Risky business: why organisations doing business in Australia should re-evaluate their approach to risk management and compliance

Corporate governance, risk management and compliance have attracted considerable attention in Australia over recent months. 

Following a number of developments – including increased external scrutiny of corporate practices and new laws enhancing private sector whistle-blower protections – organisations with corporate activities in Australia cannot afford to sit back, rely on past practices and hope that it will all blow over: the time for re-evaluation is now. 

Recent developments that are driving many organisations to reassess their culture and the robustness of their internal policies and processes include:

• external scrutiny of corporate practices following the Financial Services Royal Commission and an escalating emphasis on the management of non-financial risks;
  
  
• the adoption of a ‘why not litigate’ stance from the corporate regulator, the Australian Securities and Investments Commission (ASIC);
  
  
• increasing accountability under vulnerable worker, labour hire licensing and modern slavery laws, with a name and shame approach from the regulators;
  
  
• the appetite of litigation funders in class actions; and
  
  
• new laws enhancing private sector whistle-blower protections and a growing appetite for law reform targeting corporate conduct.

The heightened focus on corporate governance, risk management and compliance has been driven partly by the findings of the recent Financial Services Royal Commission, which observed that ‘effective leadership, good governance and appropriate culture’ are ‘fundamentally important’. The Commissioner, the Hon Kenneth Hayne QC, recommended that regulators closely scrutinise the risk management policies of financial service providers.

In the wake of the Commission, Prime Minister the Hon Scott Morrison MP (who was Treasurer at the time) indicated that the Government would take action to reduce the perceived ‘lack of accountability’ in large corporations. It is likely that legislative change in the near future will place a greater emphasis on the adequacy of an organisation’s internal compliance procedures in identifying and mitigating risks that arise under its operating model.

ASIC is proactively pursuing high deterrence enforcement action via the newly established Office of Enforcement and a war chest to pursue its mandate to accelerate court-based enforcement matters. Historically, vicarious liability and Part 2.5 of the Criminal Code (Cth) (which extends liability for Criminal Code offences to corporations, equating the intentions of a corporation with its ‘corporate culture’) have been the predominant methods of determining whether a corporation can be held criminally responsible in Australia. However, there is a growing consensus that these models of liability are insufficient and a company’s criminal responsibility should be tied to the effectiveness of its internal policies.

A similar trend has been observed in other Western democracies. Given the success of the United Kingdom ‘failure to prevent’ model for bribery and tax evasion offences, the UK Serious Fraud Office has argued that it should be extended to all corporate economic offences. The UK Treasury Committee has echoed this submission and is currently pushing for legislative reform.

In Australia, the recent Crimes Legislation Amendment (Combatting Corporate Crime) Bill 2017 sought to introduce a ‘failure to prevent’ bribery offence, modelled on the approach under the UK Bribery Act. If enacted, this offence will impose strict liability on corporations for bribery offences committed by an organisation’s ‘associates’, unless the corporation is able to show it had ‘adequate procedures’ in place to prevent the crime. The Bill would also introduce a Deferred Prosecution Agreement scheme. The Commonwealth Attorney-General considered these reforms necessary to ‘encourage corporations to adopt adequate compliance measures’. Though the Bill lapsed in the Senate because of the 2019 Australian federal election, it seems likely the re-elected Government will seek to re-introduce it. 

The Federal Government has also asked the Australian Law Reform Commission to review the nation’s corporate criminal responsibility laws, with the goal of creating ‘a simpler, stronger and more cohesive regime’. Australia’s enforcement track record for corporate criminal offences has been very low to date. This review raises a real prospect that Australia will pursue a similar legislative framework to the UK for a much broader range of corporate economic offences. 

There is also a heightened environment of identifying and informing on wrongdoing. After several years of consultations, committee hearings and draft proposals, long foreshadowed reforms to Australia’s private sector whistle-blower regime were passed on 19 February 2019.[1] The range of matters which may be the subject of a protected disclosure under the Act is very broad, triggering obligations to protect confidentiality and rights to seek compensation for retaliation. Organisations are finding it challenging when scoping the detail which will be required to satisfy the legislative requirement for a whistle-blower policy. ASIC has published very detailed draft guidance, which is currently the subject of consultation. 

These reforms impose a significant compliance burden, and we think there is an insufficient appreciation of the challenges affected organisations have to address. Organisations will face penalties if they get this aspect wrong in practice. As importantly, an entity’s ability to maintain stakeholder confidence is enhanced considerably by pinpointing and resolving internal weaknesses before this information becomes public. 

Now is also an opportune time for organisations with activities in Australia to consider holistically how they encourage people to speak up, how they respond when issues are raised and how they maintain confidence in these processes after an allegation is substantiated. 

---