cliffhuntington
ServiceNow Employee
10-23-2018 12:29 PM
Australian businesses accustomed to ‘toothless’ enforcement regimes are experiencing a rude shock. Regulators are growing teeth and are ready to bite businesses that experience lapses in compliance.
Historically, Australia has lagged behind the United States, western Europe and Asia-Pacific countries such as Singapore in backing regulation with powerful enforcement.
However, poor corporate conduct and increased global privacy protection measures are increasing the Australian community’s appetite for penalties, fees, and fines.
What implications does this newfound appetite for punishment have for Australian businesses?
They need only to look at overseas experiences for an idea. Over the last nine years, regulators have fined financial services businesses alone $342 billion for regulatory failures. This has erased an estimated $850 billion in profits for the top 50 global banks.[1]
This year, the European Union’s General Data Protection Regulation (GDPR) – which aims to protect the data and privacy of EU citizens – became enforceable.
According to the Office of the Australian Information Commissioner, the GDPR applies to Australian businesses with establishments in the EU or that provide goods and services to EU citizens anywhere in the world.
Breaches of compliance may incur penalties of up to 4% of global annual revenue and an enforced shutdown of EU operations.
However, for financial service organizations, fines may be only one aspect of punishment for risk management breakdowns.
Regulators may require them to keep more capital available to deal with failures, or demand they dedicate more skilled employees to the areas accountable for breaches. Failures in compliance or breaches of private data can also incur billions in losses to an organization’s market capitalization in public markets. The entire financial services industry is built on trust, and the reputational impacts of a failure can also be far reaching and hard to quantify.
With compliance breaches presenting a higher risk of sizeable fines or other enforcement actions, boards and executives are under pressure to make compliance a key priority.
Big businesses – with the greatest resources and the most to lose from powerful enforcement – are scrambling to improve their compliance regimes. Other businesses are following suit.
Unsurprisingly, urgency in Australia is greatest in the financial services sector. Executives and boards are closely monitoring risk and compliance teams and allocating resources to upgrade their organisations’ capabilities in this area.
So what are the key regulatory risks businesses in Australia should protect themselves against?
The first is cyber-security, including data breaches. Nearly every board is watching this issue closely and directors want to know how customer, employee and intellectual property data, and financial and operational information, is being secured.
The second – closely related – area of risk is regulatory failure, especially privacy breaches. Businesses are being required to comply with increasingly strict regulations and legislation governing the storage and handling of personal data.
The third is third- or fourth-party risk. This occurs when a business interacts with other organisations, and those organisations deal with other parties on behalf of that business. Boards and senior executive teams need to consider the implications of third or fourth parties operating in ways incompatible with their business’s values, culture or regulatory obligations.
This increasingly becomes an issue as more organizations outsource significant portions of their operations to third parties. Breaches involving third parties are on average 12% more costly to remediate, underscoring the need to continuously manage vendor risk.[2]
How can businesses identify risks in real time and respond in a coordinated fashion? The key is to create an integrated risk program across the organisation. This program needs to rest on a solid foundation that supports strategy, people, processes and technology.
The foundation comprises four elements:
- A shared understanding of risk, created through a common taxonomy and language. This single language for risk ensures chief financial officers, chief legal counsels and chief information officers understand what constitutes a low, medium or high risk to an organisation and can respond accordingly. They can work together to manage risk to comply with regulatory regimes, take advantage of new business opportunities and operate more efficiently.
- A sound risk and compliance culture that acknowledges risk is a driver of innovation and, consequently, success. By establishing an acceptable level of risk and applying constant monitoring and prioritisation, businesses can identify and respond effectively to risks.
- Executive sponsorship. An organisation-wide risk program needs to be driven by a leader with spending power and board support.
- A single source of truth. A risk foundation must be established on a consolidated data source that provides context for risk prioritisation, incorporates automation and allows individuals to visualise risk in a meaningful way.
However, Australia’s light touch enforcement regime means many businesses have not established this most basic foundation. I’ve worked with organizations with compliance budgets in the tens of millions of dollars and they are not yet doing the basics right. I would estimate that on a scale of 0 to 5 – 0 being businesses that use ad-hoc manual processes and spreadsheets to manage compliance and risk and 5 being businesses that have established a shared understanding of risk, a sound risk and compliance culture, executive sponsorship and a single source of truth – 90% of businesses score 1 or less.
To improve their score, businesses should weave the four foundational elements through the following pillars:
- Strategy: encompassing culture, sponsorship, plans, roadmaps and various activities to put them in place;
- People: ensuring everyone from leaders to individual contributors is empowered and resourced to perform their tasks;
- Processes: creating processes that deliver risk and compliance outcomes and ensuring teams, groups and stakeholders can follow them; and
- Technology: accelerating strategy, people and processes by enforcing processes, enabling collaboration and empowerment, driving engagement, helping execute strategies, and keeping people informed and involved.
If you would like to learn more about how to create a successful integrated risk management program, please contact me at cliff.huntington@servicenow.com.
1. Reuters: U.S., EU fines on banks' misconduct to top $400 billion by 2020: report. September 27, 2017
2. Ponemon Institute, Cost of a Data Breach report, 2017