Even tougher at the top?

Being elevated to a senior position in an organisation has had mixed implications over the years in terms of regulatory risk. It’s essential for organisations, directors and managers to track that shifting risk over the years to keep it in proper and current proportion – particularly this year with two significant developments: the Crime and Policing Act 2026 (‘CPA’) and the Sentencing Act 2026 (‘SA’).

Background

Historically, when things went badly wrong, managers and directors involved in making key decisions might occasionally face the threat of, say, a gross negligence manslaughter prosecution, but that failure did not automatically reflect on the company. Only if the failures could be imputed to the ‘directing mind’ of the company could they be brought to bear – a very rare event indeed.

The Health and Safety at Work etc Act 1974 long made provision for prosecution of directors, managers and secretaries where they caused corporate offences through their consent, connivance or neglect, but for many years this was a little used power because for a long time the threat was no more than a modest fine. In time, similar provisions were introduced in other sectors – fire safety, environmental and so on – building on the same concepts of consent, connivance and neglect.

Then came the Corporate Manslaughter and Corporate Homicide Act 2007 (‘CMCHA’), allowing for prosecution of a company where a gross failure at a senior management level caused a death. The aim was to remove the bar that the ‘directing mind’ test had presented. An initial deluge of referrals for consideration eventually gave rise to a trickle of prosecutions that has never really a flow – never into double figures for any given year.

Alongside that, the Health and Safety (Offences) Act 2008 threatened to do what many felt CMCHA had failed to do – to hold directors to account – with modest financial penalties for directors being replaced with prison sentences up to 2 years, and then the Sentencing Guidelines Council issued guidance that stiffened resolves and sentences, making the threat prison for decent folk who’d made mistakes a significant and realistic prospect.

In the meantime, new offences had been introduced that touched on a similar corporate / managerial cross over – e.g. bribery and the associated failure to prevent offence that a company might commit as a result introduced by the Bribery Act 2010, and more latterly fraud offences and the failure to prevent fraud counterpart introduced by the  Economic Crime and Corporate Transparency Act 2023 (‘ECCTA’), which came into force in late 2025.

In the same way that directorial liability was replicated across sectors in the wake of the 1974 Act, corporate liability for directorial and managerial default threatens to spread in a wholly unprecedent and largely unanticipated way: if businesses were unprepared for the threat of failure to prevent fraud, as many commentators feared, many will be slow to recognize the sheer scale of the new risk on the horizon. It’s not just obvious historic concerns, like bribery and safety compliance, that loom large but whole swathes of previously unconsidered individual criminality that might now be brought to bear in a corporate context.

Crime and Policing Act 2026

When it comes into force, CPA is broad and far reaching in scope. Section 254 of the Act will impose a new category of corporate offending on companies and partnerships wherever an offence arises where a ‘senior manager’ is acting within the actual or apparent scope of their authority.

What is a senior manager?

Echoing the test for CMCHA, it is someone who plays a significant role in the making of decisions about how the whole or a substantial part of the activities of the company or partnership are to be managed or organised, or the managing or organising of the whole or a substantial part of those activities. So, in the same way that a company might be held to account under CMCHA for senior management failings causing death though gross breach of duty, they will now be held to account for any criminality conducted by a senior manager within the actual or apparent scope of their authority.

What does it cover?

Potentially anything that fits the brief – anything within their authority, so possibly acts of violence or sexual offences, myriad fraud offences, compliance breaches, failures to comply with court orders (note the intention expressed in the explanatory notes, that it should cover ‘both those in the direct chain of management as well as those in, for example, strategic compliance roles’). The ambit is broad – again, the explanatory note observes an intention to cover not just ‘individuals who perform an executive function or are board members, it covers any individual who falls within the definition irrespective of their title, remuneration, qualifications or employment status’.

Expect arguments over extent of actual and apparent authority: the explanatory notes again make plain that the authority need not be to commit the given criminal act but to act in the general sphere: so, security might lead to violence; financial control to fraud; personnel management to issues of modern slavery; IT/data control to issues under applicable legislation.

What were once shameful individual transgressions that no doubt carried reputational harm but no more now threaten serious criminal liability.

How great is the risk?

Companies have faced corporate manslaughter investigations probably every week if not every day since CMCHA came into force. Consider that this is the case even in a heavily regulated, well-resourced and well understood area where compliance levels are, across the board, relatively high as a result. Extension of that form of liability to other areas, without theoretical limit, is likely to expose gaping procedural holes that leave companies exposed not just to investigation but prosecution and conviction.

It remains to be seen how it will be used in practice but it may be that this provides a further backdoor route to prosecution for a raft of offences where primary routes already exist. Why bother to prove the corporate case if the company is already hung by a directorial admission?

Sentencing Act 2026

At the same time, whilst CPA threatens new areas of risk, SA provides a glimmer of hope to those actually facing individual prosecutions such as those under section 37 of the 1974 Act. But it may be a glimmer of hope that companies come to regret.

Section 1 provides for presumed suspension of prison sentences of 12 months and under save in exceptional circumstances.

Threatened penalties of up to two years, delineated by the Sentencing Guidelines Council in careful detail might now lose some of the terror they carried before: even for the highest category of criminality (that is ‘very high culpability’ and high risk of death or serious injury), the starting point for a court would be 18 months; factor in discount for credit for an early guilty plea of up to 1/3 and even that sort of case might fall into the category of a presumed suspension. Considering that many cases are ‘pitched’ at lower thresholds with starting points of 1 year or even 6 months, the likelihood of an immediate custodial sentence is greatly reduced.

Make no mistake though – SA does not extinguish the risk of prosecution or conviction.

What the practical effect of all of this remains to be seen.

Will directors, who have traditionally fought hard against individual liability, rush for early pleas to duck under the 12 month threshold and secure a presumed suspended sentence?

If so, will companies find themselves implicated by such strategic admissions, rendering corporate defence significantly more difficult?