Friday, November 14, 2025

Risk determination in ISO 37001, a field story

In the winter of 2020, the aviation giant Airbus agreed to pay more than €3.6 billion in combined penalties to France, the United Kingdom, and the United States after a sprawling foreign-bribery investigation (Le Monde, Les Echos, US DOJ). The record-setting settlement sent shockwaves through compliance teams worldwide because the misconduct had flourished inside an organization that, on paper, held robust policies. At the heart of many compliance failures we find a familiar mistake: poor risk identification.

Why risk identification matters in ISO 37001

ISO 37001, the international standard for anti-bribery management systems, clearly sets out that an organization must determine its bribery risks before it can assess, prioritize, and mitigate them. Without a clear, documented determination of bribery risks, the remainder of the compliance program rests on guesswork.

ISO 37001 requires organizations to:

  • identify internal and external issues that give rise to bribery risk,
  • understand the needs and expectations of stakeholders, and
  • define the scope of the anti-bribery management system accordingly.

Only after this groundwork can risk assessment translate findings into ratings, heat maps, and action plans.

The Airbus story through an ISO 37001 lens

Airbus relied heavily on third-party business partners in emerging markets. Intermediary commissions were routinely approved without adequate checks, and red flags were not escalated. A retrospective mapping of the scandal shows at least four risk indicators that should have surfaced (and maybe actually did) during risk determination:

Risk indicator | Evidence in Airbus case | Why it mattered
High-value third-party contracts | Commissions sometimes exceeded 15 percent of deal value | Provided funds for illicit payments
Operations in high-risk jurisdictions | Aircraft sales targeted countries ranked below 50 on the Transparency International CPI | Elevated exposure to public-official bribery
Complex offset agreements | Bundled technology transfer and training packages | Obscured the flow of funds
Rapid growth targets | Aggressive sales quotas announced by leadership | Created pressure to shortcut controls

Had these factors been systematically captured, Airbus would have forecast the likelihood of bribery, adjusted due-diligence depth, and tightened approval workflows.

Building a practical risk determination process

For compliance officers working in mid-sized enterprises, resources are tighter than in multinational aerospace firms, but expectations from regulators are converging. The following field-tested sequence aligns with ISO 37001 and can be executed within a quarter:

1 Map activities and stakeholders

Create an inventory of business activities that can influence public-official interactions: sales agents, joint ventures, lobbying, customs brokers, charity spending. Pair each activity with the internal owners who understand its mechanics.

2 Screen external context

Pull macro-data such as the Corruption Perceptions Index, World Bank governance indicators, and sector-specific enforcement statistics. This external scan anchors the discussion in evidence rather than intuition.

3 Facilitate calibrated workshops

Run short workshops/interviews with business leads to score inherent risk on a 1-to-5 scale for each activity, using real-life scenarios. Keep the groups small enough for candid debate. The goal is not consensus but documented rationale.

4 Document assumptions and thresholds

Write down why a risk receives a given score and what would trigger a re-evaluation (for example, entry into a new country or an M&A event). Regulators focus on the logic, not the color of the heat map.

5 Connect to monitoring and remediation

Feed the risk register into control testing plans, internal audit scope, and training calendars. Without this step, determination remains theoretical.

Common pitfalls and how to avoid them

  1. Treating risk determination as an annual formality. Solution: embed triggers that auto-launch a mini-review when certain thresholds are crossed (new agent onboarded, country risk score drops below 40, etc.).
  2. Outsourcing all analysis to consultants. Solution: involve internal process owners early so the knowledge stays in-house.
  3. Focusing exclusively on country risk. Solution: balance geography with transaction value, payment structure, and business urgency.
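As an added illustration of steps 3 and 4 of the sequence above and of the first pitfall (embedding re-evaluation triggers), the following Python keeps a small risk register, checks that every entry carries a score on the 1-to-5 scale and a written rationale, and works out which entries an event sends back to review. This is example code written for this page, not Naltilia's product and not text from the standard; the register fields, the event shapes and the sample entries are assumptions, while the thresholds (a country score dropping below 40, an annual baseline review) come from the article.

```python
"""Bribery-risk register with documented rationale and re-evaluation triggers.

Illustrative code only (not Naltilia's platform, not ISO 37001 text).
Field names, event shapes and sample entries are assumptions; the numeric
thresholds are the ones the article mentions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Article: launch a mini-review when a country risk score drops below 40,
# and review the whole determination at least annually.
CPI_REVIEW_THRESHOLD = 40
MAX_REVIEW_AGE_DAYS = 365


@dataclass
class RiskEntry:
    activity: str        # step 1: business activity (sales agent, customs broker, ...)
    owner: str           # step 1: internal process owner who knows the mechanics
    country: str
    cpi_score: int       # step 2: Transparency International CPI score, 0..100
    inherent_score: int  # step 3: workshop score on the 1-to-5 scale
    rationale: str       # step 4: why the score was given
    last_reviewed: str   # ISO date of the last review, e.g. "2025-01-15"


def validate(entry: RiskEntry) -> List[str]:
    """Return documentation defects; an empty list means the entry is defensible."""
    problems = []
    if not 1 <= entry.inherent_score <= 5:
        problems.append("inherent_score must be on the 1-to-5 scale")
    if not entry.rationale.strip():
        problems.append("rationale missing: regulators look at the logic, not the colour")
    if not 0 <= entry.cpi_score <= 100:
        problems.append("cpi_score must be between 0 and 100")
    return problems


def triggered_entries(register: List[RiskEntry], event: Dict) -> List[RiskEntry]:
    """Return the entries an event should send back to a mini-review.

    Assumed event shapes:
      {"kind": "cpi_update", "country": "X", "new_score": 38}
      {"kind": "new_agent", "country": "X"}
      {"kind": "m_and_a"}
    """
    kind = event["kind"]
    if kind == "m_and_a":
        # An acquisition changes the scope of the system: re-examine everything.
        return list(register)
    if kind == "cpi_update":
        if event["new_score"] >= CPI_REVIEW_THRESHOLD:
            return []
        return [e for e in register if e.country == event["country"]]
    if kind == "new_agent":
        return [e for e in register if e.country == event["country"]]
    raise ValueError(f"unknown event kind: {kind}")


def overdue_entries(register: List[RiskEntry], today: str,
                    max_age_days: int = MAX_REVIEW_AGE_DAYS) -> List[RiskEntry]:
    """Return entries whose last review is older than the annual baseline."""
    today_d = date.fromisoformat(today)
    return [e for e in register
            if (today_d - date.fromisoformat(e.last_reviewed)).days > max_age_days]


# Constructed sample register (countries and scores are invented for the example).
REGISTER = [
    RiskEntry("sales agent", "Head of Sales", "Country A", 35, 4,
              "commissions above 15 percent of deal value", "2024-06-01"),
    RiskEntry("customs broker", "Logistics", "Country B", 62, 2,
              "fixed-fee brokerage, low transaction value", "2025-03-01"),
    RiskEntry("joint venture", "Business Development", "Country A", 35, 5,
              "state-owned partner with bundled offset agreements", "2025-02-10"),
]

if __name__ == "__main__":
    for entry in REGISTER:
        print(entry.activity, validate(entry) or "ok")
    for e in triggered_entries(REGISTER, {"kind": "cpi_update",
                                          "country": "Country B", "new_score": 38}):
        print("review:", e.activity)
    for e in overdue_entries(REGISTER, "2025-11-14"):
        print("overdue:", e.activity)
```

The point of keeping `rationale` as a required field is step 4: a score without its reasoning is what regulators will challenge, so the register refuses to treat such an entry as complete.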

How Naltilia accelerates risk determination

Manual spreadsheets and scattered emails make the five-step sequence painful. Naltilia’s AI-powered platform reduces both friction and blind spots:

  • Regulatory risk assessment modules pre-load external indices and flag countries that exceed user-defined risk thresholds.
  • Automated data collection and analysis of internal and external documents to identify relevant variables for risk determination.
  • Workflow automation assigns workshops, consolidates scoring comments, and stores audit-ready evidence in one place.
  • Tailor-made policy suggestions when risk levels shift, keeping the ISO 37001 system evergreen.

With Naltilia, mid-market compliance teams can conduct a defensible risk determination in weeks rather than months and re-run the exercise on demand when strategy or markets change.

Key takeaways

  • Airbus shows that sophisticated policies are useless without an upfront, honest risk determination.
  • ISO 37001 frames determination as the foundation of the anti-bribery management system.
  • A structured five-step approach—mapping, screening, workshops, documentation, linkage—meets the standard while staying pragmatic for medium-sized organizations.
  • AI tools such as Naltilia free compliance officers to focus on judgment rather than data chasing, closing the gap that cost Airbus billions.

Frequently asked questions

Is risk determination different from risk assessment? Yes. Determination identifies and describes the universe of bribery risks, while assessment ranks those risks by likelihood and impact.

How often should a company review its risk determination? ISO 37001 is silent on a fixed timeline. Best practice is at least annually, plus whenever significant changes occur (new market, acquisition, major policy shift).

Can small compliance teams realistically meet ISO 37001 requirements? With clear methodology and supportive technology, even a two-person team can document a defensible determination. Automation handles data intake and evidence management.

Does ISO 37001 certification guarantee immunity from fines? No. Certification shows the system is reasonably designed. Regulators still expect effective implementation and continuous improvement.

How do we start using Naltilia for risk determination? Request a demo. The onboarding team will configure your evidence library (your single source of truth) with relevant documentation (including transcription of interviews and workshops to evaluate employee sentiment) to identify the most relevant risk scenarios for your company.

Ready to bring clarity to your bribery risk?

Airbus paid billions for lessons you can internalize today. Schedule a conversation with Naltilia’s experts and see how automated risk determination puts you ahead of regulators and competitors alike.