These days it seems as though there are rules for just about everything, or very nearly everything, ostensibly helping to guide actions towards desired results. It’s all for our own good. Really.
Most rules are eminently sensible, some may be debatable, but a few no doubt ought to be shown the door as soon as possible.
Be that as it may, in general rules work, at least most of the time to the majority’s satisfaction. They provide boundaries, set expectations, hopefully facilitate the smooth working of society, and ideally lead to fairness overall.
Compliance with or adherence to the rules by all who are subject to them is the expectation, except where justifiably excusable in the eyes of the authorities. The consequences of non-compliance can range from trivial to life changing. Or worse.
Contracts of course are not exempt from rules and compliance requirements. Contract Managers know this, and no doubt spend a fair bit of their day dealing with these matters in some form.
What is contract compliance?
Contract compliance is based on conformance with a set of mandates that have been set not only internally and privately by the parties to a contract, but also externally and publicly by governments, standards bodies, industry associations and other organisations with some sort of oversight authority.
Contract compliance is achieved on a per-contract basis with the fulfilment of its obligations by all its parties, individually and jointly. That achievement is conditional on:
- a wide awareness and understanding of those obligations
- a sufficiently resourced, trained and supported workforce
- effective detection and remediation of any non-compliance
- timely adherence to compliance reporting requirements
- a management team committed to the achievement of high compliance.
Our earlier article How to manage contract obligations compliance briefly outlined a general approach for:
- Finding, categorising and assigning ownership of contract obligations
- Setting up compliance testing methods and timetables
- Reporting on compliance levels achieved
- Dealing with non-compliance.
This approach is based on the bulk of the compliance work being handled by the Contract Management team. Involvement of the Legal team is expected for advice about the more legalistic matters. Key stakeholders in each contract should be invited and expected to participate in compliance and other operational matters that fall within their areas of responsibility.
But there is a bigger picture to contract compliance, and that’s based on a closer look at the nature of obligations that are contained in, associated with, supporting or surrounding contracts and the ecosystems they operate within.
Here, we’ll cover the nature of those obligations in a bit more depth and highlight some of the operational matters that accompany the chase for compliance.
Internal compliance obligations
It’s fair to say that the classic focus of internal compliance obligations is concerned with performance of the contract. This covers aspects like how well:
- The organisation placed orders according to the agreed process
- The supplier delivered what was ordered when it was expected
- The organisation paid invoices on time
- Both parties followed the agreed contract change request process
- The organisation reported actual usage and paid for any excess usage.
These types of obligation and who they belong to can be specified in the contract, agreed at a process level between the parties, or both. Any consequences for non-compliance would typically be specified.
Different types of internal obligation might concern use of the contract. This could cover things like:
- Mandatory use of the supplier to obtain the specific products or services offered. This may arise if the contract contains an exclusivity clause, or a ban has been placed on the use of the only other available supplier
- Limitations preventing the organisation’s minority-owned subsidiaries or joint ventures from placing orders with the supplier
- Restrictions on who can use the supplier’s products or services, such as the organisation’s subcontractors or customers
- Controls on which individuals in the organisation are able to place orders with or request support from the supplier
- Organisational policies requiring order aggregation to obtain bulk order discounts, timely payment to obtain additional discounts, or authorisation prior to ordering any non-standard equipment models.
As with performance obligations, usage obligations need to be clearly identified, owned and managed. Systems or processes of some sort may be needed to support achievement of usage obligations, keeping details updated and allowing reporting of current status.
Some of these usage obligations might be shared with the supplier at a process level, such as lists of authorised subsidiaries, standard equipment models and people authorised to place orders or report operational problems. Continual maintenance of such lists is required to minimise any interruption to the regular flow of business.
External compliance obligations
There can be many compliance obligations on the organisation driven by some sort of external regulation. Some obligations may be specifically mentioned in a contract for emphasis and avoidance of doubt. Others may not be, on the basis that they are part of the generally accepted and expected way of doing business.
Some regulatory compliance regimes can impose very specific, inflexible criteria on entire industry sectors and individual organisations as the mechanism for achieving compliance with legislation or to meet industry standards. These regimes typically apply at the process level in the organisation, but can even influence staffing and elements of organisational structure.
Achieving and maintaining compliance with external obligations has three stages.
1. Discovering external obligations
The thing about regulatory compliance is that organisations are obliged to find out what they’re obliged to do. There’s no passing the buck on this. There are no excuses.
