Compliance Catastrophe: Why Your Management System Isn’t Working
What do Optus and George Calombaris have in common?
Significant reputational damage caused by failure to comply or failure to have a system in place that they could rely on.
Recently, Certex Managing Director, Dianne Gibert, presented a national webinar with the Australian Organisation for Quality, ‘Compliance Catastrophe’. Dianne spoke to Quality Managers, internal auditors, and business owners. Just in time for World Quality Week in November, this article will highlight some key takeaways from her presentation.
What is a Management System?
A management system is a set of policies and procedures used by an organisation to ensure it can fulfil the tasks required to achieve its objectives.
These include:
Financial success
Safe operation
Product quality
Client relationships
Worker management
Legislative and regulatory conformance
A Management System Mantra
Know the legislation – ignorance is no excuse
Design policies and procedures to suit – every business is different
Implement and keep fresh
Maintain records
Instead of spending time looking for the best management system out there, think about it as a system for managing your business. Start with your business – What do you do? Where are the risks? What needs to be controlled? Then, check in with any standards (e.g. ISO 9001) to see what other controls are needed.
It will mean the difference between something being an accident and being negligent. The consequences of each are vastly different – an accident might cost you legal representation, but negligence might cost you penalties, incarceration, and potentially the business.
Let’s consider some key compliance problem areas.
Privacy
7.9 million individuals across Australia and New Zealand were affected by the Medibank Latitude breach.
Are you holding too much personal information? Are your data systems secure? Are there checks in place for human error?
Privacy risks have enormous consequences. Further, the government is considering proposed amendments to the Privacy Act with greater accountability and harsher penalties for businesses.
What can I do?
Consider how upcoming legislative changes will affect you
Identify what data you collect and how you collect, store, and use it
Develop a Privacy Policy and Privacy Collection Notice
Provide privacy awareness training for workers
Security
“In Australia, we saw an increase in the number and sophistication of cyber threats, making crimes like extortion, espionage, and fraud easier to replicate at a greater scale. The ACSC received over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. This equates to one report every 7 minutes, compared to every 8 minutes last financial year.”
— Australian Cyber Security Centre Annual Cyber Threat Report, July 2021 – June 2022
Security is a complex and technical risk. Problems are often difficult to resolve and very expensive, which is why controls are so important.
What can I do?
Avoid sending sensitive information via email
Protect your business with ISO 27001 Information Security Management Systems principles and/or certification
Adopt the Australian Signals Directorate’s Essential Eight
“While no set of mitigation strategies are guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies from the Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.”
— Australian Signals Directorate
Employee Engagement
When is a contractor an employee? Is having an ABN sufficient for contractor status?
The Fair Work Commission estimates that 64% of contractors do not have control over their own work. This would be a case of sham contracting.
If businesses are not providing the correct worker entitlements, they risk back payments, penalties, and reputational damage.
What can I do?
Audit all contractors
Assess the level of control or independent authority the worker has over their performance (e.g. method of work, hours of work, ability to sub-contract)
Check working agreements against the national unfair contracts and remedy scheme
Other
Other key compliance problem areas include:
Supply chain management
Modern slavery
Collaboration
Business ethics – whistle-blowers, anti-bribery, anti-corruption
Work health and safety
Psychosocial hazards
Risk controls
Anti-discrimination
Training
Remuneration levels
How to Avoid a Compliance Catastrophe
As the AOQ webinar title reflected, a compliance breach can be catastrophic – financially, reputationally, and personally.
Certex strives to encourage SMEs to improve understanding and management of their legal obligations.
Independent, external assessments are key to any effective management system. Our iSuite of Risk Assessments can help you identify gaps in areas of Privacy, Cybersecurity, WHS, Talent Engagement, Psychosocial Safety, and more.
Get on top of your compliance. Contact us to learn more.