Recent years have seen seismic shifts in corporate criminal law, from the Bribery Act 2010 to the Economic Crime and Corporate Transparency Act 2023 (ECCTA), and now additional legislation on the table. In response, many firms are ramping up compliance programmes, policies, and risk-management frameworks.
Under newly expanded liability provisions (e.g., via ECCTA and forthcoming bills), organisations, and potentially their senior managers, face greater exposure to criminal offences even without evidence of direct knowledge or benefit. These developments make it clear that regulatory compliance can no longer be treated as a formality: organisations must rethink governance, reporting mechanisms, and internal incentives. But with that legal pressure comes a critical insight: compliance frameworks can only serve as a foundation. To truly guard against misconduct, firms must build, and sustain, a robust cultural framework.
Compliance programmes ≠ immunity
It’s tempting to believe that detailed rules, policies, and controls will prevent wrongdoing. But experience and research suggest otherwise. As critics long ago noted, having a compliance program rarely offers a shield from criminal liability if the underlying organisational culture is flawed.
A workplace culture that encourages ethical decision-making, openness, and accountability, rather than just “tick-box compliance,” helps bridge the gap between policy and practice.
What culture first compliance looks like
- Shared ownership and accountability: compliance isn’t just a legal or back-office function; it’s embedded in daily operations, decision-making and leadership behaviour.
- Psychologically safe channels to raise concerns: employees feel able to speak up when something seems wrong, without fear of reprisal or dismissal.
- Continuous reinforcement, not one-off training: culture is shaped over time through leadership behaviours, consistent messaging, and reinforcement, not just periodic compliance training.
- Alignment of incentives with ethical behaviour — not just rewarding financial or performance outcomes, but rewarding integrity, risk awareness and adherence to “doing the right thing.”
Why firms should care (beyond avoiding fines)
The Crime and Policing Bill may hold senior managers personally liable for a wide range of criminal offences. That increases the stakes for organisations considerably. Legacy IT problems and corporate liability can go hand-in-hand when firms lack strong controls, but even robust controls don’t help much if culture doesn’t support compliance. And in a climate where enforcement agencies and courts assess “reasonable procedures,” a compliance framework that’s culture-light, or reliant solely on documentation, may not meet the threshold: without real protections and encouragement for whistleblowers, even the best policies are undermined.
Building culture: what your firm should do now
- Treat compliance as a strategic priority, not a compliance exercise. Embed compliance principles in leadership strategy, not just in the compliance or legal department.
- Invest in a speak-up culture and whistleblowing mechanisms. Make clear that raising concerns is supported, protected and valued.
- Design training and communication to reinforce values, not just rules. Use real-world examples, scenario-based learning, and leadership modelling, rather than checkbox e-learning alone.
- Align reward and performance systems with ethical behaviours. Recognise and incentivise employees and leaders who demonstrate integrity, not just business results.
- Regularly assess culture via surveys, audits, and feedback loops, and act on what you find. Compliance culture isn’t static.
Yes and…
In an era of expanding corporate criminal liability, compliance programmes remain essential, but they must be underpinned by a firm-wide culture of integrity, accountability, and openness. As regulators broaden the scope of liability, organisations that treat compliance as a checkbox exercise will find themselves at greater risk.