Quick Read
ISO 37001:2025 Clause 7.2.2.2 requires organisations to implement three distinct human resources controls for high-risk positions: pre-employment due diligence that goes beyond standard background checks to assess bribery compliance likelihood, periodic review of incentive structures to prevent them from encouraging bribery, and regular compliance declarations from in-scope personnel and leadership. Most organisations meet only the first requirement through conventional background screening and neglect the substantive assessment of remuneration safeguards and formal compliance declarations. This whitepaper clarifies what each sub-clause actually demands and provides a practical framework to close the compliance gap.
Executive Summary
Clause 7.2.2.2 of ISO 37001:2025 is one of the most consistently misunderstood requirements in the entire standard. It sits within the human resources controls and imposes three distinct obligations on organisations for all positions exposed to more than a low bribery risk. Most organisations are aware of one of those obligations. Very few are meeting all three.
The clause requires organisations to implement procedures that provide for: (a) due diligence on persons before they are employed, transferred, or promoted, to ascertain that it is appropriate to employ or redeploy them and reasonable to believe they will comply with the anti-bribery policy and the ABMS; (b) periodic review of performance bonuses, targets, and other incentivising elements of remuneration to verify that reasonable safeguards exist to prevent them from encouraging bribery; and (c) periodic compliance declarations from in-scope personnel, top management, and the governing body, confirming their compliance with the anti-bribery policy.
In audit after audit, organisations present their background check processes as evidence of compliance with sub-clause (a) — showing reference checks, sanctions screening results, and reports from commercial background check providers. They believe, in good faith, that they are meeting the requirement. Most are not. And the majority have done nothing substantive to address sub-clauses (b) and (c).
The standard does not ask whether a candidate has a clean criminal record. It asks whether the organisation has reasonable grounds to believe the individual will comply with the anti-bribery policy and the ABMS. That is a fundamentally different question — and answering it requires a fundamentally different process.
This white paper examines all three sub-clauses, explains what each actually requires, identifies the misconceptions that drive non-compliance, and provides a practical framework for building a programme that meets the standard and protects the organisation. It gives particular attention to the guidance in Annex A.8.1, which describes seven specific dimensions of personnel due diligence — including two that require the organisation to assess whether the act of hiring itself could constitute bribery.
It is written from the perspective of an ISO 37001 auditor who has seen these failures repeatedly across industries and jurisdictions, and is intended to help compliance professionals, HR leaders, and management system owners understand the gap between what they are doing and what they need to be doing.
What the Standard Actually Requires
Clause 7.2.2.2 sits within Section 7.2 (Competence, Training and Awareness) and addresses the human resources procedures that must be in place for positions exposed to more than a low bribery risk, as determined by the organisation’s bribery risk assessment under Clause 4.5. It also applies to the anti-bribery compliance function itself.
The clause contains three distinct requirements. Each is mandatory. Each addresses a different dimension of personnel-related bribery risk. And each is routinely underperformed.
Sub-Clause (a): Pre-Employment and Pre-Redeployment Due Diligence
The standard requires that due diligence (cross-referencing Clause 8.2) is conducted on persons before they are employed, and on personnel before they are transferred or promoted. The timing is explicit — this is a pre-appointment requirement, not a post-hoc exercise.
The purpose of the due diligence is twofold. First, to ascertain as far as is reasonable that it is appropriate to employ or redeploy the individual. Second, to establish that it is reasonable to believe the individual will comply with the anti-bribery policy and the anti-bribery management system requirements. These are two distinct tests, and organisations must be able to demonstrate evidence against both.
Critically, the clause scope extends well beyond new hires. Internal transfers to higher-risk roles and promotions into positions with greater bribery exposure are explicitly included. An individual who was low-risk in a domestic support function becomes a different proposition when transferred to a commercial role in a high-risk jurisdiction. The standard requires that the organisation treats this transition as a due diligence trigger.