A few examples of well-known regulatory and standards regimes include:
- CCPA: California Consumer Privacy Act
- GDPR: EU General Data Protection Regulation
- HIPAA: US Health Insurance Portability and Accountability Act
- ISO: International Organization for Standardization, a standards body rather than a regulator; its standards bind an organisation only where a contract, a certification or a regulator requires them
- PCI DSS: Payment Card Industry Data Security Standard, imposed contractually by the card brands and acquiring banks rather than by legislation
- SOX: US Sarbanes-Oxley Act covering corporate financial disclosure.
The regulatory regimes that apply to an organisation can depend on many things, including the following:
- The industries it’s in
- The country where it’s headquartered
- The countries where it operates
- The countries it obtains products and services from
- The nature of the products and services it obtains or provides
- The purpose for which those products and services could be used
- The people who could use its products and services
- The nature of the data it processes
- The countries where that data is stored and processed
- The countries whose governing law is specified in its contracts.
To start with then, an organisation needs to know, and have readily accessible, all the types of information listed above, and possibly more.
If an organisation’s been in the business for a while, it’s likely to be pretty well aware of this necessary information and the relevant regulatory regimes.
But if the business is starting up or branching out, expanding into new areas in terms of products, services, geographies and so on, it needs to discover what new obligations it’s going to face, manage and comply with.
Contract owners and any people responsible for investigating new lines of business and other opportunities could be tapped for relevant information if it isn’t already being collected.
This information enables a focussed search for applicable regulatory regimes and will produce a higher level of confidence in the findings than just taking a punt and hoping for the best.
This search really should happen before any contracts are agreed in these new areas, to ensure inclusion of any contract-level elements that deal with regulatory regime obligations.
Bear in mind that many contracts could be subject to many regulatory compliance regimes. It depends on the contract eligibility criteria each regime specifies.
Image: Gatekeeper's audit dashboard for obligations
Hint: Don’t ignore new regulations or legislation that’s under development in the search for applicable compliance regimes. Many regulators provide advisory notices about such developments, often in conjunction with requests for submissions from organisations with vested interests in matters that could be addressed.
Heeding such advance notice can deliver valuable payback:
- It provides forewarning of regulations that may well be pertinent to the organisation
- It allows tracking of how the regulations and their potential implications are shaping up
- It can guide early thinking about the organisation’s possible compliance approaches
- It can reveal obligations that have a retrospective element, requiring action to be taken by the organisation even before the regulations are enacted in order to be compliant in those obligations following the enactment date.
CCPA for instance, from its operative date of 1 January 2020, obliged applicable organisations to provide consumers, on request, with information covering the 12-month period preceding the request. The records needed to answer such a request therefore had to be kept from the start of 2019, before the law took effect.
Contract Managers are almost certainly going to be involved and may need help, particularly if the organisation’s new direction involves new legal jurisdictions. Help could be obtained from:
- Other Contract Management team members, if they’ve been there, done that
- The organisation’s Legal team, if it has one and they have the time
- Regulatory tracking services, if budget is available
- Specialist consultants, if a big budget is available.
Practically speaking, an in-house Legal team is the preferable option if available: they are committed to the organisation, usually on site or at least readily accessible, comparatively low cost, and have a short escalation path.
As an added bonus, they are more likely to have the budget to cover use of a regulatory tracking service because organisational compliance requirements can apply to more than just its contracts.
Such a service can be a very useful tool for organisations subject to many different jurisdictions, particularly those using different languages than the organisation’s standard business language.
Australian band The Cruel Sea provided some relevant advice in one of their songs, although more in respect of non-compliance than otherwise, but pertinent nevertheless:
‘Better get yourself a lawyer, son. You better get a real good one’.
2. Implementing and operating contract compliance achievement approaches
Once the organisation understands the totality of regulatory regimes it is subject to in respect of its contracts, it has to figure out how it’s going to achieve compliance with each element of each regime. This is a risk management exercise that is likely to involve policy, strategy, planning, people, processes and technologies. It will probably be big even if it starts small.
It could also involve any of the organisation’s related parties and third parties that have contingent contract obligations due to the services they provide. The organisation may need to manage or report on these other parties in some fashion under some regulatory compliance regimes.
The potential consequences of failing to achieve contract compliance depend on how widely, how deeply and how often non-compliance occurs. This makes it important that approaches for achieving compliance across all regimes are comprehensive, robust, adaptable, adopted, and applied proactively.
