding cultural norms around gift-giving, relationship-building, and official interactions without treating cultural difference as an excuse for non-compliance. |
Soft Skills Matrix: Requirements by Role
The matrix below applies the same four-level proficiency scale to soft skill domains for the key roles where these capabilities are operationally significant. Roles not listed require general professional communication skills but no structured development programme for these domains.
Role / Function | SS1 Leadership | SS2 Influence | SS3 Comms | SS4 Training | SS5 Negotiation | SS6 Investig. | SS7 Cross-Cult. |
|---|---|---|---|---|---|---|---|
Board / Directors | 3 | — | 2 | — | — | — | 2 |
CEO | 4 | 3 | 3 | 2 | 3 | — | 3 |
ABCO / CCO | 4 | 4 | 4 | 4 | 4 | 3 | 3 |
General Counsel / CLO | 3 | 3 | 3 | 2 | 4 | 3 | 2 |
CFO / Finance Director | 3 | 3 | 3 | 1 | 3 | — | 2 |
CHRO / HR Director | 3 | 3 | 3 | 3 | 3 | 1 | 3 |
Head of Procurement | 2 | 2 | 2 | 1 | 3 | — | 3 |
Sales / BD Leaders | 2 | 2 | 3 | 1 | 3 | — | 3 |
Gov't Relations / Public Affairs | 2 | 2 | 3 | 1 | 3 | — | 4 |
Internal Audit | 2 | 3 | 3 | 2 | 2 | 3 | 2 |
Risk Management | 2 | 3 | 3 | 1 | 2 | — | 2 |
HR – Recruitment / Onboarding | 1 | 2 | 2 | 2 | 2 | — | 2 |
Developing soft skills requires different methods than technical training. Knowledge of anti-bribery law can be acquired through reading and formal instruction. Influence, facilitation, negotiation, and interviewing are learned through practice, feedback, and reflection. Effective development approaches include: coached role-play and scenario exercises; facilitated peer review of real training sessions or presentations; structured mentoring from experienced practitioners; participation in professional speaking or facilitation programmes; and deliberate post-event review of what worked and what did not.
Competency Gap: Assessment and Remediation
A matrix defines what is required. It does not establish that anyone actually has it. The next step is assessment — a structured evaluation of whether each person meets the proficiency level required for their role.
Assessment methods should be appropriate to the proficiency level being tested. For Level 1, a brief knowledge check or structured conversation may be sufficient. For Levels 3 or 4, assessment must be more rigorous — work sample review, structured interview, practical exercise, or formal examination. The most honest form of competency assessment at higher levels is task-based: can this person actually do what the role requires?
Where assessment identifies a gap, a remediation plan should be documented specifying: the gap identified, agreed development activities, timeline for completion, and the method by which closure will be confirmed. Remediation plans should be treated as management commitments, reviewed in the management review process, and tracked against completion.
Maintaining Competency Over Time: The Ongoing Obligation
This is the dimension that most organisations get wrong. Competency is established at a point in time and then assumed to persist. It does not.
Anti-bribery law develops continuously. Enforcement agencies issue new guidance, pursue new cases, and signal new priorities. Significant enforcement actions — FCPA corporate settlements, SFO prosecutions, cross-border deferred prosecution agreements — establish new standards for what adequate procedures and competent management look like. A person who was genuinely competent in 2020 is not necessarily still competent in 2025 on the basis of that original learning.
The most effective model borrows from the continuing professional education (CPE) frameworks used in law, accounting, and other professions: they define a minimum annual activity requirement, specify which activities qualify, and require documented evidence.
Designing an ABMS Continuing Competency Framework
Step 1: Define Annual Hours Requirements by Role
Role Category | Examples | Min. Hrs |
|---|---|---|
High-intensity | ABCO, CCO, General Counsel, Internal Audit ABMS specialists | 20 |
Substantive | Senior executives, high-risk function leaders, Risk Management, HR leaders | 10 |
Operational | Sales, procurement, finance — operational level. One formal refresher event required annually. | 4 |
Awareness | General staff, IT, administrative functions. Typically satisfied by the annual refresher. | 2 |
Step 2: Define Qualifying Activities
Not every form of learning qualifies equally. The following eight categories are appropriate qualifying activities for an ABMS continuing competency framework.
Activity Type | Description & Qualifying Criteria |
|---|---|
Formal Training & Qualifications | ICA, ACFE, IBA, law firm CLE programmes; CCEP, CFE, CAMS certifications and their annual CPE requirements. For internal auditors, completion of an ISO 37001 internal auditor training course delivered by an accredited certification body is a baseline competency requirement. |
External Conferences & Seminars | Compliance Week, ACFE Global Fraud Conference, IBA Anti-Corruption Committee events, GRC summits, FCPA/Bribery Act update seminars from law firms or bar associations. |
Webinars & Online Learning | Regulatory update webinars from enforcement agencies; professional body topical webinars; structured online modules. Minimum 45 minutes with substantive content; brief awareness videos do not qualify. |
Enforcement Case Reviews | Structured debrief of significant enforcement actions (DOJ FCPA resolutions, SFO DPAs, domestic enforcement). Documented with date, participants, case reviewed, duration, key learnings. |
Internal Training Delivery | Designing and delivering ABMS training to colleagues. Credited at 2:1 ratio — one hour of delivery counts as two qualifying hours. |
Professional Association Activity | Committee membership, working group contributions, chapter events, peer network participation. Substantive engagement required, not nominal membership. |
Regulatory Reading & Research | Reviewing new guidance from FATF, OECD, DOJ, SFO, OFAC, domestic regulators. Claims must identify the specific document and a reasonable time allocation. |
External Expert Engagement | Briefings or consultations with external anti-bribery counsel, specialist advisers, or certification body auditors. Includes certification audit debriefs and advisory sessions on new risk areas. |
Internal auditors responsible for evaluating the ABMS must complete a formal ISO 37001 internal auditor training course delivered by an accredited certification body with recognised expertise in anti-bribery. This is not an optional development activity — it is a baseline competency requirement.
