Managing the compliance of contractors

Start with a risk assessment.

A risk assessment is a means of identifying the risks that your business faces and assessing the likelihood of them occurring. It also involves determining the controls you currently have in place to manage those risks, as well as whether or not any additional controls are necessary.

When you are considering whether your contractors are a compliance risk, look at their role, their responsibilities, the regulatory penalties that apply to the work, and the controls you already have in place. We have looked at the need for more comprehensive risk assessments in previous posts; if you don’t have sufficient resources to conduct such an assessment, consider hiring a third party to do so.

The formality of the controls should depend on the risks.

There are no hard and fast rules. You should design controls to achieve your goal and they should be proportional to the risks. Similarly, they should be sufficient to mitigate the risks to an acceptable level, but no more than that.

For example, if you are procuring a supplier who has complete access to your production system, and is therefore a high risk, you will need proportionately strong controls in place. In this case, the controls would include stringent checks on the supplier’s security standards, a detailed and robust contract that covers confidentiality provisions, and clear procedures for how the supplier’s staff behave while working on your site.

Ensure compliance with law, regulations, and specific controls.

To ensure compliance with law, regulations, and specific controls:

  • Select contractors who are best placed to comply.
  • Provide training on the law, regulations, and specific controls.
  • Ensure that contracts clearly state your expectations regarding compliance with law, regulations, and specific controls.
  • Monitor compliance with plans as work progresses.

Give clear instructions, expectations, and responsibilities.

Make sure that your contractors understand what is expected of them. They should know what is permissible and what is not, as well as who to contact if they have any questions or concerns. A contractor shouldn’t be forced to guess if something is unclear or off-limits.

Provide sufficient training and supervision.

You’re responsible for ensuring that contractors receive sufficient training and supervision. The level of training and supervision they need should be determined by the type of work they’re doing and their skill level.

Maintain oversight throughout the contract period.

This is more than just a matter of signing off on monthly invoices. It means regularly checking in with the contractor to ensure that things are running smoothly and that no problems are being ignored.

If contractors have genuine concerns about your requirements, don’t ignore them. If you do, you won’t gain any advantage from their expertise and skills; in fact, you may cause them problems and set yourself up for failure.

Periodically audit and evaluate contractor practices.

  • Periodically audit and evaluate your contractors’ practices. Contractor compliance can be checked in a number of ways, such as internal audits, third-party audits, work product audits, and process and facility audits.
  • Frequently audit the contractor’s work product. This is the simplest way to confirm that the contractor is complying with your operating policies. Of course, this is not always possible or practical; in some cases you might have to rely on trust in the contractor rather than direct verification, but in many cases you can request a review of the contractor’s deliverables at regular intervals to make sure they’re meeting your specifications.
  • Hire a third-party auditor if possible. It’s better to leave auditing to an independent expert rather than doing it yourself: you don’t want any potential bias for or against the contractor affecting how they’re assessed.

Follow up with remediation when necessary.

It’s important to follow up quickly with any contractors who are non-compliant, and to take steps that protect against non-compliance in the future.

Know your contractors as well as you know your employees who work for you.

You [should] know your contractors as well as you know your employees who work for you…

In many cases, contractors are an extension of your business. They can bring their own risks, vulnerabilities, and threat actors. Therefore, they can introduce new risks and vulnerabilities and new threat actors along with that. In addition to that, they can introduce new compliance obligations and requirements. So we have to be aware of all of this when we’re looking at our compliance process…

Compliance isn’t just about the technology; it’s about the people, and about the processes and procedures behind it (the ins and outs) that help make a successful compliance program…