Note 2 to the clause directs the reader to Annex A.8 for guidance. The guidance in A.8.1 is instructive because it provides seven specific examples of actions an organisation can take when conducting due diligence on personnel. These examples go far beyond background checks and sanctions screening — and include assessments that most organisations have never considered. The guidance is examined in detail in this paper.
Sub-Clause (b): Review of Performance Incentives
The standard requires that performance bonuses, performance targets, and other incentivising elements of remuneration are reviewed periodically to verify that there are reasonable safeguards in place to prevent them from encouraging bribery.
This is the requirement that most organisations miss entirely. It recognises a fundamental reality: incentive structures can create the conditions for bribery. A sales target that is unrealistically aggressive in a high-risk market creates pressure to win business by any means. A bonus structure tied exclusively to revenue without governance safeguards incentivises risk-taking. A procurement KPI focused solely on cost reduction creates pressure to accept suppliers who offer inducements.
The standard does not require the elimination of performance incentives. It requires that they are reviewed, with safeguards verified, to ensure they do not inadvertently encourage bribery. This review must be periodic — a one-time assessment at programme launch is not sufficient.
Sub-Clause (c): Anti-Bribery Compliance Declarations
The standard requires that in-scope personnel, top management, and the governing body (if any) file a declaration at reasonable intervals, proportionate with the identified bribery risk, confirming their compliance with the anti-bribery policy.
The compliance declaration can stand alone or form part of a broader compliance declaration process (Note 1 to the clause). The frequency must be proportionate to the identified bribery risk — an annual declaration may be appropriate for moderate-risk roles, while senior leaders in high-risk positions may require more frequent attestation.
This is a control that is either absent entirely or implemented as a perfunctory annual tick-box exercise with no substance. An auditor will look for evidence that the declarations are designed, distributed, collected, and reviewed — and that the process is capable of identifying non-compliance, not just generating a compliance statistic.
Clause 7.2.2.2 imposes three obligations, not one. An organisation that has addressed only due diligence — even if it has addressed it well — is meeting one-third of the requirement.
Scope: Who Is In Scope?
The clause applies to “all positions which are exposed to more than a low bribery risk, as determined in the bribery risk assessment (see 4.5).” It also applies to the anti-bribery compliance function regardless of its risk rating.
This scope determination is critical and is where many organisations make their first mistake. The population in scope is not limited to senior executives or compliance officers. It encompasses anyone whose role the organisation’s own bribery risk assessment has classified as more than low risk. This typically includes:
Sales and commercial roles, particularly in government-facing markets
Procurement and supply chain management roles
Finance and treasury roles with payment authority
Roles involving government or regulatory interaction
Country managers and regional directors in high-risk jurisdictions
Senior leadership with strategic decision-making authority
The anti-bribery compliance function itself
The organisation must have a documented basis for determining which roles are in scope. This requires a completed bribery risk assessment under Clause 4.5 that maps roles to bribery risk levels. Without this, there is no rational basis for scoping Clause 7.2.2.2 — and an auditor will note the gap immediately.
If the organisation cannot demonstrate which roles are classified as more than low bribery risk, the entire Clause 7.2.2.2 programme is built on an unsupported foundation. The risk assessment under 4.5 is the entry point.
Sub-Clause (a): The Due Diligence Problem
Sub-clause (a) cross-references Clause 8.2 for the due diligence methodology. Clause 8.2 requires that due diligence be based on information from independent and reliable sources and be reasonable and proportionate to the bribery risk. These two requirements — independence and proportionality — are the tests against which the due diligence programme is judged.
In practice, organisations confuse three distinct processes, each of which has a legitimate purpose but none of which — individually or collectively — constitutes anti-bribery due diligence as contemplated by the standard.
Misconception 1: Reference Checks Are Due Diligence
Reference checks serve a legitimate HR purpose: they verify employment history, confirm role descriptions, and gather subjective assessments of performance. They are not due diligence.
