Back (Small2)

UK Crime and Policing Act 2026

A Practical Assessment Approach to Senior Manager Liability

cropped_element

By Kevin M. Hyams 

Why I wrote this article

The UK Crime and Policing Act 2026 is not the same type of source requirement as those in many governance, risk and compliance frameworks that organisations normally assess.

It is not a detailed rulebook telling the organisation exactly what control to operate, what record to keep or what report to produce.

But section 250 still creates a practical governance and assessment problem.

Section 250 provides that where a senior manager of a body corporate or partnership, acting within the actual or apparent scope of their authority, commits an offence under the law of England and Wales, Scotland or Northern Ireland, the organisation also commits the offence, subject to the territorial limitation in subsection 250(2).

Section 250 came into force on 29 June 2026.

For responsible boards and executive management teams, the issue is not simply whether the organisation is aware of the new liability environment. The issue is whether the organisation can show that it has taken reasonable, evidence-supported steps to understand:

  • who may be in scope;
  • what authority those individuals have;
  • where risk may arise;
  • what controls are relied on;
  • what evidence supports the organisation’s position.

That is why I believe this topic belongs in a discussion of compliance assessments.

Not because the Crime and Policing Act 2026 should be turned into a legal memo. It should not.

And not because NORVA Solutions is trying to replace legal advice. It is not.

But because a board may be told what the law says and still need to ask a more practical question:

What have we done to assess this properly, and what evidence shows that we did?

A structured assessment can help turn that question into an evidence-supported position.

Start with NORVA’s one core question

At NORVA, our starting point is always one simple question:

Are we meeting the requirements that apply to us?

For section 250 of the Crime and Policing Act 2026, that question can be adapted like this:

Have we assessed the senior manager liability risk that applies to us — and can we show the evidence that supports the position we rely on?

That matters because section 250 is not only about knowing that the law exists.

It is about whether the organisation can explain and evidence its practical readiness.

A useful assessment position needs to address three supporting questions:

  • What applies? Which legal entities, activities, senior manager roles, authority arrangements and offence exposure areas are relevant?
  • Are we meeting it? Are governance arrangements, controls, training, escalation routes, investigation processes and reporting arrangements adequate for the risks identified?
  • Can we prove it? Is the assessment supported by documents, records, workpapers, ownership, residual risk ratings, evidence references and action tracking?

That is the point at which section 250 moves from a legal update into a practical compliance assessment.

What section 250 changes 

Section 250 creates a statutory route for corporate criminal liability where a senior manager commits an offence while acting within the actual or apparent scope of their authority, subject to the territorial limitation in the Act.

Put more simply:

  • a senior manager may commit a relevant offence;
  • the conduct may be within the actual or apparent scope of that person’s authority;
  • the organisation may also be treated as having committed the offence;
  • the assessment must consider the organisation’s own structure, activities, authority arrangements and evidence position.

Legal commentary describes the change as extending the senior manager attribution model beyond specified economic crime offences to a wider range of criminal offences.

So the practical issue is not only:

Have we read the law?

It is:

Can we show that we have assessed what this means for our organisation?

Why this is a Missing Middle problem

Many organisations will not want to turn section 250 readiness into a large system implementation project.

They may need to assess:

  • who may be in scope;
  • what authority those individuals have;
  • where relevant offence exposure may arise;
  • which controls are relied on;
  • whether escalation and investigation processes are suitable;
  • what evidence supports the organisation’s position.

But the response still needs to be structured, evidence-led and capable of being reported.

That is the Missing Middle.

It is the space between:

  • informal assessment work that may be too disconnected to support a clear, defensible position; and
  • larger enterprise systems or external delivery models that may be more than the organisation currently needs, can fund, or has the internal capacity to implement.

NORVA helps fill that gap by giving teams a structured, evidence-led way to assess what applies, document what they rely on and report the outcome — without turning the assessment into a major systems project.

It is structured and evidence-based enough for defensible compliance assessment work. Familiar enough to use without turning the tool into the project. Affordable enough to help organisations and advisers start the work without making the response heavier than the problem.

How section 250 fits into NORVA’s six compliance assessment phases

The UK Crime and Policing Act 2026 may not look like a typical GRC framework. But the assessment work can still be organised through NORVA’s six integrated compliance assessment phases.

Each NORVA smart template is designed to help the assessor move from policy commitment, to assessment evidence, to usable outputs. The editable principle-based policy document sets out the organisation’s governance commitment, while the smart template becomes the detailed assessment record showing what applies, what has been assessed, what evidence supports the position, what gaps remain and what outputs need to be reported.

