SAMPLE. BSBCOM603 Plan and establish compliance management systems

Transcription

1 Student Workbook BSBCOM603 Plan and establish compliance management systems 1 st Edition 2015 Part of a suite of support materials for the BSB Business Services Training Package

2 Acknowledgment Innovation and Business Industry Skills Council (IBSA) would like to acknowledge EQUIP GROW LEAD PTY LTD for their assistance with the development of the resource for BSBCOM603B. This resource revised for BSBCOM603C by IBSA. Revised by IBSA for BSBCOM603 (2015) Copyright and Trade Mark Statement 2015 Innovation and Business Industry Skills Council Ltd All rights reserved. Apart from any use permitted under the Copyright Act 1968, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, or otherwise, without written permission from the publisher, Innovation and Business Industry Skills Council Ltd ( IBSA ). Use of this work for purposes other than those indicated above, requires the prior written permission of IBSA. Requests should be addressed to the Product Development Manager, IBSA, Level 11, 176 Wellington Pde, East Melbourne VIC 3002 or sales@ibsa.org.au. Innovation and Business Skills Australia, IBSA and the IBSA logo are trade marks of IBSA. Disclaimer Care has been taken in the preparation of the material in this document, but, to the extent permitted by law, IBSA and the original developer do not warrant that any licensing or registration requirements specified in this document are either complete or up-to-date for your State or Territory or that the information contained in this document is error-free or fit for any particular purpose. To the extent permitted by law, IBSA and the original developer do not accept any liability for any damage or loss (including loss of profits, loss of revenue, indirect and consequential loss) incurred by any person as a result of relying on the information contained in this document. The information is provided on the basis that all persons accessing the information contained in this document undertake responsibility for assessing the relevance and accuracy of its content. If this information appears online, no responsibility is taken for any information or services which may appear on any linked websites, or other linked information sources, that are not controlled by IBSA. Use of versions of this document made available online or in other electronic formats is subject to the applicable terms of use. To the extent permitted by law, all implied terms are excluded from the arrangement under which this document is purchased from IBSA, and, if any term or condition that cannot lawfully be excluded is implied by law into, or deemed to apply to, that arrangement, then the liability of IBSA, and the purchaser s sole remedy, for a breach of the term or condition is limited, at IBSA s option, to any one of the following, as applicable: (a) if the breach relates to goods: (i) repairing; (ii) replacing; or (iii) paying the cost of repairing or replacing, the goods; or (b) if the breach relates to services: (i) re-supplying; or (ii) paying the cost of re-supplying, the services. Published by: Innovation and Business Industry Skills Council Ltd Level Wellington Parade East Melbourne VIC 3002 Phone: Fax: reception@ibsa.org.au ISBN: Stock code: BSBCOM6031W First published: September st edition version: 1 Release date: September 2015

3 Table of Contents Introduction...1 Features of the training program...1 Structure of the training program...1 Recommended reading...1 Section 1 Establish a compliance culture...3 What skills will you need?...3 Compliance...3 Compliance standards...5 Important and relevant legislation Compliance culture The compliance manager Research skills Section summary Further reading Section checklist Section 2 Plan compliance systems What skills will you need? Compliance systems Personnel requirements Resource requirements Documenting systems Section summary Further reading Section checklist Section 3 Implement compliance systems What skills will you need? Implementation plan Objectives and activities Budget Monitoring the system Reviewing the system Reporting Section summary Further reading Section checklist Glossary... 76

4 Appendices Appendix 1 Compliance management system... 77

5 Student Workbook Introduction Introduction Features of the training program The key features of this program are: Student Workbook Self-paced learning activities to help you to develop an understanding of key concepts and terms. The Student Workbook is broken down into several sections. Facilitator-led sessions Challenging and interesting learning activities that can be completed in the classroom or by distance learning that will help you consolidate and apply what you have learned in the Student Workbook. Assessment tasks Summative assessments where you can apply your new skills and knowledge to solve authentic workplace tasks and problems. Structure of the training program This training program introduces you to compliance management. Specifically, you will develop the skills and knowledge in the following topic areas: 1. Establish compliance culture. 2. Plan compliance systems. 3. Implement compliance systems. Your facilitator may choose to combine or split sessions. For example, in some cases, this training program may be delivered in two or three sessions, or in others, as many as eight sessions. Recommended reading Some recommended reading for this unit includes: Baxt, R., 2005, Duties and Responsibilities of Directors and Officers, Australian Institute of Company Directors, Sydney. Biegelman, M., 2008, Building a World-Class Compliance Program, Wiley, USA. Davidson, P., Simon, A., Woods, P., Griffin, R. W., 2009, Management, Wiley Publishing, Milton. Hanrahan, P. et. al., 2007, Commercial Applications of Company Law, 9 th edn, CCH, Sydney. McLean, B. and Elkind, P., 2004, The Smartest Guys in the Room, Penguin, USA. Merna, T., 2008, Corporate Risk Management, 2 nd edn, Wiley, USA. Standards Australia, AS/NZS 3806:2006 Compliance programmes. BSBCOM603 Plan and establish compliance management systems 1 st edition version: Innovation and Business Industry Skills Council Ltd Page 1 of 85

