Diligence, coordination and tech key to compliance: Fels

Fels, a well-known academic who most famously headed the Australian Competition and Consumer Commission (ACCC) from its inception in 1995 until mid-2003, is now acting as dean of the Australian and New Zealand School of Government. He was sponsored by Canon Australia to author the white paper, simply entitled Compliance, which offers companies guidance for formulating more concrete compliance plans.

With Parliament passing 300 pages of new laws every week and the overall legislative burden growing at 10 percent annually -- a rate that outstrips even Australia's 3 percent annual GDP growth -- companies are effectively fighting a losing battle in trying to keep up with constant changes in the laws, Fels says.

That puts a significant burden on IT staff, who in many companies are kicking off compliance efforts across the business by being charged with implementing comprehensive document management systems to create permanent archives of business communications. Indeed, a recent Canon survey of 152 customers found that nearly 62 percent were revisiting document management strategies because of the need for compliance with legislation such as the US Sarbanes-Oxley Act, CLERP 9, Basel II, ASX corporate governance regulations, Australian Standards or occupational health and safety regulations.

Although technology is clearly recognised as valuable a tool for ensuring compliance, Fels points out that it is only part of the total solution. Even in companies where the need for compliance is well recognised, he says, many times it is small mistakes that lead to major exposures for the entire company.

"I think most people in businesses try to obey the law," he explains, "but there are always some who don't understand. That's the problem, when a company has thousands of employees all over Australia and the world, and they don't know the finer points of the Trade Practices Act. If you have several thousand employees, any one of them could do something that could breach the law."

This problem echoes Fels' experience as the Commonwealth's head competition watchdog, during which time he headed investigations into anti-competitive behaviour on the part of Telstra, Visy Paper, Australia's specialist medical colleges, Universal Music and myriad other companies. In many cases, Fels says, the behaviour in question was due to mistakes on the part of individuals and not because of some comprehensive organisational conspiracy.

"Quite often, breaches are occurring at rather low levels of the organisation, and if you have a serious compliance system of reporting on behaviour, you may pick this up," Fels says.

Although document management is a kickstart for better compliance efforts in many companies, the real challenge for comes in making sure that the compliance culture is spread not just across the IT department implementing the solutions, but across the rest of the organisation. Indeed, says Fels, some companies have found their training regime to be so poorly structured that new employees go a full year without training -- during which time they have committed serious compliance breaches.

The implication of this issue is clear: for the IT executives charged with turning general compliance visions into enforceable policy, document management is only the beginning; staff training, compliance monitoring, regular reporting and an ongoing recognition of the value of compliance can all contribute to improving the regime.

To make this happen, IT executives need to work with other business-level executives to ensure that all technology initiatives are bundled in an understanding of their business relevance. Evolving support from standards such as the Australian Standard on Compliance Programs (AS 3806) and the 1500-strong Australian Compliance Institute reflect the progress made so far, but Fels is quick to point out that effective compliance requires constant vigilance.

"So many firms are now aware that just having some mechanistic compliance thing isn't going to serve the true purpose," he says. "There's always a need to keep up to date and to have good practice; having done one compliance program in the year, you have to come back, renew it, and keep pressing it."