
SAMPLE. BSBCOM603 Plan and establish compliance management systems


Academic year: 2021


Part of a suite of support materials for the

BSB Business Services Training Package

Student Workbook

BSBCOM603 Plan and establish compliance management systems

1st Edition 2015

SAMPLE: Not for training purposes

Acknowledgment

Innovation and Business Industry Skills Council (IBSA) would like to acknowledge EQUIP GROW LEAD PTY LTD for their assistance with the development of the resource for BSBCOM603B.

This resource was revised for BSBCOM603C by IBSA, and revised again by IBSA for BSBCOM603 (2015).

Copyright and Trade Mark Statement

© 2015 Innovation and Business Industry Skills Council Ltd

All rights reserved. Apart from any use permitted under the Copyright Act 1968, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, or otherwise, without written permission from the publisher, Innovation and Business Industry Skills Council Ltd (‘IBSA’).

Use of this work for purposes other than those indicated above, requires the prior written permission of IBSA. Requests should be addressed to the Product Development Manager, IBSA, Level 11, 176 Wellington Pde, East Melbourne VIC 3002 or email [email protected].

‘Innovation and Business Skills Australia’, ‘IBSA’ and the IBSA logo are trade marks of IBSA.

Disclaimer

Care has been taken in the preparation of the material in this document, but, to the extent permitted by law, IBSA and the original developer do not warrant that any licensing or registration requirements specified in this document are either complete or up-to-date for your State or Territory or that the information contained in this document is error-free or fit for any particular purpose. To the extent permitted by law, IBSA and the original developer do not accept any liability for any damage or loss (including loss of profits, loss of revenue, indirect and consequential loss) incurred by any person as a result of relying on the information contained in this document.

The information is provided on the basis that all persons accessing the information contained in this document undertake responsibility for assessing the relevance and accuracy of its content. If this information appears online, no responsibility is taken for any information or services which may appear on any linked websites, or other linked information sources, that are not controlled by IBSA. Use of versions of this document made available online or in other electronic formats is subject to the applicable terms of use.

To the extent permitted by law, all implied terms are excluded from the arrangement under which this document is purchased from IBSA, and, if any term or condition that cannot lawfully be excluded is implied by law into, or deemed to apply to, that arrangement, then the liability of IBSA, and the purchaser’s sole remedy, for a breach of the term or condition is limited, at IBSA’s option, to any one of the following, as applicable:

(a) if the breach relates to goods: (i) repairing; (ii) replacing; or (iii) paying the cost of repairing or replacing, the goods; or

(b) if the breach relates to services: (i) re-supplying; or (ii) paying the cost of re-supplying, the services.

Published by: Innovation and Business Industry Skills Council Ltd

Level 11, 176 Wellington Parade, East Melbourne VIC 3002

Phone: +61 3 9815 7000

Fax: +61 3 9815 7001

Email: [email protected]

www.ibsa.org.au

First published: September 2015

1st edition version: 1

Release date: September 2015

ISBN: 978-1-925379-20-4

Stock code: BSBCOM6031W


Table of Contents

Introduction ...1

Features of the training program ...1

Structure of the training program ...1

Recommended reading ...1

Section 1 – Establish a compliance culture ...3

What skills will you need? ...3

Compliance ...3

Compliance standards ...5

Important and relevant legislation ... 11

Compliance culture ... 19

The compliance manager ... 22

Research skills ... 24

Section summary ... 33

Further reading ... 33

Section checklist ... 33

Section 2 – Plan compliance systems ... 34

What skills will you need? ... 34

Compliance systems ... 34

Personnel requirements ... 38

Resource requirements ... 47

Documenting systems ... 49

Section summary ... 51

Further reading ... 52

Section checklist ... 52

Section 3 – Implement compliance systems ... 53

What skills will you need? ... 53

Implementation plan ... 53

Objectives and activities ... 57

Budget ... 61

Monitoring the system ... 62

Reviewing the system ... 67

Reporting ... 69

Section summary ... 74

Further reading ... 75

Section checklist ... 75

Glossary ... 76

Appendices ... 77

Appendix 1 – Compliance management system ... 77


Student Workbook Introduction

Introduction

Features of the training program

The key features of this program are:

● Student Workbook – Self-paced learning activities to help you to develop an understanding of key concepts and terms. The Student Workbook is broken down into several sections.