6 Introduction Student Workbook Standards Australia, AS ISO 10002:2006 Customer satisfaction Guidelines for complaints handling in organizations (SSO 10002:2004, MOD). Standards Australia, AS/NZS ISO 31000:2009 Risk management Principles and guidelines. Standards Australia, AS ISO (Set): 2004 Records management. Tarantino, A., 2008, Governance, Risk and Compliance Handbook, Wiley, USA. Please note that any URLs contained in the recommended reading, learning content and learning activities of this publication were checked for currency during the production process. Note, however, IBSA cannot vouch for the ongoing currency of URLs. Every endeavour has been made to provide a full reference for all web links. Where URLs are not current we recommend using the reference information provided to search for the source in your chosen search engine. 1 st edition version: 1 BSBCOM603 Plan and establish compliance management systems Page 2 of Innovation and Business Industry Skills Council Ltd

7 Student Workbook Section 1 Establish a compliance culture Section 1 Establish a compliance culture This section is about establishing a compliance culture within your organisation and includes gaining an understanding of what compliance is and how it affects the operations of your organisation. It also covers a section on the role of the compliance manager and their ability to interpret and implement compliance standards and requirements. Scenario: Raising awareness What is compliance? What are the key issues? How can we protect the company reputation and ensure business performance? Every organisation needs to inform its employees and raise awareness of compliance issues. As the compliance manager, you must understand the compliance requirements for the organisation and create a culture where compliance is recognised as essential for risk minimisation. This means securing buy-in to the compliance program from senior management down. What skills will you need? In order to establish a compliance culture within your organisation you must be able to: identify the need for compliance interpret compliance standards and requirements establish compliance culture identify the compliance manager s role. Compliance Compliance may be defined as certification or confirmation that the doer of an action or the manufacturer or supplier of a product, meets the requirements of accepted practices, legislation, prescribed rules and regulations, specified standards, or the terms of a contract. Compliance cannot be viewed as a separate department or activity, but should be aligned with all of the strategies, objectives and activities of your organisation. Compliance must be reflected in every aspect of the organisation s culture and be integrated into your strategic, environmental, health and safety, financial, risk management, operational requirements and procedures. Good compliance is a necessity. Most companies are aware of how important it is to guarantee and improve integrity in their organisation. A company s reputation and image can be seriously damaged by incidents, malpractice and inconsistent behaviour. BSBCOM603 Plan and establish compliance management systems 1 st edition version: Innovation and Business Industry Skills Council Ltd Page 3 of 85

8 Section 1 Establish a compliance culture Student Workbook Standards, regulations and industry benchmarks are created in order to guide businesses in their daily operations and provide a basis for acceptable behaviour. However, understanding the issues surrounding compliance and interpreting the associated documentation can be frustrating for organisations. It is made more difficult by the variety of regulations that exist and the fact they keep changing. In 2006 Standards Australia issued AS 3806:2006 Compliance programmes which outlines 12 principles to help organisations with the implementation of an effective compliance program. This standard supersedes the previous AS 3806:1998. The objective of the standard is to provide principles and guidance for organisations designing, developing, implementing, maintaining and improving an effective compliance program. The Standard AS 3806:2006 outlines a four stage process of developing a compliance program: commitment, implementation, monitoring and measuring, and continual improvement. Commitment Implementation The four stages of compliance program development. These four stages contain 12 guiding principles which can be summarised in the following manner: 1. Senior management makes a commitment to its compliance obligations. 2. The compliance policies are endorsed by management and aligned with organisational strategy and objectives. 3. Resources are allocated for the development and implementation. 4. The objectives and strategy of the compliance program are endorsed. 5. Compliance obligations are identified. 6. Responsibility for compliance outcomes is established. 7. Training is provided to employees to enable them to fulfil compliance obligations. 8. Culture is created which supports compliance objectives. 9. Controls are established to manage compliance obligations and achieve outcomes. 10. Program performance is measured and monitored. 11. Demonstration of compliance through documentation and practice. 12. Program is continually improved. Monitoring and measuring Continuous improvement 1 st edition version: 1 BSBCOM603 Plan and establish compliance management systems Page 4 of Innovation and Business Industry Skills Council Ltd

