Love  it or loathe it, the Bribery Act has put anti-corruption compliance on the boardroom agenda like nothing has done before.

More than just 'box ticking'

When the Bribery Act was introduced into the UK in 2011, the most significant change to the pre-existing law was the establishment of the corporate offence of failing to prevent bribery - an organisation is liable to prosecution if an associated person (who performs services for or on behalf of the company) bribes another, intending to obtain or retain business or an advantage in the conduct of business for that organisation. Significantly, where organisations can prove that they have 'adequate procedures' in place designed to prevent such unlawful conduct, a full defence is available. But five years on, the question remains – how can a company ensure its ‘adequate procedures' are adequate? What has become clear is that this is far more than just a 'box ticking' exercise.

No one can doubt that the Act (and, in particular, the threat of the corporate offence) has had a huge impact on how bribery and corruption compliance is now viewed by most companies that carry on any of their business in the UK. Indeed, it is now common practice for companies to assess their high risk areas and develop a myriad of procedures and processes to mitigate their risks as far as possible, and ensure 'adequate procedures' are in place.

Reaching far and wide

Compliance with the Bribery Act has not only impacted those companies that operate in the UK. The jurisdictional reach is extremely wide. But even businesses which are strictly beyond that reach can no longer easily work with those that are within it. Due to the sometimes extensive due diligence carried out on third parties by UK companies, it has significantly affected how overseas companies now view their own bribery risk profile. There has been a particular focus on third party companies that act as agents or introducers for business or are foreign public officials, where the risk of bribery and corruption is arguably at its greatest. The impact of the corporate offence of the failure to prevent bribery (and the potential defence of adequate procedures) is viewed as very significant in achieving better compliance practices.

Limited judicial interpretation so far

But how has the defence of 'adequate procedures' been tested so far, and what does it mean to say procedures are 'adequate'? Given that the Ministry of Justice's guidance is just that (guidance), the law can only be developed by way of case law or legislative intervention. The recent case of Sweett Group plc ("Sweett"), which involved the first company to be sentenced and convicted for the corporate offence in February 2016, did not take the analysis of adequate procedures any further, since Sweett pleaded guilty and did not try to avail itself of the defence. Fortunately, the long awaited first Deferred Prosecution Agreement, with Standard Bank plc at the end of 2015, provided judicial consideration (albeit limited) of the meaning of adequate procedures. Lord Justice Leveson found that there was no allegation of knowing participation in an offence of bribery by Standard Bank or its employees; the offence was limited to an allegation of inadequate systems to prevent associated persons from committing an offence of bribery. The applicable policy was found to be unclear and was not reinforced effectively to the Standard Bank deal team. In addition, the training for Standard Bank did not provide sufficient guidance where a different Standard Bank entity engaged an introducer or consultant.

It's all about the culture

The DPA judgments highlight the importance of not just having anti bribery policies and procedures in place, but ensuring that employees understand those policies and procedures and what those policies are trying to achieve. The DPA also highlights the importance of understanding the various risks in different business transactions - a 'one size fits all' approach is not appropriate when it comes to tailoring 'adequate procedures'. As the SFO's Ben Morgan commented in December 2015:

"…Where the risks and red flags are prevalent, it seems to me no amount of just sticking to a policy is going to be adequate, in the final reckoning. What is really needed is a culture in which people are able to spot what is in front of them, and react to it…"

The Standard Bank DPA (and the commentary by the SFO) has gone some way to re-emphasise that identifying the relevant risks and putting in place 'adequate procedures' is not just a 'box ticking' exercise; there needs to be a clear understanding within every organisation as to the purpose of what such policies and procedures are intended to achieve. The law is yet to be stress-tested. In the meantime, it is important to remember that the purpose of establishing 'adequate procedures’ should not merely be to enable defence arguments to be run. Adequate anti-bribery procedures are an essential part of the overarching ethics policy of every company. If the right corporate culture exists, and if there is a genuine desire to stamp out poor behaviour, then it is more likely that the  procedures will be 'adequate'. Without such a culture, no written policy document or ethics statement will suffice.