Quick Read
ISO 37001's management review requirement (Clause 9.3) is fundamentally a review *by* management of the anti-bribery system, not a compliance presentation *to* management—a distinction that signals whether leadership genuinely owns the system or has delegated it to the compliance function. The standard places explicit ownership of the ABMS on top management through Clause 5.1, making the management review the mechanism through which that ownership is exercised in practice, and passive attendance at a slide deck presentation fails to satisfy this requirement. Effective management review demands active engagement from leadership to genuinely test the system's effectiveness and reinforce that anti-bribery governance belongs to the business, not to compliance alone.
Executive Summary
ISO 37001 is the international standard for Anti-Bribery Management Systems (ABMS). Clause 9.3 requires that top management conduct a periodic management review of the ABMS. In practice, however, this requirement is routinely misunderstood — and misimplemented.
In organisation after organisation, the management review has become a compliance ritual: the chief compliance officer prepares a slide deck, presents it to a senior management meeting, and the session is minuted as complete. Management receives information. Management nods. The box is ticked.
This whitepaper argues that this approach fundamentally misreads what the standard requires — and what good governance demands. Clause 9.3 is not a reporting obligation placed on compliance. It is a review obligation placed on management. The management review is a review of the ABMS by management, not a presentation to management.
The distinction matters enormously. Under clause 5.1, top management owns the ABMS. The management review is the mechanism through which that ownership is exercised in practice. When management delegates the review to a compliance presentation, it signals to the entire organisation that the ABMS belongs to the compliance function — not to leadership. That signal undermines everything the standard is trying to achieve.
This paper sets out what clause 9.3 actually requires, why active management engagement is non-negotiable, how to structure a review that genuinely tests the ABMS, and how compliance professionals can help their organisations move from passive audiences to active owners.
1. The Ownership Question: Who Is Responsible for the ABMS?
Any meaningful discussion of the management review must begin with a prior question: who owns the ABMS? The answer that ISO 37001:2025 gives is unambiguous — top management does.
Clause 5.1.2 sets out thirteen specific ways in which top management must demonstrate leadership and commitment with respect to the ABMS. These include ensuring that anti-bribery objectives are established and that the ABMS achieves its intended results; integrating ABMS requirements into the organisation's business processes; ensuring that resources needed for the ABMS are available; promoting an appropriate anti-bribery culture within the organisation; directing and supporting personnel to contribute to the effectiveness of the ABMS; and reporting at planned intervals to the governing body on the content and operation of the ABMS.
Clause 5.1.3, newly expanded in the 2025 edition, goes further. It requires that the governing body, top management and management demonstrate an active, visible, consistent and sustained commitment towards a common standard of behaviour and conduct throughout the organisation. The word choices here are deliberate and important. Not passive. Not occasional. Active, visible, consistent and sustained.
| Key principle from clause 5.1.3: "The governing body, top management and management shall demonstrate an active, visible, consistent and sustained commitment towards a common standard of behaviour and conduct that is required throughout the organization." This is not a commitment that can be delegated to compliance. It is a personal leadership obligation. |
|---|
The implications for the management review are direct. If top management owns the ABMS under clause 5.1, then the review of the ABMS under clause 9.3 is necessarily management's responsibility — not compliance's responsibility to perform on management's behalf. Compliance provides the data and analysis. Management does the reviewing.
This ownership model is consistent with the broader philosophy of the standard. ISO 37001 is premised on the idea that bribery cannot be prevented by a compliance function working in isolation. The standard requires that anti-bribery be embedded in the organisation's culture and business processes — which is only possible if leadership visibly and genuinely owns it.
2. What Clause 9.3 Actually Requires
Clause 9.3 of ISO 37001:2025 has been restructured from the 2016 edition. The 2025 version organises the management review requirements more clearly into three components: a general statement of obligation (9.3.1), a specification of the inputs that management must consider (9.3.2), and requirements for the outputs and decisions that must result (9.3.3). Each component repays careful reading.
9.3.1 — The Core Obligation
The opening sentence of clause 9.3.1 states:
| "Top management shall review the organization's anti-bribery management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness." |
|---|
Four elements of this sentence deserve particular attention. First, the subject of the sentence is top management — not the anti-bribery function, not the compliance team, not a committee. Management shall review.