That distinction matters for section 250.

The policy explains the organisation’s intended governance position.

The assessment records the practical work performed to support it.

Phase 1 — Scope: assess what applies, focus where risk justifies it, and no more

The first question is not: how much work can we do?

It is: what needs to be assessed, and why?

For section 250, scoping may include consideration of:

  • which legal entities are being assessed;
  • whether they are bodies corporate, partnerships or other relevant structures;
  • which business units, functions, activities and locations are included;
  • whether UK and non-UK activities are relevant;
  • which parts of the organisation may involve senior manager authority;
  • whether exclusions have been made and documented;
  • where inherent risk justifies deeper assessment.

This phase should begin with the right subject-matter assessment template, anchored to relevant source requirements and supported by an editable principle-based policy document.

That policy helps lay the foundation for governance.

The assessment then records what applies, what does not apply and where deeper work is justified.

A critical part of this phase is the inherent risk assessment. Inherent-risk functionality helps assessors consider risk before relying on controls or mitigation. Scoping should be guided by what applies and by the level of inherent risk associated with the requirement, activity, process or obligation being considered.

For section 250, this means the assessment should not assume all parts of the organisation carry the same level of importance.

  • Some functions may involve greater authority.
  • Some roles may create greater apparent authority risk.
  • Some activities may create higher offence exposure.
  • Some control gaps may matter more than others.

Value: teams begin with structure, source alignment, policy context, and a risk-based focus — giving them a clearer, faster, and more defensible way to decide what should be assessed, where deeper review is justified, and why.

Phase 2 — Maturity Assessment: understand current readiness and the assurance path

Once the scope is clear, the organisation needs an early view of current readiness.

For section 250, that may include whether the organisation has:

  • a current legal entity and group structure record;
  • an up-to-date organisation chart;
  • a senior manager population or role map;
  • clear delegated authority records;
  • current role descriptions;
  • committee terms of reference;
  • approval limits and signing authorities;
  • documented escalation routes;
  • investigation procedures;
  • senior manager training or briefing records;
  • board or committee reporting.

The maturity assessment should identify whether each relevant control, process or document is:

  • validated;
  • documented;
  • undocumented;
  • pending;
  • a gap.

This gives management a practical view of where the organisation stands before moving into deeper analysis.

It also helps avoid two common problems:

  • assuming something is in place because people believe it exists;
  • moving too quickly into detailed testing before the current state is understood.

In areas where non-compliance could have serious consequences, fully validated key controls may be the desired assurance position. But a practical assessment should also recognise where the organisation is today, what level of assurance is reasonable for the risk, and what timeframe is realistic for moving from the current state to the target state.

That judgement should be based on:

  • inherent risk;
  • consequences of failure;
  • available evidence;
  • resource capacity;
  • cost-benefit;
  • management’s appetite for assurance.

This is not about giving comfort to weak practice.

It is about recognising that a responsible organisation may need a logical, staged and evidence-supported path from current readiness to stronger assurance.

Value: teams can understand current readiness, define the assurance level they are aiming for and document a credible path from today’s position to a stronger, evidence-supported control environment.

Phase 3 — Gap Analysis: identify what needs attention and what risk remains

The next step is to classify the preliminary assessed response for each applicable requirement.

For section 250, potential gaps may include:

  • no agreed senior manager population;
  • role descriptions that do not reflect actual responsibilities;
  • delegated authority records that are outdated;
  • approval practices that differ from formal authority;
  • unclear apparent authority created by titles or external communications;
  • limited mapping between offence exposure and business activity;
  • weak evidence of training or awareness;
  • unclear escalation routes where a concern involves a senior manager;
  • insufficient board reporting on residual risk and remediation.

But the value of gap analysis is not just listing weaknesses.

It is understanding what those weaknesses mean.

Built-in risk assessment functionality prompts the assessor to consider the potential for control failure and the effect that failure could have on the assessed risk. It also records directional impact and speed of onset, supporting a Risk Heat Map and Risk Register.

For section 250, that matters because management does not only need to know that a gap exists.

It needs to understand:

  • whether the controls relied on are sufficient;
  • whether residual risk is acceptable;
  • whether the risk is improving, stable or worsening;
  • how quickly the risk could materialise;
  • what should be prioritised.

A gap in a low-risk administrative area may not require the same response as a gap affecting senior manager authority, escalation, investigation or evidence preservation.

Value: gaps become visible in risk context. Residual risk is better understood. Management can see not only what needs attention, but also how quickly and in what direction the risk may develop.

