Recent updates to anticorruption legislation show that regulators are widening the scope of corporate liability for fraud, bribery and corruption.
It is no longer sufficient for compliance programs to exist only on paper. Organisations must demonstrate that their anti-bribery, anti-corruption (ABC) and anti-fraud programs are effective in practice.
This article explores the UK and global compliance expectations and provides a practical seven-step framework for testing the effectiveness of your organisation’s defenses.
Regulators expect substance over form
Recent developments in anticorruption legislation have expanded the scope of corporate liability, placing the onus on organisations to demonstrate the operational effectiveness of their defenses.
This is reflected in the UK's introduction of the "failure to prevent fraud" offence, which came into effect in September 2025 under the Economic Crime and Corporate Transparency Act 2023. Under this legislation, large organisations can be held criminally liable for fraud committed by employees, agents, subsidiaries or other associates acting with the intent to benefit the organisation. The primary defense available is the organisation’s ability to prove that “reasonable procedures” were in place to prevent fraud. The accompanying guidance to this legislation outlines a fraud prevention framework underpinned by six principles that organisations should adopt in their compliance frameworks, namely:
- Top-level commitment
- Risk assessment
- Proportionate risk-based prevention procedures
- Due diligence
- Communication (including training)
- Monitoring and review
Similarly, the January 2025 updates to the UK Bribery Act 2010 guidance reinforce this standard. While focused on bribery, the act created the corporate offence of “failure to prevent bribery”. Organisations that wish to demonstrate that they have taken steps to prevent their employees or agents from committing bribery are required to have adequate procedures in place.
This UK stance is not an outlier. It reflects a global consensus on the hallmarks of an effective compliance program.
The ISO 31000 international standard for risk management mandates a structured and comprehensive approach to risk processes, ensuring consistent and comparable outcomes.
The United States' Foreign Corrupt Practices Act Resource Guide outlines the “Hallmarks of Effective Compliance Programs” and mirrors the UK’s approach by emphasising that risk-based due diligence on third-party engagements and continuous improvement are key to an effective compliance program.
This alignment among regulators offers a strategic advantage to organisations. By adopting risk management strategies aligned with regulatory principles, organisations can systematically manage fraud and corruption risks while demonstrating their commitment to compliance.
Your Seven-Step Playbook for ABC & Anti-Fraud Assessments
To effectively manage compliance, organisations must understand their risks along the value chain and adopt a structured, defensible approach. The following seven steps provide a practical framework for assessing and strengthening ABC and anti-fraud programs.
1. What is the appropriate scope?
Organisations must thoroughly understand their ABC programs before conducting risk evaluations. Determining the full scope involves identifying which risks are currently addressed by the risk management process. It requires pinpointing where these risks are located, whether in specific business units or geographic regions, and clarifying who holds accountability for managing them. Establishing a clear scope enhances transparency, sharpens focus, and signals to regulators that the organisation takes the principle of “tone at the top” seriously.
2. Which processes within your value chain present heightened risks of corruption?
This involves mapping risk hotspots including government touchpoints, evaluating third-party influence and identifying areas where discretionary approvals could be exploited for personal gain.
3. Are stakeholders equipped to effectively implement risk control policies and procedures?
Effective risk management extends beyond written policies and requires gathering insights from various sources, including stakeholder feedback and direct observation of how controls function in practice. Conducting interviews can uncover tacit knowledge that may not be documented, while walk-throughs help verify whether controls are operating as intended.
4. Are your controls designed to proactively detect red flags?
A proactive approach to fraud detection involves the use of forensic data analytics and technology-assisted reviews to analyse large datasets and identify patterns or anomalies. While human error is inevitable, especially in payroll and accounting processes, controls must be capable of detecting unusual transaction narratives when they occur.
Detecting covert activities such as round-sum payments, split invoices, weekend approvals or duplicate vendors is essential to uncovering misconduct.
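The four red flags named above can be scripted as simple analytics over a payments ledger. The following is an added example written for this article, not Control Risks' own tooling; the ledger rows, the vendor names and the single-approver threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample ledger (not real data): (payment_id, vendor, bank_account, amount, approved_on)
PAYMENTS = [
    ("P1", "Acme Consulting Ltd", "GB11-0001", 9500.00, date(2025, 3, 3)),       # Monday
    ("P2", "Acme Consulting Ltd", "GB11-0001", 9800.00, date(2025, 3, 3)),       # same day, same account
    ("P3", "ACME Consulting Limited", "GB11-0001", 20000.00, date(2025, 3, 8)),  # Saturday, round sum
    ("P4", "Northwind Supplies", "GB22-0002", 1234.56, date(2025, 3, 9)),        # Sunday
    ("P5", "Northwind Supplies", "GB22-0002", 5000.00, date(2025, 3, 12)),       # Wednesday, round sum
]
APPROVAL_THRESHOLD = 10000.00  # hypothetical single-approver limit

def flag_round_sums(payments, unit=1000):
    """Whole multiples of `unit` are unusual for genuine invoices."""
    return [p[0] for p in payments if p[3] > 0 and p[3] % unit == 0]

def flag_weekend_approvals(payments):
    """Approvals outside the working week bypass normal oversight."""
    return [p[0] for p in payments if p[4].weekday() >= 5]

def flag_split_invoices(payments, threshold=APPROVAL_THRESHOLD):
    """Several sub-threshold payments to one account on one day that together exceed it."""
    groups = defaultdict(list)
    for pid, _, acct, amount, day in payments:
        if amount < threshold:
            groups[(acct, day)].append((pid, amount))
    return [sorted(pid for pid, _ in g) for g in groups.values()
            if len(g) > 1 and sum(a for _, a in g) >= threshold]

def normalise_vendor(name):
    """Lower-case, strip punctuation and legal suffixes so spelling variants collide."""
    words = re.sub(r"[^a-z0-9 ]", "", name.lower()).split()
    return " ".join(w for w in words if w not in {"ltd", "limited", "llc", "inc", "plc"})

def flag_duplicate_vendors(payments):
    """Vendor names that share a bank account or normalise to the same name."""
    by_acct, by_name = defaultdict(set), defaultdict(set)
    for _, vendor, acct, _, _ in payments:
        by_acct[acct].add(vendor)
        by_name[normalise_vendor(vendor)].add(vendor)
    dupes = {frozenset(v) for v in list(by_acct.values()) + list(by_name.values()) if len(v) > 1}
    return sorted(sorted(d) for d in dupes)

def run_checks(payments=PAYMENTS):
    """One report of every red flag, for investigators to follow up."""
    return {"round_sum": flag_round_sums(payments), "weekend_approval": flag_weekend_approvals(payments),
            "split_invoice": flag_split_invoices(payments), "duplicate_vendor": flag_duplicate_vendors(payments)}
```

Each hit is a lead for investigation, not proof of misconduct; the value of the exercise is that the thresholds and suffix lists are tuned to your own ledger and re-run on a schedule.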
5. Is your third-party screening tiered for exposure?
Not all third parties pose the same level of risk. Politically exposed persons (PEPs), for example, are inherently high-risk due to their influence, access to public funds and susceptibility to bribery. Therefore, they require more rigorous screening.
Organisations must exercise heightened diligence when engaging contractors, consultants, service providers and outsourced employees. Regulators hold organisations accountable for the misconduct of associates; therefore, a uniform approach to third-party screening will expose organisations to significant liabilities.
6. How often are your controls stress-tested?
Regular stress-testing of your controls is vital. Organisations must ensure that critical controls are tested frequently and that red flags are properly investigated. Particular attention should be paid to procurement processes, third-party onboarding, conflict-of-interest declarations and the ongoing training of high-risk stakeholders.
7. Have you identified and recorded internal good practices?
Organisations must document their compliance with legislative and regulatory obligations and act to close any gaps in compliance. Establishing KPIs helps create accountability and enables the tracking of progress. This exercise serves as tangible evidence to regulators and stakeholders that compliance is your organisation’s priority.
Case study: Lessons from a life sciences manufacturer
In an environment of increasing regulatory scrutiny, complex supply chains and networks, life sciences companies need a risk-based approach tailored to the specific challenges of their industry.
A fast-growing European life sciences manufacturer, facing these very pressures, engaged Control Risks to conduct a corruption risk assessment. Our approach involved:
- Reviewing the company's policies and procedures
- Interviewing 10 senior managers across various functions and regions
- Testing 20 higher-risk expenses using targeted analytics
Our findings revealed inconsistent documentation for charitable donations and payments to Health Care Professionals (HCPs), a lack of procurement control consistency across different markets and uneven processes for maintaining registers, securing approvals, and retaining evidence.
This process culminated in a detailed risk register being prepared that assessed the likelihood and impact of each risk while evaluating the effectiveness of existing controls. Where those controls were found to be insufficient, we developed a prioritised and time-bound action plan to allow our client to bridge the identified gaps.
This engagement was successful because we targeted the areas most likely to fail, provided evidence of real-world control performance and left the client with a clear roadmap and measurable KPIs.
Defensible compliance in 2025 and beyond
Credibility in compliance is built on risk-based prioritisation, leadership commitment and demonstrable effectiveness - standards that regulators and stakeholders now expect.
Article written by: Oleg Kozlov & Anish Neupane