The SFO’s ‘Evaluating Compliance Programmes’ Guidance: An Opportunity Missed?

Aziz Rahman


The Serious Fraud Office (SFO) has just published a guidance document on how the organisation will assess the compliance programmes of the companies which it investigates. Here, Aziz Rahman outlines his concerns that the guidance perhaps falls somewhat short of what’s required.

Compliance is a loaded issue for companies. Get it right and problems can be prevented. Get it wrong, though, and allegations of business crime can be accompanied by investigation, prosecution and the financial and reputational damage that a conviction can bring.

The business world should, therefore, be pleased to see the SFO publishing its guidance on how it assesses the effectiveness of the compliance programmes of the companies it investigates. The SFO’s eight-page document entitled ‘Evaluating Compliance Programmes’ arrived with very little fanfare. It outlines the stages at which the SFO will examine a company’s compliance: at the time of the alleged offending, when a decision is being made on whether or not to charge the company involved and, in some cases, in the future when introducing and maintaining an effective compliance programme as a condition of avoiding prosecution.

The new guidance pays close attention to the six principles detailed in the Bribery Act guidance published in 2011 by the Ministry of Justice. It goes on in some detail about the importance of proportionate procedures, top-level commitment, risk assessment, due diligence, communication and training, and monitoring and review.

An opportunity missed

This is all laudable, but it’s hard not to see this as an opportunity missed. That’s because this guidance isn’t really grasping the nettle and telling companies in cold, hard terms exactly what they should be doing.

There’s very little in what the SFO has just put out that can be classed as solid advice that companies can apply to their workplaces. Yes, there’s plenty of reference to principles – principles that have been available to examine for almost a decade now – and a mildly interesting outline of how the SFO goes about its business, but there’s little that’s either new or noteworthy.

We’ve known for years that the defence of adequate procedures is available. What the business world needs to know is just how the SFO weighs up precisely what it will consider adequate. Then there’s the issue of theory and practice: a company may have a well thought-out and carefully developed compliance programme, but where does it stand if that programme fails to prevent wrongdoing?

The SFO needs to clarify where it stands when it comes to assessing a compliance programme that has fallen short of its goals. We needed to know if such a programme could ever be considered adequate and, if so, why. Unfortunately, we haven’t been given this detail.

No ‘one-size-fits-all’

If we consider the US Department of Justice’s updated guidance ‘Evaluation of Corporate Compliance Programmes’, it emphasises that a compliance programme will only be genuinely effective if compliance personnel are empowered in a company. Its message essentially boils down to the importance of a compliance programme being well designed, implemented effectively and in good faith and working in practice.

A few months ago, the SFO’s General Counsel Sarah Lawson said that corporate compliance functions had to be well resourced and should not suffer as a result of cost-cutting. Part of this, I believe, is because compliance cannot be done on a ‘one-size-fits-all’ basis due to the variations in companies’ sizes and structures, the nature of their business and the risks they face. That’s why any guidance on such an important issue is always welcome.

It’s hard, however, to muster much enthusiasm for what the SFO has just produced.

Aziz Rahman is Senior Partner and Head of the Corporate Crime Group at Rahman Ravelli Solicitors

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
