HSE University Anti-Corruption Portal
SFO Issues Guidance on Assessing Corporate Compliance Programmes

This guidance is a part of the SFO’s Operational Handbook, published for internal use only by its prosecutors. The disclaimer of the Handbook notes that “it is published solely in the interests of transparency” and “should not therefore be relied on as the basis for any legal advice or decision”.

However, the Handbook can be used by organisations as a reference point when assessing the adequacy of the anti-corruption measures they take. It is also helpful in understanding which flaws of corporate compliance programmes the SFO detects in the first place and what should be done in order to address the existing shortcomings.

The preamble of the Handbook states that it can be used by prosecutors to inform decisions on a case, including:

  • Is a prosecution in the public interest?
  • Should the organisation be invited into deferred prosecution agreement (DPA) negotiations and, if so, what conditions should the DPA include?
  • Does the organisation have a defence of “adequate procedures” against a charge under section 7 of the UK Bribery Act (“failure of a commercial organisation to prevent bribery”)?
  • Might the existence and nature of the compliance programme be a relevant factor for sentencing considerations?

The paper further defines a “compliance programme” as “an organisation’s internal systems and procedures for helping to ensure that the organisation - and those working there - comply with legal requirements and internal policies and procedures”. Moreover, these systems and procedures should be effective and not simply a “paper exercise”.

It is highlighted that a compliance programme should vary in scope, depending on the size of the organisation and the nature of the business. In addition, it should be risk-based and regularly reviewed.

The main part of the Handbook is divided into three key sections:

  1. The state of an organisation’s compliance programme for different time periods relevant to the SFO’s decisions;
  2. The impact of the assessment of a compliance programme on the SFO’s investigation;
  3. The principles for assessing an organisation’s compliance programme.

The Handbook outlines the following time periods of the development of an organisation’s compliance programme where it can be assessed:

  • The state of the compliance programme at the time of offending (this may influence the decision to prosecute the organisation, to exempt it from liability if it had put in place all possible measures to prevent the commission of an offence or to eventually reduce charges);
  • The current state of the compliance programme (if at the time of wrongdoing the organisation had a poor compliance programme, but subsequently strengthened it, this may affect the charging decision, the assessment of its suitability for a DPA, and the level of fine);
  • How the compliance programme could change going forward (a DPA, imposing further improvements of the compliance programme, may be concluded with the organisation).

As for investigating a compliance programme, the SFO stresses that prosecutors should begin to explore compliance issues early in the investigation. In this context, the information necessary to undertake the assessment may be obtained from a “variety of sources” that can also provide “direct or circumstantial evidence of criminality”. In particular, the SFO may use: 1) voluntary disclosures and interviews; 2) compelled disclosure of documents and information; and 3) witness interviews and, in some cases, suspect interviews.

It is further emphasized that an organisation should have a “variety of written records” of its compliance programme. Therefore, organisations should bear in mind that as early as at the beginning of the investigation the SFO may ask them to provide different documents for assessing their compliance programmes, such as anti-corruption policies and procedures, registers of gifts and hospitality, reports and guides on personnel training, materials on risk assessment, etc.

Finally, in the last part of the Handbook there are “six principles” to guide an organisation in developing and enforcing its compliance programme, which the SFO takes into consideration when assessing it. In fact, they summarize the provisions of the Guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing, issued by the UK Ministry of Justice in 2011. The “six principles” include:

  1. Proportionate procedures: the system of anti-corruption policies and procedures should be proportionate to the bribery risks which an organisation faces and to the nature, scale and complexity of its activities. It should also be clear, accessible, effectively implemented and enforced;
  2. Top level commitment: the top level management should demonstrate their personal zero tolerance for bribery and promote the adoption and effective implementation of anti-corruption policies and procedures;
  3. Risk assessment: an organisation should periodically assess the nature and extent of its exposure to potential external and internal risks of bribery;
  4. Due diligence (the assessment of third parties): an organisation should take a proportionate and risk based approach in respect of persons who perform or will perform services for or on behalf of the organisation;
  5. Communication (including training): an organisation’s policies and procedures should be understood throughout the organisation, including through training; there may be specially tailored training for those in high-risk functions/areas; there may also potentially be communication channels for and training of third parties;
  6. Monitoring and review.

In spite of the fact that the amount of the SFO’s guidance material regarding corporate responsibility has grown since Lisa Osofsky assumed the position of Director of the Office in 2018, critics point out that the prosecution and assessment of corporate compliance programmes lack necessary transparency, including the lack of detail in the abovementioned Handbook.

Conversely, a document with a similar title (Evaluation of Corporate Compliance Programs), adopted by the United States, gives organizations a better understanding of how prosecutors assess the “adequacy” of compliance programmes in practice. This document consists of three sections, each of which contains key aspects for undertaking assessment:

I. Is the corporation’s compliance programme well designed?

  1. Risk assessment
  2. Policies and procedures
  3. Training and Communications
  4. Confidential reporting structure and investigation process
  5. Third party management
  6. Mergers and acquisitions (M&A)

II. Is the programme empowered to function effectively?

  1. Commitment by senior and middle management
  2. Autonomy and resources
  3. Incentives and disciplinary measures

III. Does the compliance programme work in practice?

  1. Continuous improvement, periodic testing, and review
  2. Investigation of misconduct
  3. Analysis and remediation of any underlying misconduct

Each of these aspects in the document is accompanied by additional explanations. There is also a “check-list” of specific metrics under analysis and questions that the prosecutors of the US Department of Justice ask when examining them.

For example, under the “risk assessment” aspect, prosecutors take into consideration:

  1. Risk management process,
  2. Risk-tailored resource allocation, and
  3. Updates and revisions.

In order to assess, for instance, the “risk management process” prosecutors ask the following questions:

  • What methodology has the company used to identify, analyze, and address the particular risks it faces?
  • What information or metrics has the company collected and used to help detect the type of misconduct in question?
  • How have the information or metrics informed the company’s compliance program?
