Executive Overview: The Evolution of Corporate Compliance—and the Global Expectations of Today

Over the last three decades, corporate compliance has transformed from an emerging U.S.-centric concept into a global, multi-jurisdictional expectation. What began in the early 1990s with the U.S. Sentencing Guidelines—introducing the first formal definition of an “effective compliance and ethics program”—has matured into a sophisticated governance discipline that regulators around the world now consider essential to corporate integrity and accountability.

A significant inflection point in that evolution was the work of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO’s Internal Control—Integrated Framework provided the first widely adopted, principles-based architecture for designing and evaluating internal controls. While COSO was not written as “compliance guidance” per se, its components—risk assessment, control environment, control activities, communication, and monitoring—have become the backbone of how companies around the world structure compliance programs today. In many ways, COSO is the operating system; DOJ, SFO, MOJ, and Home Office guidance are the applications that run on it.

As cross-border enforcement expanded, jurisdictions enacted their own compliance-related laws and “failure to prevent” offences, including the U.K. Bribery Act, France’s Sapin II, Brazil’s Clean Company Act, the U.K.’s new ECCTA, and others. Each of these frameworks draws—implicitly or explicitly—on COSO’s principles of risk-based controls, governance, accountability, and continuous improvement.

The result is a clear global trend: regulators expect compliance programs to be more than policies and procedures; they expect systems of control that are risk-aligned, data-informed, culturally reinforced, and demonstrably effective in practice.

Today’s enforcement environment is defined by:

  • Global convergence of expectations around risk assessment, governance, training, investigations, and monitoring.
  • Higher scrutiny of culture, incentives, and accountability—especially at the top.
  • Sophisticated evaluation methods, where agencies want evidence (data, investigation records, audit results) that programs work “on the ground,” not just on paper.
  • New and emerging risks (AI governance, cybersecurity, third-party ecosystems, financial fraud) that stretch traditional control frameworks.

Against this backdrop, the U.K. Serious Fraud Office’s newly issued guidance on compliance programme evaluation and the U.S. Department of Justice’s 2024 Evaluation of Corporate Compliance Programs (ECCP) offer two of the most influential regulatory lenses shaping expectations today. While one focuses more on statutory defenses and outcomes (SFO) and the other on program design and operational effectiveness (DOJ), both share an unmistakable alignment with COSO’s foundational principles.

Put simply: COSO built the structure. DOJ and SFO are now defining what “good” looks like.

The remainder of this article explores the new SFO guidance in detail, highlights its practical implications, and compares it to the DOJ’s ECCP to illustrate where global expectations are converging—and what that means for organizations striving to build modern, defensible, and truly effective compliance programs.

SFO on Compliance

The U.K. Serious Fraud Office has quietly given compliance officers a new “tell” on how it will assess corporate compliance programmes – and it aligns in interesting ways with the U.S. Department of Justice’s 2024 Evaluation of Corporate Compliance Programs (ECCP).

At a high level, the SFO guidance isn’t a checklist. It’s a framework for when and why prosecutors will scrutinize your programme, and what they’ll be thinking about when they do.

What exactly is the SFO saying?

The SFO identifies six points in the life cycle of a case where the effectiveness of your compliance programme can become central:

  1. Whether to prosecute the company at all – Under the Full Code Test and the joint SFO–CPS Corporate Prosecution Guidance, a weak or purely “paper” programme is a factor in favour of prosecution; a genuinely proactive, effective programme can be a factor against prosecution.
  2. Whether to offer a Deferred Prosecution Agreement (DPA)
     • If the misconduct occurred when there was no programme, or an obviously ineffective one, and there’s been no meaningful improvement, that points toward prosecution rather than a DPA.
     • Conversely, a proactive response, remediation, and demonstrable strengthening of compliance support DPA eligibility.
  3. What compliance terms/monitorship to include in a DPA
     • Prosecutors will assess what changes to your programme are necessary, fair, and proportionate, and whether an independent monitor is justified.
     • Even if a monitor is imposed, its scope is supposed to be tailored to the actual risks and failures in the case.
  4. Whether you had “adequate procedures” to prevent bribery (Bribery Act s.7)
     • This is your statutory defence: at the time of the bribe, did you have adequate anti-bribery procedures, as articulated in the Ministry of Justice’s six principles (proportionate procedures, top-level commitment, risk assessment, due diligence, communication/training, monitoring & review)?
  5. Whether you had “reasonable procedures” to prevent fraud (ECCTA s.199)
     • Under the new “failure to prevent fraud” offence, you can defend yourself by showing you had reasonable fraud prevention procedures in place, or that it wasn’t reasonable in the circumstances to have any.
     • The Home Office’s failure-to-prevent fraud guidance again uses six principles (top-level commitment, dynamic risk assessment, proportionate procedures, due diligence, communication/training, monitoring & review), but now in a fraud context.
  6. How you are sentenced
     • For bribery and other economic crimes, sentencing guidelines look at whether there was a culture of wilful disregard and no meaningful controls (high culpability), or some effort at prevention that fell short (lower culpability), and the “cost avoided” by not putting proper measures in place.

