An effective corporate compliance program is essential to good governance and risk management. Many businesses have invested significantly in compliance over the last decade yet continue to experience compliance breaches.
With a number of recent well-publicised compliance breaches, it is worth considering some of the key characteristics of an effective compliance program.
Why have a compliance program?
A business that does not have an effective compliance program is at greater risk of non-compliance. Regulators around Australia are actively searching for non-compliance and are often successful in their enforcement efforts against non-compliant businesses.
During 2015–16, ASIC completed 1,441 high-intensity surveillances and 175 investigations. ASIC secured 22 criminal convictions, and of those, 13 resulted in a custodial sentence.
During 2015–16, the ACCC was involved in 48 consumer protection court cases (19 new proceedings) resulting in penalties totalling more than $15 million.
In many instances, the severity of a penalty imposed for non-compliance can be reduced if a business can demonstrate that it had a compliance program in place.
The potential cost of non-compliance is much greater than the cost of implementing an effective compliance program.
Five tips for establishing an effective compliance program
Tip 1. Build the compliance program on ethical foundations
An effective compliance program needs to be based on a commitment to act ethically. Shareholders and other stakeholders value businesses that act ethically.
Compliance programs that are built on ethics are said to be values-based as opposed to compliance-based. A compliance-based program might seek to explain obligations in detail whereas a values-based program will seek to explain the ethical values that underpin those obligations.
When the ethics behind obligations are explained, employees have a greater capacity to determine whether their conduct is compliant and are more likely to understand the boundaries of acceptable conduct.
Tip 2. Ensure the compliance program is easy to understand and implement
Compliance documentation itself should be written in plain language and include real life examples where required. The relevant Australian standard (AS 3806-2006) provides principles and guidance for businesses seeking to implement a compliance program.
One way to explain what might constitute non-compliance is to ask employees to imagine the result of their actions being published on the front page of a national newspaper.
Tip 3. Develop the compliance program on an ongoing basis
A compliance program needs to evolve over time. A compliance program should be updated as a business develops and in response to new regulatory developments.
An effective compliance program should anticipate and detail plans for managing regulatory changes.
A compliance program should be reviewed often and such a review may consider the responsiveness of the program, whether employees know and understand the program, and how the program compares to those used by competitors.
Tip 4. Cover key areas
The complexity of a compliance program will typically reflect the size of a business and level of regulation in that business’ industry.
As a minimum, a compliance program should include detail on the controls in place to manage regulatory risk, training, and tools available to employees to assess and report on potential breaches.
A compliance program should include procedures for document retention, a delegations policy, and policies and procedures covering key risks.
Tip 5. Ensure management involvement
A compliance program needs the commitment of management to be effective.
A single senior manager has the capacity to derail a compliance program. Their attitude is likely to percolate throughout the business and significantly increase the risk of non-compliance.
Some steps to ensure management involvement may include having the CEO or Managing Director draft an introduction to the compliance program, ensuring that the compliance program has been certified by the board, and ensuring that the compliance officer reports to (and can only be dismissed by) the board.