Second, the review is of the ABMS — the system as a whole. This is not a review of individual incidents or a compliance report. It is a structured assessment of whether the organisation's anti-bribery management system is working.
Third, the standard specifies the purpose of the review: to ensure continuing suitability, adequacy and effectiveness. These three words have precise meanings. Suitability asks whether the ABMS is appropriate for the organisation's context. Adequacy asks whether the ABMS covers what it needs to cover. Effectiveness asks whether the ABMS is actually working — whether it is achieving its intended results in preventing, detecting and responding to bribery.
Fourth, the review must occur at planned intervals. This means the frequency must be determined in advance and maintained. Ad-hoc reviews when something goes wrong do not satisfy this requirement.
Clause 9.3.1 also confirms that the governing body shall undertake its own review of top management's implementation of the ABMS, based on information provided by top management and the anti-bribery function. There are therefore two distinct review obligations: management reviews the ABMS, and the governing body reviews management's implementation of it. Neither can substitute for the other.
9.3.2 — The Inputs Management Must Consider
Clause 9.3.2 specifies what the management review must include. These are not optional discussion points — they are mandatory inputs that must be considered as part of every management review. The standard lists the following:
| Ref. | Input | What management should be asking |
|---|---|---|
| (a) | Status of actions from previous management reviews | Have we closed out what we committed to last time? Are any actions overdue or blocked? |
| (b) | Changes in external and internal issues relevant to the ABMS | Has our bribery risk environment changed? New markets, new business models, regulatory developments, personnel changes? |
| (c) | Changes in needs and expectations of interested parties relevant to the ABMS | Are investors, regulators, customers or employees signalling new expectations around anti-bribery? |
| (d) | Information on ABMS performance, including trends in: nonconformities and corrective actions; monitoring results; audit results; reports of bribery; investigations; and the nature and extent of bribery risks | Is the system working? What do the data tell us about where controls are failing or succeeding? Are there concerning trends? |
| (e) | Opportunities for continual improvement | What can we do better? What do the data suggest about where we should invest or change? |
| (f) | Effectiveness of actions taken to address bribery risks | Are the controls we have implemented actually reducing our bribery risk exposure? |
The depth and breadth of these inputs make clear that the management review is not a short briefing. It requires management to engage with data, trends, audit findings, investigation outcomes and risk assessments. This is substantive work. It cannot be absorbed passively.
9.3.3 — The Outputs Management Must Produce
Clause 9.3.3 sets out what the management review must produce:
| The results of the management review shall include decisions related to continual improvement opportunities and any need for changes to the anti-bribery management system. Documented information shall be available as evidence of the results of management reviews. A summary of the results of the top management review shall be reported to the governing body. |
|---|
The outputs are decisions — not observations, not concerns, not discussion points. Management must reach conclusions and make decisions. These decisions must be documented. And a summary must flow upward to the governing body.
This output requirement confirms that the management review is an active, decision-making process. An organisation that concludes its management review with a set of minutes recording that compliance presented a report has produced no decisions, no documented actions and nothing to report upward. It has not met the requirements of clause 9.3.
3. The Compliance Presentation Trap
Given how clearly clause 9.3 places the review obligation on management, why is the compliance presentation model so prevalent? Several forces converge to produce it.
3.1 Institutional Inertia
In most organisations, the management review of the ABMS is modelled on board and management reporting more broadly — where compliance, legal, internal audit and risk functions prepare reports that are presented upward. This reporting model is appropriate for many purposes. It is not appropriate when the standard requires management itself to conduct a review.
The compliance presentation model has become the default because it is familiar, easy to organise and straightforward to minute. The compliance team does the work, management provides the meeting room and the signatures. Everyone leaves feeling the obligation has been met.
3.2 Misreading the Separation Between 9.3 and 9.4
ISO 37001 contains two distinct review processes that are easily conflated. Clause 9.4 requires that the anti-bribery function assess on a continual basis whether the ABMS is adequate to manage bribery risks and is being effectively implemented. The function must report its findings to top management and the governing body at planned intervals.
