CEO online - your business resource      

Working Towards A Compliance Program

Compliance is an important part of risk management. Risk management fits under the umbrella of corporate governance. Simple stuff really.

The "risks" in risk management have been briefly classified as financial, environmental, people and legal risks. Compliance can cover off many of these risks.

The parameters of legal compliance are set by Acts of Parliament, the courts and our regulators. The company does not set them.

Why have a Compliance Plan?

  • To become a good corporate citizen;

  • To avoid infringing the law;

  • To avoid prosecution;

  • To protect employees from prosecution;

  • To avoid being sued for damages;

  • To avoid payment of legal costs in being involved in litigation;

  • To avoid the distraction and distress of employees being involved in litigation;

  • To avoid unnecessary disclosure of some sensitive issues.

Do company officers need such protection? Absolutely! Many Acts of Parliament impose personal liability on officers and employees these days.

Protection

The Federal Court in ACCC matters has shown that it will mitigate penalties if a defendant shows evidence of a culture of compliance.

Legislative environmental offences generally make corporations and senior officers liable, subject to a due diligence defence and the existence and quality of a compliance system to prove the diligence.

What the courts require

What do the courts require to see in compliance programs?

  1. A substantial and actively implemented system, reasonably capable of preventing, detecting and remedying breaches; and 

  2. Successful implementation to prevent, detect and remedy breaches.

Downside of non-compliance

On 3rd May 2002, the Managing Director of Wilson Transformers was personally fined $285,000 for several breaches. His company was fined $4 million. The action cost his company more than $900,000.00 to defend.

Many actions taken by company officers each day are basic compliance. But it is rare to find it being done in a structured fashion. That is, pursuant to a model or a policy. Some companies stick as much as they can in employee handbooks and manuals. Some have random policies confined to different teams.

The cost of compliance is tax deductible. Fines are not tax deductible. They just end up in the black hole.

What is a Compliance Program?

A compliance program is the program that results from a company investigating and understanding its compliance responsibilities and the risks it faces in business.

Other components of a legal compliance program are:

  1. Adoption of a formal policy or policies;

  2. Continual compliance training;

  3. Integration of compliance into day to day operations;

  4. Requirement of relevant people to report on legal compliance as part of a regular management reporting procedure;

  5. Periodic auditing; and 

  6. Remedial action as required.

Those responsibilities can come from:

A. Laws such as:

  • Corporations Act

  • Trade Practices Act

  • Occupational Health and Safety Legislation

  • Equal Opportunity Legislation

  • Privacy Legislation

  • Environmental laws

  • Other laws as they affect the company ("legal compliance")

B. The risks inherent in, and the challenges which may arise in, commerce in relation to:

  • Human relations

  • Workplace safety

  • Document security

  • Data integrity

  • Disasters

  • Customer complaints

  • Internal complaints

  • Disputes and litigation and the like ("risk management")

 

ESSENTIAL ELEMENT / SUGGESTED ACTION*

Commitment

Appointment of a Compliance Committee of the Board.

Compliance is made a standing agenda item at Board Meetings or of the Audit Committee of the Board.

Appointment of a Compliance Manager or Senior Manager with overall responsibility for compliance (large organisations).

Appointment of a manager or supervisor with responsibility for compliance (small organisations).

Procedures in place to ensure and monitor regulatory compliance.

Clear statement from the CEO/Board to staff, agents, distributors, etc re company's commitment to compliance.

Providing adequate resources for compliance.

Compliance Policy

Set out and widely distribute a clear policy of the company's commitment to compliance with laws and how this will be carried out.

Ensure that there are adequate requirements and procedures to ensure contractors, subcontractors, agents and distributors meet relevant compliance obligations.

Line Management Responsibility

All line managers to be aware of and be responsible for compliance responsibilities in their business unit.

Line managers to be responsible for all staff in their business unit being aware of their (staff's) compliance responsibilities.

Resources and Authority

Company needs to commit adequate resources to compliance such as:

  • Compliance staff or staff with compliance responsibilities

  • Manuals on compliance procedures, reference materials and databases;

  • Adequate work tools and facilities; and

  • Internal and external support mechanisms and networks (eg. staff newsletters).