9 Student Workbook Section 1 Establish a compliance culture Compliance standards Your organisation needs to identify its compliance obligations and how they impact on its products, services and activities. These obligations should be the guide for the implementation, maintenance and continuous improvement of your compliance program. Your organisation will need to document these obligations in accordance with the size, structure, and operations of your organisation. It is helpful to build a list of the various sources that outline your compliance obligations. These may include: common law legislation and regulations industry codes and standards customary or indigenous law treaties, protocols and conventions directives orders from regulatory agencies permits and licenses judgements from courts and tribunals. The list may be expanded to include obligations that your organisation wants to adhere to. Some of these obligations may include: organisational requirements voluntary codes of practice commitments to the environment agreements with customers and community groups agreements with local authorities agreements with non-governmental and non-profit organisations. Sometimes compliance standards change, therefore it is important to stay in touch with any changes in laws, regulations or obligations that may affect your level of compliance. When changes occur, your program must adjust in order to remain compliant. To stay informed about these changes information can be accessed by: monitoring regulator s websites subscribing to mail lists and information services becoming a member of professional groups seeking advice from a legal advisor attending industry forums. BSBCOM603 Plan and establish compliance management systems 1 st edition version: Innovation and Business Industry Skills Council Ltd Page 5 of 85

10 Section 1 Establish a compliance culture Student Workbook Compliance standards need to be translated into your organisational context and recorded in a compliance policy document. This policy needs to give consideration to the following: organisation strategy, values and objectives organisation s structure and governance risks associated with non-compliance specific local and regional requirements extent to which compliance is embedded into operations internal policies, standards and codes how external relationships will be managed e.g. outsourcing. Before your organisation implements its compliance program you need to identify the risks and consequences associated with failing to comply with obligations. Risk management Compliance management and risk management go hand in hand. The potential risk posed to the organisation through non-compliance must be a consideration in establishing compliance management systems. The expected consequences should determine how strenuous the controls and processes for compliance are, and the severity of penalties for failure to comply. The Australian/New Zealand Standard AS/NZS ISO 31000:2009 Risk management Principles and guidelines (formerly AS/NZS 4360:2004) provides a guide for managing risk. The objective of this standard is to provide guidance to enable public, private or community enterprises, groups and individuals. For risk management to be effective, organisations at all levels need to ensure that their risk management program: creates and protects value is an integral part of all of the organisation s processes forms part of decision making explicitly expresses uncertainty is systematic, structured and timely is based on the best available information is tailored to the organisation takes human and cultural factors into account is transparent and inclusive is responsive to change facilitates continual improvement of the organisation. 1 st edition version: 1 BSBCOM603 Plan and establish compliance management systems Page 6 of Innovation and Business Industry Skills Council Ltd

11 Student Workbook Section 1 Establish a compliance culture The risk management process The diagram below 1 represents the process that can be implemented by organisations to assess risk and determine the potential consequences of a risk occurring, in order to develop a strategy for controlling the risk. Establishing the context Communication and consultation Risk assessment Risk identification Risk analysis Risk evaluation Risk treatment Monitoring and review 1 Source: Standards Australia, AS/NZS ISO 31000:2009 Risk management Principles and guidelines. BSBCOM603 Plan and establish compliance management systems 1 st edition version: Innovation and Business Industry Skills Council Ltd Page 7 of 85

12 Section 1 Establish a compliance culture Student Workbook AS/NZS ISO 31000:2009 views the analysis and evaluation of risk as two separate elements. An outline of the seven elements in the risk management process is as follows: Establishing the context Determine the scope of the project, both internally and externally. Establish the criteria by which a risk may be evaluated. Risk identification Risk analysis Risk evaluation Risk treatment Monitoring and review Communication and consultation Recognise potential hazards, that may prevent, diminish, delay etc. organisation or project objectives. Identify what are the consequences and likelihood of the risk taking place. Compare the potential rewards with the potential adverse outcomes including the likelihood of each. This allows decisions to be made regarding the priority and action required to manage the risk. The process of selecting which risks are to be managed and taking measures to limit the result of highest priority. Critically observe or measure the progress of the risk management process and make changes where they will be beneficial. Ensure stakeholders are aware of information applicable to them and appropriate to the risk level and the stage of risk management. As you can see, risk management is an extensive process. For the sake of this unit however, we will focus on the key steps of identifying risk and analysing risk, in light of their contribution to the compliance management process. 1 st edition version: 1 BSBCOM603 Plan and establish compliance management systems Page 8 of Innovation and Business Industry Skills Council Ltd