References are nominated by the candidate, making them inherently non-independent. Referees have a social incentive to provide positive feedback. The questions asked are rarely designed to elicit information about integrity, bribery risk, or ethical conduct. And even where a referee has concerns, they are unlikely to volunteer them in a structured reference call.
An auditor reviewing reference check records as evidence of sub-clause (a) compliance will note the absence of independence and the absence of any assessment directed at whether the individual will comply with the anti-bribery policy.
Misconception 2: Sanctions and PEP Screening Is Due Diligence
Screening a candidate against sanctions lists (OFAC, EU, UN), politically exposed persons databases, and AML watchlists serves a critical compliance function — but it is not anti-bribery due diligence.
These databases answer binary questions: is this person on a list? Have they been designated under a sanctions regime? Are they a PEP? These are important regulatory checks, but they do not address the question the standard is asking: is it reasonable to believe this person will comply with the anti-bribery policy and the ABMS? A person with no sanctions history and no PEP designation can still pose a significant bribery risk.
Misconception 3: Background Check Services Are Due Diligence
Commercial background check providers offer valuable verification services: identity confirmation, criminal record checks, education and employment verification, credit history, directorship searches, and media screening. These services are useful, but they are verification, not investigation.
A background check confirms whether the information a candidate has provided is accurate and whether there are any publicly recorded adverse events. It does not investigate bribery risk. It does not assess whether the individual is likely to comply with the anti-bribery policy. It does not examine conflicts of interest, undisclosed business relationships, or patterns of conduct that might indicate corruption exposure.
For moderate-risk roles, a well-configured background check may form part of the due diligence package. For high-risk roles — particularly senior appointments with financial authority or government-facing responsibilities — it is grossly insufficient on its own.
| Screening Type | Primary Purpose | Addresses Sub-Clause (a) Test? |
|---|---|---|
| Reference Checks | Verify employment history; gather subjective performance assessments from candidate-nominated referees | No. Not independent; does not assess propensity to comply with the anti-bribery policy or ABMS. |
| Sanctions / PEP / AML Screening | Identify individuals on regulatory watchlists or designated as politically exposed | No. Binary list check; a clean result does not establish that it is reasonable to believe the person will comply with the ABMS. |
| Commercial Background Checks | Verify identity, criminal records, education, employment, credit, directorships | Partially. Confirms factual accuracy; does not assess integrity, conflicts, or compliance propensity. |
| Anti-Bribery Due Diligence (Clause 8.2) | Ascertain appropriateness of employment and reasonable belief in compliance with the anti-bribery policy and ABMS | Yes. Investigative, risk-proportionate, drawn from independent and reliable sources; directly addresses the clause test. |
If your programme consists exclusively of the first three rows, you have a verification programme, not a due diligence programme. The standard requires the fourth row.
The Standard’s Guidance: Annex A.8.1
Note 2 to Clause 7.2.2.2 directs the reader to Annex A.8 for guidance on employment procedures. Annex A.8.1 provides seven specific examples of actions an organisation can take when undertaking due diligence on persons prior to appointment, depending on the proposed function and corresponding bribery risk. These examples deserve careful attention because they reveal the breadth of inquiry the standard contemplates — and expose how narrow most organisations’ current processes are.
(a) Discussing the Anti-Bribery Policy at Interview
The guidance suggests discussing the organisation’s anti-bribery policy with prospective personnel at interview, and forming a view as to whether they appear to understand and accept the importance of compliance. This is a qualitative, judgement-based assessment — not a background check. It requires the interviewer to be equipped to have a substantive conversation about anti-bribery expectations and to document their assessment of the candidate’s response.
Most organisations do not raise anti-bribery compliance during interviews for any role, let alone document the candidate’s reaction. For high-risk roles, this should be a structured component of the interview process, with documented assessment criteria.
(b) Verifying Qualifications
The guidance recommends taking reasonable steps to verify that prospective personnel’s qualifications are accurate. This is the one area where most organisations perform adequately, through commercial background check providers. The key word is “reasonable” — the depth of verification should be proportionate to the role.
