The Serious Fraud Office’s 2025 Guidance on Evaluating a Corporate Compliance Program is more than another regulatory document. It is a bright line in the sand. It says, with unmistakable clarity, that compliance must move beyond paper, policies, and PowerPoints. The era of check-the-box compliance is over. The SFO wants to know whether your program works, whether it is embedded, and whether it actually shapes employee behavior at the moment of risk.
For corporate compliance professionals, this should be welcome news. For years, I have advocated that compliance is effective only when it is operationalized, when it is woven into business processes, incentives, controls, communications, and culture. Indeed, it is the subtitle of my seminal work, The Compliance Handbook: A Guide to Operationalizing Your Compliance Program. The SFO has now said the quiet part out loud: if your program does not function in practice, it will not be credited, and it will not protect the organization in the moments that matter most.
The SFO Is Not Evaluating Paper. It Is Evaluating Performance.
The SFO identifies six scenarios in which it evaluates a company’s compliance program, including charging decisions, DPAs, monitorships, and statutory defenses under the Bribery Act and the ECCTA failure-to-prevent fraud offence. In each scenario, the question is the same: did the program work at the time of the misconduct, and does it work today?
The guidance explicitly flags that a company with an ineffective program at the time of the offence faces a public-interest factor in favor of prosecution. Conversely, proactive remediation and an already-effective program weigh against prosecution. This is a radical shift in emphasis. A policy framework will not suffice. A training slide deck will not suffice. A risk assessment performed once every three years will not suffice.
The SFO wants evidence of operational behavior:
- Were approvals actually checked, or were they just required?
- Were red flags escalated in practice, not just in policy?
- Were third-party risks managed through real due diligence, not just questionnaires?
- Did employees feel empowered to speak up?
- Did managers respond appropriately when they did?
The guidance says it plainly: “A key feature of any compliance program is that it needs to be effective and not simply a ‘paper exercise.’” That sentence should be printed above every compliance officer’s door.
Adequate vs. Reasonable vs. Effective: The SFO’s Focus Is on Reality
The legal standards differ across regimes: “adequate procedures” for the Bribery Act and “reasonable procedures” for ECCTA failure to prevent fraud, but the SFO’s approach is consistent across all of them. The prosecutor will examine whether the program operated as designed. A beautifully written policy that sits untouched in a shared drive does nothing for your defense. Under both frameworks, the principles are clear:
- Top-level commitment must be visible and sustained.
- Tone-from-the-top is no longer a slogan. Executives must demonstrate operational ownership through resources, messaging, and decisions.
- Risk assessments must be dynamic and documented.
- Periodic reviews are insufficient. Companies must revisit risks as business models, markets, and products evolve.
- Due diligence must be risk-based and enforced.
- The SFO will look for evidence of follow-through: actual reviews, remediation steps, and periodic refreshes, not just questionnaires.
- Training must reach the right people, at the right depth, at the right time.
- If frontline staff cannot articulate how policies apply to real situations, the program is not embedded.
- Monitoring and review must capture failures and lead to improvements.
- The SFO expects companies to learn from investigations, whistleblowing incidents, and near misses.
These principles have one common trait: they require action, not intention. Indeed, it is clear that “compliance” is a verb.
How the SFO Looks Behind the Curtain
The SFO’s FAQs section is an important reality check. The agency describes its evaluation process as holistic, evidence-based, and focused on operational activity (pages 10–12). It will use every investigative tool at its disposal.
This includes:
- voluntary disclosures
- compelled document production under section 2
- witness interviews
- suspect interviews
- direct questions to the organization
Why is this important? Because the SFO is not taking the company’s word for anything. Assertions are not evidence. The agency will “dig behind generalities and challenge high-level assertions” to determine whether policies translate into conduct. In other words, if the program only exists in policy language, the SFO will know and quickly.
DPAs and Monitorships: Operationalized Compliance Determines Outcomes
When considering whether a DPA is appropriate, the SFO again focuses on whether the program works in practice. A DPA is less likely if the program was ineffective at the time of the offence and has not substantially improved since. If the program failed but is now demonstrably effective, a DPA becomes more viable. If a monitorship is imposed, the SFO expects the monitor to advise on “necessary compliance improvements” that reduce future risk. This language reinforces a core message: compliance must be operational, measurable, and continuously improving.
For companies negotiating a DPA, this means a surge of paper policy updates is not persuasive. What prosecutors want to see is changed behavior, improved controls, and evidence that new measures are taking hold across the organization.
The Shift from Compliance as Documentation to Compliance as a Business System
The guidance mirrors a shift seen globally from the DOJ’s “three questions” to the French AFA’s operational guidance and places the United Kingdom in alignment with international enforcement trends.
Across regimes, regulators are converging on the same model:
- A well-designed program.
- Adequate resources and authority to operate.
- Proof that the program works in practice.
The SFO’s guidance aligns directly with this structure. For compliance officers, that means your influence must go beyond policy drafting. Compliance must embed itself into:
- procurement workflows
- HR processes
- incentives and compensation frameworks
- approval systems
- financial controls
- business-development oversight
- investigation protocols
- continuous monitoring and data analytics
- leadership behavior
- cultural reinforcement mechanisms
This is what it means to operationalize compliance. A check-the-box program may look good in a binder. But it will not protect the company from enforcement, reputational harm, or sentencing penalties. A program that works in practice. This means real controls, real accountability, real culture, and a real will to do so.
The Message for Compliance Leaders
The SFO is telling companies something essential: The risk is not that you have a compliance failure. The risk is that your compliance program cannot prevent one. Your company can withstand a failure. It cannot withstand a failure in a system that does not exist.
The guidance signals a new enforcement reality: companies that invest in operationalized compliance, which is truly embedded into how people work, will be treated differently, prosecuted differently, and negotiated with differently. For compliance leaders, the priority is clear. This is the moment to shift your program from aspirational to operational. Because when regulators ask whether your program works, the only answer that matters now is evidence.