13 Student Workbook Section 1 Establish a compliance culture Risks must be identified in order to be analysed and treated. Risks are recognised in two categories: 1. What, where and when? This aims at generating a comprehensive list of risks that may impact the objectives. 2. Why and how? Identify the circumstances in which this risk may be realised. What would be the cause of an exposure of resources (i.e. failure of..., lack of..., loss of..., injury to... etc.)? Why? How? What? Where? When? The analysis of risk requires you to determine likelihood of that risk occurring, and the expected consequence or impact if it does occur. These two factors combine to give us a risk rating, so that we know how it should be treated. When determining the likelihood of risk, we consider five levels: Rare Unlikely Possible Likely Frequent May occur only in exceptional circumstances, e.g. death of an employee at work. Event is unlikely to occur but is possible, e.g. an employee crashing a company car. Event could occur, e.g. rain on the day of an outdoor event. Event likely to occur once or more during the life of the project, e.g. first aid injury. Event will occur many times during the life of the project, e.g. a busy street. The next step in risk analysis is to assess the potential consequence or impact of the risk on the organisation and its objectives. The general levels of consequence are called: Catastrophic multiple injuries/death regulatory intervention net revenue loss or asset damage exceeds $xxxxx damage to reputation at international level long-term environmental damage (five years or longer). Major single stakeholder breach of licenses, legislation, regulation or mandated standards net revenue loss or asset damage between $xxxx damage to reputation at national level medium-term (one to five year) environmental damage. BSBCOM603 Plan and establish compliance management systems 1 st edition version: Innovation and Business Industry Skills Council Ltd Page 9 of 85

14 Section 1 Establish a compliance culture Student Workbook Minor breach of internal procedures or guidelines net revenue loss or asset damage between $xx adverse news in local media environmental damage, requiring up to $250,000. Insignificant Learning activity: One of each no breach of licenses, standards, guidelines or related audit findings net revenue loss or asset damage $x public awareness may exist, but there is little public concern negligible environmental impact. Think about your community or workplace and give an example of a each of these risks: Rare and catastrophic Frequent and insignificant Possible and moderate 1 st edition version: 1 BSBCOM603 Plan and establish compliance management systems Page 10 of Innovation and Business Industry Skills Council Ltd

15 Student Workbook Section 1 Establish a compliance culture Now that you have determined both the likelihood and consequence of risk, the two are combined to determine the rating. The most effective method of risk analysis is to generate a risk matrix. As shown on the example below, where the identified consequence meets the identified likelihood, a risk rating is given. Consequence Insignificant Minor Moderate Major Catastrophic Almost certain High High Extreme Extreme Extreme Likelihood Likely Medium High High Extreme Extreme Moderate Low Medium High Extreme Extreme Unlikely Low Low Medium High Extreme Rare Low Low Medium High High Important and relevant legislation As mentioned above, legislation is a key source for compliance requirements. Arguably, the greatest risk for an organisation is to be non-compliant with relevant regulations as this can incur significantly penalties. There are many areas of legislation that govern and apply to businesses generally, and even more regulations that apply to specific industry areas. Some key areas of legislation affecting businesses are listed below. WHS regulations WHS (workplace health and safety) laws vary throughout Australia according to the state parliament that passed the Act. For example in Queensland it is the Work Health and Safety Act While other states have different names to their acts covering the workplace, they all prescribe a similar set of requirements for all managers including supervisors of projects. These are: To ensure that work is performed in a safe manner and does not have any negative effect on the worker s health. To ensure sufficient information and education is provided so that the work could be undertaken safely. To ensure workers have a say in the safety of their own workplace by recognising and acting on risks and hazards in the workplace. BSBCOM603 Plan and establish compliance management systems 1 st edition version: Innovation and Business Industry Skills Council Ltd Page 11 of 85

16 Section 1 Establish a compliance culture Student Workbook To implement audit and control measures that verify the effectiveness of OHS activities. To ensure equipment and machinery is maintained in a safe condition. Learning activity: OHS Discuss the application of OHS to compliance. Describe three ways OHS legislation affects your role as the compliance manager. 1 st edition version: 1 BSBCOM603 Plan and establish compliance management systems Page 12 of Innovation and Business Industry Skills Council Ltd

