Common Sense Won’t Save You
(From Prosecution)
When trying to meet regulatory requirements, few phrases make the heart sink quite like “reasonable”, “proportionate” and “adequate”. They’re the double-edged swords of the compliance world; on one hand giving you the flexibility to take a risk-based approach, on the other leaving you, as a wise colleague once put it, “enough rope to hang yourself” if you get it wrong.
Corporate failure-to-prevent offences are the classic illustration and they represent a deliberate shift in how legislators approach corporate liability. Rather than requiring prosecutors to prove individual wrongdoing, they place the burden on organisations to show they had adequate procedures in place.
The Isle of Man and UK have both moved in this direction: the Bribery Act 2010 (UK), the Bribery Act 2013 (IOM), the Criminal Finances Act 2017 (UK covering facilitation of tax evasion) and most recently the failure-to-prevent fraud offence under the Economic Crime and Corporate Transparency Act 2023, which came into force in September 2025. The direction of travel is clear, and there will be more.
In each case, the organisation has a defence if it can demonstrate that it had adequate procedures in place to prevent the relevant offence. Guidance has been provided, of course, on what reasonable, proportionate and adequate procedures might look like but because it has to work for every type of business, from a sole trader to a multinational, it tends to stay firmly in the realm of principle rather than practice. Proportionate to your risks. Clear and accessible. Effectively implemented.
Ask how long a piece of string is and you’ll be told it’s twice as long as it is from the middle. Regulatory guidance, with honourable exceptions, tends to work the same way. Entirely unhelpful if what you actually needed was something practical enough to implement on Monday morning.
For smaller businesses, that ambiguity under the Bribery Act can lead to a tempting conclusion: we’re low risk, everyone knows bribery is wrong, we don’t need anything more formal than that.
The Skansen case is a useful corrective.
What Skansen tells us
Skansen Interiors Ltd was the first company to rely on the adequate procedures defence in a contested prosecution under section 7 of the Bribery Act 2010. They argued that given their small workforce of around 30 people and restricted geographical area of operation, common sense was sufficient. It was supplemented by broad ethical conduct policies, anti-bribery clauses in contracts, and a dual-control system for financial transactions. Staff, they said, understood that bribery was unacceptable.
The jury was not persuaded. It probably didn’t help that two of the company’s directors had already pleaded guilty to bribery offences, which rather undermined the “everyone knows” argument.
Skansen was convicted, and the court made clear that general ethics statements and contractual boilerplate do not amount to adequate procedures — regardless of how small or low-risk you believe your business to be.
The lesson isn’t that small businesses need a 60-page manual. It’s that something documented, communicated and actually used will always outweigh unwritten good intentions. Size and simplicity may affect how detailed your procedures need to be. They don’t remove the need for them.
This is about to get more relevant, not less
Skansen has stood as the only decided case on the adequate procedures defence for the best part of a decade. In April 2025 the SFO charged United Insurance Brokers Limited under the same provision and it will be the first such prosecution since Skansen. When that case is decided it will give us the clearest picture yet of how courts assess adequacy in practice.
Practical steps
You don’t need to overcomplicate this. For a genuinely low-risk business, short and clear beats long and theoretical every time.
Document your procedures, even briefly. Cover the obvious risk areas — gifts and hospitality, third-party relationships, high-risk jurisdictions, conflicts of interest. Make sure they’re approved, dated and findable.
Train your people and keep a record of it. Adequate procedures that nobody knows about aren’t adequate. A note of who attended, when and what was covered carries more weight than you might think.
Evidence what you actually do. How do you screen third parties? How do you record hospitality? How do you escalate a concern? Simple registers and checklists, used consistently, can be very persuasive.
Walk the talk. Tone from the top isn’t a cliché, it’s part of the legal test. Senior people need to model the behaviour the policies describe, and staff need to see that raising concerns is genuinely welcomed.
If the culture contradicts the written procedures, the procedures won’t save you.
If you’re not sure whether your existing framework would pass an adequate procedures test — or if you suspect it currently amounts to little more than common sense and good intentions — it’s worth finding out before a regulator or court does it for you.