Compliance staff to have resources to ensure regulatory knowledge is up-to-date.

Compliance staff to have adequate clout eg. direct access to the CEO or Board.

Continuous Improvement

Procedures in place to ensure continuous improvement in compliance.

Ensure that the compliance system represents current best practices and that these are tied to commercial and efficiency incentives.

Identification of Compliance Issues/Operating Procedures for Compliance

Conduct an audit of all business units to ensure that relevant risks are identified in each unit.

Develop appropriate mechanisms to ensure compliance by checking conduct to see if "behavioural" or "procedural" conduct is involved.

If conduct is "behavioural":

  • Establish regular and ongoing training which is validated;

  • Ensure legal compliance is part of induction courses and annual development;

  • Institute a regime of penalties including the ultimate penalty of dismissal, or disciplinary measures where an employee breaches the law and a high profile campaign to ensure that this is understood throughout the enterprise, particularly by those employees whose everyday activities may result in “behavioural” breaches of the Law;

  • Give incentives for compliance (eg. is compliance implementation an element of job selection criteria, is compliance part of performance review), ie. a corporate ethos that does not begrudge the payment of incentives for compliance in recognition that any incentive provided would be a fraction of the liability saved;

  • Not give incentives for non-compliance (eg bonuses where increased sales result from price fixing);

  • Ensuring that compliance with the Law is included as part of the annual performance review.

If conduct is “procedural”:

Ensure that compliance standards are incorporated into:

  • Computer systems;

  • Forms;

  • Contracts; and

  • Administrative procedures.

Install a system to ensure timely advice of relevant changes to the Law.

Set up an in-house compliance mechanism (eg. “in-house” advertising and promotional material committee, a sign-off system) to ensure that promotional and advertising material observes the Law from conceptual to sign off stage.

Training

Arrange education and training of relevant employees in relation to legal compliance and risk management.

Complaints Handling System

Set up a complaints handling system that is:

  • Visible;

  • Accessible;

  • Responsive;

  • Otherwise complies with AS 4269.

Record details of complaints to detect compliance failure.

Record Keeping

Keep a log book/register to log complaints/compliance failure.

Identification and Rectification

Set up a system to identify and classify compliance failure so that all, including systematic and recurring problems, can be rectified.

Reporting

Set up a reporting system (eg. to CEO and Board).

Establish a “hot line” or other accessible and visible mechanism for staff to report breaches to those responsible for compliance.

Monitoring

Set in place a monitoring strategy to ensure that all aspects of the compliance system are operating effectively.

Hold seminars, field inspections to remind and update staff on compliance procedures.

Undertake follow-up work or validation to ensure that the compliance message is understood.

Review

Set in place a time and operational plan for a two yearly review.

Develop key performance indicators to see if compliance programs meet “pass/fail” criteria, including:

  • How well the compliance policy and practices are understood by employees and outsourced agents;

  • How many instances of compliance failure occurred in the period under review and the seriousness of the failure;

  • What remedial action was taken to fix compliance failure and whether this in turn was effective;

  • How often is monitoring undertaken and is it effective in detecting failures/weaknesses in the compliance;

  • Are compliance procedures/systems up to date;

  • How often is compliance training provided, to whom and what are the validation results;

  • Are all line managers aware of their compliance responsibilities.

Liaison

Put in place a system to liaise with regulatory authorities, including:

  • Compliance staff being placed on relevant mailing lists;

  • Meetings with relevant regulatory authorities' offices.

Accountability

Establish a regular compliance reporting system to Board and CEO regarding breaches detected (through complaints line and internal hot line), audits conducted and corrective action.

 

* Source:  Australian Competition and Consumer Commission, www.accc.gov.au

 



Gerard Kennedy, Principal, Macpherson + Kelley Lawyers. Ph: (03) 9794 2600; Email: gerard.kennedy@mk.com.au; Web Site: www.mk.com.au. Macpherson + Kelley are specialist business lawyers, advising public companies, foreign owned subsidiaries and privately owned businesses.
First published: 16 June 2005.
Last updated: 27 June 2005.