Bribery, corruption and the modern compliance challenge

The UK Bribery Act 2010 is now fifteen years old. It has been in force long enough for organisations to have built their anti-bribery programmes, trained their staff, and satisfied themselves that they are compliant.

And yet, when you examine those programmes closely, a consistent pattern emerges. Many organisations know they need adequate procedures. Very few have a clear understanding of whether what they have built would actually satisfy that standard if it were tested.

The distinction matters more now than ever. With the failure-to-prevent model now extending to fraud under the Economic Crime and Corporate Transparency Act 2023, the benchmark for what adequate procedures mean is about to be set by the courts for the first time in years.

What the law requires

Under the Bribery Act, a commercial organisation has a defence against the corporate offence of failing to prevent bribery if it can show it had adequate procedures in place designed to prevent bribery by associated persons. The burden of proof sits with the organisation.

The Ministry of Justice guidance sets out six principles: proportionate procedures, top-level commitment, risk assessment, due diligence, communication and training, and monitoring and review. Those principles have since become the blueprint not just for anti-bribery compliance, but for the broader failure-to-prevent framework, extended to tax evasion facilitation and now fraud.

The word adequate is deliberately chosen and deliberately open. It does not mean perfect. It means proportionate to the risks the organisation actually faces, properly implemented, and genuinely embedded in the organisation's operations. A small domestic business with limited third-party exposure will need something materially different from what a multinational operating in high-risk markets needs.

Where programmes commonly fall short

In my experience, anti-bribery programmes most commonly fall short in three areas.

The first is that the risk assessment is superficial. Many organisations complete this as a desk exercise, identifying theoretical risk categories without genuinely engaging with the specific characteristics of their business, the markets they operate in, the third parties they use, and the nature of their customer relationships. A risk assessment that could belong to any organisation in the industry is unlikely to be adequate for any specific one.

The second is that the programme exists on paper but not in practice. Policies are in place, training has been completed, and a gift and hospitality register exists. But the policy is not well understood by the people who need to apply it, the training does not address real scenarios, and the register is used inconsistently. When the programme is tested, the gap between what the documentation says and what actually happens becomes visible.

The third is that third-party risk is managed inadequately. The Bribery Act's concept of an associated person is broad: it extends to employees, agents, subsidiaries, consultants, and anyone else who performs services for or on behalf of the organisation. The most significant bribery risks for many businesses arise in their supply chains and third-party relationships, particularly in international markets.

The Skansen Interiors case remains the only contested prosecution under Section 7 of the Bribery Act. A small business with fewer than 30 staff was convicted because it lacked corruption training, a compliance officer, a bribery-specific risk assessment, and controls. The message was clear: organisations of all sizes need targeted, proportionate controls, not just good intentions.

The expanding framework

The adequate procedures defence is no longer just a Bribery Act concept. The Criminal Finances Act 2017 introduced an equivalent reasonable procedures defence for the corporate offences of failing to prevent the facilitation of tax evasion. The Economic Crime and Corporate Transparency Act 2023 introduced a similar defence for the new failure-to-prevent-fraud offence, which came into force in September 2025.

The underlying principles are consistent across all three regimes. An organisation that has genuinely embedded those principles in its anti-bribery programme is well placed to extend its framework to cover facilitation of tax evasion and fraud prevention without starting from scratch. The architecture is the same. The specific controls and risk assessments need to be tailored to each offence type.

What adequate actually looks like in practice

Top-level commitment is not a statement from the CEO in the policy document. It is the willingness of the board and executive team to support difficult decisions: refusing a contract because the due diligence on an agent raises concerns, and walking away from a market because the corruption risk cannot be adequately managed.

Risk assessment is not a one-time exercise. It needs to be reviewed when the business changes, enters a new market, launches a new product, or acquires a business. Countries move up and down the corruption risk spectrum. The risk assessment needs to keep pace.

Due diligence on third parties needs to be genuinely proportionate to risk. For high-value agents operating in high-risk markets, due diligence needs to go much further than a basic check, covering the nature of the relationship, the services being provided, whether the remuneration is reasonable, and whether any red flags warrant further investigation.

Communication and training need to address real scenarios, not just legal definitions. Employees need to understand what bribery looks like in their specific role, what to do if they are offered something inappropriate, and how to raise concerns without fear of reprisal.

Monitoring and review need to be genuine. The test is whether the organisation is actually using its mechanisms to identify problems and address them, not just to demonstrate that they exist.

A final thought

The adequate procedures defence exists because the law recognises that organisations cannot guarantee that no bribery will ever occur within their operations. What they can do, and what the law requires, is take genuine, proportionate steps to prevent it.

The organisations that are best placed when things go wrong are the ones that treated that obligation seriously before they needed to rely on it. They built programmes that reflected their actual risks, embedded them genuinely in their operations, and maintained them over time.

As the failure-to-prevent model expands into fraud and potentially further, the investment in getting this right becomes more valuable, not less.