Wednesday, 22 July 2009

How to make your compliance program sustainable

“Sustainability” is one of the buzz words of our age, one which even has some relevance to regulatory compliance. There are a number of indicia that a compliance program needs to have before it can be said to be sustainable. I would maintain that without these following features a compliance program will struggle and cease to be effective.

From the outset every organisation needs to have a compliance management system which, at least, contains the features discussed below.

First there has to be genuine top management support. This largely manifests itself in ensuring the compliance function is adequately resourced to meet the organisations regulatory requirements and that there is accountability.
In the course of his reasons for decision in Australian Competition and Consumer Commission v Australian Safeway Stores and George Weston Foods in relation to penalty Federal Court judge Mr Justice Goldberg referred to the duties of the board of directors and senior executives:  
‘It is very important in this area that responsibility be assumed and discharged by the board of directors and senior executives and management for compliance by the corporation with its obligations under the Act. It is the board of directors which supervises and ultimately controls the executive and operational aspects of a corporation’s commercial activities.’

The Board’s involvement in compliance translates into receiving regular and timely reports on high regulatory and common law risks for the organisation, compliance controls developed to manage these risks, how the controls are being maintained (reviews, audits, and incidents and their rectification).
Equally as important is the fact that the compliance function itself needs to have sufficient stature in the organisation and have “clout”.
.
Although compliance is everyone’s responsibility there needs to be someone overseeing the system as a “ringmaster” i.e. a Compliance Manager. As suggested above, that person needs to have sufficient status and authority (“presence” and “gravitas”) within the organisation to ensure that they are taken notice of. I would go further and argue that the Compliance Manager, however so called, should be part of the leadership/decision making team so that compliance issues can be identified from the word “go” and compliance built in early so that it seamlessly becomes part of the goods and services offered by an organisation. This is important because it casts the role of the Compliance Manager as an “in-house” consultant/adviser rather than someone who comes in late in the process and causes resentment by asking others to go back to the drawing boards and changing the design of goods and services therefore adding to the cost.

Skills in leading others are another feature of sustainability in compliance. There are two aspects to this. The first is what I call “tone at the top”, an expression which has become a compliance mantra for industry and regulators in recognition of organisational leaders’ significant influence on employee attitudes, and as a consequence, organisational behaviour. Those at the top are the ones who are noticed and from whom employees take their cue. The tone must be such that top management makes it clear that it wants compliance embedded seamlessly into the organisation’s activities. The second is the attributes of the Compliance Manager. He or she needs to be able to manage relationships, not subordinate, practice collegiality and be a competent advocate for compliance.

Building in compliance from inception is what I call “Compliance Design” and is an integral part of sustainability in compliance.

Every organisation needs to assess its regulatory obligations on an ongoing basis and the risk that lack of controls would pose for the organisation. This requires advocacy on the need for controls and collegiality in developing them. You also need to put the finger on who is responsible for operating those controls, whether they have the competencies to carry them out and ,if not, what training is required.
Compliance is not only about having processes but also ensuring that there is compliant behaviour. In this respect the right tone at the top is critical. Compliant behaviour is more likely to occur when staff are “sold” the reasons for compliance and are part of the system design, and then processes designed are empathetic to their particular day-to-day operations. Needless to say non conformance may require additional training, mentoring or coaching and, in the case of indifference, or intentional or reckless non conformance, some form of serious consequence.

Appropriate compliance behaviour can come about by regular formal training on relevant laws which “at risk” staff must conform to. Many companies do this training annually. However, that training needs to be reinforced between annual training sessions by keeping relevant regulatory issues “front of mind” throughout the year. In the trade practices area one device I recommend is being on the ACCC’s Web Alerts. A point on communications:

Limit them to your “real world” risks
Relate them to the real world your organisation operates in on a day-to-day basis;
Keep the message simple and understandable (no lawspeak).
Try “roadtesting” the material.
Understanding the message is the end game.

One potential weak link in any compliance program is to failing to ensure that newly recruited staff are reminded of their compliance obligations from day one. I am reminded of a Federal Court decision based on a breach of the competition law provisions of the Trade Practices Act where a new recruit had joined the company just after the annual trade practices training so was unaware of his responsibilities and so breached the TPA out of ignorance.

Another important aspect of sustainability is to have a proper maintenance/auditing program to make sure that the systems/controls you have developed are (a) being applied and (b) effectively so. It’s the equivalent of “kicking the tires” occasionally.

Having an independent review every so often gives the system a reality check to see that it is delivering effectively.

No comments:

Post a Comment