What Does the SFO Handbook Update on Evaluating Compliance Programs Tell Us About Designing an Effective Compliance Program?

The UK’s Serious Fraud Office (“SFO”) updated its Operational Handbook to include a chapter on Evaluation of Compliance Programs on January 17, 2020 (“the SFO Guidance”). Many analysts have reviewed the 8-page document and concluded that while it sheds some perspective on how prosecutors would evaluate a compliance program, the document does not provide a comprehensive overview and leaves significant uncertainty for businesses wanting more specific areas of focus. Even if that is the case it is important to consider what was covered in the SFO Guidance to ensure that your efforts to develop and monitor compliance efforts are consistent with the regulatory view.


The overarching principle under the SFO Guidance is “transparency,” and the document should not be construed as legal advice. It is clear from the outset that the document is designed to draw out the main areas of consideration and how they tie in with an investigation, rather than to give a more detailed overview such as the DOJ’s Guidance on Evaluation of Compliance Programs. The SFO Guidance outlines the four main questions in terms of why a compliance program would be evaluated during an investigation as:

  1. Is it in the public interest?
  2. Should a Deferred Prosecution Agreement (“DPA”) be considered (and its parameters)?
  3. Does the organization have an “adequate defense”?
  4. Do the presence and efficacy of the compliance program have an effect on the sentencing?

After presenting the four main questions as the framework for analysis, the SFO then defines a compliance program as an “organization’s internal systems and procedures” which help an organization ensure it is complying with the anti-bribery law and its own policies, procedures and controls. The SFO then acknowledges the increased focus among organizations on compliance and recognizes that the complexity and scope of compliance programs vary with the size of the entity and its line of business.

The fundamental consideration for a compliance program is to ensure that it is “proportionate, risk-based and regularly reviewed,” so that it is effective rather than a “paper exercise.” The three elements “proportionate,” “risk-based” and “regularly reviewed” are not defined in detail but as discussed below are generally explored in the guiding principles referred to by the SFO Guidance.

Arguably, in terms of framework, the most valuable aspect of the SFO Guidance is that it clarifies the perspective with which prosecutors should assess a compliance program. The SFO Guidance makes the evaluation of the compliance program one of the starting points in an investigation and encourages prosecutors to use the different tools available to them, such as interviews (voluntary, witness, suspect under PACE) and requests for documents (voluntary and compelled). Organizations should be prepared to share with the SFO documentation showing the different elements of the compliance program at different points of implementation.

The evaluation depends on what decision the prosecutor is seeking to make. As stated in the SFO Guidance:

“It is necessary to consider the past, the present and, in some cases, even the future. This is because the state of the compliance programme at the time of offending is relevant for some decisions; its current state is relevant for other decisions; and, if a DPA is under consideration, how it could change going forward can also be relevant.”

The SFO Guidance provides three examples to illustrate this matrix of considerations. These are represented in the table below with respect to the state of the compliance program:

Timing: At time of offense
  Decision to Prosecute: A decision to charge must be based on the Guidance on Corporate Prosecutions, which considers it a positive factor in favor of prosecution if the offense was committed at a time when the organization had “ineffective corporate compliance” (public interest factor), and on the Code for Crown Prosecutors.
  Considering Defenses and Deferred Prosecution Agreement: The prosecution should factor in the likelihood that an organization would satisfy the Court that it had “adequate procedures” in place to prevent the misconduct (“adequate procedures” defense).
  Sentencing: Even if the organization did not have sufficient measures in place (cannot satisfy the “adequate procedures” defense), understanding those measures can affect sentencing if it demonstrates “lesser culpability.”

Timing: Current
  Decision to Prosecute: A public interest factor in not proceeding with charging is whether the organization has enhanced its compliance program, and whether there is “a genuinely proactive and effective” compliance program.
  Considering Defenses and Deferred Prosecution Agreement: A prosecutor needs to assess suitability for a DPA, and an important consideration for entering into a DPA is whether the organization “already has a genuinely proactive and effective” compliance program, because it shows the degree of reform and rehabilitation.
  Sentencing: A prosecutor should consider how a Court will view the current state of the compliance program when deciding on sentencing (including whether the level of fine impacts the ability to implement an effective program).

Timing: Moving forward
  Considering Defenses and Deferred Prosecution Agreement: A prosecutor should consider when a DPA would be appropriate even if a company does not have “a fully effective” compliance program. The prosecutor should be ready to justify to the Court the elements of the DPA (such as implementation of a compliance program or changes in existing policies and training), determine whether the recommendations would be an effective means by which they can be satisfied, and consider the assignment of a monitor at the organization’s expense.

What is clear from the above examples is that no matter the stage at which an offense was committed or the current state of the compliance program, persistent and good faith effort to put effective measures in place is extremely valuable. Because a timeline of activity is to be considered, it is important to improve the systems that use risk profiles to ensure resources are used effectively, and to keep those systems consistently updated and revised. Additionally, this is an ongoing exercise that requires the use of technology as well as human engagement.

After establishing a relevance framework, the SFO then draws heavily from the UK Ministry of Justice’s Bribery Act – Guidance (“MoJ’s Guidance”) for how a prosecutor would investigate the efficacy of a compliance program.

