
The State of Compliance

Friday 7 February 2020

Samantha Carroll from Ash St. Legal & Advisory

Long Read

This article was originally published in the GRC Professional Conference 2019 Edition.

Samantha Carroll will be one of the speakers at the AML & Financial Crimes Summit on 20th April being held at the Grand Hyatt.

Earlier this year, the media reported an increase in investment into risk and compliance off the back of the Royal Commission.

Around the same time, the GRC Professional Magazine spoke to Randstad Risk and Compliance Team Leader, Andrew Wouterz, who indicated that investment and opportunities in risk and compliance were growing steadily.

“I think every company has its own situation, but generally, we are seeing that compliance has a seat further up the table than they did two-to-three years ago, and they have a lot more influence and power,” Wouterz said. “I think companies are on that journey now where they see compliance, and see the benefits and usefulness, but what we are hearing anecdotally, and seeing, is that a lot of companies are raiding their project spends, and they’re raiding them for anything associated with the Royal Commission.”

However, despite this growth, skilled risk and compliance professionals are still hard to find. At the #Accelerate Regtech Conference 2019 in March, Samantha Carroll from Ash Street Lawyers told attendees there was a genuine shortage of good compliance professionals in Australia.

“You cannot find good compliance people in the industry with deep expertise,” Carroll said. “Having seen the industry over the last 15 years, it has evolved. So, you might have people who have been in the industry for 15 years, but they have an old-school mentality when it comes to compliance.”

Earlier this month, GRC Professional Magazine took the chance to catch up with Carroll to find out what, from her perspective, has changed in the industry in the wake of the Royal Commission as it relates to risk and compliance.


Let’s begin with getting a sense of who you are and how you got into this space.

I chose to complete a legal and a business degree because I’ve always had a combined interest in the law and in how business operates. Certainly, it’s an interest I’ve had even from my school days.

I started in a private practice about 15 years ago, and while I was there, I had the opportunity to do what I would consider to be my first compliance-related task, which was to write a trade practices compliance manual for a large food manufacturer distributer that, at the time, was responding to an enforceable undertaking from the ACCC [Australian Competition and Consumer Commission]. I really enjoyed the matter, and I think that was because I was able to apply the law in a more practical business sense, so I was able to combine the two degrees together, which really appealed to me.

I think I must have said something to one of my friends who worked in a top-tier law firm at the time, and she said, “There’s a partner in my law firm and all he does is compliance. You should meet him.” I started as a junior in the governance and compliance practice at the firm and moved my way up to be the special counsel there.

Throughout that period, we worked on a number of matters that involved what I would classify as proactive compliance advice—that is, providing strategic compliance advice to compliance functions, reviewing and advising on compliance frameworks, and reviewing and advising on policies and procedures.

A lot of that work happened pre-GFC [Global Financial Crisis]. Then, when the GFC hit, there seemed to be an increase in regulatory matters, which meant an increase in the opportunities to advise on the law and the application of the law, and to represent clients in enforcement activities being undertaken by regulators, such as the ACCC and ASIC [Australian Securities and Investments Commission].

After almost a decade at the firm, I moved into an in-house role at a mid-tier bank. I started in the legal team, but predominantly, I was head of compliance there for about three years.

That’s quite a bit of background you have there! You talked about the difference between what compliance looked like before and after the GFC. I guess the thing people are talking about now is what does compliance look like before and after the Royal Commission and if there is a big difference?

What are some of the trends you’ve seen when it comes to organisations trying to meet their obligations? It would also be good to get a sense of what the trends were pre-Royal Commission and how those trends have changed post-Royal Commission.

I think pre-Royal Commission, there was possibly a bit more apathy around compliance, possibly an aftermath of the GFC and perhaps a lack of enforcement over certain obligations. What the Royal Commission has done, and a lot of the more-recent regulatory activity undertaken by other regulators, such as AUSTRAC [Australian Transactions Reports and Analysis Centre], is to shed a direct light onto compliance and where Australia is at in terms of its maturity in managing compliance risk.

While there has been some apathy, it is also generally the case that compliance has become more complex now because we have more legislative obligations than we ever had before. New laws and amendments to existing laws are constantly coming through, and a lot of these are focused on social issues as well. So, interpreting the law is no longer a ‘black letter’ approach, as the legislation and regulatory requirements that sit alongside this are a blend of principles, expected behaviours, social consciousness and the black letter law, and all this makes it more complex to implement. For example, the Royal Commission Inquiry into Misconduct in the Banking, Superannuation and Financial Services Industry emphasised the need to look at norms and behaviours.

Enforcement activities by regulators have also been increasing as a result of pressure from the community and Government on regulators themselves to take more action—and more severe action, at that.

