Ultra Electronics, Balt SAS and Nazaha reporting: Global anti-bribery enforcement is testing compliance programs

Key takeaways / abstract

Policies matter. But they are not proof of control.

That is the larger message behind recent anti-bribery enforcement. Regulators are looking beyond written commitments and asking whether organizations can show how compliance works inside the business, especially where risk is created through agents, intermediaries, public sector contracts, gifts, hospitality, conflicts of interest and third-party relationships.

This pressure is growing because compliance teams are already operating in a more complex environment. PwC’s Global Compliance Survey 2025 found that 85% of respondents believe compliance requirements have become more complex in the last 3 years, while 77% said that complexity had negatively affected their company across 5 or more growth-related areas.

The OECD has also recognized the growing importance of internal controls, ethics and compliance programs in foreign bribery enforcement. Many companies have invested heavily in these areas because enforcement agencies increasingly assess compliance programs as a mitigating or exonerating factor in foreign bribery cases.

But there is still a gap GRC leaders need to close.

The issue is not whether a policy exists. The issue is whether the organization can prove the policy is active, understood, monitored and connected to real decisions.

What did Ultra Electronics show about proof of control?

The UK Serious Fraud Office announced on 1 May 2026 that Ultra Electronics Holdings Ltd had accepted responsibility for failure to prevent bribery. A judge approved a Deferred Prosecution Agreement requiring Ultra Electronics to pay a £10m penalty and £4.8m in SFO investigation costs.

The case related to 3 public sector contracts sought through the use of agents. These included a contract worth up to £200m awarded by Oman’s Ministry of Transport and Communications, as well as 2 further contracts sought in Algeria.

The financial penalty matters. But for GRC leaders, the reporting requirement matters just as much.

Ultra must provide annual reports for 3 years on the effectiveness of its anti-bribery and compliance program. That requirement turns compliance from a static commitment into an ongoing evidence exercise

A mature anti-bribery program needs to show:

• where anti-bribery risk sits
• who owns third-party risk
• how agent and intermediary risk is reviewed
• how evidence is captured
• how red flags are escalated
• how remediation is tracked after issues are found

That is the practical lesson from Ultra. Anti-bribery compliance cannot only live in policy documents, training decks and annual attestations. It has to be visible in how decisions are made, recorded and improved.

Why does Balt SAS matter for self-disclosure and remediation?

The Balt SAS resolution shows the other side of the same coin.

In March 2026, the DOJ declined to prosecute Balt SAS, a French medical device company, under its Corporate Enforcement and Voluntary Self-Disclosure Policy. The DOJ said Balt voluntarily self-disclosed the misconduct, fully cooperated with the Department’s investigation, timely and appropriately remediated the wrongdoing, and agreed to pay approximately $1.2m in disgorgement.

This is not just a legal footnote. It is a practical signal for compliance leaders.

The DOJ highlighted several actions that mattered:

• Balt identified the misconduct during an internal investigation,
• provided relevant facts,
• agreed to continued cooperation,
• took disciplinary action,
• ended problematic business relationships,
• delivered tailored compliance training,
• improved its compliance program and internal controls.

That matters because it shows that enforcement outcomes are not shaped by the existence of a policy alone. They are shaped by how quickly the organization detects issues, how clearly it escalates them, how it cooperates, and whether it can demonstrate meaningful remediation.

In practical terms, the Balt SAS resolution points to a more constructive model of compliance: not a static program sitting in the background, but an active system that helps the business find issues early and respond credibly.

As GRC Pundit, Michael Rasmussen puts it;

“The future of GRC is business-orchestration. It connects governance to objectives. It connects risk to uncertainty. It connects compliance to integrity. It connects performance to accountability.”

That idea is especially relevant for anti-bribery programs. Bribery risk often sits across third parties, sales teams, regional operations, public procurement, finance approvals, conflicts of interest, gifts and hospitality. If those activities are managed in disconnected systems, blind spots are inevitable.

The Balt case shows why compliance programs need to connect misconduct detection, escalation, internal investigation, third-party decisions, training, control improvements and remediation in 1 coherent view.