Phase 4 — Risk and Control Matrix Assessment: test the controls management relies on

At this point, the assessment moves from early understanding to the controls the organisation intends to rely on.

For section 250, that may include controls and mitigation activities relating to:

  • senior manager identification;
  • actual authority mapping;
  • apparent authority review;
  • offence exposure mapping;
  • policy ownership;
  • training and awareness;
  • approval controls;
  • escalation routes;
  • whistleblowing and speak-up arrangements;
  • independent investigation;
  • evidence preservation;
  • board reporting.

This phase should assess whether the relevant controls are:

  • properly designed;
  • implemented;
  • operating effectively;
  • owned;
  • evidenced;
  • remediated where needed.

This is where the assessment moves from:

We believe this is in place

to:

We have tested what we rely on and updated the assessment position where evidence required it.

This phase also creates a reconciliation point between preliminary assessment work in the maturity and gap analysis phases and the tested assessment reached after design, implementation and operating effectiveness work has been performed.

That is important.

If testing confirms the preliminary view, the organisation has stronger support for the position being reported.

If testing changes the view, the assessment can be updated, qualified or linked to remediation.

For section 250, that means an organisation should not simply preserve the first view reached in a workshop or early review. The final position should reflect what testing, evidence and control review actually showed.

Value: the organisation can connect requirements, controls, owners, evidence, risk ratings, test results and remediation actions in one structured assessment record — while reconciling preliminary conclusions with tested results so the final assessment position is more accurate, supportable and evidence-based.

Phase 5 — Documentary Evidence: support the assessment position and produce evidence on demand

This phase is central.

For section 250, relevant evidence may include:

  • legal entity records;
  • organisation charts;
  • senior manager registers;
  • delegated authority matrices;
  • approval workflows;
  • job descriptions;
  • committee terms of reference;
  • system access records;
  • training records;
  • policy attestations;
  • whistleblowing records;
  • investigation protocols;
  • board or committee minutes;
  • gap registers;
  • remediation action plans.

This matters because an unsupported assessment conclusion may not be accepted, even where management believes the relevant control or process is in place.

In regulatory, audit, inspection or assurance reviews, the practical question is often not simply whether a control exists.

The question is closer to:

How did you ensure that the control was properly designed, implemented and operating effectively during the period under review?

That question requires documentary evidence.

A walkthrough of a single instance may help demonstrate that a control has been properly designed and implemented. But where management intends to rely on the control, the organisation may also need representative evidence that the control operated effectively during the period under review.

If that evidence cannot be produced when requested, the control may be difficult to rely on, and the assessment position may be weakened.

For section 250, this evidence discipline is particularly important because the assessment may need to show not just what the organisation believed, but what it documented, tested, reviewed and reported.

Value: the organisation can move from saying “we believe this control works” to showing the evidence that supports the position relied on.

Phase 6 — Inspection-Ready Deliverables: make the assessment usable, reportable and credible

Finally, the assessment needs to produce outputs that people can use.

For section 250, useful outputs may include:

  • assessment scope statement;
  • senior manager register;
  • actual authority map;
  • apparent authority review;
  • offence exposure map;
  • control readiness assessment;
  • evidence register;
  • gap analysis;
  • residual risk assessment;
  • remediation action plan;
  • board or committee summary;
  • action owner and target date tracker.

Preparing final assessment reports is often one of the most time- and energy-consuming parts of the compliance assessment process.

The reports are where the whole assessment must come together:

  • scope;
  • evidence;
  • gaps;
  • residual risk;
  • remediation actions;
  • conclusions.

Different audiences may need different views of the same assessment.

Senior management may need status and action reporting.

The board may need residual risk and oversight reporting.

Auditors, regulators or inspectors may need evidence and control support.

Clients may need a clear, professional explanation of the work performed and the outcome reached.

When deliverables are clear, practical and well presented, they do more than report the work. They showcase the assessor’s judgement, discipline, professionalism and focus.

NORVA’s smart templates are designed to generate presentation-ready reports as assessment data is entered, with more than 20 reports available in each smart template.

The aim is to produce outputs from the assessment record itself, rather than manually rebuilding the story at the end.

Value: teams save time, reduce reporting pressure and produce actionable outputs that can be used by management, the board, auditors, regulators, inspectors or clients — while presenting the assessment work in a clear, professional and evidence-supported way.

What should the board ask for?

The board does not need a legal memo alone.