(c) Obtaining Satisfactory References
The guidance suggests taking reasonable steps to obtain satisfactory references from prospective personnel’s previous employers. Note the emphasis on “satisfactory” — this implies a qualitative assessment of the reference content, not merely the act of collecting a reference. A reference that is vague, non-committal, or that raises concerns is not satisfactory. Organisations should have criteria for assessing reference quality and a documented process for escalating unsatisfactory references.
(d) Determining Prior Involvement in Bribery
The guidance recommends taking reasonable steps to determine whether prospective personnel have been involved in bribery. This goes beyond a criminal record check. Criminal convictions for bribery are rare relative to the incidence of bribery itself. The guidance contemplates a broader inquiry: media analysis, industry intelligence, regulatory actions, civil proceedings, debarment lists, and any other available information that might indicate involvement in bribery — even where no criminal conviction exists.
This is the point at which background checks reach their limit. A clean criminal record is not evidence of non-involvement in bribery. It is evidence of non-conviction. The standard asks a different question.
(e) Verifying the Organisation Is Not Offering Employment as a Reward
This is arguably the most overlooked and most important item in the guidance. The standard asks the organisation to take reasonable steps to verify that it is not offering employment to prospective personnel in return for their having, in previous employment, improperly favoured the organisation.
This flips the due diligence lens entirely. Most organisations ask: is this person a risk to us? The standard also asks: are we creating a risk by hiring this person? Is the job offer itself an act of bribery — a reward for past corrupt conduct that benefited us?
Consider the scenario: a procurement official at a government agency consistently awarded contracts to the organisation over a period of years. That individual leaves government and applies for a role at the organisation. Under item (e), the organisation must assess whether the job offer could constitute a reward for the official’s prior favourable treatment. If it does, the employment itself is an act of bribery — regardless of the individual’s qualifications.
This assessment requires the organisation to review its prior business relationship with the candidate’s former employer, identify any contracts or decisions in which the candidate was involved, and assess whether the employment offer could reasonably be perceived as a quid pro quo. It is a fundamentally different kind of due diligence — one that examines the organisation’s own conduct and motivations, not just the candidate’s history.
(f) Verifying the Purpose of the Employment Offer
Item (f) applies the same principle to future conduct. It requires the organisation to verify that the purpose of offering employment to the prospective personnel is not to secure improper favourable treatment for the organisation in the future.
This addresses a classic corruption typology: hiring an individual — particularly a former government official, regulator, or decision-maker at a key client — not for their skills, but for their influence, relationships, or ability to direct future business to the organisation. The standard requires the organisation to examine the true purpose of the hire and document its assessment.
In practice, this means asking: why are we hiring this person? Is the primary driver their professional capability, or is it their network, their relationships, or their ability to influence outcomes in our favour? If the answer is the latter, the organisation must consider whether the hire itself creates a bribery risk — even if no explicit corrupt agreement exists.
(g) Identifying Relationships to Public Officials
The guidance recommends taking reasonable steps to identify the prospective personnel’s relationship to public officials. This extends beyond the candidate’s own status as a current or former public official. It includes family relationships, business partnerships, political affiliations, and any other connections to public officials that could create a conflict of interest or a channel for corrupt influence.
In high-risk jurisdictions, these relationships can be complex and opaque. Due diligence in this area requires more than a PEP database check — it requires inquiry into the candidate’s broader network and an assessment of whether those relationships create bribery exposure for the organisation.
The A.8.1 guidance describes seven dimensions of personnel due diligence. Most organisations address two of them (qualifications and references) and partially address a third (prior involvement in bribery through background checks). Items (e) and (f) — which require the organisation to assess whether the hire itself could constitute bribery — are almost universally ignored. Yet they represent some of the most significant bribery risks an organisation can face. An auditor who is familiar with Annex A.8.1 will assess the organisation’s due diligence programme against all seven items, not just the first three. |
|---|
What Genuine Due Diligence Looks Like
A compliant sub-clause (a) programme must be risk-stratified. The clause applies to all positions exposed to more than a low bribery risk, but the depth of due diligence should be proportionate to the level of risk. A role classified as moderate risk does not require the same investigation as a senior appointment in a high-risk jurisdiction.
