The Serious Fraud Office’s (SFO) updated Guidance on Evaluating a Corporate Compliance Programme, released in November 2025, fundamentally changes the landscape for organisations subject to UK regulatory scrutiny. Rather than offering tactical updates, the new Guidance demands a holistic, evidence-based approach to corporate compliance, and it feeds directly into charging decisions, settlement negotiations, and sentencing outcomes.
This is not a matter of updating a policy or running extra training. It calls for a fully integrated, operationally robust compliance programme, with proof that it works across the business.
What Drives the SFO Guidance Update?
The SFO’s Guidance now aligns compliance programme evaluation with six key enforcement touchpoints: whether to prosecute, whether to offer a Deferred Prosecution Agreement (DPA), the terms of a DPA, whether to require a monitorship, the “adequate procedures” and “reasonable procedures” defences to the “failure to prevent” offences for bribery and fraud, and sentencing. The introduction of the “failure to prevent fraud” offence under the Economic Crime and Corporate Transparency Act 2023 (ECCTA) expands the scope, making fraud as central as bribery in compliance evaluations. Critically, the SFO states that effective compliance is not just a defence; it can also influence the decision not to charge an organisation, or significantly affect how an investigation is resolved.
From Defence to Operational Advantage
A crucial but often missed point: an effective compliance programme is not only relevant in court or in response to SFO allegations. It plays a decisive role from the outset. The quality and substance of an organisation’s compliance controls can persuade the SFO not to pursue charges, or to offer more favourable resolution terms such as a DPA or a reduced penalty. Conversely, clear compliance failures, particularly those evident at the time of the offence, tilt decisions toward prosecution.
The SFO evaluates effectiveness holistically. The mere existence of procedures and policies isn’t enough; they must work in real-world conditions. Notably, isolated compliance failures do not automatically indicate ineffectiveness, provided ongoing controls, oversight, and remediation are clear and demonstrable.
Self-Reporting and Expanded Investigations
The Guidance warns organisations not to rely on self-reporting as a safe harbour. Voluntary disclosure of an incident can prompt the SFO to revisit the entire history of a company’s compliance programme, using its full range of investigative powers. This means not just reviewing the specific event reported but assessing how compliance procedures have operated over time, including legacy weaknesses, cultural norms, and how previous issues were managed.
To withstand scrutiny, organisations must be prepared to provide documented evidence of implementation, impact, and improvement, moving beyond assertions toward measurable operational results. Systems that track training attendance, policy deployments, whistleblowing reports, investigations, and remediation outcomes become critical assets.
No Set Answers: Case-by-Case Analysis
A notable feature of the SFO Guidance on Evaluating a Corporate Compliance Programme is its explicit refusal to offer “pre-ordained answers.” The SFO will always assess compliance effectiveness case-by-case, so organisations cannot rely on any fixed menu of required controls or policies for protection. Instead, each programme is judged not only on its design and documentation but also on how it has performed in practice, proportionate to the company’s risk profile, size, sector, and operations.
Neither the existence of policies nor an isolated failure is determinative. What matters is the ongoing, dynamic assessment and adaptation of controls in line with risk, with top-level management fostering an authentic culture of compliance rather than offering verbal endorsements.
Key Principles and Practical Expectations
The Guidance centres compliance on six interdependent principles:
- Top-level management commitment to ethical conduct and prevention
- Documented, dynamic risk assessments for bribery and fraud
- Proportionate, context-specific procedures tied to risk exposure
- Risk-based due diligence for intermediaries and third parties
- End-to-end communication and training that embeds a compliance culture
- Monitoring and periodic review, incorporating lessons from investigations and sector trends
These are not boxes to tick; they must drive measurable conduct, decision-making, and continuous programme evolution. Technology and monitoring tools now play an essential role, enabling companies to surface anomalies, automate evidence collection, and demonstrate operational effectiveness to regulators.
Why This Isn’t Just a Tactical Update
Compliance cannot be compartmentalised or refreshed with tweaks to a policy or a disclosure form. Instead, organisations need a fully integrated, data-driven approach that connects risk assessments, third-party oversight, training, disclosure management, investigations, and cultural leadership in a single system.
Corporate teams should:
- Anchor compliance programmes in international best practice (e.g., the US DOJ’s Evaluation of Corporate Compliance Programs and France’s AFA guidance), mapping those frameworks to UK-specific risks.
- Ensure that evidence of effectiveness (training records, investigations, audit trails) is contemporaneous and structured, not reconstructed after the fact.
- Build governance that empowers the compliance function to act proactively, backed by documented board-level oversight.
The Lifecycle View: Building a Resilient Compliance Programme
The SFO Guidance expects compliance programmes to be responsive and to evolve alongside business operations. Leaders should take a lifecycle view:
- Develop and update risk assessments dynamically, so that they directly inform controls, training, and resource allocation.
- Engage management in fostering a compliance-first culture, including targeted communications, ongoing training, and visible ethics leadership.
- Apply proportionate due diligence and monitoring to intermediaries and higher-risk transactions, evidencing real-world outcomes.
- Systematically track investigations, learn from whistleblowing reports, and amend procedures in response to lessons learned.
This approach supports resilience, enabling organisations to anticipate and meet regulatory expectations rather than merely react to them. Centralised compliance technology platforms provide the visibility and auditability regulators now require.
Conclusion
The SFO Guidance on Evaluating a Corporate Compliance Programme is a clear call to shift from paper compliance and tick-box exercises to a strategic, evidence-based compliance culture. Organisations must prepare for expanded scrutiny and case-by-case evaluation, in which operational effectiveness, continuous improvement, and integrated systems are both the best line of defence and the opening for constructive engagement with regulators. Prepare now, invest in robust, holistic systems, and treat every stage of the compliance lifecycle as critical to both risk management and business advantage.
Unsure of where to go from here, or how your program stacks up? Speak to one of our experts today.