The enforcement case review category deserves particular emphasis. When the DOJ publishes a new FCPA resolution, when the SFO secures a conviction or DPA, or when a significant domestic enforcement action is publicised, this represents a genuine competency development opportunity. A compliance team that conducts a formal debrief — reviewing the facts, the control failures, what could have been done differently, and the implications for its own ABMS — is engaged in material competency development. These sessions should be documented with date, participants, case reviewed, duration, and key learnings.
Step 3: Require Documentation
Every qualifying activity must be documented. The organisation should maintain an individual competency log for each person in scope, recording: the person's name and role; required annual hours; each qualifying activity (date, type, title, provider, duration, evidence); cumulative hours against the requirement; and annual review sign-off. Logs should be updated in real time — not reconstructed at year end.
Step 4: Embed in the Management Review
Competency should be a standing agenda item in the ABMS management review (Clause 9.3). The annual review should address: aggregate compliance with continuing competency requirements; roles where requirements were not met and the reason; significant regulatory changes requiring targeted updates; structural changes that alter the matrix; and competency-related corrective actions from the previous review.
What Auditors Will Look For: The Records Requirement
An ISO 37001 certification audit will examine Clause 7.2 compliance as a matter of course. External regulators reviewing the adequacy of an anti-bribery programme will also look at competency records as an indicator of programme seriousness.
Record | What It Must Show |
|---|---|
The Competency Matrix | Current approved version, showing required proficiency levels by role across all domains. Version-controlled, with date of last review. |
Assessment Records | Evidence that competency has been assessed for each role, not merely assumed from qualifications or tenure. Critical for new hires, role changes, and promotions. |
Gap Analysis & Remediation Plans | Documented instances where gaps were identified, agreed remediation activities, and confirmation that remediation was completed. |
Individual Competency Logs | Ongoing record of continuing competency activity for each person in scope, updated at least annually. |
Training Records | Attendance records, completion certificates, and assessment results for all formal training activities. |
Management Review Records | Minutes or reports demonstrating that competency was addressed in the annual management review. |
The absence of any of these records is an audit finding. The absence of several is a major nonconformity under the standard.
Practical Considerations for Implementation
Start with the ABCO and work outward — The organisation's own anti-bribery compliance function should be the first area of rigorous competency assessment. If the person responsible for the ABMS cannot demonstrate that they meet the competency requirements of their role, the credibility of the entire system is undermined.
Use the risk assessment to prioritise — The risk assessment required under Clause 5 identifies areas of highest bribery risk. The competency matrix should reflect that prioritisation. Roles closest to the highest-risk transactions, geographies, and counterparties warrant the most rigorous requirements.
Distinguish the matrix from the training plan — The competency matrix defines what is required. The training plan is one mechanism by which requirements are met. A training plan not grounded in a competency matrix is activity without direction.
Build escalation into the design — For operational roles, the most critical competency is often knowing what you do not know and escalating accordingly. A framework that produces people who are overconfident about the boundaries of their authority is more dangerous than one that produces people who know to ask.
Treat new joiners as a specific risk — New employees arriving in in-scope roles represent a specific competency risk. They need to be assessed against the matrix promptly, not assumed competent. Onboarding should include structured competency orientation, not simply a standard e-learning module.
Link competency to performance — Where appropriate, continuing competency requirements should be reflected in performance objectives. An ABCO whose annual objectives do not include maintaining and developing their anti-bribery competency has a programme design gap.
Conclusion: Competency as a System, Not a Snapshot
The most important reframe that organisations need to make about competency is this: it is not a state that is achieved and then maintained on autopilot. It is a system that must be actively managed.
The competency matrix provides the architecture — the definition of what is required, by whom, and at what level. The assessment process establishes where people currently sit. The gap analysis and remediation process closes the distance. The continuing competency framework ensures the distance does not reopen over time.
What ties the system together is documentation. Not documentation as an end in itself, but documentation as the discipline that forces the organisation to be honest about whether its ABMS operates as described. An auditor can only evaluate what is recorded. ISO 37001 asks organisations to take anti-bribery seriously. Taking competency seriously is one of the most direct ways to demonstrate that they do.
About Speeki
Speeki is an ISO-accredited assurance and certification body, accredited by COFRAC and ANAB under ISO/IEC 17021-1 for management system certification including ISO 37001. Our role as a certification body is fundamentally different from that of a consultant: we do not implement ABMS programmes, which means we have no conflict of interest in evaluating them.
We work with organisations at every stage of the certification journey — from gap assessment through to certification audit and ongoing surveillance — and competency is consistently one of the most common areas where programmes fall short of what the standard requires.
If you are building or reviewing your ABMS competency framework and want to understand how it will be evaluated in a certification context, or if you are preparing for your initial or recertification audit and want to test your Clause 7.2 position against what auditors actually examine, contact us at speeki.com.
This whitepaper is produced by Speeki for informational purposes. It is not legal advice.