The Serious Fraud Office (SFO) has just published a guidance document on how the organisation will assess the compliance programmes of the companies which it investigates. Here, Aziz Rahman outlines his concerns that the guidance perhaps falls somewhat short of what’s required.
Compliance is a loaded issue for companies. Get it right and problems can be prevented. Get it wrong, though, and allegations of business crime can be accompanied by investigation, prosecution and the financial and reputational damage that a conviction can bring.
The business world should, therefore, be pleased to see the SFO publishing its guidance relating to how it assesses the effectiveness of the compliance programmes of the companies it investigates. The SFO’s eight-page document entitled ‘Evaluating Compliance Programmes’ arrived with very little fanfare. It outlines the stages at which the SFO will examine a company’s compliance: at the time of the alleged offending, when a decision is being made on whether or not to charge the company involved and, in some cases, in the future when introducing and maintaining an effective compliance programme as a condition of avoiding prosecution.
The new guidance pays close attention to the six principles detailed in the Bribery Act guidance published in 2011 by the Ministry of Justice. It goes on in some detail about the importance of proportionate procedures, top-level commitment, risk assessment, due diligence, communication and training, and monitoring and review.
An opportunity missed
This is all laudable, but it’s hard not to see this as an opportunity missed. That’s because this guidance isn’t really grasping the nettle and telling companies in cold, hard terms exactly what they should be doing.
There’s very little in what the SFO has just put out that can be classed as solid advice that companies can apply to their workplaces. Yes, there’s plenty of reference to principles – principles that have been available to examine for almost a decade now – and a mildly interesting outline of how the SFO goes about its business, but there’s little that’s either new or noteworthy.
We’ve known for years that the defence of adequate procedures is available. What the business world needs to know is just how the SFO weighs up precisely what it will consider adequate. Then there’s the issue of theory and practice: a company may have a well thought-out and carefully developed compliance programme, but where does it stand if that programme fails to prevent wrongdoing?
The SFO needs to clarify where it stands when it comes to assessing a compliance programme that has fallen short of its goals. We needed to know if such a programme could ever be considered adequate and, if so, why. Unfortunately, we haven’t been given this detail.
If we consider the US Department of Justice’s updated guidance ‘Evaluation of Corporate Compliance Programmes’, it emphasises that a compliance programme will only be genuinely effective if compliance personnel are empowered in a company. Its message essentially boils down to the importance of a compliance programme being well designed, implemented effectively and in good faith, and working in practice.
A few months ago, the SFO’s General Counsel Sarah Lawson said that corporate compliance functions had to be well resourced and should not suffer as a result of cost-cutting. Part of this, I believe, is because compliance cannot be done on a ‘one-size-fits-all’ basis due to the variations in companies’ sizes and structures, the nature of their business and the risks they face. That’s why any guidance on such an important issue is always welcome.
It’s hard, however, to muster much enthusiasm for what the SFO has just produced.
Aziz Rahman is Senior Partner and Head of the Corporate Crime Group at Rahman Ravelli Solicitors