What is happening in the Middle East in regard to anti-bribery?

In the Middle East, Saudi Arabia’s Oversight and Anti-Corruption Authority, Nazaha, reported 3,041 inspection rounds in April 2026.

According to Saudi Gazette reporting, this led to investigations into 259 suspects and the detention of 97 individuals in corruption-related cases. The suspects were linked to several government entities, including the Ministries of Interior, Defense, Health, Municipalities and Housing, Human Resources and Social Development, and Islamic Affairs, Dawah and Guidance.

For multinational organizations, the lesson is clear. Anti-bribery risk cannot be managed only at head office.

Global businesses often operate through local partners, public sector tenders, agents, distributors, suppliers and intermediaries. That creates a governance challenge. The organization needs to understand where exposure sits, which relationships carry higher risk, and whether risk-based controls are being applied consistently across regions.

The practical question is simple:

Can the business see which relationships, markets and activities create higher bribery exposure, and can it prove the right controls were applied at the right time?

If the answer depends on manual updates, scattered spreadsheets or after-the-fact evidence gathering, the program is already exposed.

Anti-bribery polices change in the EU

There is also strong advance in Europe on this topic.

On 21 April 2026, the Council of the European Union gave final approval to a new directive on combating corruption. The directive is intended to replace earlier EU anti-corruption instruments and harmonize aspects of corruption law across member states.

Legal analysis of the directive shows that it recognizes factors such as cooperation with authorities, effective internal controls and compliance programs, voluntary disclosure, and remediation as potential mitigating factors in enforcement.

For organizations with EU operations, this reinforces the need to reassess whether anti-bribery and corruption frameworks are not only documented, but operationally credible.

This is where the compliance burden becomes a GRC architecture problem.

The challenge is not just knowing the rules. It is connecting obligations, controls, third-party risk, conflicts of interest, evidence, reporting and remediation across the business.

The common thread: Anti-bribery policies are not enough

The common thread across these stories is not simply bribery. It is proof.

Regulators are asking whether organizations can show that anti-bribery risk is understood, owned and managed. That means compliance teams need more than a policy library. They need a connected view of how anti-bribery compliance actually operates.

What does that look like in practice?

• clear ownership of anti-bribery risk
• documented third-party due diligence
• evidence of review and approval decisions
• escalation routes for red flags
• audit trails for gifts, hospitality, conflicts and intermediaries
• training records linked to role and risk exposure
• remediation actions tracked through to completion
• reporting that shows trends, gaps and overdue actions

This is the difference between having a compliance program and being able to prove it works.

What should business leaders take from this?

For GRC leaders, the message is clear: anti-bribery compliance needs to be designed around evidence from the start.

A program that only works when someone manually pulls data together after an issue has already escalated will struggle under scrutiny. Regulators are not asking whether the organization can produce a policy. They are asking whether the organization can show how risk was identified, who owned it, what action was taken, and whether the response was effective.

That is where value-based GRC becomes important. Anti-bribery compliance should not be treated as a tick-box exercise that sits outside the business. It should help leaders make better decisions, protect growth, and act with integrity.

As  Paul Cadwallader, GRC Strategy Director, CoreStream GRC, puts it:

“GRC is not only about avoiding the downside. It should actively drive value. Value-based GRC enables you to unlock the upside and achieve what your organization truly wants.”

GRC leaders should focus on practical steps that make anti-bribery risk easier to own, monitor and evidence:

• Map where anti-bribery risk appears across the business.
• Identify which third parties, regions and contract types carry higher exposure.
• Connect policies, controls, training, approvals and incidents in 1 view.
• Track red flags and escalation decisions with a clear audit trail.
• Make remediation visible, owned and time-bound.
• Report on whether controls are working, not just whether they exist.

CoreStream GRC helps organizations bring risk, compliance, controls, third-party activity, evidence and reporting into  a holistic connected view. That matters because anti-bribery programs are only as strong as the evidence behind them.

Want to hear more?

FAQ on global anti-bribery enforcement