Clause 9.4 is where the compliance function's review obligation sits. It is the compliance function's responsibility to analyse, assess and report. When organisations treat the clause 9.4 report as if it were also the clause 9.3 review, they are conflating two different activities with two different owners. Compliance presenting its 9.4 analysis is not a substitute for management conducting its 9.3 review.
| Clause 9.3 — Management Review | Clause 9.4 — Anti-Bribery Function Review |
|---|---|
| Owner: Top Management | Owner: Anti-Bribery Function |
| Management reviews the ABMS at planned intervals | Function assesses ABMS adequacy on a continual basis |
| Management analyses inputs and reaches decisions | Function reports findings to management and governing body |
| Management documents outputs and reports to governing body | Function provides data that feeds into the 9.3 review |
3.3 The Signal It Sends
Perhaps the most consequential problem with the compliance presentation model is the message it sends to the organisation. When employees observe that management's role in the ABMS review consists of listening to a compliance presentation, they draw a rational conclusion: the ABMS is a compliance programme, not a management priority.
This conclusion is corrosive. The standard's entire architecture depends on management modelling and reinforcing the anti-bribery culture. Clause 5.1.3 requires that management demonstrate active, visible, consistent and sustained commitment. A passive role in the management review is the opposite of active and visible. It signals that anti-bribery is something the compliance team does, not something that leadership owns.
Regulators and enforcement authorities are alive to this distinction. In evaluating the adequacy of an organisation's anti-bribery programme — whether in the context of a prosecution, a deferred prosecution agreement, or a certification audit — they look at whether leadership genuinely engaged with the programme. A meeting where compliance presented and management noted does not evidence genuine engagement.
4. Management as Reviewer, Not Audience
Reframing the management review as a genuine leadership activity requires a change in both structure and mindset. The following principles should guide the transition.
4.1 Management Reads Before the Meeting
A review cannot happen in real time from a slide deck. The inputs specified in clause 9.3.2 are substantial — they include performance data, audit findings, investigation outcomes, trend analysis and risk assessments. Management cannot meaningfully review this material if they encounter it for the first time during a meeting.
Organisations should establish a formal pre-reading process in which the required inputs are provided to management in advance of the review meeting. Management members should arrive at the review having read the material and prepared questions, challenges and observations. The meeting itself then becomes a discussion and decision-making forum, not a briefing.
4.2 Management Asks Questions, Not Just Receives Answers
The compliance function's role in the management review is to provide information and analysis. Management's role is to interrogate that information. This requires management to be prepared to ask hard questions:
- Are we confident that the risk assessment remains current, or have business changes since the last review created new exposures?
- What do the trends in monitoring data tell us about where our controls are weakest?
- Are the corrective actions from the last review actually being implemented, and are they effective?
- Where an investigation concluded without finding a violation, are we confident the investigation itself was sufficiently rigorous?
- Is the anti-bribery culture genuinely embedded, or are we seeing signs of superficial compliance?
- Are we adequately resourced to manage our bribery risk exposure?
These questions can only be asked and answered if management has engaged with the material before the meeting and approaches the review as genuine oversight rather than a formality.
4.3 Management Makes Decisions and Owns Actions
Clause 9.3.3 requires the review to produce decisions. This means that management must leave the review having made specific, documented commitments. These should be recorded as formal action items with named owners, timeframes and follow-up mechanisms.
Critically, management should own some of these actions directly. If the review reveals that the ABMS is under-resourced, management must allocate resources — not ask compliance to find a way to do more with less. If the review reveals a cultural concern in a particular business unit, management must address that concern — not delegate it back to compliance to fix. If the risk assessment reveals a gap in controls, management must authorise and resource the response.
The management review is the moment at which the ABMS's performance data converts into leadership decisions. When management engages genuinely with that process, the ABMS becomes a living management system. When management delegates it to compliance, it becomes a compliance programme that sits alongside the business rather than within it.
4.4 Management Reports to the Governing Body
Clause 9.3.3 requires that a summary of the management review results be reported to the governing body. This is a management responsibility, not a compliance responsibility. Management should present its own conclusions to the governing body — what the review found, what decisions were made, and what actions are being taken.
This upward reporting loop is important for two reasons. First, it creates accountability — management must be able to articulate the ABMS's performance in its own words, which requires genuine engagement with the review. Second, it enables the governing body to exercise its own oversight obligation under clause 5.1.1, which requires the governing body to receive and review information about the ABMS at planned intervals and to exercise reasonable oversight over management's implementation.
