The Australian Institute of Company Directors (AICD) obtained an opinion from a King's Counsel regarding whether a compliance failure by an organisation would result in Directors being deemed to have breached their duties. The opinion reaffirms the established legal position that this is not the case, provided Directors have exercised due care and diligence. Understanding what this entails in practice can be challenging.
Navigating compliance challenges feels like a never-ending battle
In recent years, it seems there's always breaking news about major organisations tripping up on compliance. The financial services sector especially finds its leaders grappling with an avalanche of regulatory demands. Think CPS 230, FAR, DDO, breach reporting, complaints handling, AML, cyber rules, scams, and data privacy requirements, to name a few.
Moreover, company Directors are facing increased scrutiny on how well they govern their company's compliance with obligations. This has been a theme of AUSTRAC, ASIC and APRA enforcement actions in recent years.
With the rise of ESG and AI, managing these considerations is becoming increasingly complex
Organisations have been dealing with ESG-related issues for several years, tackling everything from disclosure requirements and greenwashing risks to business model challenges such as identifying customers who fall outside their climate risk appetite. AI introduces its own set of governance and risk management issues. ASIC recently released Report 798 highlighting the current gaps in AI governance across financial services, which puts the industry on notice that stronger governance is an urgent priority. Crucially, these challenges should not be viewed in isolation. AI is an ESG issue and is within the scope of existing laws and regulations, including scam and data privacy laws, and conduct and disclosure requirements.
Focus areas for Directors
In order to demonstrate effective governance over compliance obligations, Directors need to:
- ensure they have an awareness of the Company's regulatory obligations, particularly those where a breach would give rise to the risk of material financial or reputational damage to the Company,
- oversee that the Company has a suitable framework for managing compliance and that the focus of this framework in different areas of compliance is commensurate with the risk,
- apply professional scepticism to what is reported by management, and
- be alert to, and ensure appropriate responses to, any red flags that emerge.
Some questions that may help include:
Do you have a mature understanding of your key regulatory obligations?
- While this may seem like an obvious one to which most organisations would answer "of course we do", when you look behind some recent high profile compliance failures, you find organisations that have not done enough to specifically understand how they need to change their processes and controls, and ensure the capability and capacity of teams. This is especially common with recent reforms.
Have you identified and measured the specific compliance risks your organisation faces?
- When it comes to compliance risk, not all regulatory obligations are equal, and it is critical that organisations understand the specific impact non-compliance will have on their business. For example, while many organisations are subject to the anti-money laundering regime, the risks and consequences of money laundering eventuating vary significantly from one organisation to the next. Conducting a meaningful risk assessment helps management prioritise their resources and helps Directors know where to focus their oversight.
Does your organisation have a healthy culture and practice of constructive challenge?
- At the heart of effective risk management is a strong culture. A culture which embraces the early and candid communication of potential risks might be the single most important attribute of those that do well on compliance.
Is 'red' status reporting embraced or discouraged?
- When there is a compliance failure, Directors and other stakeholders often ask why they were not given advance warning that the failure could occur. Unfortunately, in some organisations there is a (somewhat human) bias towards reporting good news. Establishing a culture where management are supported to report 'red' status early and candidly can help immensely. Of course, reporting 'red' alone is not sufficient. Management must also report the plan to return to 'green', demonstrate commitment to and execution of that plan, and feel that they are able to access the resources needed to do so.
Are you paying enough attention to the external environment?
- With business as usual becoming ever more complicated and transformation feeling like a permanent state, the internal challenges can become all-consuming. It is important that Directors remain attuned to the challenges their competitors are grappling with, innovations in technology, changes in consumer and market behaviour, shifting regulator priorities and offshore developments.
Are you learning and evolving from past mistakes?
- Mistakes are a great teacher, but in some instances organisations fail to embed the lessons learned. Investing in the required changes to culture, capability, process and controls is needed to prevent similar issues recurring, and will undoubtedly pay off in the long run.
Considerations for management to move towards more sustainable, strategic compliance
Achieving compliance requires ensuring the right human capability and capacity is in place, and that business processes and supporting technologies are designed to meet obligations. Data availability, integrity and stewardship are both critical and one of the most challenging areas in practice. With this in mind, some practical considerations for management are outlined below.
Take a holistic view
Companies will benefit substantially by ensuring a complete view of compliance obligations is considered when making changes to business processes and systems, addressing data challenges and adding and training people ('dig up the road once'). In many cases, while it is known that the regulation applies, the organisation has not done enough to specifically understand how it needs to change its processes, controls, governance and culture to ensure compliance.
By way of example, some organisations currently maintain separate processes and controls to meet overlapping regulations for monitoring third parties, such as CPS 230, DDO, monitoring of authorised representatives and material outsourcing for APRA-regulated entities. Oversight of these various compliance areas can be simplified by shifting to a single framework that can be applied across multiple obligation sets.
Ensure effort and investment is commensurate with the risk
Executives and Directors need to be clear on which aspects of non-compliance present the risk of giving rise to material reputational or financial harm to the Company. Consider those risk areas that represent an existential risk, as well as those that are critically important. Ensuring that these areas get sufficient focus and investment is important, as is being clear on which of these are enduring versus those that stem from topical and temporary geo-political, economic or regulatory challenges.
Connect incident and issue data to compliance obligations
In some organisations, boards do not receive a holistic view of compliance. Instead, Directors need to do the work themselves of bringing together the information in the separate reports they receive from complaints, legal, risk and operational teams. Disaggregated reporting can make compliance red flags hard for busy Directors to find.
Good compliance reporting includes concise commentary on what has changed in the external and internal environment and whether the compliance status is inside or outside the risk appetite. Reporting should also be clear on the direction of travel: is it getting better or worse in our organisation, and what must be done to move things in the right direction?
AI is not a nice-to-have
AI is increasingly critical to getting compliance right. Governed appropriately, AI has extraordinary potential to uplift compliance at a much lower cost, and some organisations are beginning to unlock its benefits. Monitoring complaints and sentiment, assessing credit and pricing for risk, and detecting fraud and scams are just some examples of where AI holds considerable promise. Conversely, these are all areas where good governance is critical, for example to avoid introducing bias and unfair treatment of vulnerable customers, or inappropriately denying certain customers access to insurance.
Led by some of Australia’s most respected risk and legal practitioners, our Risk and Regulatory team works with clients to assess, manage and leverage risks, understand obligations and implement new regulation in a way that is practical, sustainable and strategically aligned.