Summary: With increasing expectations that directors will be held responsible for compliance failures, we look at how boards can manage compliance risk without taking over the role of management, and the clear benefits of doing so.
Directors' duties + compliance risk
As the regulatory load and the focus on enforcement continue to rise in the COVID-19 economy, the risk of compliance failure for corporate boards appears greater than ever. This risk is heightened when there is a disconnect between what the board expects, and believes, is occurring in relation to compliance and what is actually occurring within the organisation. This ‘disconnect’ is usually the result of one, or a combination, of the following factors:
- the business assumes that the board doesn’t really want to know the nature of day-to-day operations (as it is just interested in profitability);
- the board and/or the business is unaware of or unclear as to the implications of the rapidly changing regulatory requirements; and
- business managers do not want to be the bearers of bad news (how could they have let the non-compliance happen?).
Removing the disconnect
How then can boards remove this disconnect? Due diligence, conducted by the board, is the key.
There is a large body of legal authority and opinion as to where a director can ‘draw the line’ and comfortably rely on management. However, this authority will not stop the compliance failures, or the broader fallout that inevitably follows them.
Boards can manage the risk of relying on management, without taking on the role of management, by: (1) implementing a system of cross-checks, performed by persons not directly involved in the business, to test whether the business is operating effectively, to identify non-compliance and to report regularly on these issues; and (2) requiring remediation of any lax practices and any failures to comply with policies, procedures or legal requirements, so that fewer compliance failures occur subsequently.
The system of cross-checks should be overseen by the board and reported on directly to the board. Its precise form will depend upon the size and nature of the business and the opportunity to deploy technology to assist with the review - it may be as simple as an annual compliance survey and a follow-up audit. The key element, however, will be the interpretation of the audit results and the design and implementation of remediation steps for the lax practices and compliance failures identified.
The external audit, and the insight applied to its results, serve to identify practices which have become accepted within an organisation but should not be, and to normalise the discussion required to implement effective change. Companies with a lax approach to compliance have been seen to transition to ‘best practice’ after introducing a system of external oversight.
The change which follows may be transformative. In some cases, external auditing has shown business units operating directly in contravention of the law, or at high risk of doing so. In some instances, the non-compliance was a result of the ‘disconnect’ described earlier. In other cases, it has resulted from a failure to properly reflect the legal requirements in policies and procedures, whether through a desire to draft policies in a particular format or style, or through a failure to capture the complexity of the legal requirements.
Even within an organisation with a strong culture of compliance, the board should expect independent cross-checks to identify some instances of suspected non-compliance with company policies and procedures, and indeed with laws. In our experience, this is less worrying than an approach which assumes compliance. This is because the larger and more complex the organisation’s operations, the less likely it is that there are no suspected or potential compliance failures. And it is the continued failure to identify and remediate these smaller compliance issues that can lead to significant, manifest problems.
To enhance the benefits obtained through this audit, we recommend beginning as soon as possible. The sooner problems are identified, the sooner they can be remediated, lessening the risk of non-compliance becoming ‘systemised’ within the organisation. It is also important to consider carefully who is appointed as the external advisor. For example, do they have existing strong relationships with the business that might impair their ability to identify problems? Do they have a proven track record of designing and conducting audits that effectively identify legal risk, and then advising on effective and practical remediation steps?
What about COVID-19?
The COVID-19 pandemic should bring additional impetus for boards to review their company’s compliance risk. First, the pandemic increases compliance risk, as many organisations globally will shift their focus to short-term financial issues rather than what can be seen as ‘red tape’. Secondly, the regulatory framework within which companies must operate is changing rapidly, and not all businesses will be able to adapt fast enough. Thirdly, as the market changes, many organisations are considering a restructure. Restructuring brings an opportunity to reconsider business models, systems, policies and procedures from a compliance perspective. Lastly, in difficult economic conditions there is a strong incentive to invest in avoiding a significant compliance failure, which may bring with it catastrophic reputational, legal and financial penalties.
How Cite Legal can assist
Cite Legal offers market-leading expertise in designing and conducting regulatory investigations and audits within Australia and overseas. Cite Legal advises on the implications of the results, including remediation steps such as education and amendments to policies and procedures. In particular, we can assist with:
- identifying the major areas of compliance risk;
- designing and conducting an audit program to assess these risks;
- reporting on the outcome and identifying remediation steps targeted to the instances of non-compliance and legal risk identified in the report.