● Facilitator-led sessions – Challenging and interesting learning activities that can be completed in the classroom or by distance learning that will help you consolidate and apply what you have learned in the Student Workbook.

● Assessment tasks – Summative assessments where you can apply your new skills and knowledge to solve authentic workplace tasks and problems.

Structure of the training program

This training program introduces you to compliance management. Specifically, you will develop the skills and knowledge in the following topic areas:

1. Establish compliance culture.

2. Plan compliance systems.

3. Implement compliance systems.

Your facilitator may choose to combine or split sessions. For example, in some cases, this training program may be delivered in two or three sessions, or in others, as many as eight sessions.

Recommended reading

Some recommended reading for this unit includes:

Baxt, R., 2005, Duties and Responsibilities of Directors and Officers, Australian Institute of Company Directors, Sydney.

Biegelman, M., 2008, Building a World-Class Compliance Program, Wiley, USA.

Davidson, P., Simon, A., Woods, P., Griffin, R. W., 2009, Management, Wiley Publishing, Milton.

Hanrahan, P. et al., 2007, Commercial Applications of Company Law, 9th edn, CCH, Sydney.

McLean, B. and Elkind, P., 2004, The Smartest Guys in the Room, Penguin, USA.

Merna, T., 2008, Corporate Risk Management, 2nd edn, Wiley, USA.

Standards Australia, AS/NZS 3806:2006 Compliance programmes.

Standards Australia, AS ISO 10002:2006 Customer satisfaction – Guidelines for complaints handling in organizations (ISO 10002:2004, MOD).

Standards Australia, AS/NZS ISO 31000:2009 Risk management – Principles and guidelines.

Standards Australia, AS ISO 15489 (Set): 2004 Records management.

Tarantino, A., 2008, Governance, Risk and Compliance Handbook, Wiley, USA.

Please note that any URLs contained in the recommended reading, learning content and learning activities of this publication were checked for currency during the production process. Note, however, that IBSA cannot vouch for the ongoing currency of URLs.

Every endeavour has been made to provide a full reference for all web links. Where URLs are not current we recommend using the reference information provided to search for the source in your chosen search engine.

Section 1 – Establish a compliance culture

This section is about establishing a compliance culture within your organisation and includes gaining an understanding of what compliance is and how it affects the operations of your organisation. It also covers a section on the role of the compliance manager and their ability to interpret and implement compliance standards and requirements.

Scenario: Raising awareness

What is compliance? What are the key issues? How can we protect the company reputation and ensure business performance? Every organisation needs to inform its employees and raise awareness of compliance issues. As the compliance manager, you must understand the compliance requirements for the organisation and create a culture where compliance is recognised as essential for risk minimisation. This means securing buy-in to the compliance program from senior management down.

What skills will you need?

In order to establish a compliance culture within your organisation you must be able to:

● identify the need for compliance

● interpret compliance standards and requirements

● establish compliance culture

● identify the compliance manager’s role.

Compliance

Compliance may be defined as certification or confirmation that the doer of an action or the manufacturer or supplier of a product, meets the requirements of accepted practices, legislation, prescribed rules and regulations, specified standards, or the terms of a contract.

Compliance cannot be viewed as a separate department or activity, but should be aligned with all of the strategies, objectives and activities of your organisation. Compliance must be reflected in every aspect of the organisation’s culture and be integrated into your strategic, environmental, health and safety, financial, risk management, operational requirements and procedures.

Good compliance is a necessity. Most companies are aware of how important it is to guarantee and improve integrity in their organisation. A company’s reputation and image can be seriously damaged by incidents, malpractice and inconsistent behaviour.


Standards, regulations and industry benchmarks are created in order to guide businesses in their daily operations and provide a basis for acceptable behaviour.

However, understanding the issues surrounding compliance and interpreting the associated documentation can be frustrating for organisations. It is made more difficult by the variety of regulations that exist and the fact they keep changing.

In 2006 Standards Australia issued AS 3806:2006 Compliance programmes which outlines 12 principles to help organisations with the implementation of an effective compliance program. This standard supersedes the previous AS 3806:1998. The objective of the standard is to provide principles and guidance for organisations designing, developing, implementing, maintaining and improving an effective compliance program.

