Compliance Catastrophe: Why Your Management System Isn’t Working

What do Optus and George Calombaris have in common? 

Significant reputational damage caused by a failure to comply, or a failure to have a system in place that they could rely on.

Recently, Certex Managing Director, Dianne Gibert, presented a national webinar with the Australian Organisation for Quality, ‘Compliance Catastrophe’. Dianne spoke to Quality Managers, internal auditors, and business owners. Just in time for World Quality Week in November, this article will highlight some key takeaways from her presentation. 


What is a Management System? 

A management system is a set of policies and procedures used by an organisation to ensure it can fulfil the tasks required to achieve its objectives. 

These include: 

  • Financial success 

  • Safe operation 

  • Product quality 

  • Client relationships 

  • Worker management 

  • Legislative and regulatory conformance  

A Management System Mantra 

  1. Know the legislation – ignorance is no excuse 

  2. Design policies and procedures to suit – every business is different 

  3. Implement and keep fresh 

  4. Maintain records 

Instead of spending time looking for the best management system out there, think of it as a system for managing your business. Start with your business: what do you do? Where are the risks? What needs to be controlled? Then check in with any relevant standards (e.g. ISO 9001) to see what other controls are needed.

It will mean the difference between something being an accident and being negligent. The consequences of each are vastly different: an accident might cost you legal representation, but being negligent might cost you penalties, incarceration, and potentially the business.

Let’s consider some key compliance problem areas.  

Privacy 

7.9 million individuals across Australia and New Zealand were affected by the Medibank Latitude breach.  

Are you holding too much personal information? Are your data systems secure? Are there checks in place for human error?  

Privacy risks have enormous consequences. Further, the government is considering proposed amendments to the Privacy Act with greater accountability and harsher penalties for businesses. 

What can I do? 

  • Consider how upcoming legislative changes will affect you 

  • Identify what data you collect and how you collect, store, and use it 

  • Develop a Privacy Policy and Privacy Collection Notice 

  • Provide privacy awareness training for workers  

Security 

“In Australia, we saw an increase in the number and sophistication of cyber threats, making crimes like extortion, espionage, and fraud easier to replicate at a greater scale. The ACSC received over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. This equates to one report every 7 minutes, compared to every 8 minutes last financial year.”   
Australian Cyber Security Centre Annual Cyber Threat Report, July 2021 – June 2022 

Security is a complex and technical risk. Problems are often difficult to resolve and very expensive which is why controls are so important.  

What can I do? 

  • Avoid sending sensitive information via email 

  • Protect your business with ISO 27001 Information Security Management Systems principles and/or certification 

  • Adopt the Australian Signals Directorate’s Essential Eight  

“While no set of mitigation strategies are guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies from the Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.”   
Australian Signals Directorate 

Employee Engagement 

When is a contractor an employee? Is having an ABN sufficient for contractor status? 

The Fair Work Commission estimates that 64% of contractors do not have control over their own work. This would be a case of sham contracting.  

If businesses are not providing the correct worker entitlements, they risk back payments, penalties, and reputational damage.

What can I do? 

  • Audit all contractors 

  • Assess the level of control or independent authority the worker has over their performance (e.g. method of work, hours of work, ability to sub-contract) 

  • Check working agreements against the national unfair contracts and remedy scheme 

Other 

Other key compliance problem areas include: 

  • Supply chain management 

  • Modern slavery 

  • Collaboration 

  • Business ethics – whistle-blowers, anti-bribery, anti-corruption 

  • Work health and safety 

  • Psychosocial Hazards 

  • Risk controls 

  • Anti-discrimination 

  • Training 

  • Remuneration levels 

How to Avoid a Compliance Catastrophe 

As the AOQ webinar title reflected, a compliance breach can be catastrophic – financially, reputationally, and personally. 

Certex strives to encourage SMEs to improve understanding and management of their legal obligations.  

Independent, external assessments are key to any effective management system. Our iSuite of Risk Assessments can help you identify gaps in areas of Privacy, Cybersecurity, WHS, Talent Engagement, Psychosocial Safety, and more.  


Get on top of your compliance. Contact us to learn more.  

Alicja Gibert