17 Student Workbook Section 1 Establish a compliance culture Privacy Act 1988 The Australian Privacy Principles regulate the way information is handled by private sector organisations, including: use collection data quality data security openness access and correction. There are several key obligations around information collection: Whenever possible collect information directly from the person. Take reasonable steps to let people know that personal information has been collected and what is going to be done with it. Only collect information that is necessary. Do not disclose information about the person to a third party that you are collecting information from. Collect information by fair means. Take care about the type of information contained in messages left on answering machines. Generally, personal information should only be used and disclosed for the purpose for which it was collected. Learning activity: Application of Australian privacy principles Discuss the application of privacy to compliance. Describe three ways these principles affect your role as the compliance manager. BSBCOM603 Plan and establish compliance management systems 1 st edition version: Innovation and Business Industry Skills Council Ltd Page 13 of 85

18 Section 1 Establish a compliance culture Student Workbook The Australian Securities and Investments Commission (ASIC) The Australian Securities and Investments Commission (ASIC) is Australia s corporate, markets and financial services regulator. It is an independent Commonwealth government body with most of its work being carried out under the Corporations Act ASIC regulates Australian companies, financial markets, financial services organisations and professionals who deal and advise in investments, superannuation, insurance, deposit taking and credit. ASIC s main role to consider in relation to this unit is its responsibility for ensuring that company directors and officers carry out their duties honestly, diligently and in the best interest of their company. ASIC administers many acts or parts of acts, as well as relevant regulations made under them, however the following are the main two: Corporations Act 2001 Australian Securities and Investments Commission Act The other acts involve insurance, superannuation and medical indemnity. The Corporations Act 2001 sets much of the legislative framework for the conduct of companies and their directors in relation to corporate governance. Internal controls need to be implemented and maintained to ensure compliance with the legislation administered by the delegated authority, ASIC. The Australian securities and investments commission act 2001 makes provision for ASIC to ensure the performance of the financial system and entities in it, to assist investors and consumers in the financial system with appropriate information, and to administer and enforce the law effectively. Learning activity: Director s responsibilities Search the ASIC website < (viewed July 2015), using the search term director s responsibilities. Name two director s responsibilities listed under the heading What does the law expect of you and for each describe a process or mechanism that you could put in place to help ensure compliance with this directive st edition version: 1 BSBCOM603 Plan and establish compliance management systems Page 14 of Innovation and Business Industry Skills Council Ltd

19 ` Student Workbook Section 1 Establish a compliance culture Company records compliance Under corporations law, directors are personally responsible for keeping proper company records. These could be grouped into financial records and company housekeeping records. Up-to-date financial records must be kept so that they can: accurately record and justify the company s transactions illustrate the financial position of the company and its performance. Companies should maintain current and accurate financial records in order to ensure that: it is able to prepare accurate financial statements of the company these financial statements may be properly audited the company is compliant to tax laws. Basic financial records that companies may be required by law to keep General ledger Records all transaction and balances (revenue, expenses, assets, liabilities). Otherwise, summarises these balances detailed in other records. Cash records For example, deposit books, cheque butts, petty cash records, bank statements. Debtor and sales records Outlines the money made or owing to the company, for example, delivery dockets, invoices and statements issued, debtors and their balances. Creditors and purchase records Outlines the money spent or owed by the company, for example, purchase orders, invoices and statements received creditors and their balances. Wage and superannuation records Funds paid to employees. A register of property, plant and equipment Shows the transactions and balances relating to individual items. Inventory records Value of the items that makes up the company s inventory. Investment records For example, certificates and notices related to dividends or interest. Tax returns and calculations For example, goods and services tax returns and statements, income tax, fringe benefits. Deeds, contracts and agreements Legal documentation. BSBCOM603 Plan and establish compliance management systems 1 st edition version: Innovation and Business Industry Skills Council Ltd Page 15 of 85

20 Section 1 Establish a compliance culture Student Workbook Learning activity: Recordkeeping Good recordkeeping practices are not just applicable to the financial operations of a business. List other areas of business operations where records should be retained and give examples of types of records of documentation that may be included. Describe the impact you would expect from failure to keep sufficient and accurate records. 1 st edition version: 1 BSBCOM603 Plan and establish compliance management systems Page 16 of Innovation and Business Industry Skills Council Ltd