The Standard AS 3806:2006 outlines a four stage process of developing a compliance program: commitment, implementation, monitoring and measuring, and continual improvement.

[Figure: The four stages of compliance program development: Commitment, Implementation, Monitoring and measuring, and Continuous improvement.]

These four stages contain 12 guiding principles which can be summarised in the following manner:

1. Senior management makes a commitment to its compliance obligations.

2. The compliance policies are endorsed by management and aligned with organisational strategy and objectives.

3. Resources are allocated for the development and implementation.

4. The objectives and strategy of the compliance program are endorsed.

5. Compliance obligations are identified.

6. Responsibility for compliance outcomes is established.

7. Training is provided to employees to enable them to fulfil compliance obligations.

8. Culture is created which supports compliance objectives.

9. Controls are established to manage compliance obligations and achieve outcomes.

10. Program performance is measured and monitored.

11. Demonstration of compliance through documentation and practice.

12. Program is continually improved.


Compliance standards

Your organisation needs to identify its compliance obligations and how they impact on its products, services and activities. These obligations should be the guide for the implementation, maintenance and continuous improvement of your compliance program. Your organisation will need to document these obligations in accordance with the size, structure, and operations of your organisation. It is helpful to build a list of the various sources that outline your compliance obligations. These may include:

● common law

● legislation and regulations

● industry codes and standards

● customary or indigenous law

● treaties, protocols and conventions

● directives

● orders from regulatory agencies

● permits and licenses

● judgements from courts and tribunals.

The list may be expanded to include obligations that your organisation wants to adhere to. Some of these obligations may include:

● organisational requirements

● voluntary codes of practice

● commitments to the environment

● agreements with customers and community groups

● agreements with local authorities

● agreements with non-governmental and non-profit organisations.

Compliance standards sometimes change, so it is important to stay in touch with any changes in laws, regulations or obligations that may affect your level of compliance. When changes occur, your program must adjust in order to remain compliant. To stay informed about these changes, information can be accessed by:

● monitoring regulator’s websites

● subscribing to mail lists and information services

● becoming a member of professional groups

● seeking advice from a legal advisor

● attending industry forums.

Compliance standards need to be translated into your organisational context and recorded in a compliance policy document. This policy needs to give consideration to the following:

● organisation strategy, values and objectives

● organisation’s structure and governance

● risks associated with non-compliance

● specific local and regional requirements

● extent to which compliance is embedded into operations

● internal policies, standards and codes

● how external relationships will be managed e.g. outsourcing.

Before your organisation implements its compliance program you need to identify the risks and consequences associated with failing to comply with obligations.

Risk management

Compliance management and risk management go hand in hand. The potential risk posed to the organisation through non-compliance must be a consideration in establishing compliance management systems. The expected consequences should determine how stringent the controls and processes for compliance are, and the severity of penalties for failure to comply.

The Australian/New Zealand Standard AS/NZS ISO 31000:2009 Risk management – Principles and guidelines (formerly AS/NZS 4360:2004) provides a guide for managing risk. The objective of this standard is to provide guidance to enable public, private or community enterprises, groups and individuals.

For risk management to be effective, organisations at all levels need to ensure that their risk management program:

● creates and protects value

● is an integral part of all of the organisation’s processes

● forms part of decision making

● explicitly expresses uncertainty

● is systematic, structured and timely

● is based on the best available information

● is tailored to the organisation

● takes human and cultural factors into account

● is transparent and inclusive

● is responsive to change

● facilitates continual improvement of the organisation.

The risk management process

The diagram below¹ represents the process that can be implemented by organisations to assess risk and determine the potential consequences of a risk occurring, in order to develop a strategy for controlling the risk.

[Figure: The risk management process: Establishing the context; Risk assessment (Risk identification, Risk analysis, Risk evaluation); Risk treatment; with Monitoring and review, and Communication and consultation running alongside every step.]

¹ Source: Standards Australia, AS/NZS ISO 31000:2009 Risk management – Principles and guidelines.


AS/NZS ISO 31000:2009 views the analysis and evaluation of risk as two separate elements. An outline of the seven elements in the risk management process is as follows:

● Establishing the context – Determine the scope of the project, both internally and externally. Establish the criteria by which a risk may be evaluated.