5. The Role of Compliance: Enabling, Not Substituting
Emphasising management's ownership of the review does not diminish the compliance function's role — it clarifies and elevates it. Compliance's job is to make the management review possible and productive, not to do the review on management's behalf.
5.1 Providing the Right Inputs
The most important thing the compliance function can do to support an effective management review is to prepare inputs of genuine analytical quality. This means more than compiling statistics. It means providing trend analysis, contextualised data, risk-calibrated assessments and honest appraisals of where the ABMS is performing well and where it is not.
A compliance function that presents only good news, or that presents data without interpretation, is not serving management effectively. Management needs to understand what the data means, where the risks lie and what the options are. The compliance function should be prepared to present difficult findings clearly and to recommend specific responses.
5.2 Preparing Management for Their Role
Compliance professionals who want management to engage actively with the review must help management understand what that engagement looks like. This includes explaining the purpose of the management review under clause 9.3, distinguishing it from the compliance function's own review under clause 9.4, and helping management understand the specific inputs they will be expected to consider.
Pre-reading materials should be structured to support active engagement — not so dense as to be inaccessible, but substantive enough that management can form genuine views before the meeting. Where possible, the compliance function should brief management individually or in small groups before the formal review, so that management arrives with context and questions rather than encountering everything cold.
5.3 Supporting Documentation and Follow-Through
After the review, compliance should support the documentation requirements of clause 9.3.3 and help track the implementation of management's decisions. The standard requires that documented information be available as evidence of the results of management reviews. This documentation should record not just what was presented, but what management discussed, what conclusions they reached and what actions they committed to.
Compliance should maintain an action register from the management review and report progress against that register at subsequent reviews. This creates the accountability loop that clause 9.3.2(a) requires — the status of actions from previous management reviews must be one of the inputs to each subsequent review. If management made commitments and did not follow through, that fact must be visible.
6. Structuring a Meaningful Management Review
The following framework describes how a well-structured management review under clause 9.3 might be organised. It is not prescriptive — organisations should adapt it to their size, complexity and culture. The principles, however, apply broadly.
Phase 1: Preparation (Two to Four Weeks Before)
- The anti-bribery function assembles the clause 9.3.2 inputs: status of previous actions, context changes, interested party developments, performance data (nonconformities, monitoring results, audit findings, bribery reports and investigations), risk landscape, and improvement opportunities.
- The function prepares an analytical management review briefing document — not a slide deck, but a structured written report that can be read and absorbed. This document should include trend analysis, the function's own assessment and specific questions or issues for management to consider.
- The briefing document is circulated to management at least one week before the review meeting, with a clear expectation that it will be read in advance.
- Individual pre-briefing conversations between the compliance function and key management members may be scheduled to ensure context and answer preliminary questions.
Phase 2: The Review Meeting
- Management opens the meeting — not compliance. The chair of the review (typically the CEO or a designated senior executive) sets the agenda and tone.
- The compliance function provides a brief oral summary of the key issues in the briefing document. This should be short — the purpose is to orient discussion, not to replace the pre-reading.
- Management leads the discussion of each input area. The compliance function answers questions and provides clarification, but management drives the interrogation of the data.
- For each area, management reaches a documented conclusion: is this satisfactory, does it require action, or does it require escalation?
- The meeting concludes with management agreeing a set of specific decisions and actions, with named owners and timeframes.
Phase 3: Documentation and Follow-Through
- Management review minutes are prepared that document the inputs considered, the management discussion and the decisions reached. The standard requires documented information — a set of minutes that records only attendance and that compliance presented does not meet this requirement.
- An action register is maintained with management's commitments from the review.
- A summary is prepared by management for reporting to the governing body.
- The compliance function tracks progress against the action register and includes a status update in the inputs to the next management review.