So, the approach to compliance has really had to evolve because of these developments, and what the recent compliance failures highlighted by the Royal Commission and reviews such as those being performed by the ASIC Governance Taskforce have revealed is that the understanding of compliance, and compliance risk, and how it should be managed, isn’t as mature as what it needs to be in Australia. Certainly, there’s now a recognition that we need to mature our thinking and mature how we approach these things because what has been happening up until now does not appear to be working.

The other evolving trend in compliance is, of course, an increased interest in technology for compliance (RegTech) and the role RegTech is going to play in improving compliance. While I think there is definitely more interest in RegTech, we are yet to see a substantial improvement in the performance of compliance as a result of the application of technology. From my point of view, I guess the starting point for an organisation is to first have a really strong understanding of its compliance risks so it can correctly apply and prioritise technology in the right places. My sense now is that the approach to RegTech seems to be more reactive than strategic. And perhaps also some of the challenges arise because there is a general lack of clarity and consistency in what ‘good’ looks like for compliance, and that’s what people are really grappling with at the moment.

You mentioned the AUSTRAC actions, and obviously, we had Peter Soros at the Refinitiv event [Australian Regulatory Summit] earlier this year basically saying there would be more regulatory action to come in future—and we’ve certainly seen some interesting action since then. So, I guess we will see where all that will go!

So, we have increased enforcement and all these consultation papers released, and the regulatory guides coming out of ASIC etc., and risk and compliance professionals are trying to embed new systems. But one of the key questions our members are trying to answer for their organisations is: how do you implement these programs? In your opinion, how best does someone implement a compliance program, or what should the three lines of defence or responsibility look like, in a general sense?

We’ll start with the three lines of defence. The concept of the three lines of defence is certainly more-widely recognised in organisations today than what it was, say, a decade ago. Well, that is to say we have a lot more organisations adopting it as a risk management approach. Most boards and organisations can articulate reasonably well what it means (although the ASIC Governance Taskforce review suggested there remains some lack of understanding, even in our largest organisations). I guess the question upon which I have been reflecting recently is why is it still so difficult to understand how compliance operates within the three lines of defence? Whenever I discuss this with other compliance professionals, there are always differing views and approaches to managing compliance within this model.

No question: there are benefits for an organisation when compliance and risk work together. An integrated ‘GRC’ approach can remove unnecessary duplication and lead to more efficient processes and better outcomes for an organisation. However, having an integrated approach does not mean it is in the best interests of the organisation to treat compliance management and risk management as the same, because they are not the same. In fact, they are quite different. The three lines of defence comes from military planning and sport origins, and so the broad concept is that there are three layers of activities being performed to ensure the organisation is doing what it needs to manage and mitigate risk within its appetite. The ‘defence’ you are trying to establish in a compliance context is a due diligence defence—something that is enshrined in the law (both legislative and case law).

I think the challenge for businesses and boards is there is not yet a universally recognised definition of compliance risk and compliance risk appetite.

The other challenge, in my view, is in the legal concept of a due diligence defence. The due diligence defence at law has a strong emphasis on board and senior management responsibilities. There are a lot of views expressed that the board and its committees aren’t actually part of the three lines of defence model. Given the strong emphasis on risk and this model over the last decade, perhaps this is why we are now seeing an issue with accountability at this level.

So, to summarise, I think the mistake many people make is in thinking that the three lines of defence is the way to implement a compliance management system. But actually, it’s something that the compliance management system needs to sit within and alongside. A compliance management system is a particular type of management system that requires key components to operate effectively and achieve its objectives. The only standardised guidance for implementation of a compliance management system presently is the International Standard on Compliance Management Systems – ISO19600. However, to the best of my knowledge, the International Standard is not formally recognised by Australian regulators, and while many organisations aspire to implement their compliance framework to meet the Standard, it is not deeply understood what ‘good’ looks like when implementing to meet this Standard.

For example, in the recent ASIC Corporate Governance Taskforce report into director and officer oversight of non-financial risk, the Taskforce focused on compliance risk as the primary risk for directors and officers. It was surprising, however, that despite this focus of the Taskforce on compliance risk, there was no commentary or reference to the International Standard.

That report in some ways echoed the APRA report that came out some months earlier, looking at self-assessments. Definitely some echoes there in terms of the self-assessment they did when they had the 36 different entities look at their own programs. Again, they mentioned non-financial risks, and they mentioned compliance as a risk, but of course there was no mention of the [compliance] standard.