Moderate-Risk Roles
For roles classified as more than low but not at the highest risk tier, a reasonable due diligence package typically includes:
Identity and right-to-work verification
Criminal record check (where legally permitted in the jurisdiction)
Employment history verification from independent sources (not candidate-nominated references alone)
Education and professional qualification verification
Sanctions, PEP, and AML screening
Basic adverse media search
Conflict of interest declaration (self-disclosure, cross-checked where possible)
This package combines verification with a basic layer of independent screening. The conflict of interest declaration is particularly important — it provides a documented baseline against which future disclosures or discoveries can be measured.
High-Risk Roles
For senior roles, roles with significant financial authority, government-facing positions, roles in high-risk jurisdictions, or any role that the organisation’s risk assessment classifies at the highest bribery risk tier, the due diligence must go substantially further:
All moderate-risk checks, plus:
Enhanced media and intelligence analysis using multiple independent sources (not just a Google search)
Source-based inquiries — contacting former colleagues, industry contacts, and regulatory bodies independently (not through candidate-nominated referees)
Conflict of interest investigation — reviewing directorships, business interests, family connections, and undisclosed relationships that could create bribery exposure
Jurisdictional risk overlay — assessing whether the individual’s career history includes prolonged periods in high-risk jurisdictions where bribery is endemic
Integrity assessment — structured interviews or assessment tools designed to evaluate ethical decision-making and responses to integrity dilemmas
Financial probity review — where legally permissible and proportionate, assessing whether the individual’s financial position is consistent with their declared income and career history
Reverse lens assessment (A.8.1(e) and (f)) — verifying that the organisation is not offering employment as a reward for past favourable treatment, and that the purpose of the hire is not to secure future improper advantage
Public official relationship mapping (A.8.1(g)) — identifying the individual’s relationships to public officials, including family, business, and political connections
This is what independent and reliable sources look like in practice for high-risk appointments under Clause 8.2. It is investigative, not administrative.
Transfers and Promotions
The clause explicitly requires that due diligence is conducted before personnel are transferred or promoted into in-scope roles. This is the trigger that most organisations miss. An individual hired five years ago into a low-risk role may have undergone appropriate checks at the time. When they are promoted to a high-risk commercial role or transferred to a high-risk jurisdiction, the original due diligence is no longer fit for purpose.
Organisations must define and document the triggers for refreshed due diligence within their HR and compliance workflows. Without these triggers, the clause requirement is being met only at the point of hire and ignored thereafter.
The clause says “before they are transferred or promoted.” Not after. Not during onboarding into the new role. Before. If the due diligence is conducted after the individual has started in the new position, it is too late to satisfy the requirement.
Audit Findings: Due Diligence Failures
The following examples are drawn from real ISO 37001 audit findings (anonymised) where organisations failed to apply adequate due diligence under sub-clause (a).
Example 1: Regional Director, Sub-Saharan Africa
A multinational appointed a Regional Director for Sub-Saharan Africa with oversight of government contracts in six high-risk jurisdictions. The due diligence consisted of a commercial screening provider background check (clean result) and two candidate-nominated references (both positive). No independent media analysis was conducted. No conflict of interest investigation was performed. No source-based inquiries were made. Within 18 months, the individual was implicated in a facilitation payment scheme involving a government procurement official.
Example 2: Chief Commercial Officer, Energy Sector
An energy company appointed a Chief Commercial Officer responsible for negotiating contracts with state-owned enterprises. The individual had previously held senior positions in two jurisdictions with elevated corruption perception indices. The company’s due diligence consisted of standard employment verification and a sanctions screening. No investigation into the individual’s tenure in high-risk markets was conducted. The auditor raised a minor nonconformity, noting that the due diligence was not proportionate to the bribery risk and could not establish a reasonable basis for believing the individual would comply with the anti-bribery policy.
