Friday, November 21, 2025

Risk assessment methodology for ISO 37001, practical steps

Most compliance officers have lived the same nightmare at least once. At 10 p.m. on a Friday, your CEO forwards a customer’s tender that closes next week and writes, “We need the ISO 37001 risk file by Monday. Can you pull it off?”

When IberMetal, a 500-employee foundry based in Bilbao, received that e-mail, its compliance lead, Marta, decided things had to change. She spent the weekend pasting spreadsheets together, guessing probability scores and hoping her board would not ask too many questions. Months later she adopted a structured risk assessment workflow, mapped to ISO 37001, and automated it with Naltilia. Today the same file takes two hours, not two days, and withstands auditor scrutiny.

This article explains the methodology Marta followed, step by step, so you can replicate her results without the sleepless nights.

Why ISO 37001 puts risk assessment centre stage

ISO 37001 (anti-bribery management systems) requires organisations to identify, analyse and address bribery risks as the foundation of the entire management system. Without a documented, repeatable methodology:

  • Controls may target the wrong threats.
  • Certification bodies can raise major non-conformities.
  • Enforcement agencies will question the adequacy of your programme.

A solid method therefore delivers both business protection and audit evidence.

Pre-work: set the stage

  1. Define scope. Decide whether the assessment covers the whole company or a set of subsidiaries, JVs or projects.
  2. Secure tone at the top. Ask the board or CEO to sign a short statement endorsing the process and allocating resources.
  3. Appoint an owner. ISO 37001 speaks of a “compliance function”. Even in mid-sized firms this can simply be one empowered manager with access to legal counsel.

The 8-step ISO 37001 risk assessment method

1 Assemble the risk team

Include:

  • Process owners from sales, procurement, finance and HR.
  • Regional managers for countries with public-sector clients.
  • A facilitator (internal audit or Naltilia user) who knows the scoring model.

Keep the core group under ten people to stay agile.

2 Gather data

Sources Marta used:

  • Country indices (TI CPI, OECD export risk).
  • Industry enforcement trends (DOJ, SFO press releases).
  • Internal whistleblowing and expense audit logs pulled automatically by Naltilia’s connector.
  • Third-party onboarding dossiers.
  • Internal documents to analyse context and activity.

Tip: upload raw files to Naltilia; the AI reads documents in any format, so there is no need to convert everything to Excel.

3 Identify inherent risks

Workstream-based brainstorming works best. Conduct interviews and meetings with at least:

  • Sales and marketing.
  • Procurement and logistics.
  • Licences, permits and inspections.
  • Donations, sponsorship and political activity.
  • M&A and JV formation.

Tip: keep transcripts and notes of interviews and meetings so Naltilia AI can read the information and turn insights into risk scenarios. Example: “Offer of facilitation payment to customs officer to speed up import.”

4 Rate probability and impact

Adopt a 1-to-5 scale. Keep definitions simple:

  • Probability 1: Highly unlikely (<10 % per year).
  • Probability 5: Almost certain (>75 % per year).
  • Impact 1: Minimal fine or delay (<€10 k).
  • Impact 5: Catastrophic (criminal indictment, loss >€5 m).

Establish the objective risk factors and variables that allow you to score each risk for probability and impact. Plot each risk on a 5×5 heat map.

(Image: a compliance officer placing magnet tiles on a large wall-mounted heat map with red, yellow and green zones, while two colleagues observe and take notes.)

5 Map existing controls

For every high-impact risk, list preventive and detective measures, for example:

  • Four-eyes approval for hospitality above €150.
  • Automated screening of vendors against PEP lists.
  • Quarterly internal audit of port agent invoices.

Score control effectiveness on objective evidence: Effective (1), Partial (2), Ineffective (3).

6 Calculate residual risk

Residual = Inherent score × Control score / 5. If the residual risk is still high, further treatment is required.
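Steps 4 to 6 worked through as a small register calculator. This is an added example, not Naltilia's code or the article's own tooling; it assumes the inherent score is probability × impact (the article only says to plot on a 5×5 heat map), and the heat-map colour bands and the "still high" treatment threshold of 5.0 are assumptions.

```python
from dataclasses import dataclass

SCALE_1_TO_5 = range(1, 6)
CONTROL_SCORES = {"Effective": 1, "Partial": 2, "Ineffective": 3}  # step 5 scale


@dataclass
class Risk:
    scenario: str
    probability: int   # 1 = highly unlikely (<10 %/yr) .. 5 = almost certain (>75 %/yr)
    impact: int        # 1 = minimal (<EUR 10k) .. 5 = catastrophic (>EUR 5m, indictment)
    control: str       # "Effective" | "Partial" | "Ineffective"


def inherent_score(probability: int, impact: int) -> int:
    """Inherent = probability x impact (assumption: the article does not define it)."""
    if probability not in SCALE_1_TO_5 or impact not in SCALE_1_TO_5:
        raise ValueError("probability and impact must be integers 1..5")
    return probability * impact


def heat_map_zone(inherent: int) -> str:
    """Colour band on the 5x5 heat map; the cut-offs 15 and 8 are assumptions."""
    if inherent >= 15:
        return "red"
    return "yellow" if inherent >= 8 else "green"


def residual_score(inherent: int, control: str) -> float:
    """Article's formula: Residual = Inherent score x Control score / 5."""
    if control not in CONTROL_SCORES:
        raise ValueError(f"unknown control rating: {control!r}")
    return round(inherent * CONTROL_SCORES[control] / 5, 2)


def assess_register(risks: list, treat_at: float = 5.0) -> list:
    """Score every risk; flag those whose residual is still at/above treat_at (assumed)."""
    rows = []
    for r in risks:
        inh = inherent_score(r.probability, r.impact)
        res = residual_score(inh, r.control)
        rows.append({"scenario": r.scenario, "inherent": inh, "zone": heat_map_zone(inh),
                     "residual": res, "needs_treatment": res >= treat_at})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register echoing the article's scenarios (not real IberMetal data).
SAMPLE_REGISTER = [
    Risk("Facilitation payment to customs officer to speed up import", 4, 4, "Partial"),
    Risk("Hospitality to public-sector buyer above EUR 150", 3, 3, "Effective"),
    Risk("Port agent invoices concealing kickbacks", 2, 5, "Ineffective"),
    Risk("Sponsorship benefiting a political decision-maker", 1, 4, "Partial"),
]
```

Running `assess_register(SAMPLE_REGISTER)` returns the rows sorted by residual, so the two customs and port-agent scenarios surface first as still needing treatment under step 7.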

7 Define treatment actions

ISO 37001 expects a risk treatment plan:

  • Action description.
  • Responsible person.
  • Target date.
  • Required resources.

Example: “Implement e-learning for customs brokers, Q3, Compliance, €5 k.”

8 Document and approve

Generate a single “Risk Register & Plan” file. With Naltilia you export the register, heat map and action list straight to PDF, lock it, and obtain digital sign-off from the CEO. Store the file in your ISO management system.

Automating the workflow with AI

Manual risk registers break once you exceed 30 risks or 10 countries. Naltilia’s AI engine accelerates three pain points:

  1. Data ingestion. Drag-and-drop evidence of implementation of controls: CSVs, invoices, e-mails.
  2. Scoring suggestions. The model reads evidence and scores effectiveness of controls. Human reviewers can override every value.
  3. Real-time dashboards. Residual risk levels update instantly when you mark a control as implemented, giving management live KPIs.

Common pitfalls and how to avoid them

  1. Over-engineering scales. Five colours suffice; sophisticated weighting schemes can run behind the scenes but should not be shown to users, or you will lose them in the complexity of algorithms and variables.
  2. Parking the register once filed. ISO 37001 requires reviews at planned intervals and upon significant changes. Schedule quarterly refresh sessions to review control implementation and analyse incidents.

Frequently asked questions

Do I need separate risk assessments for ISO 37001 and Loi Sapin II?
Not necessarily. Build one enterprise risk map, then tag each risk to the frameworks it supports. Naltilia lets you filter by regulation during export.

How granular should scoring be in an SME?
If you operate in fewer than five countries, a 3×3 matrix and qualitative descriptions are perfectly acceptable.

Can I outsource the assessment?
Consultants can facilitate workshops, but ISO 37001 expects internal ownership. Retain decision authority over scores and treatment.

Start building smarter risk maps

Whether you are racing a Monday deadline or planning next year’s certification, a disciplined methodology and the right technology stack will spare you the weekend ordeal.

Naltilia’s AI-powered platform builds ISO 37001-ready risk registers in a fraction of the time, keeps them evergreen and gives you a defensible audit trail.

Ready to see it in action? Book a 30-minute demo and turn your risk assessment into a strategic asset, not a last-minute scramble.