The obligation to ensure adherence to the general and specific laws that apply to your company's operations is at the heart of your responsibilities as a company director, both under the Corporations Act 2001 (Cth) and at common law. The most recent set of hearings before the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission) is a timely reminder of the need for organisations of all sizes to reflect on how they are managing governance and compliance within their business. You can follow some of our previous coverage of the Royal Commission here (https://www.compliancequarter.com.au/three-financial-services-compliance-lessons-from-the-royal-commission/#_ftn1).
Failing to meet your obligations as a director can expose the organisation to actions by shareholders, along with civil penalty enforcement action by the Australian Securities and Investments Commission (ASIC). The enforcement outcomes that ASIC can seek do not end with civil action: depending on the facts, they can extend to criminal prosecution and to administrative disqualification orders. Directors should also remember that their obligations are personal ones, which in some circumstances may give rise to personal liability for debts and other losses incurred by the company.
Let's now consider what you should be asking, as a director, about compliance within your organisation in the wake of recent events.
1. How do we manage our compliance obligations?
It may seem like a baseline question, but it remains an important one for a director to ask no matter the size of the organisation, and you shouldn't feel uncomfortable asking it. Your obligations as a director are personal and include understanding how the organisation is managing legal and regulatory risk (among other risks) as part of the overall management of its operations. As an absolute minimum, you should be familiar with where the organisation's compliance framework is kept and what it contains, along with the policies and other controls that form part of that program.
2. How are we embedding our compliance framework into everyday decision making?
It's all well and good to have an elaborate set of compliance documentation and to point to it as your compliance framework, but if members of your organisation are not adhering to those mechanisms, or do not understand how they apply to the work they do each day, how effective is that compliance system in practice? As a director, you should be asking whether the organisation needs to better incorporate those controls into its everyday work practices. How you do so should, of course, be tailored to the size and nature of your organisation.
3. How do we ensure that our compliance framework is current?
Compliance is not a set-and-forget suite of documentation that you put in place and archive. How is your organisation managing its compliance obligations on an ongoing basis? Who within your organisation is monitoring changes in the law and keeping abreast of guidance issued by your relevant regulators, so that the organisation stays on top of its obligations as they evolve? The directors of all companies should treat compliance as an evolving process and should ensure that the organisation has a mechanism for updating the compliance framework and its controls as changes take place.
4. How are we testing adherence to our compliance obligations?
It is critical to have a compliance framework in place, but if adherence to that framework is not being tested regularly through monitoring and audits, how can you have confidence that the organisation is meeting its obligations? Periodic monitoring and auditing is just as important to managing compliance successfully as having a framework in the first place. The governance around that process is also worth focusing on: are those responsible for monitoring and auditing sufficiently independent from the work processes they review to ensure that audits are transparent and robust?
5. What is our breach reporting process?
If a breach does take place, how does your organisation manage that process, both in assessing the facts that give rise to the concern and in escalating the matter within the organisation? A common complaint by regulators is that organisations have cumbersome and slow assessment processes, resulting in breach reporting delays and an overly legalistic approach. Are your breach reporting systems operating so that you can meet any reporting deadlines prescribed by legislation? If not, how are you managing those delays in your communication with the regulator, and is that considered satisfactory?
6. What kind of relationship do we have with our regulators?
As a director, you should be familiar with the regulatory history of the company you direct. Is there a regulatory history? If so, what is that history, and how has the organisation managed the failings that gave rise to those concerns? What kind of relationship does the company now have with its regulators, and how can that relationship best be managed so that the company is seen to demonstrate a compliance mentality and to pose minimal regulatory risk? It is important that your regulators have confidence in your ability to meet your regulatory obligations and that you act with candour in dealing with them.
Some may consider it a soft compliance skill, but maintaining sound regulatory relations is important to managing the company's reputation and should be treated as part of the overall compliance framework.