Example 3: Internal Promotion to Head of Procurement
A construction firm promoted an internal employee to Head of Procurement with authority to approve supplier contracts up to USD 10 million. No due diligence was conducted in connection with the promotion — the organisation assumed that the checks performed at the point of original hire five years earlier were sufficient. No conflict of interest review was conducted. A subsequent internal audit revealed that the individual held undisclosed business interests in two supplier companies. The auditor raised a minor nonconformity for failing to conduct due diligence before the promotion, as required by the clause.
Example 4: Country Manager Transfer, Southeast Asia
A pharmaceutical company transferred a mid-level manager to the role of Country Manager for a Southeast Asian market classified as high-risk in the company’s own risk assessment. The transfer was made urgently to fill a gap, and due diligence was limited to identity verification and a sanctions check — the same checks performed when the individual was originally hired into a low-risk domestic role. The auditor raised a minor nonconformity and noted that the organisation’s own risk classification required enhanced due diligence that was not applied to the transfer.
In every one of these cases, the organisation had a background check process in place. In every case, the process was insufficient to establish that it was appropriate to employ or redeploy the individual and reasonable to believe they would comply with the anti-bribery policy. The standard does not reward effort — it requires effectiveness.
Sub-Clause (b): Performance Incentives
Sub-clause (b) is the requirement that organisations most frequently overlook entirely. It requires that performance bonuses, performance targets, and other incentivising elements of remuneration are reviewed periodically to verify that there are reasonable safeguards in place to prevent them from encouraging bribery.
The logic is straightforward: incentive structures shape behaviour. If an organisation creates aggressive revenue targets in a high-risk market with no governance safeguards, it is creating the conditions under which bribery becomes a rational economic decision for the individuals tasked with meeting those targets. The standard recognises this and requires the organisation to address it proactively.
What the Review Must Cover
The periodic review of incentive structures should assess:
Revenue and sales targets: Are targets for high-risk markets or government-facing business calibrated to reflect the additional constraints of operating within the ABMS? Are targets set without reference to the bribery risk profile of the market?
Bonus structures: Are bonuses tied exclusively to financial performance, or do they include governance, compliance, and ethical conduct metrics? Is there a mechanism to claw back bonuses where bribery or non-compliance is subsequently identified?
Procurement KPIs: Are procurement performance metrics focused solely on cost reduction, or do they include supplier due diligence completion rates, compliance with approved supplier lists, and adherence to anti-bribery controls?
Commission structures: Are sales commissions structured in a way that creates disproportionate incentives for winning specific contracts or accounts that carry elevated bribery risk?
Non-financial incentives: Are promotions, recognition, or career advancement linked in any way to performance metrics that could indirectly encourage bribery?
Common Audit Findings
The following are typical findings relating to sub-clause (b):
No documented review of incentive structures has ever been conducted against bribery risk
Sales targets for high-risk jurisdictions are set identically to low-risk markets with no governance overlay
Bonus structures contain no compliance or governance component and no clawback mechanism
The HR and compliance functions have never jointly reviewed the incentive framework
The organisation argues that incentive review is a “business decision” outside the scope of the ABMS
The last point is particularly common and reflects a fundamental misunderstanding. The standard does not require the organisation to change its incentive structures. It requires that they are reviewed to verify that safeguards exist. An organisation that has never conducted this review is non-compliant regardless of whether its incentive structures are, in fact, reasonable.
The standard requires review and verification. An organisation that says “our incentives don’t encourage bribery” without documented evidence of periodic review has not met the requirement. The assertion is not a substitute for the process.
Sub-Clause (c): Compliance Declarations
Sub-clause (c) requires that in-scope personnel, top management, and the governing body file a declaration at reasonable intervals, proportionate with the identified bribery risk, confirming their compliance with the anti-bribery policy.
