Quick Read
An ISO 37001 Performance Dashboard consolidates evidence from an Anti-Bribery Management System—including risk assessments, control tests, due diligence records, training completion, and audit findings—into a single real-time view that enables compliance officers and senior management to evaluate programme health and effectiveness. ISO 37001 explicitly requires measurement and monitoring (Clauses 9.1–9.3), making the dashboard essential for demonstrating that controls are working, risks are tracked, and management reviews are rigorous. A well-maintained dashboard serves as persuasive evidence of active, visible, and sustained management commitment during regulatory investigations, certification audits, and due diligence inquiries.
1. The Case for a Performance Dashboard
An Anti-Bribery Management System built to ISO 37001 is more than a set of policies and procedures. It is an operational framework that generates continuous evidence — risk assessments, control test results, due diligence records, training completions, speak-up reports, audit findings, and management decisions. That evidence only has value if it is consolidated, visible, and acted upon.
The ABMS Performance Dashboard is the mechanism through which all of that evidence is brought together into a single, real-time view of programme health. It allows compliance officers, the Anti-Bribery Function (ABF), senior management, and governing body members to understand — at a glance and in detail — whether the organisation's anti-bribery controls are working, where risks are concentrating, and whether the programme is improving over time.
1.1 Why ISO 37001 Requires Measurement
ISO 37001 is explicit that measurement and monitoring are not optional. Clause 9.1 requires the organisation to evaluate the performance of the ABMS and its effectiveness. Clause 9.2 requires a structured internal audit programme to confirm that the system conforms to requirements and is effectively implemented. Clause 9.3 requires top management to conduct formal reviews of ABMS performance at planned intervals, using documented evidence as input.
These obligations cannot be discharged through narrative reports alone. They require defined indicators, collected at regular intervals, assessed against targets, and used to drive decisions. The dashboard operationalises exactly this requirement by translating the raw data that the ABMS generates into trackable metrics and trend lines.
1.2 Measurement as Evidence of Commitment
One of the most commonly underestimated aspects of ISO 37001 is its requirement that top management demonstrate commitment that is active, visible, consistent, and sustained (Clause 5.1). In the event of a regulatory investigation, a certification audit, or a counterparty due diligence inquiry, a well-maintained performance dashboard is among the most persuasive evidence that the programme is genuinely operational — not merely documented.
Regulators and auditors do not simply ask whether an anti-bribery policy exists. They ask whether the organisation knows if its controls are working, whether it tracks bribery risk exposure over time, whether it monitors training completion, and whether management reviews programme performance with sufficient rigour to detect and correct weaknesses. A dashboard answers all of those questions directly.
2. How the Dashboard is Populated
The dashboard is not a standalone tool. It is a real-time aggregation layer sitting on top of the data that the ABMS is already producing. Each module draws on a defined set of data sources within the programme. Understanding this connection between ABMS activity and dashboard metrics is essential for compliance officers responsible for maintaining the system.
| Dashboard Module | ABMS Data Sources |
|---|---|
| Overview & KPIs | Risk assessment outputs, control testing register, training records, investigation log, management review minutes |
| Risk & Due Diligence | Bribery risk register, third-party due diligence workflow (screening, enhanced DD, approvals, rejections), risk scoring records |
| Control Testing | Anti-bribery control library, quarterly testing results, ISO 37001 clause mapping, corrective action tracker |
| Training & Awareness | Training management system — completion records, assessment scores, certification expiry dates, department-level breakdowns |
| Reports & Investigations | Speak-up/whistleblower channel records, investigation case management log, case outcomes, remediation actions |
| Objectives & Audit | ABMS objectives register (Clause 6.2), annual audit programme (Clause 9.2), non-conformity and corrective action log (Clause 10.1) |
In a mature implementation, most of these data sources feed the dashboard automatically through system integrations. In organisations at an earlier stage of programme development, the data is typically entered manually or exported from existing systems — HR platforms, procurement tools, finance controls, and case management software. Either way, the principle is the same: the ABMS generates the data, and the dashboard surfaces it.
3. The Six Dashboard Modules
The dashboard is organised into six functional modules, each corresponding to a distinct area of the ISO 37001 programme. Together they provide a complete picture of ABMS health across all major clause areas.
Module 1 — Overview
The Overview module provides a programme-level summary. It displays five headline KPIs — overall ABMS maturity score, control effectiveness rate, open audit findings, training compliance rate, and active investigations — alongside year-over-year comparisons, a maturity trend chart, an ISO 37001 clause compliance radar, and regional risk exposure analysis.
This is the primary view for senior management and the governing body. It answers the question: is the programme getting better, holding steady, or deteriorating? The year-over-year comparison panels are particularly valuable for management review meetings, where Clause 9.3 requires inputs that demonstrate performance trends and the results of previous reviews.
Module 2 — Risk & Due Diligence
This module surfaces the bribery risk register and the third-party due diligence pipeline. The heat map displays bribery risks plotted by likelihood and impact, with colour coding from green (low) to red (critical). The top risks table identifies the highest-priority exposures with inherent versus residual scoring and trend direction.