● Risk identification – Recognise potential hazards that may prevent, diminish or delay the achievement of organisation or project objectives.

● Risk analysis – Identify the consequences and likelihood of the risk taking place.

● Risk evaluation – Compare the potential rewards with the potential adverse outcomes, including the likelihood of each. This allows decisions to be made regarding the priority and action required to manage the risk.

● Risk treatment – Select which risks are to be managed and take measures to limit those of highest priority.

● Monitoring and review – Critically observe or measure the progress of the risk management process and make changes where they will be beneficial.

● Communication and consultation – Ensure stakeholders are aware of information applicable to them and appropriate to the risk level and the stage of risk management.

As you can see, risk management is an extensive process. For the sake of this unit, however, we will focus on the key steps of identifying risk and analysing risk, in light of their contribution to the compliance management process.


Risks must be identified in order to be analysed and treated. Risks are recognised in two categories:

1. What, where and when? This aims at generating a comprehensive list of risks that may impact the objectives.

2. Why and how? Identify the circumstances in which this risk may be realised. What would be the cause of an exposure of resources (i.e. failure of ..., lack of ..., loss of..., injury to... etc.)?

The analysis of risk requires you to determine likelihood of that risk occurring, and the expected consequence or impact if it does occur. These two factors combine to give us a risk rating, so that we know how it should be treated.

When determining the likelihood of risk, we consider five levels:

● Rare – May occur only in exceptional circumstances, e.g. death of an employee at work.

● Unlikely – Event is unlikely to occur but is possible, e.g. an employee crashing a company car.

● Possible – Event could occur, e.g. rain on the day of an outdoor event.

● Likely – Event likely to occur once or more during the life of the project, e.g. first aid injury.

● Frequent – Event will occur many times during the life of the project, e.g. a busy street.

The next step in risk analysis is to assess the potential consequence or impact of the risk on the organisation and its objectives. The general levels of consequence are called:

Catastrophic

● multiple injuries/death

● regulatory intervention

● net revenue loss or asset damage exceeds $xxxxx

● damage to reputation at international level

● long-term environmental damage (five years or longer).

Major

● single stakeholder

● breach of licenses, legislation, regulation or mandated standards

● net revenue loss or asset damage between $xxxx

● damage to reputation at national level

● medium-term (one to five year) environmental damage.

Minor

● breach of internal procedures or guidelines

● net revenue loss or asset damage between $xx

● adverse news in local media

● environmental damage, requiring up to $250,000.

Insignificant

● no breach of licenses, standards, guidelines or related audit findings

● net revenue loss or asset damage $x

● public awareness may exist, but there is little public concern

● negligible environmental impact.

Learning activity: One of each

Think about your community or workplace and give an example of each of these risks:

Rare and catastrophic –

Frequent and insignificant –

Possible and moderate –


Now that you have determined both the likelihood and consequence of risk, the two are combined to determine the rating. The most effective method of risk analysis is to generate a risk matrix. As shown on the example below, where the identified consequence meets the identified likelihood, a risk rating is given.

Risk matrix (rows: Likelihood; columns: Consequence)

Likelihood      Insignificant  Minor   Moderate  Major    Catastrophic
Almost certain  High           High    Extreme   Extreme  Extreme
Likely          Medium         High    High      Extreme  Extreme
Moderate        Low            Medium  High      Extreme  Extreme
Unlikely        Low            Low     Medium    High     Extreme
Rare            Low            Low     Medium    High     High

Important and relevant legislation

As mentioned above, legislation is a key source of compliance requirements. Arguably, the greatest risk for an organisation is to be non-compliant with relevant regulations, as this can incur significant penalties. There are many areas of legislation that govern and apply to businesses generally, and even more regulations that apply to specific industry areas. Some key areas of legislation affecting businesses are listed below.

WHS regulations

WHS (workplace health and safety) laws vary throughout Australia according to the state parliament that passed the Act. For example, in Queensland it is the Work Health and Safety Act 2011. While other states have different names for their acts covering the workplace, they all prescribe a similar set of requirements for all managers, including supervisors of projects.

These are:

● To ensure that work is performed in a safe manner and does not have any negative effect on the worker’s health.