New regulations or changes to those existing often allow a period of time between enactment and enforcement to allow organisations time to establish their compliance achievement approaches.
Organisations that become subject to a regulatory compliance regime after its enforcement date is reached may or may not be granted a honeymoon period with respect to compliance readiness. It all depends on the specific regime, so this needs to be determined and dealt with accordingly during planning that will lead to take-up of the obligations.
Compliance management, the development and operation of compliance approaches, is not a trivial activity. It requires the right culture and commitment from the organisation. It needs to be treated in a structured manner. It requires the constant attention of many people, from the top of the organisation to the bottom, but needs to be driven from the top. It needs to be integrated with the organisation’s general risk management governance. Its adoption should be mandatory.
The detail of a compliance management approach is too complex to be treated here, but some key features might include:
- Written policies and supporting strategies covering compliance management
- Integration of compliance into processes and procedures
- Standards of conduct updated to cover compliance
- A compliance oversight body, if one doesn’t already exist
- Roles and responsibilities development and assignment
- Initial and annual refresher training in compliance, with evidence of attendance
- Details of organisational regulatory compliance regime applicability
- Methods for finding contracts subject to each regulatory compliance regime
- Records of which contracts are subject to what regulatory compliance regimes
- Records of all internal and external compliance obligations related to contracts
- Specifications of compliance approaches for each obligation
- A schedule of obligation compliance monitoring and reporting activities
- Methods of tracking changes to relevant regulatory compliance regimes
- Methods for assessing the applicability of regulatory compliance regime changes
- Methods for collecting and reporting compliance performance data
- Options for treating any discovered non-compliance and preventing recurrence
- KPIs for defining and monitoring the effectiveness of compliance methods
- Self-assessment checks to prevent surprises during external compliance audits
- Obligations compliance guidelines for development of new business activities.
There is plenty of information available online to provide guidance about sensible approaches to follow. As an example, while it may be over the top for most, details about the elements of a compliance management system can be obtained from ISO 19600:2014, since withdrawn and replaced by ISO 37301:2021.
The standard doesn’t need to be followed slavishly. ISO 19600 was guidance only and could not be certified against; certification is possible against ISO 37301, but close adherence is only necessary if the organisation intends to obtain that certification. Either way, it can provide some insights into the factors that need consideration when preparing a generalised compliance approach.
Input from many stakeholders across the organisation will be necessary to ensure that the proposed compliance approaches are sensible, practical and achievable. It’s important that contract stakeholders contribute to this effort, because they’ll invariably end up having to do some of the compliance work.
It’s sufficient that a compliance approach only has to work well enough to achieve its purpose, and easily enough that adoption is rapid and widespread. It should be flexible enough to deal with the changes that will almost certainly be required.
A wide range of compliance management software is available with varying levels of capability and sophistication to support the compliance approaches preferred by the organisation.
Now, it goes without saying but it still needs to be said: an organisation’s first priority in regard to contract compliance is to comply with the approaches it has set up to achieve both regulatory and internal compliance.
This level of organisational compliance needs to be rigorously and regularly reviewed, reported on, and remedied when issues are discovered.
To ensure that organisations don’t overlook or disregard this, particularly in highly regulated industries, regulators often penalise an internal compliance failure that has led to a regulatory compliance failure.
An example might be the unauthorised disclosure of confidential customer details, a regulatory compliance failure, caused by the theft of a laptop holding those details unencrypted in breach of the organisation’s own device encryption policy, an internal compliance failure. The distinction matters in practice: many breach-notification regimes, GDPR among them, treat data on a stolen device as not exposed if it was properly encrypted and the key was not compromised, so the same theft with full-disk encryption in place may carry far lighter notification obligations, or none.
3. Keeping up with changes to external obligations
There are three main reasons why an organisation’s external obligations can alter:
- Time passes. As organisational life goes on, so does the contract lifecycle.
New contracts get started, possibly introducing new external obligations.
Existing contracts may reach their expiry dates and terminate, reach end of term and not get renewed, or get terminated early for some reason. This could reduce the number of external obligations. Existing contracts might also be modified in some manner, either during their term or during renewal negotiations at end of term. This might result in an increase or decrease in external obligations.
Finally, normal or abnormal activity in a contract that is subject to various regulatory compliance regimes might trip some kind of compliance limit, say a revenue tier or number of customers, that results in the contract now being or no longer being subject to the relevant regime or certain obligations under it.