| A practical test: After the management review, ask: if the compliance team had not been in the room, would management have been able to conduct the review themselves, based on the pre-reading materials provided? If the answer is no, then compliance is doing management's job for them. The review is not genuinely management-led. If the answer is yes — management read the materials, formed views, asked hard questions, and made decisions — then the review is functioning as the standard intends. |
|---|
7. Indicators of Genuine Engagement
How can an organisation assess whether its management review is genuinely management-led rather than a compliance exercise? The following indicators help distinguish authentic engagement from compliance theatre.
| Indicators of Genuine Management Engagement | Red Flags: Compliance Presentation Model |
|---|---|
| Management reads pre-meeting materials and arrives with questions prepared | Management first encounters the material during the meeting |
| Management challenges the data and asks for explanations of adverse trends | Management receives the presentation without substantive questions |
| Management decisions and actions are minuted with named owners and deadlines | Minutes record that compliance presented and management noted |
| Management allocates resources or makes structural changes in response to findings | No resource or structural decisions result from the review |
| Management personally reports the review summary to the governing body | Compliance reports the review summary to the governing body |
| Previous review actions are tracked and their status is reviewed at the next meeting | There is no follow-up on previous actions between reviews |
| Management can discuss ABMS performance in their own words outside the review meeting | Management defers all ABMS questions to compliance |
8. A Note on the 2025 Update to ISO 37001
The 2025 edition of ISO 37001 makes several changes that are relevant to the management review and to the broader question of management ownership. Compliance professionals preparing for transition from the 2016 edition should note the following.
Clause 5.1.3, on anti-bribery culture, is a new provision in the 2025 edition. It explicitly requires the governing body, top management and management to demonstrate an active, visible, consistent and sustained commitment. This language goes beyond the 2016 edition's requirements and places a direct, personal obligation on management to model the behaviours the ABMS is designed to promote. The management review is one of the most visible opportunities for management to demonstrate this commitment.
Clause 9.3 has been restructured in the 2025 edition, with the addition of a clearer general statement of the review obligation in 9.3.1, including an explicit requirement for the governing body to review top management's implementation. The inputs and outputs have also been reorganised and in some respects expanded — notably the requirement to consider changes in the needs and expectations of interested parties (9.3.2(c)), reflecting the broader 2025 emphasis on stakeholder engagement.
The 2025 edition also introduces a new requirement in 9.3.3 for a summary of the management review to be reported to the governing body. This formalises the upward reporting loop and makes explicit a practice that the 2016 edition implied but did not state directly.
Taken together, these changes reinforce the direction of travel: the 2025 edition places greater emphasis on visible, active leadership engagement and on the accountability chain from the ABMS through management to the governing body.
9. Conclusion
The management review under clause 9.3 is one of the most important mechanisms in the ISO 37001 framework. Done well, it creates a regular, structured forum in which management examines the organisation's anti-bribery performance, tests the adequacy of its controls, identifies improvement opportunities and makes accountable decisions. It is the moment at which management's ownership of the ABMS is most concretely exercised.
Done poorly, however, it becomes the opposite: a ritual that allows management to discharge the formality of a review while remaining genuinely disengaged from the ABMS. The compliance presentation model produces documented meetings, minuted reports and signed-off records — all the outward signs of a functioning management review — while leaving management no more engaged with the ABMS than before the meeting.
Compliance professionals have a critical role to play in shifting this dynamic. By preparing analytical, substantive inputs; by helping management understand their review obligation; by structuring the review to invite genuine interrogation rather than passive reception; and by rigorously tracking and reporting on management's decisions, compliance functions can help their organisations move from compliance theatre to genuine governance.
The standard's requirements are clear. The management review is a review of the ABMS by management. Clause 5.1 establishes that management owns the ABMS. Clause 9.3 is the mechanism through which that ownership is exercised. And clause 5.1.3 reminds us that management's commitment to the ABMS must be active, visible, consistent and sustained — not delegated, not occasional, and not passive.
The question for every organisation is not whether they have a management review on the calendar. It is whether management is genuinely doing the reviewing.
Speeki
Speeki is a global assurance body accredited to certify anti-bribery management systems.
For more information about how Speeki can support your ABMS certification, visit www.speeki.com.
Disclaimer
This whitepaper is provided for informational purposes only and does not constitute legal advice. References to ISO 37001:2025 reflect the standard as published and should be read in conjunction with the full text of that standard. Speeki recommends that organisations seek qualified legal and compliance advice in relation to their specific circumstances.
© 2026 Speeki Pte Ltd. All rights reserved.