● To ensure sufficient information and education is provided so that the work could be undertaken safely.

● To ensure workers have a say in the safety of their own workplace by recognising and acting on risks and hazards in the workplace.

● To implement audit and control measures that verify the effectiveness of OHS activities.

● To ensure equipment and machinery is maintained in a safe condition.

Learning activity: OHS

Discuss the application of OHS to compliance. Describe three ways OHS legislation affects your role as the compliance manager.


Privacy Act 1988

The Australian Privacy Principles regulate the way information is handled by private sector organisations, including:

● use

● collection

● data quality

● data security

● openness

● access and correction.

There are several key obligations around information collection:

● Whenever possible, collect information directly from the person.

● Only collect information that is necessary.

● Collect information by fair means.

● Take reasonable steps to let people know that personal information has been collected and what is going to be done with it.

● Do not disclose information about the person to a third party that you are collecting information from.

● Take care about the type of information contained in messages left on answering machines.

Generally, personal information should only be used and disclosed for the purpose for which it was collected.

Learning activity: Application of Australian privacy principles

Discuss the application of privacy to compliance. Describe three ways these principles affect your role as the compliance manager.


The Australian Securities and Investments Commission (ASIC)

The Australian Securities and Investments Commission (ASIC) is Australia’s corporate, markets and financial services regulator. It is an independent Commonwealth government body with most of its work being carried out under the Corporations Act 2001. ASIC regulates Australian companies, financial markets, financial services organisations and professionals who deal and advise in investments, superannuation, insurance, deposit taking and credit. ASIC’s main role to consider in relation to this unit is its responsibility for ensuring that company directors and officers carry out their duties honestly, diligently and in the best interest of their company.

ASIC administers many acts or parts of acts, as well as relevant regulations made under them; however, the following are the main two:

● Corporations Act 2001

● Australian Securities and Investments Commission Act 2001.

The other acts involve insurance, superannuation and medical indemnity.

The Corporations Act 2001 sets much of the legislative framework for the conduct of companies and their directors in relation to corporate governance. Internal controls need to be implemented and maintained to ensure compliance with the legislation administered by the delegated authority, ASIC.

The Australian Securities and Investments Commission Act 2001 makes provision for ASIC to ensure the performance of the financial system and entities in it, to assist investors and consumers in the financial system with appropriate information, and to administer and enforce the law effectively.

Learning activity: Director’s responsibilities

Search the ASIC website <http://www.asic.gov.au> (viewed July 2015), using the search term ‘director’s responsibilities’. Name two director’s responsibilities listed under the heading ‘What does the law expect of you’ and for each describe a process or mechanism that you could put in place to help ensure compliance with this directive.

1.

2.


Company records compliance

Under corporations law, directors are personally responsible for keeping proper company records. These can be grouped into financial records and company housekeeping records.

Up-to-date financial records must be kept so that they can:

● accurately record and justify the company’s transactions

● illustrate the financial position of the company and its performance.

Companies should maintain current and accurate financial records in order to ensure that:

● the company is able to prepare accurate financial statements

● these financial statements may be properly audited

● the company is compliant with tax laws.

Basic financial records that companies may be required by law to keep

General ledger

● Records all transactions and balances (revenue, expenses, assets, liabilities). Otherwise, summarises the balances detailed in other records.

Cash records

● For example, deposit books, cheque butts, petty cash records, bank statements.

Debtor and sales records

● Outlines the money made or owing to the company, for example, delivery dockets, invoices and statements issued, debtors and their balances.

Creditors and purchase records

● Outlines the money spent or owed by the company, for example, purchase orders, invoices and statements received, creditors and their balances.

Wage and superannuation records

● Funds paid to employees.

A register of property, plant and equipment

● Shows the transactions and balances relating to individual items.

Inventory records

● Value of the items that make up the company’s inventory.

Investment records

● For example, certificates and notices related to dividends or interest.

Tax returns and calculations

● For example, goods and services tax returns and statements, income tax, fringe benefits.

Deeds, contracts and agreements

● Legal documentation.


Learning activity: Recordkeeping

Good recordkeeping practices are not just applicable to the financial operations of a business. List other areas of business operations where records should be retained and give examples of the types of records or documentation that may be included. Describe the impact you would expect from failure to keep sufficient and accurate records.