Existing approaches for dealing with these normal contract lifecycle changes should be augmented to handle the to and fro of external obligations applicability that might accompany such changes, based on stage 1, external obligations discovery, and stage 2, implementing and operating contract compliance achievement approaches.
- The organisation morphs. Whether anticipatory, opportunistic or reactive in nature, the ways in which an organisation can change are only limited by imagination, resources, the law and where applicable, shareholder approval.
Bear in mind that organisational changes can be additive, such as acquisitions, mergers and takeovers, where the contracts and associated obligations of the additions increase the organisation’s regulatory compliance load, or reductive, such as divestment and dissolution of parts of the organisation which can reduce the compliance load.
Whatever the cause, the way an organisation changes could modify its regulatory compliance profile and associated activities.
This means the organisation needs to rerun stage 1, external obligations discovery, with additive changes in mind, to determine if there are indeed any changes to be made to its external obligations inventory.
Where there are changes to obligations or their number, a return to stage 2, implementing and operating contract compliance achievement approaches, may be needed to establish ways to handle those changes.
- The regulations evolve. They can contain elements of conflict, error, impracticality, silence, uncertainty and unreasonableness. Improbable and unanticipated situations can occur, unintended consequences might surface. Control of the responsible regulatory body might change hands. Political ends might need to be met or payback made.
Alternatively, a set of regulations can be replaced in their entirety by a completely new set, or more rarely, rescinded.
When regulation change happens, and that’s usually not in accordance with any particular schedule, the risk of non-compliance grows with the organisation’s ignorance of those changes, because what you don’t know can hurt you.
Whatever the cause, changes to a set of regulations may result in changes to its compliance regime. There could be knock-on effects on the way the organisation operates in order to accommodate the compliance changes.
A regular review should be conducted of all applicable regulatory compliance regimes to check if a change program is planned, under way or complete. Use of a regulatory tracking service for this purpose may be well worth the expense.
When information about such changes becomes available, a return to stage 2, implementing and operating contract compliance achievement approaches, may be needed to establish ways to handle those changes.
Maintaining a high level of awareness about changes to external obligations is a critical risk mitigation activity. It wouldn’t be a surprise to find that it’s actually an obligation in some regulatory compliance regime or other.
Remember: You can’t get ahead if you don’t keep up. You’re likely to fall behind.
Key and important contracts
Practically speaking, it’s clear that there are limits on the number of people who can be involved in, and the amount of time and money that can be spent on, contract compliance activities. Accordingly, the focus will normally be limited to just those few contracts considered key – critical for the organisation’s purpose – or important – significant to the organisation’s purpose.
There’s nothing to stop a regulatory compliance regime being applicable to a contract that might be viewed as not key or important enough to warrant regular obligation compliance attention. Finding such contracts could be problematic given their volume relative to the key and important contracts.
The discovery of any such contracts, particularly those subject to compliance regimes that levy significant penalties for non-compliance, should change their status to key or important.
Ignorance of a law is not accepted as an excuse for its violation, even though nobody could reasonably be expected to be aware of every law currently in force. There is however an established expectation that anybody engaging in undertakings that are uncharted territory for them will discover and familiarise themselves with any laws applicable to those new undertakings.
A similar situation exists with contract compliance. The parties to any contract are effectively obliged to make themselves aware of all their obligations under the contract, internal and external, in order to fulfil them.
Claiming to be too busy or time-poor to acquire that awareness or achieve all obligations is not an acceptable excuse for any noncompliance. Don’t go there.
Acquiring and documenting that awareness is the easy part.
Maintaining that awareness over time in today’s uncertain and continually changing environment will be an effort.
Designing, implementing, operating and maintaining effective compliance management approaches will likely prove challenging. Certainly initially, but even with increasing match fitness, given the Hydra-like growth of regulation.
If you’re complacent, ignorant, indifferent or recalcitrant about contract compliance, or give it short shrift, you really are asking for trouble.
Takeaway: you do not, repeat NOT, want to attract the attention of any regulator. Ever.
You do not want to be the poster child for regulatory delinquency, the ones who get made an example of by way of an extraordinary penalty as a disincentive or salutary lesson to other potential offenders. Naming-and-shaming is the modern-day equivalent of being humiliated via the stocks and pillory of yesteryear, with financial assault replacing the physical abuse.
Is there a cost in achieving contract compliance? Absolutely.
Is it worth it? Paul McNulty, a former US Deputy Attorney General, said:
‘If you think compliance is expensive, try non-compliance’.
If you would like more information about contract compliance or how to deal with it, then contact us today.