It needs a practical assessment report that explains:

  • who may be in scope;
  • what authority those people have;
  • how apparent authority has been considered;
  • where offence exposure may arise;
  • what controls are relied on;
  • what evidence supports the organisation’s position;
  • what gaps remain;
  • what residual risk has been identified;
  • what remediation is required;
  • who owns each action;
  • when progress will be reported.

The board-level question is simple:

Can management show us the assessment, the evidence, the gaps, the residual risk and the action plan?

That is the practical assessment position that section 250 readiness should aim to produce.

How NORVA supports this work

NORVA does not turn section 250 into something it is not.

It remains a legal provision. Organisations should obtain legal advice where interpretation, territorial scope, offence-specific exposure, privilege, or contested senior-manager status requires legal judgment.

NORVA helps teams move from awareness of section 250 to a practical assessment record: what applies, what has been assessed, what controls are relied on, what evidence supports the position, and what needs to be reported.

NORVA’s Excel-native smart templates are designed to help compliance teams, internal auditors and advisory firms turn requirements into structured assessment work.

For section 250, that means helping the organisation move through a practical sequence:

This is the Missing Middle in practice.

Not an informal note.

Not a heavy enterprise implementation.

But a structured, familiar and evidence-led way to assess what applies, decide whether the organisation is meeting it, and document the evidence that supports the position relied on.

Conclusion

The UK Crime and Policing Act 2026 may not look like a typical GRC framework.

But section 250 still creates a practical compliance assessment question:

Can the organisation show that it has assessed the senior manager liability risk that applies to it — and can it evidence the position it relies on?

That is why this topic belongs within NORVA’s normal assessment approach.

It can be scoped.

It can be assessed.

Gaps can be identified.

Controls can be reviewed.

Evidence can be documented.

Outputs can be reported.

And, most importantly, the organisation can move from legal awareness to a more evidence-supported assessment position.

If it applies, assess it. If you rely on it, document your evidence.

If section 250 applies to your organisation or your clients, the first step is not to overcomplicate the issue.

Start with one clear question:

Can we evidence the assessment position we are relying on?

NORVA’s Excel-native smart templates are designed to help teams answer that question in a structured, practical and evidence-supported way. 

Source and legal review note

Because this article discusses a legal provision from a compliance assessment perspective, the following note is included for clarity.

This article is provided as practical compliance assessment content. It is not legal advice, does not determine legal obligations or criminal liability, and should not be relied on as a substitute for legal review. Organisations should obtain advice from appropriately qualified legal advisers when interpretation, territorial scope, contested senior-manager status, offence-specific exposure, privilege-sensitive matters, or liability consequences require legal judgement.

FAQ

What is the compliance assessment question raised by section 250 of the Crime and Policing Act 2026?

 The practical assessment question is whether the organisation can show who may be treated as a senior manager, what authority those individuals have, where liability risk may arise, what controls are relied on, and what evidence supports the organisation’s position. 

When is section 250 reported to be coming into force?

Section 250 is reported by legal sources as coming into force on 29 June 2026.

Why is section 250 relevant to compliance assessment?

Section 250 is relevant to compliance assessment because it creates a practical need to assess senior manager roles, actual authority, apparent authority, offence exposure, governance controls, escalation routes, evidence and reporting. 

Is section 250 the same as a normal GRC regulation?

No. Section 250 is different from many detailed GRC frameworks because it does not set out a long list of operational controls. But it still creates a practical governance and evidence question that can be assessed through a structured compliance assessment process.

How does NORVA’s six-phase assessment model apply to section 250?

NORVA’s six phases help structure the work by moving from scope and inherent risk assessment, to maturity assessment, gap analysis, risk and control matrix assessment, documentary evidence and inspection-ready deliverables.

How can a principle-based policy support section 250 readiness?

A principle-based policy can help define the organisation’s governance commitment, scope, roles, responsibilities and review expectations. The assessment then records what applies, what has been assessed, what evidence supports the position, what gaps remain and what outputs need to be reported.

How can NORVA help with section 250 assessment work?

NORVA helps by turning the issue into a structured Excel-native smart template assessment, guiding teams through scope, authority mapping, inherent and residual risk assessment, control readiness, evidence, gaps and reporting.

Source and legal review note

This article is provided as practical compliance assessment content. It is not legal advice, does not determine legal obligations or criminal liability, and should not be relied on as a substitute for legal review. Organisations should obtain advice from appropriately qualified legal advisers when interpretation, territorial scope, contested senior-manager status, offence-specific exposure, privilege-sensitive matters, or liability consequences require legal judgement.