So, you’ve touched on the challenges and there seem to be quite a few—and probably more you could bring up, if you needed to! I guess the next question is about a comment I heard you make earlier this year when you spoke about the availability of skilled compliance professionals. The big thing at the beginning of this year was that there was going to be this ‘big spend’ in risk and compliance off the back of the Royal Commission.
Are we seeing that now? Or is it still a challenge? Are we actually seeing more compliance professionals? Or are we still having this ‘drought’, with all the different institutions trying to meet their obligations and remediate?

I would say this definitely remains an issue. I guess the reason why there is a challenge is that there is a considerable increase in demand for compliance professionals and, broadly speaking, not enough professionals to meet that demand.
We’re hearing from a lot of clients that it’s challenging to find people with sufficient expertise—that is, those at a more senior level to manage compliance functions, perform senior compliance roles or to oversee the extensive amount of regulatory changes. Also, there is an increasing amount of remediation activity happening, particularly in larger institutions, that swallows up any of the remaining expertise in the market. So, it’s definitely an issue still and potentially getting worse.

One of our members did say recently that she got the impression sometimes that most people are spending most of their resources on remediation, rather than on improving their programs.

Absolutely, there is definitely a sense that institutions are focused on reactive activities rather than proactive activities in compliance, but this is more out of necessity due to the environment in which they are operating, as opposed to a lack of will or desire to work on proactive measures.

So, with that in mind, with the challenges that you’ve mentioned and considering the shortage of compliance professionals in this space, how can industry meet these legislative expectations, and how can they meet these new regulatory expectations in market without having those compliance professionals? How can they implement those compliance programs to improve consumer outcomes?

I think the only answer is to work smarter, as ‘more resources’ is not necessarily the answer in every case.

What I mean by ‘smarter’ is that compliance professionals are going to have to work more efficiently and more effectively through a range of activities to optimise available resources. Some of the activities I would suggest may need to be considered would be:

  • To rationalise the current approach to managing compliance and weed out any unnecessary activities being performed by compliance that aren’t adding value or achieving better compliance or performance by the business. Compliance functions can have a tendency to focus on form over substance. While the form is important, there are opportunities to look for better ways to achieve compliant outcomes. A particular area that comes to mind is the evaluation of compliance obligations through the use of a compliance obligations register. In my view, there is an opportunity to rethink this approach with a greater focus on compliance risks rather than a line-by-line assessment of each obligation.
  • To consider the role technology can play in more effective and efficient work practices within the compliance function and its own activities but also business activities. For example, compliance functions could look at things like compliance incidents’ management, which can take up a lot of time if it is a manual process. Compliance activities performed by the business should also be reviewed to determine what efficiencies could be gained from the use of technology. Technology-assisted compliance activities are increasingly being called ‘compliance by design’.
  • Assessing the role outsourcing could play in the management of compliance. For example, if an organisation has a shortage of experts, it could think about what it can access externally to fill any internal gaps it may have or to use its resources more efficiently. Outsourcing compliance activities could include using external experts to do some of the development work for compliance controls or framework documentation, getting service providers to perform monitoring or utilising external training provider services.

We haven’t spoken very much about technology. Have you seen a big uptake in the use of these types of technologies and the use of data analytics to help with the compliance programs that exist?

Yes and no. There is definitely an increase in interest, but as noted earlier, I think it’s still an area that is still maturing.

Some examples I have come across where RegTech is being used include organisations using platforms to manage risk and compliance frameworks, chat-bots to assist with advice on answering questions around compliance requirements, and data analytics for monitoring. On the business side of things, technology is being used to improve compliance in customer identification and on-boarding and any other activities that streamline the provision of services or products to customers.

What advice do you have for risk and compliance professionals working in what can seem like a slightly hostile environment, trying to make sure their organisations meet regulatory and community expectations?

There are probably five key points or pieces of advice I would give:

  • Firstly, to ensure there is clear understanding at the board and executive level on the types of compliance risks being faced by the organisation, and how those risks are being managed.
  • Secondly, to ensure you are escalating reporting on compliance in sufficient detail because lack of detail has been an issue that has been identified in recent reviews. Getting the right detail at a governance level is important to ensure the board and the executive management clearly understand the compliance risks/issues and what needs to be done to address those risks/issues, including any barriers or challenges that may be faced when doing so.
  • The third piece of advice would be to work closely with your risk management personnel to ensure compliance is embedded appropriately into risk management practices and the three lines of defence model but that the three lines of defence is not the only focus for compliance management.
  • The fourth would be to develop strong foundational documentation that sets out the compliance framework in a way that is specific to the organisation, and that’s also well-structured and purposeful.
  • And the fifth would be to ensure that reporting on compliance incorporates meaningful measurement and metrics that focus not only on effectiveness but also on the performance of the compliance management system.