This is a control that is either absent or implemented as a meaningless annual tick-box. Neither is acceptable.
What a Compliant Declaration Process Looks Like
A compliant declaration process requires:
Defined scope: The organisation must identify who is required to file declarations. The clause specifies in-scope personnel (positions exposed to more than low bribery risk), top management, and the governing body.
Proportionate frequency: The interval must be proportionate to the bribery risk. Annual declarations may be appropriate for moderate-risk roles. Senior leadership and high-risk roles may require six-monthly or even quarterly declarations. The frequency must be documented and justified.
Substantive content: The declaration must require the individual to confirm their compliance with the anti-bribery policy. A generic “I comply with all company policies” checkbox is insufficient. The declaration should specifically reference the anti-bribery policy and the ABMS, and should require the individual to confirm that they have not engaged in, facilitated, or become aware of conduct inconsistent with the policy.
Collection and tracking: The organisation must have a mechanism to distribute, collect, and track declarations. An auditor will ask for completion rates, follow-up procedures for non-responders, and evidence that the process is actively managed.
Review and escalation: Completed declarations must be reviewed. If an individual discloses a concern, conflict, or potential breach, there must be a documented escalation process. If the organisation collects declarations but never reviews them, the control is not effective.
Integration with Broader Compliance Programmes
Note 1 to the clause confirms that the anti-bribery compliance declaration can be a standalone document or a component of a broader compliance declaration process. Many organisations already have annual compliance or conflict of interest declaration processes in place. The anti-bribery declaration can be integrated into these existing programmes, provided that the anti-bribery-specific content is substantive and clearly distinguishable.
An auditor will look for evidence that the anti-bribery element is not buried within a generic compliance attestation to the point of meaninglessness. The declaration must specifically address anti-bribery policy compliance, not merely assert general policy adherence.
Common Audit Findings
No compliance declaration process exists for anti-bribery policy compliance
Declarations are collected annually but contain only generic language about “complying with company policies” with no specific reference to the ABMS
Declarations are distributed to all employees uniformly rather than being scoped to in-scope personnel, top management, and the governing body as required
Completion rates are not tracked and non-responders are not followed up
Declarations are collected but never reviewed — no process exists to act on disclosures
The frequency is uniform (annual for all) with no risk-proportionate differentiation
Implementation Framework
Building a compliant Clause 7.2.2.2 programme requires addressing all three sub-clauses systematically. The following framework is sequenced for practical implementation.
Phase 1: Foundation (Immediate)
Step 1 — Map roles to bribery risk using the Clause 4.5 risk assessment. Identify all positions exposed to more than a low bribery risk. Document the classification and the rationale.
Step 2 — Define tiered due diligence requirements for moderate-risk and high-risk roles. Document the specific checks required for each tier, the responsible function, and the sources to be used.
Step 3 — Identify independent and reliable sources for high-risk due diligence. Engage specialist investigators where internal capability is insufficient.
Phase 2: Build Controls (Within 60 Days)
Step 4 — Separate reference checking from due diligence in process documentation. Ensure that HR and compliance understand the distinction.
Step 5 — Implement a pre-appointment completion requirement. No individual should commence employment in, or be transferred or promoted to, an in-scope role until due diligence is completed.
Step 6 — Define triggers for refreshed due diligence on transfers and promotions. Integrate these triggers into the HR workflow.
Step 7 — Conduct the first documented review of performance incentives against bribery risk. Assess sales targets, bonus structures, procurement KPIs, and commission arrangements for all in-scope roles.
Phase 3: Sustain and Mature (Within 120 Days)
Step 8 — Design and implement the anti-bribery compliance declaration process. Define the scope, frequency, content, distribution mechanism, and review process.
Step 9 — Train HR and hiring managers on tiered due diligence requirements and the distinction between verification and investigation.
Step 10 — Establish the periodic review cycle for incentive structures (at least annual, more frequent where material changes occur).
Step 11 — Integrate all three sub-clause processes into the management review agenda to ensure ongoing governance and continual improvement.
