The challenges of maintaining compliance in an outsourced environment
Outsourcing is very common and often viewed as the most appropriate way to get a job done. It makes sense to get the ‘experts’ in as contractors when you haven’t got the skill set within your organisation or the work is not ‘core business’.
When outsourcing functions, the expectation is that the contractor will comply with all relevant legislation, regulations and standards, and in fact, contracts will often contain clauses such as “the Contractor is to comply with all relevant Federal, State, Territory and Local Legislation, Regulations and Standards.” But what does relevant mean? Has it been defined? What does compliance look like?
If our organisation was managing that function, would we not have an assurance program that ensured all of the requirements were being met? So why not do the same for contracts?
Perhaps the biggest assumption that we have is that by outsourcing the functions, we have outsourced compliance as well. Nothing could be further from the truth.
If a contractor commits a breach, the contracting organisation is held accountable and liable in the eyes of the Regulator. Whilst it can be argued that any fines received can be passed on to the contractor, there are consequences that will be retained by the contracting organisation. What if the breach leads to a loss of licence? What if the issue becomes front page in the national media? These consequences cannot be passed on.
Let’s look at an illustration. We are a Government Department responsible for demolishing houses that have been discovered to contain asbestos. We outsource the work to professionals and ensure there is a contract clause that specifies the requirement to dispose of the asbestos material in accordance with Legislation and Regulations. A photograph appears on the front page of the newspaper showing a representative of the contractor organisation disposing of the asbestos in a pit that has been dug in bushland 30km out of the city. The article also highlights that the contractor has been engaged by the State Government and asks the very salient question – how was this allowed to happen?
The reality is this: if you were actually doing that activity within your organisation, you would be responsible and accountable for compliance against the regulations, the legislation and the standards. You would have a compliance register and you would be getting assurances that those compliance obligations are being met. So why is it that, when we outsource, we are not seeking the same assurances?
You need to assure yourself that a) the contractor is meeting their contractual obligations and b) the contractor is meeting their compliance obligations.
That’s why I advocate that in every contract there should be a compliance register which clearly specifies the legislation, regulation and standards that the contractor needs to comply with, and how they are to demonstrate compliance (including the assurance activities you will conduct).
In addition, when approaching industry, the pricing schedule should contain the facility to cost compliance; in that way, further assurance can be achieved.
We need to become more informed buyers and understand that there is a cost to compliance. In doing so, we will reduce the risk of an incident that leads to a compliance breach and impacts on the organisation.
For more information about the Paladin Risk Management courses, click here. There’s a risk to not managing risk!