Guiding Principles for Assessment of a Corporate Compliance Program

The SFO considers the six guiding principles for the “adequate procedures” defense detailed in the MoJ’s Guidance as instructive in assessing a compliance program. As a result, the SFO Guidance consists primarily of direct content from the MoJ’s Guidance with regard to each principle:

  1. Proportionate Procedures:

According to the MoJ’s Guidance, a compliance program must include procedures designed proportionate to the complexity and type of risk to which the organization is subject. “Procedures” include both anti-bribery related policies and implementation measures for those policies. One action which is specifically stated in the SFO Guidance as a first step for determining proportionality is performance of a risk assessment (MoJ’s Guidance Principle 1.2).

Since being proportionate is an important principle, any compliance program, including the tools used, must allow for a degree of customization.

  2. Top Level Commitment:

A clear tone must be set by the highest decision-making levels in the organization. In the case of multi-nationals, the tone is expected to be set by the Board and then carried through various levels of management. The involvement of the Board needs to extend to decision-making, risk assessment assurance and training of senior management on anti-bribery and anti-corruption matters.

  3. Risk Assessment:

Periodic, informed and documented are the key words in performing risk assessments. Based on what is outlined in the MoJ’s Guidance, the SFO reiterates that there are external and internal risks which need to be mitigated through regular reconsideration. The external risks include those articulated in Principle 3.5 of the MoJ’s Guidance: country, sectoral, transactional, business opportunity and business partnership.

High internal risks as referenced from MoJ’s Guidance Principle 3.6 include: deficiencies in training of employees and others conducting business for the organization, compensation structure or culture that promotes risk-taking, lack of clarity regarding hospitality and promotions, lack of clear controls and lack of clear messages from the top.

Conducting a risk assessment is therefore not a mere exercise in defining risk factors. It is a process, and it requires the use of different tools to stay constantly on top of the internal and external risks to which an organization is subject.

  4. Due Diligence:

Due diligence must be conducted with respect to those engaged to carry out work on behalf of the organization. Due diligence must be proportionate to the level of risk, depending on the nature of the relationship. The guidance mentions some areas in which conducting due diligence is important: business entities such as intermediaries and vendors, employees, and M&A.

For employees, the guidance references the concept that human resource processes must include due diligence to “mitigate” bribery risks as proportionate with the type of position. In the context of intermediaries, an organization must perform due diligence commensurate with taking “considerable care” in entering business relationships, while for M&A based transactions “robust” due diligence is needed.

These different levels of consideration for due diligence all point to a constant flow of information that must be monitored and reviewed. For example, merely using AI tools that function on pre-set criteria is not sufficient. The program must have active human oversight.

  5. Communication (Training):

According to the SFO Guidance, bribery prevention policies must be made clear through the internal and external communications of the organization. The main areas of internal communication specified in the SFO Guidance relate to training of employees and employee procedures such as whistleblowing, training of third parties, training of management, and training of those engaged in providing “speak up” support such as a hotline service or ethics officers.

Internal communications include training, and a compliance program should have effective and regularly evaluated training, particularly for individuals in the following categories: 1) those performing high-risk functions such as positions related to purchasing, contracting, distribution and marketing, 2) individuals working in high-risk locations, or 3) those involved in whistleblowing procedures.

Training of third parties on anti-bribery related processes and procedures is also expected, including potentially asking the third party to conduct training or to show proof that it has mechanisms in place to communicate bribery prevention.

Internal communications must also disseminate information about specific policies, the penalties for breaches, and what management responsibilities are at various levels. Secure and accessible processes set up for individuals to seek guidance on how to handle situations are also an important consideration.

  6. Monitoring and Review:

Regular and ongoing monitoring and review of the effectiveness of compliance processes is an important consideration. While the SFO Guidance does not specify how often these should be conducted, it reiterates the use of different detection mechanisms such as investigations, internal controls, and staff surveys. Internal management reports monitoring anti-bribery compliance are also important, together with the use of external resources that can test the effectiveness of the measures put in place.

Since the SFO Guidance includes extracts from the MoJ’s Guidance without additional information on how they can be demonstrated, it has not necessarily answered questions about the specific items that should be included. Another way to look at this, however, is that it allows for flexibility, since a compliance program needs to be tailored to the organization’s risk and resources.

The areas of focus should be systems and mechanisms which allow for comprehensive risk assessment, ongoing evaluation of the risk profile, and due diligence, both internal and external. Investment in training and communication tools, and close monitoring, including potential audits or reviews by external parties, are also important.


While the SFO Guidance does not reveal many new considerations, it does highlight the importance of having a compliance program that an organization can show is effective, even if it is a work in progress. As long as an organization continues to promote a culture of zero tolerance for bribery and corruption by periodically reviewing its compliance measures against its risk profile, and documents such efforts, it will be able to weather a potential investigation better than one which has a compliance program but has not improved it to adapt to changes in its business. Using robust due diligence tools that combine automated and human detection and monitoring, together with internal efforts to set the right tone at the top and provide training, can safeguard the organization.