The Australian Institute of Company Directors (AICD) launched new guidance on directors’ oversight of company compliance obligations in October 2024. The new Practice Statement outlines the key responsibilities directors have – to ensure their companies meet regulatory compliance. It emphasises the importance of proactive risk management, staying vigilant to potential compliance “red flags,” and challenging management where necessary to ensure alignment with legal obligations.
For organisations, this means a greater focus on compliance culture, regular audits, and leveraging GRC technology to monitor risks and get greater visibility of compliance obligations. Directors are expected to stay informed to better understand and address emerging compliance risks.
In this blog we explore what this new guidance means for company directors and the organisations they oversee. We also explore how GRC software can provide visibility of compliance obligations and their status to support organisations to align with the requirements.
Why have the AICD introduced these guidelines?
The AICD have introduced this new guidance in response to increasingly complex regulatory requirements, a series of risk and compliance failures, and ambiguity about who is responsible when things go wrong. The guidance is designed to ensure organisations take a proactive, structured approach to managing risk and compliance, with clear visibility and accountability. The new mandates will require boards to take a more active role in compliance and encourage individuals to speak up when they witness cases of non-compliance, so that issues are addressed and resolved quickly. The aim is to reduce ‘compliance risk’ and to learn from failures and near-misses.
What kind of compliance obligations does the regulation apply to?
Australian companies must comply with a variety of non-financial regulatory obligations, including work health and safety, employee rights, cybersecurity, and data protection. They are also bound by laws related to anti-money laundering, anti-bribery, and corruption. Additionally, many businesses are required to meet sustainability standards, such as climate risk reporting, emissions tracking, addressing modern slavery in the supply chain, closing the gender pay gap, and preventing workplace sexual harassment. There are also a whole host of industry specific and ESG related standards and regulations organisations must comply with to remain operational.
Regardless of a company’s sector or size, its obligations can be intricate, posing operational, compliance, and regulatory risks. These obligations require continuous oversight from directors. Non-compliance can lead to significant legal, financial, and reputational damage, potentially harming relationships with customers, employees, shareholders, and regulators.
When can Directors be deemed responsible for compliance failures?
A breach of a company’s legal or regulatory obligations doesn’t automatically imply that a director has violated their duty of care. Conversely, directors may still be held accountable for a breach of duty, even if the company hasn’t violated its compliance obligations. The AICD practice statement provides full guidance to support firms to distinguish between governance failures, organisational accountability, and individual wrongdoing.
It is therefore important for an organisation to have systems in place that ensure individuals are aware of the company’s compliance obligations, and that the firm can provide evidence of the steps and processes it has implemented to ensure compliance. There must also be procedures for addressing areas of non-compliance and for logging potential red flags and near-misses so they are followed up. Processes like these make it clear to both the organisation and its regulators whether a compliance failure was down to the organisation’s compliance systems and a lack of communication, or whether an individual was deliberately negligent and overlooked the requirements.
The AICD states that Directors must remain alert to ‘red flags’ that require further enquiry. These may include, for example:
- Lack of, or gaps in, reporting or lack of candour from management to the board on key compliance matters
- Critical reports or feedback from regulators suggesting poor risk management
- Persistent lack of investment in key systems and risk areas
- Frequent or increasing policy and protocol exceptions
- A risk category that is rated as high and/or increasing
- Unresolved or repeat internal control deficiencies relating to compliance matters
- Lack of communication or information sharing across functional and business lines
- Lack of evidence or documented diligence to support management assurances
- High management confidence that risk controls are effective without regular review or verification
- Increased customer/supplier complaints
- Significant outsourcing of services with limited management oversight or control
Source: AICD
How can GRC software support firms to align processes with the new AICD practice statement?
GRC (Governance, Risk, and Compliance) software can play a pivotal role in helping organisations align their processes with the new AICD practice statement. These systems offer out-of-the-box best-practice frameworks, templates, workflows, and forms to support firms to:
- Understand their compliance obligations.
- Implement governance checks, policies and procedures to ensure compliance.
- Track compliance failures and near misses.
- Manage risk.
- Implement controls.
- Enable staff to report potential regulatory compliance breaches and near-misses.
- Use case management workflows to rectify compliance breaches.
Here we detail how GRC software can support alignment with the AICD practice statement across several key areas:
- Tracking of Compliance Obligations
Firms can use the GRC software to build a digital obligations library. Each applicable regulation and the requirements are captured in the system, and controls, processes, procedures and policies are put in place to ensure compliance. Ownership is allocated for each obligation and the steps that are implemented to ensure compliance.
Automated workflows are used to establish regular compliance monitoring & checks to monitor compliance status, and incident management workflows are used to escalate any red flags, compliance gaps, or near misses – so they can be rectified.
