One way or another…Criminal liability of organisations where a senior manager commits an offence

On 29 April 2026, the Crime and Policing Act 2026 (“CPA”) was enacted bringing with it a significant change to the criminal liability of bodies corporate and partnerships (“organisations”) where a senior manager commits an offence within the actual or apparent scope of their authority.

The change is intended to provide a new statutory route to corporate liability on a strict attribution basis for all offences that is not reliant upon the common law identification doctrine under which the offence must be carried out by a person representing the directing mind and will of the body corporate. The change is due to come into force on 29 June 2026. 

Similar provision for corporate liability where a senior manager commits an offence while acting in the scope of their actual or apparent authority was introduced by the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”). However, the purview of the ECCTA was confined to economic offences only. There is no such restriction on the offences within the scope of the new CPA provision, which applies to all offences. Consequently, one of the implications of the CPA provision coming into force is that the ECCTA equivalent is repealed. 

Scope of authority

The senior manager must be acting within the actual or apparent scope of their authority. This means that the act is consistent with the actions the senior manager was authorised to undertake or that would ordinarily be undertaken by a person in their position.

The requirement that the offence committed by the senior manager must have been committed within the actual or apparent scope of their authority is likely to limit the scope of offences to those which are germane to conducting a business and the sector(s) in which an organisation operates. Obvious examples might include economic, health and safety, environmental, modern slavery, data protection, and consumer protection offences.

It will be incumbent on the relevant enforcement authority to prove that the senior manager was acting within the actual or apparent scope of their authority when the offence is committed. This could feasibly be a matter in issue between the organisation and the enforcement authority. Where a senior manager’s responsibilities and accountabilities are unsettled it could be problematic for both sides. From an organisation’s perspective, this gives fresh impetus to the importance of good governance.

The safety, health and environmental enforcement regimes

Removal of reliance upon the identification doctrine is not a novel concept within the health and safety sphere. Prior to the introduction of the corporate manslaughter offence (corporate homicide in Scotland) by the Corporate Manslaughter and Corporate Homicide Act 2007 (“CMCHA”), the conviction of a company for manslaughter necessitated the identification of a directing mind of the organisation – a senior individual who could be said to embody the company in their actions and decisions. The CMCHA removed the identification principle and introduced the senior management test. The CPA provision is intended to replicate the definition of senior manager within the CMCHA.

In a safety, health and environmental context, strict attribution of corporate liability might feasibly occur if a senior executive was to direct employees to carry on an activity in breach of an enforcement notice, contravene any requirement imposed by an inspector/officer exercising their statutory powers, knowingly make a false statement, or intentionally obstruct an inspector/officer.

In respect of the safety, health and environmental (“SHE”) general duties, the attribution of secondary liability for organisations under the CPA is the antithesis. The general duties under SHE legislation are directed to the result that must be achieved by the organisation, and the liability of senior managers is secondary, predicated upon the offence first being committed by a body corporate, and then the individual’s liability eventuating only if the offence is proved to have been committed with their consent, connivance of, or to have been attributable to their neglect. Consequently, it is difficult to reconcile the two approaches to liability under the CPA and SHE regimes. This has the potential to complicate prospective prosecution of SHE offences using the CPA mechanism, yielding a fertile ground for contested proceedings or constraining its enforcement.

The senior management test

Senior manager under the CPA is defined in synonymous terms to senior management in respect of corporate manslaughter. A senior manager is an individual who plays a significant role in the making of decisions about how the whole or a substantial part of the activities of an organisation are to be managed or organised, or the managing or organising of the whole or a substantial part of those activities. 

The term senior manager applies to any individual who falls within the definition irrespective of their title, remuneration, qualifications or employment. It includes those in the direct chain of management and those in strategic or regulatory compliance roles. 

Examples of offices held by senior managers, include a company’s directors and other senior officers such as a CFO or COO, whether or not members of the Board, and others with significant roles in relation to a substantial part of the organisation’s activity, such as its human resources function could be caught by the definition. 

What is a substantial part of the organisation’s activities is increasingly important when the organisation concerned is large with complex governance and management arrangements. The term is not defined within the CMCHA. It apparently turns on a qualitative and not merely a quantitative assessment of the organisation’s activities. According to explanatory notes to the CPA, consistent with the ECCTA, the substantial part of a business relates to the importance of the activity over the operations of the organisation as a whole. Prosecution guidance for corporate manslaughter published by the CPS postulates that a regional manager could fall within the definition of senior management provided that the region constituted a substantial part of the activities of the organisation. Without more, that interpretation of what is a substantial part of an organisation’s activities is apparently different because it implies that it is the size of the activity relative to the operations of the organisation as a whole that is relevant. 

Risk mitigation

The strict attribution of corporate liability under the CPA is likely to be a cause of consternation to businesses posing a seemingly unquantifiable and unmitigated risk. According to the government, the cost to business is low given that the changes largely codify what already exists in law, and the reform will level the playing field between SMEs and large companies. Beyond this, there is a paucity of evidence of debate around the impacts of the provision. This includes addressing issues such as the likely actual scope of offences, nor how it can be reconciled with the raft of regulatory offences not premised on strict liability, which have in common fixing senior managers with secondary liability only once the offence committed by the organisation can be proved to be committed with the consent, connivance, or attributable to the neglect of the individual. 

It should be remembered that the CPA provision is parasitic, providing a mechanism for attributing corporate liability when the senior manager commits any offence within the scope of their actual or apparent authority. Consequently, the type of offences reasonably in contemplation are pre-existing, and to the extent that it is possible to control the risk of offending by senior managers, appropriate controls should already be in place.

Some organisations will perhaps have grasped the nettle when the ECCTA provision came into force but may now need to review their arrangements to reflect the broader scope of the CPA provision.

For organisations that have any doubt about that their governance arrangements remain robust and effective, their arrangements should be reviewed. Relevant considerations may include, but are not limited to, vetting, establishing clear lines of authority for senior managers, establishing competence, internal and independent assurance, monitoring and reporting, incident investigation, legal professional privilege, and cooperation and coordination across operational, compliance, and regulatory activities.