Australia’s Adequate Procedures Guidance
Today we have a guest column from Mary Shirley, chief compliance officer at ScionHealth.
Earlier this year Australia passed new anti-corruption legislation known as the Crimes Legislation Amendment (Combating Foreign Bribery), and in August the government released voluntary guidance to help corporations understand the “adequate procedures” — that is, the elements of an effective compliance program as Australia sees them — that would help them to avoid falling foul of the law.
As an antipodean myself, I’m encouraged to see Australia taking steps to catch up with other countries on how seriously it takes anti-corruption. Let’s review the six elements detailed by the Australian Attorney General and what they mean for compliance professionals, both locally in Australia and for those anywhere in the world who have an Oceania or Asia-Pacific remit.
The Six Elements of Adequate Procedures
The six elements of adequate procedures to prevent the commission of bribery are as follows (and should feel familiar to corporate compliance officers).
1. Fostering a control environment to prevent foreign bribery
Similar to other jurisdictions, proportionality is emphasized. The guidance is quite clear that the higher the risk of bribery your organization faces, the more sophisticated your control environment ought to be.
Notably, a “robust culture of integrity” receives a lot of attention under this section. Despite tone from the top having its own element (mentioned below), there are multiple references to leaders playing a part in control environment efforts, including a specific call-out for sufficient resources to monitor senior leadership’s adherence to a culture of integrity. It’s clear from the suggestions in this section that the Australian government expects senior leaders to play a critical role in a robust compliance program — and rightly so.
Another interesting item: This is the first time I’ve seen government guidance direct businesses to take periodic surveys of the workforce to evaluate compliance culture; until now, this action has only been a shared best practice within the compliance community (usually referred to as “culture of integrity” surveys).
2. Responsibilities of top-level management
Tone at the top is discussed in the first element, but the second element provides a comprehensive list of suggestions for organizations to demonstrate that the highest echelons of the organization (including the board where relevant) are invested in fostering a culture of integrity. Experienced compliance officers may find some inspiration in this section to “level up” your existing efforts.
So what might all this look like in practice? The Australian guidance gives an example of top management “endorsing bribery prevention publications.” So perhaps your global CEO could do a LinkedIn post about this new Australia guidance and how it fits in with the company’s approach to doing business honestly and fairly.
3. Risk Assessment
The guidance provides considerable detail for how to conduct a risk assessment, which should be very helpful for organizations doing this for the first time. For example, the guidance mentions consulting with employees on the front line (interviewing only the first few tiers of an organization is not going to give a holistic view of risk) as well as speaking with external stakeholders such as investors.
I suspect that not everyone currently conducts risk assessments that go beyond internal information sources; this suggestion to seek outside validation is a good way to bolster your existing risk assessment practices. This element also suggests a risk register in conjunction with a risk assessment, as well as information about conducting due diligence.
4. Communication and Training
The communication section opens with a particularly compelling objective: “The main goal for internal communication is for the anti-bribery compliance program to be at the forefront of the employee’s mind.” This means that communication efforts shouldn’t just be pushed out at regular intervals throughout the organization; the communication must be impactful and memorable too. That’s of course the ideal for us in the compliance function, but it may not already be specifically included in your KPI arsenal.
Along similar lines, the guidance states that training should be “continuous.” I’m not sure that once-a-year compliance training would fit the spirit of that word, so companies that haven’t yet moved to training as an ongoing initiative may need to revise their training schedule.
It’s interesting that the best practice of including relevant case studies and real-life scenarios is specifically mentioned. In my experience this is a common ask from learners; they want guidance that’s both practical and relevant.
5. Reporting foreign bribery
For a reporting mechanism to be considered effective, the guidance says it should be “visible, secure, confidential, accessible, and provide adequate protections.” Having an independent avenue (typically from an external hotline provider) to make reports is often considered to be best practice in the compliance field, but the Australian guidance expressly provides that an internal reporting mechanism may be sufficient, presumably if that system meets all of the stated effectiveness requirements. Despite this, the guidance also acknowledges that an externally run option could encourage reporting by reporters who aren’t comfortable using internal channels.
6. Monitoring and Review
This section refers to continuous improvement in conjunction with monitoring and review, a fairly standard expectation. The guidance specifically suggests asking compliance-related questions during employee exit interviews. Unlike U.S. guidance, however, Australia has not called out data analytics by name (but it does propose that analysis of investigations can help to inform monitoring and review).
What This Means for Compliance Officers
The Australia guidance has considerable overlap with pre-existing guidance from the United States and the United Kingdom — so for compliance officers accustomed to those U.S. and U.K. expectations, Australia won’t put you fundamentally out of sorts.
That said, the arrival of Australia’s guidance might prompt global organizations to prioritize a review of your compliance program, or perhaps to undertake an audit in Australia this year to check your program’s robustness there. (This may mean putting forward a business case for traveling to Australia to conduct onsite monitoring and review efforts! Hey, I don’t make the rules.)
Companies that may not have a mature compliance program in place at this time (such as smaller organizations in less highly regulated industries with some, but not extensive, international presence) will have some work to do to implement a control framework and compliance program best practices in line with the guidance. It might help to review the U.K. Ministry of Justice guidance and U.S. Justice Department Evaluation of Corporate Compliance programs guidance to supplement the suggestions in the Australian guidance, and it never hurts to network with responsible staff at companies with a similar demographic to learn what they are doing.
If your organization doesn’t already have a dedicated compliance team or person, now is the time to consider what makes sense for your business. For smaller companies, for example, perhaps someone could wear the compliance hat as a part-time responsibility. Note that the guidance requires that the compliance function is adequately resourced and autonomous, so give some thought to reporting lines as well as budget. Have a rationale for why the specific resourcing you select is defensible in light of your risk exposure.
General Comments
One important point to remember is that the guidance is not mandatory. As the document itself says, “This guidance is not intended to be used as a ‘checkbox’ approach to implementing an effective anti-bribery compliance program. Instead, it outlines elements that could be included in such a program and suggests types of controls that should be considered.” So look to this guidance for inspiration to build adequate anti-bribery procedures for your organization, not as a recipe to be followed to the letter.
In addition to this guidance, the Australian government has provided further resources on the Attorney-General Department’s website.
The guidance also states that a company can have adequate procedures in place and still suffer bribery violations; no company’s compliance program will be perfect. Establishing adequate procedures is the goal, and (as we’ve seen in other jurisdictions) can result in regulators declining to prosecute.
The Act came into force on 8 Sept. 2024, so if your organization hasn’t yet made a start on assessing your compliance programs in light of the guidance — well, the best time to do that was a month or so ago. The next best time is now.
Final Word on Australia
As an antipodean, I’m encouraged to see Australia taking steps to catch up with other countries in how seriously it takes anti-corruption.
Just 10 years ago, compliance roles were almost non-existent down under. More recently, Australia in particular has incorporated compliance roles, with financial services taking the lead and life sciences/healthcare following behind. New Zealand still trails behind, but the field is definitely growing.
When a country revises its anti-corruption laws and provides guidance on how to comply with that legislation, it puts companies on notice that they should be dedicating resources to compliance. Hopefully New Zealand will follow shortly, and Australia will engage in appropriate enforcement activity so that our efforts are not in vain.