Below the heat map, the due diligence section tracks the full population of active third parties — screened, pending, high-risk, and rejected or terminated. Monthly completion rate charts allow the ABF to identify backlogs before they become control failures. This module supports the Clause 8.2 due diligence obligation and the Annex A.10 guidance on proportionate DD by risk tier.
Module 3 — Control Testing
Anti-bribery controls must be tested to establish that they are operating effectively, not merely that they exist. This module records the results of control tests mapped to individual ISO 37001 clauses, with a status of Effective, Partially Effective, or Ineffective for each control. The current quarter shows 45 controls tested at 100% coverage.
Trend charts allow the ABF to track whether control effectiveness is improving quarter-on-quarter, and the year-over-year comparison panels show the cumulative impact of remediation actions over a twelve-month period. Any Ineffective or Partially Effective controls automatically feed the corrective actions tracker visible in the Objectives & Audit module.
Module 4 — Training & Awareness
ISO 37001 Clause 7.3 and Annex A.9 require that all personnel whose roles create bribery risk receive appropriate, targeted training at regular intervals. This module tracks completion against the full staff population, broken down by department and by training module. Assessment scores are monitored against the programme pass threshold.
The overdue certifications counter provides an early warning mechanism — allowing the ABF to chase outstanding completions before they become non-conformities at an internal audit. The year-over-year panels demonstrate programme-wide improvement in training culture, which is directly relevant to the new Clause 5.1.3 anti-bribery culture requirement introduced in the 2025 edition of the standard.
Module 5 — Reports & Investigations
A functioning speak-up channel (Clause 8.9) only delivers value if the organisation can demonstrate that reports are received, investigated, and resolved in a timely and proportionate manner. This module tracks the full investigation lifecycle — from initial report through triage, active investigation, resolution, and closure — with average closure times and outcome categorisation.
The ability to show regulators and auditors that speak-up reports are being acted upon, and that investigation closure times are improving, is critical to demonstrating programme effectiveness. Unexplained spikes in report volumes, or investigations that remain open without documented rationale, are early warning signals that the module is designed to surface.
Module 6 — Objectives & Audit
Clause 6.2 of ISO 37001 requires the organisation to establish measurable objectives for the ABMS, plan how to achieve them, and track progress. Clause 9.2 requires a formal internal audit programme. Clause 10.1 requires that non-conformities are identified, corrective actions assigned, and effectiveness of those actions verified. This module consolidates all three.
Objective progress bars show percentage completion against each ABMS objective for the current period. The audit tracker shows the status of each scheduled audit — planned, in progress, or completed — alongside any open findings. The corrective actions register ensures that weaknesses identified through audits, management reviews, or control testing are being tracked to resolution and are not being lost between reporting cycles.
4. The Dashboard and the ISO 37001 Management Review
Clause 9.3 of ISO 37001 is among the most practically demanding requirements in the standard. It requires top management — not the compliance function acting on their behalf, but top management themselves — to review the ABMS at planned intervals using a defined set of documented inputs, and to produce outputs in the form of documented decisions and actions.
The dashboard is designed to serve as the primary input pack for the Clause 9.3 management review. Each of the required inputs maps directly to a dashboard module:
| ISO 37001 Cl. 9.3 Required Input | Dashboard Module |
|---|---|
| Status of actions from previous management reviews | Objectives & Audit — corrective actions tracker |
| Changes in external/internal context relevant to bribery risk | Risk & Due Diligence — risk register and heat map |
| Information on ABMS performance — incidents, non-conformities, audit results | Control Testing, Reports & Investigations, Objectives & Audit |
| Adequacy of resources | Training & Awareness — overdue completions, headcount coverage |
| Adequacy of procedures for speak-up and investigation | Reports & Investigations — volumes, closure times, outcomes |
| Results of the compliance function's ABMS review (Cl. 9.4) | Overview — ABF meeting cadence, programme KPIs |
| Recommendations for improvement | All modules — trend deterioration, red-status controls, open findings |
When the dashboard is used as the pre-read for a management review meeting, it transforms the review from a passive compliance briefing into a structured decision-making session. Management arrive with the data already in front of them, enabling them to focus on interpretation, judgement, and action rather than on receiving information.
5. Integrating the Dashboard into Your Programme
The dashboard is most effective when it is embedded into the rhythm of the ISO 37001 programme rather than treated as a periodic reporting exercise. The following practices reflect how high-performing organisations use it:
Monthly ABF review: The compliance function reviews all six modules at the start of each month to identify any deterioration in KPIs, escalate emerging risks, and update the control testing log.
Quarterly management review input: Dashboard outputs are packaged as the pre-read for the Clause 9.3 management review, replacing narrative reports with data-driven panels that management can review in advance of the meeting.
Annual audit cycle planning: The Objectives & Audit module is used to schedule and track the internal audit programme, ensuring all ABMS areas receive coverage within the audit period.
Real-time third-party DD tracking: The Risk & Due Diligence module is updated as new third parties enter the screening pipeline, ensuring the ABF maintains a current picture of DD backlogs and high-risk partner exposures.
Year-over-year programme benchmarking: The built-in YoY comparison panels allow the organisation to demonstrate improvement trajectory to certification bodies, regulators, and counterparties conducting compliance due diligence on the organisation itself.