This complete visibility of what the obligations are and what the company has implemented to comply acts as an audit trail to prove compliance and highlights accountability for any areas of non-compliance.
- Risk Management
Having a best-practice risk management programme in place is a good way to meet some of the requirements outlined in the AICD practice statement. GRC software offers best-practice frameworks, templates, workflows, and forms to implement such a programme straight out of the box. Firms can build a risk register covering all types of risk, from operational and enterprise risk to compliance and cyber risk. Key Risk Indicators can be established for each risk, and risk levels are monitored through regular risk assessments or by linking the platform to other systems and data sources. Workflows are used to fully automate the ‘risk assessment’ process: staff simply receive an automated email and complete an online form, and all data entered feeds directly into the platform.
When risk levels are high, the system alerts the relevant parties, and case management workflows enable firms to escalate the risk and fully document when and how it was resolved. Having adequate oversight of compliance risk at all levels of the business supports firms to align with the AICD practice statement. Using GRC software, directors can easily get visibility of compliance and operational risk, enabling them to step in where needed.
- Controls & Control Monitoring
To achieve compliance and manage risk, a company must have a series of controls in place. A control might be a policy or procedure, a regular check or inspection, a training course, or a piece of safety or security equipment. Whatever the control is, the organisation will need to undertake regular control checks and control testing to ensure the controls are effective. GRC software makes it easy to document the entire ‘control management’ process, and fully documenting the process gives directors visibility of gaps and control failures that could jeopardise compliance. Case management workflows are also used to escalate control gaps and document remediating actions. This provides visibility of control gaps (and the compliance processes affected), enabling accountable individuals to take action and keeping directors fully aware of any issues.
- Governance
GRC software supports the development of robust governance frameworks by clearly defining roles, responsibilities, and processes related to compliance. This ensures that directors and management are aligned in their understanding of compliance obligations and governance expectations. By facilitating communication and collaboration among different departments and formalising processes & procedures, GRC tools help create a culture of compliance throughout the organisation, as advocated by the AICD.
- Incident Management & Case Management
GRC software streamlines incident reporting and case management processes, allowing organisations to quickly document and address compliance incidents & breaches. Staff of all levels can log an ‘incident’ – this might be a control failure, a compliance gap, a breach of policy, or anything that could compromise compliance. This functionality enables firms to assess the impact of compliance related incidents, implement corrective actions, and prevent recurrence, which is essential for maintaining compliance with the AICD’s recommendations on providing visibility into areas of non-compliance, escalating compliance failures and clarifying ownership.
- Policy Management
Effective GRC software provides tools for creating, distributing, and managing policies across the organisation. This ensures that all employees are aware of their obligations and responsibilities and are operating in accordance with company policies. By maintaining up-to-date policies and tracking amendments, approvals, and employee attestations, organisations can foster a culture of compliance and accountability, as highlighted in the AICD practice statement. If a member of staff is seen to be in breach of a policy, this can be captured in the system and the actions taken can be fully documented.
- Whistleblowing
Many GRC platforms offer a discreet online whistleblowing portal. This provides a simple anonymous route for employees to report suspected cases of misconduct or non-compliance. Automated workflows escalate instances to the relevant team and facilitate case management until the incident is resolved. This demonstrates to the AICD that the organisation is proactive in dealing with potential misconduct that could impact compliance and provides clarity over who was responsible.
- Audit Management
Firms are typically audited against their compliance obligations, either through regular internal audits or scheduled external audits by the regulators themselves. GRC software can also support firms to formalise the audit process. Firms can use the software to plan and schedule their audits and capture the findings via online forms, creating a complete view of all audits and their outcomes. Case management workflows can also be used to escalate and resolve non-conformances, documenting the entire audit process. Similar audits can be cloned for easy set-up. The tools make it easy for firms to learn from previous audit findings, ensuring continuous improvement. Documenting the entire audit process demonstrates to the AICD that firms are taking compliance seriously and actively addressing compliance failures.
By utilising GRC software to manage these key areas, firms can effectively align their processes with the new AICD practice statement, ensuring they meet their legal and regulatory obligations while fostering a culture of compliance and governance.
Conclusion
Aligning with the AICD’s new practice statement requires organisations to take a proactive and structured approach to compliance oversight. Leveraging GRC software provides the tools necessary for directors and their firms to gain visibility into compliance obligations, manage risks, and monitor controls effectively. From tracking regulatory requirements to incident reporting, policy management, and regular audits, GRC platforms empower firms to create a culture of accountability and compliance. By adopting these technologies, companies can not only meet their legal obligations but also enhance their governance frameworks, ensuring long-term sustainability and trust with stakeholders.
If you are interested in learning more about how GRC software can support your organisation to align its processes with the new guidance outlined by the AICD, request a demo of the Camms platform.