Implementation Checklist
The following checklist covers all three sub-clauses and is sequenced by priority.
| Sub-Clause | Action | Owner | Timeline |
|---|---|---|---|
| (a) | Complete role-based bribery risk classification under Clause 4.5 | Compliance / HR | Immediate |
| (a) | Document tiered due diligence requirements (moderate-risk vs. high-risk) | Compliance | Within 30 days |
| (a) | Identify and engage independent sources for high-risk investigations | Compliance | Within 30 days |
| (a) | Implement pre-appointment completion requirement for all in-scope hires, transfers, and promotions | HR / Compliance | Within 60 days |
| (a) | Define and document triggers for refreshed due diligence on role changes | HR / Compliance | Within 60 days |
| (a) | Separate reference checking from due diligence in documentation and practice | HR / Compliance | Within 60 days |
| (b) | Conduct first documented review of incentive structures against bribery risk | HR / Compliance / Finance | Within 60 days |
| (b) | Assess sales targets, bonus structures, commission arrangements, and procurement KPIs | HR / Business Units | Within 60 days |
| (b) | Document safeguards and any remediation required | Compliance | Within 90 days |
| (b) | Establish periodic review cycle (at least annual) | Compliance / HR | Within 90 days |
| (c) | Design anti-bribery compliance declaration (scope, content, frequency) | Compliance | Within 90 days |
| (c) | Implement distribution, collection, and tracking mechanism | Compliance / HR / IT | Within 120 days |
| (c) | Define review and escalation process for disclosures | Compliance | Within 120 days |
| (c) | Conduct first declaration cycle for in-scope personnel, top management, and governing body | Compliance | Within 120 days |
| All | Integrate all three sub-clause processes into management review | Compliance | Ongoing |
| All | Conduct annual review of programme effectiveness and risk classifications | Compliance / HR | Annual |
Conclusion
Clause 7.2.2.2 is not a background check requirement. It is a comprehensive human resources control that addresses three distinct dimensions of personnel-related bribery risk: the integrity of the people you employ, the incentive structures that shape their behaviour, and the accountability mechanism that requires them to attest to their compliance.
Most organisations address only the first of these — and even then, they typically address it inadequately, confusing verification with investigation and treating background checks as a substitute for risk-proportionate due diligence. The guidance in Annex A.8.1 describes seven dimensions of personnel due diligence, including the critical requirement to assess whether the act of hiring itself could constitute bribery. Most organisations address two or three of the seven and have never considered the rest.
The gap between current practice and the standard’s requirements is significant but addressable. It requires a shift in mindset — from verification to investigation, from uniform to risk-stratified, from administrative to analytical — and an expansion of scope to encompass incentive review and compliance declarations.
Organisations that make this shift will not only meet the standard but materially strengthen their anti-bribery defences. They will know more about the people they employ, have greater confidence that their incentive structures do not create perverse outcomes, and maintain an ongoing accountability mechanism that reinforces the anti-bribery culture from the top down.
If your due diligence programme cannot tell you anything about a candidate that the candidate did not already tell you, it is not due diligence. It is verification.
If you have never assessed whether a hire could itself constitute a reward for past corrupt conduct (A.8.1(e)) or an attempt to secure future improper advantage (A.8.1(f)), you are missing the standard’s most critical due diligence dimension.
If you have never reviewed your incentive structures against bribery risk, you have an open nonconformity waiting to be found.
If your compliance declarations are generic policy attestations, they are not meeting the standard.
Clause 7.2.2.2 requires all three sub-clauses. Annex A.8.1 describes seven dimensions of due diligence. The standard is clear. The question is whether your programme measures up.
Speeki
Speeki is a global ESG assurance and ISO certification firm accredited under ISO 17021-1, operating across 100+ countries. We provide independent sustainability assurance, ISO management system certification (including ISO 37001, ISO 37301, ISO 42001, and others), and non-financial audit services.
Learn more at: speeki.com