In other words: your programme matters at charging, at DPA vs prosecution, in monitorship scope, in your statutory defences, and even at sentencing.

What the SFO doesn’t give you

The SFO is very explicit that there are no “pre-ordained answers” that guarantee a particular outcome. It’s a holistic, case-specific assessment: size, sector, risk profile, and how your controls actually operate in practice – not just whether policies exist.

And they also make clear: they will “dig behind generalities” and use their full investigative powers (compelled documents, witness interviews, whistleblower files, internal investigation records) to test your claims of effectiveness. That has real implications for voluntary self-disclosure: you’re not just opening up the specific incident – you’re inviting a deep dive into historic compliance failures as well.

I still think self-disclosure is the correct answer in most serious cases, but this guidance complicates the risk/reward calculus. You can’t assume the narrative will stay narrow.

How does this compare to DOJ’s 2024 ECCP?

The DOJ’s ECCP, most recently updated in September 2024, is much more detailed than the SFO document – almost a catalogue of questions prosecutors can ask. But conceptually, they’re moving in the same direction.

DOJ still organizes its analysis around three fundamental questions:

  1. Is the program well designed?
  2. Is it being implemented in good faith (i.e., resourced and empowered)?
  3. Does it work in practice?

Those three questions get unpacked into topic areas that are very familiar to anyone reading the SFO guidance:

  • Risk assessment
  • Policies & procedures
  • Training and communications
  • Confidential reporting & investigations / speak-up culture
  • Third-party and M&A oversight
  • Continuous improvement, data use, incentives & discipline

The 2024 ECCP revisions go even further by:

  • Stressing AI and emerging technologies – asking how companies are assessing and controlling AI-driven risks.
  • Raising expectations for data analytics – DOJ wants to see compliance using data with the same sophistication as the business.
  • Tightening expectations around whistleblowing and anti-retaliation, consistent with DOJ’s new whistleblower program and broader corporate enforcement push.

Interestingly, the SFO itself points to the DOJ ECCP as a useful external benchmark, alongside French AFA guidance, when thinking about what an “effective compliance programme” looks like.

Are SFO and DOJ actually aligned?

Broadly, yes – but they come at it from slightly different angles:

  • SFO is anchored in defences and outcomes – “Adequate procedures” (bribery) and “reasonable procedures” (fraud) are the gates to statutory defences and key factors in charging, DPAs, and sentencing.
  • DOJ is anchored in design and behavior over time – Prosecutors look at how your program is structured, how it’s resourced, what data it uses, how it responds to misconduct, and how it evolves.
  • Both are moving toward:
     – Risk-based design, not copy-paste programmes
     – Evidence of authentic culture and accountability (not paper policies)
     – Use of data, technology, and lessons learned to improve continuously

Practical takeaways for global companies

If you operate in both the U.S. and the U.K., this is what I’d focus on:

  • Build a single, risk-based compliance framework that you can defend as adequate (bribery) and reasonable (fraud) in the U.K., and as effective in design, implementation, and operation under the DOJ ECCP.
  • Make sure you can prove it works – with data, investigations history, remediation steps, training records, third-party files, and audit results.
  • Assume that self-disclosure will trigger a holistic review of your programme’s history, not just the incident at hand.
  • Treat the SFO guidance and the DOJ ECCP as complementary lenses, not competing rulebooks.

If your compliance programme can stand up under both, you’re not just “meeting guidance” – you’re building something that actually reduces risk and gives you meaningful arguments when things go wrong.