Firms often have thousands of pieces of legislation with which they must abide. But is 100% compliance possible, or even necessary?


Australian power companies know all too well what it means to be on the wrong side of the regulator.

In the past 18 months, five of the country’s major players have been slapped with hefty fines by the Australian Competition and Consumer Commission over the conduct of some of their salespeople, with the firms now banning the practice of door-to-door selling.

EnergyAustralia was one of the companies involved, and was hit with a $1.2m fine in April last year.

The company’s enterprise risk and insurance manager Brad Tymmons says the fine drove a “huge change” in the company’s risk appetite for regulatory breaches.

“We’re much more cautious; we improved our systems, and we put in a lot more resources. Our risk appetite for regulatory breach is now very low,” he says.

To help manage the regulatory risk, Tymmons has now risk ranked EnergyAustralia’s legal obligations – of which there are more than 6,000.

“We’ve risk ranked regulations as low, medium and high. Those that are high, we certify our compliance quarterly, [and] those at the medium and lower ends of the risk rankings we certify less frequently,” he says.

The company’s performance is then measured against that, with bi-monthly reports to the audit and risk committee that incorporate any regulatory breaches, near misses and changes to regulation.

“If there’s a change of regulation we can catch this proactively rather than reactively so we can put the right processes and systems in place to make sure we maintain our compliance with any regulation,” Tymmons explains.

But not everyone agrees with assigning a risk rating to compliance issues.

Scentre Group chief risk officer Eamonn Cunningham says “regulatory compliance is not optional”.

“Our [regulation risk] appetite must be that there’s no option here – it’s binary – you either comply or you don’t and it would be a very brave organisation to set up a regime where they play in the grey space, they shouldn’t be. The whole intent must be about ensuring regulatory compliance as a base.”

So is Scentre Group 100% compliant?

“That can be a difficult question to answer. But an easy question to answer is – are you doing all that’s reasonably within your power to ensure that, as far as you’re concerned, the systems deployed are being compliant with prevailing law?”

And on this point, Tymmons and Cunningham agree.

Tymmons says: “I’m an advocate of regulation – there’s absolutely a need for regulation. The problem is [when] regulation comes into a company and you need to make changes to your processes and your systems so you can comply with that regulation.

“It does take a while for companies to establish the right people, processes and systems for regulatory changes and so you go through a period where you feel like it’s stifling growth and taking you away from business as usual.”

Nearly one-quarter (24%) of respondents to the StrategicRISK survey agreed that regulation had stifled growth in the major jurisdictions in which their firms operate.

And that is not expected to slow any time soon. In fact, more than half of risk managers (56%) expect regulation to increase in the next 12 months and yet only 11% of risk managers said they felt “very prepared” for incoming regulatory changes.

So should risk managers take a ‘risk-based’ approach to compliance?

Michael Tooma, partner at Norton Rose Fulbright, thinks so.

“We have an obsession around talking about law and compliance,” Tooma says. “We need to start looking at regulation and compliance a little bit differently.

“Is it desirable to comply with all laws? Should we actually be building in risk management in our legal compliance strategies?” he asks.

Relationship with compliance

Risk managers can only help with ‘rating’ regulatory risks, however, if they have a relationship with the individual or team responsible for ensuring the company’s compliance.

The primary responsibility for regulation in most firms (44%) lies with the in-house legal department, according to the StrategicRISK survey.

And, encouragingly, most risk managers are engaged with this function: 76% said they had ‘some involvement’ with their firms’ regulation, while a further 17% said they were ‘very involved’. Only 7% of risk managers said they had ‘no involvement’ in regulatory matters.

“Legal know the law while risk know the consequence of the law to the business,” one respondent said.

And while no risk managers would like their involvement with the legal/compliance function to decrease, risk managers were almost split down the middle between wanting their involvement with the function to increase (48%) or stay the same (52%).

“Changes to regulations and regulatory compliance inevitably impact business. It is the duty of risk managers to manage uncertainties resulting from regulatory changes that may impact business objectives,” an advocate said.

But others were happy with their level of involvement in regulatory matters.

“The balance is correct. The various functions need to have clearly defined roles and responsibilities with respect to the management of regulatory relationships, legal interpretation and advice on regulatory requirements and the risk personnel providing advice on the enterprise and operational risks associated with that regulator or regulatory matter,” one respondent said.

“It is not my primary function so it is sufficient that I only perform some monitoring procedures and ensure that it is being managed appropriately,” said another.

So while the jury is still out on the best way to manage the perceived regulatory burden, all risk managers concur that it’s their difficult job to help risk owners identify and understand the consequences of non-compliance.