UK businesses, and in particular listed businesses subject to the UK Corporate Governance Code, have been enhancing risk management. At the same time, the pressure on corporate compliance is increasing – the corporate criminal offence (CCO), economic crime, and tax fraud. This article outlines how risk management, if done appropriately, can help to meet the increased corporate compliance expectations.
The CCO rules make it a criminal offence for businesses to fail to prevent the facilitation of tax evasion, whether in the UK or overseas. These rules apply to all businesses and cover everyone involved in the business, including third parties. Penalties can include unlimited fines and reputational damage. The main defence is having reasonable prevention procedures in place to prevent tax evasion.
In August 2025, HMRC announced the first-ever prosecution under the CCO rules, charging a Stockport-based accountancy firm and six individuals for allegedly facilitating tax evasion.
This is a landmark case because the CCO does not require proof of intent by senior management. Liability arises simply from failing to implement reasonable prevention procedures. This is unlikely to be a one-off case. HMRC recently had 11 live investigations and 27 opportunities for investigations under review, targeting sectors such as accountancy, legal services, software, and labour provision. The message is clear: failure to implement reasonable prevention procedures carries real consequences.
The CCO is not the only legislation that expects preventive measures. The ECCTA introduced a new offence of failure to prevent fraud from September 2025. This applies to large organisations and aims to hold businesses accountable for fraudulent acts committed by employees or agents.
Fraud risk, a non-financial or operational risk, now carries direct criminal liability for organisations. Boards must ensure that fraud prevention measures are embedded within their governance frameworks, supported by training, monitoring and clear reporting lines. Failure to act could result in prosecution, unlimited fines and severe reputational damage.
Large organisations (turnover over £200 million or assets over £2 billion) must also designate a Senior Accounting Officer (SAO) who must personally certify to HMRC that the company has appropriate arrangements to manage tax risk and deliver correct and complete tax returns. There are some parallels with the Senior Managers and Certification Regime (SMCR) adopted by UK financial regulators, which you can learn more about in our insight on Why tax risk requirements and the Senior Managers and Certification Regime overlap. In both cases, there are expectations that the relevant individuals will take reasonable steps to ensure that their accountabilities are met. Failure to do so can result in personal and corporate penalties (£5,000 each) and reputational damage.
Together, these measures create a different compliance landscape. The expected “prevention measures” are really risk management.
Risk management is no longer optional; it is a legal necessity. HMRC guidance has clarified that risk management needs to be effective, which includes a few key points.
At the same time, listed companies face new expectations under the enhanced provision 29 of the UK Corporate Governance Code. This requires boards to:
This marks a significant shift from previous practice. Boards must now adopt a holistic approach to risks and controls across operations, strategy, and compliance, including fraud, cyber, and regulation.
There is an opportunity to leverage the risk management investments and infrastructure enhanced to meet the expectations of enhanced provision 29, extending them to address additional legislative obligations covering tax risk and economic crime prevention. This is a case of being effective by design.
There are several benefits to businesses that can arise as a result.
However, the FRC Governance Code is just the catalyst to meet expectations of prevention procedures. Other companies, not in scope, can also put in place a fit-for-purpose risk management system that reflects the nature of the risks to which the business is exposed and covers various legislative requirements.
The cumulative effect of these corporate compliance requirements, plus the first CCO prosecution, should be a wake-up call for businesses. Compliance is no longer about ticking boxes; it is about demonstrating proactive and effective risk management. With new offences arising from legislation, organisations must act now to strengthen their risk and control frameworks and protect their reputation. This covers:
At Crowe, we help organisations navigate the growing complexity of governance, assurance and tax compliance by assessing the maturity of your risk management and control frameworks.
We’ve supported a wide range of organisations in implementing effective governance, internal audit and tax compliance strategies that work in practice, not just on paper, including meeting regulatory expectations under the CCO, ECCTA and SAO.
To discuss how to enhance your risk and control framework, please get in touch with your usual Crowe contact today.
Disclaimer: The information set out in this publication is for information purposes only and is based on our understanding of legislation, whether proposed or in force, and market practice at the time of writing. It does not constitute advice to undertake a particular transaction. Appropriate professional advice should be taken on specific issues before any course of action is pursued. Any advice provided by a Crowe tax specialist will follow only after consideration of all aspects of our internal advice guidance.