Key Points:

Although organisations which clearly meet the existing requirements of AS3806 should need to do little, the publishing of the international standard is a good opportunity to do a health check on their current compliance frameworks.

A new international compliance standard is currently being developed that will provide a globally recognised compliance benchmark for public, private and not-for-profit organisations.

The International Organisation for Standardisation (ISO) Project Committee ISO/PC 271 – Compliance programs has developed a final draft (ISO 19600:2014) which has now been approved to proceed for publication. The Committee is chaired by Mr Martin Tolar, Managing Director of the GRC Institute, and was charged with the development of the first international compliance standard. Standards Australia is acting as secretariat to the Committee and was assisted by an Australian Drafting Committee.

Mr Tolar has said that “The standard once finalised will provide an international benchmark for all organisational compliance programs and builds upon the experiences derived from the Australian compliance standard AS 3806 since 1998.”

Mr Tolar added, “Standards Australia and the Australian Committee have played a leading role in developing the standard through the rigorous international approval process that has taken well over three years from inception to completion. This period was necessary to ensure that all relevant member nations’ requirements are considered and so that a practical yet robust standard is established. This will be a significant positive factor in promoting international business sustainability.”

As noted above, much of the drafting work undertaken in developing the new standard is being undertaken by an Australian committee. A current author of Australian Legal Compliance: Making it Work and Clayton Utz Governance and Compliance partner, Randal Dennings, was appointed by the Law Council of Australia to represent it on the Australian committee.

The new standard is important as it has the potential to be adopted by regulators internationally as the accepted benchmark for making out due diligence defences, and ultimately for the assessment of adequacy of organisational efforts in the context of breaches or control failures.

Key enhancements of AS3806 that were incorporated into the international standard

Key enhancements of AS3806 that were incorporated into the international standard include the need for organisations to:

  1. Articulate the relationship between the compliance management system and an organisation’s other related functions such as governance, risk, audit, legal, environment, health and safety.
  2. Determine the scope of the compliance management system (ie. does its coverage only extend to legislation, license conditions, contractual obligations etc.? Or does it extend to all legal risks, or even wider, all legal obligations, including those voluntarily assumed, such as commitments made to customers and the broader community as well as mandatory obligations?).
  3. Focus upon the linkage between the risk and compliance analyses and functions of the organisation – so that they may operate together synergistically, and in particular assess the organisation’s control processes effectiveness from both perspectives.
  4. Be able to demonstrate evidence of the operation of the compliance management system in practice – particularly in seeking to achieve compliance targets, measurable goals and objectives (including outsourced functions) within the context of an accurate and regular reporting framework to the Board and Top Management.
  5. Take active steps to continue to develop and strengthen a healthy organisational compliance culture linked to stated compliance behaviours.

In summary, organisations who clearly meet the existing requirements of AS3806 should need to do little to meet the requirements of the international standard. This being said, the publishing of the new standard will provide a timely opportunity for organisations to do a “health check“ on their current compliance frameworks and make any adjustments as required ahead of any potential regulatory adoption.