Compliance is a loaded issue for companies. Get it right and problems can be prevented. Get it wrong and allegations of business crime can be accompanied by investigation, prosecution and the financial and reputational damage that a conviction can bring.
The business world should, therefore, be pleased to see the Serious Fraud Office (SFO) publishing its guidance relating to how it assesses the effectiveness of compliance programmes at the companies it investigates. The SFO’s eight-page document “Evaluating Compliance Programmes” arrived with very little fanfare late last week. It outlines the stages at which the SFO will examine a company’s compliance: at the time of the alleged offending, when a decision is being made on whether to charge the company and, in some cases, in the future when introducing and maintaining an effective compliance programme as a condition of avoiding prosecution.
The new guidance pays close attention to the six principles detailed in the Bribery Act guidance published in 2011 by the Ministry of Justice. So it goes on in some detail about the importance of proportionate procedures, top-level commitment, risk assessment, due diligence, communication and training, and monitoring and review.
This is all laudable. But it is hard not to see this as an opportunity missed. That is because this guidance isn’t really grasping the nettle and telling companies in cold, hard terms exactly what they should be doing. There is very little in what the SFO has just put out that can be classed as solid advice that companies can apply to their workplaces. Yes, there’s plenty of reference to principles – principles that have been available to examine for almost a decade – and a mildly interesting outline of how the SFO goes about its business. But there is little that is new or noteworthy.
We have known for years that the defence of adequate procedures is available. What the business world needs to know is just how the SFO weighs up precisely what it will consider adequate. And then there’s the issue of theory and practice: a company may have a well thought-out, carefully-developed compliance programme but where does it stand if that programme fails to prevent wrongdoing? The SFO needs to come out and clarify where it stands when it comes to assessing a compliance programme that has fallen short of its goals. We needed to know if such a programme could ever be considered adequate and, if so, why. Unfortunately, we haven’t been given this.
A few months ago, the SFO’s General Counsel Sarah Lawson said that corporate compliance functions had to be well resourced and should not suffer as a result of cost cutting. Part of this, I believe, is because compliance cannot be done on a one-size-fits-all basis, due to the variations in companies’ size and structure, the nature of their business and the risks they face. That is why any guidance on such an important issue is always welcome. It is hard, however, to muster much enthusiasm for what the SFO has just produced.
If we take the US Department of Justice’s (DOJ’s) updated guidance “Evaluation of Corporate Compliance Programs”, it emphasises that a compliance programme will only be genuinely effective if compliance personnel are empowered in a company. Its message essentially boils down to the importance of a compliance programme being well designed, it being implemented effectively and in good faith and it working in practice. It is hard to see anyone using those words about what the SFO has just published.
This piece originally featured on the FCPA Blog.