The Obligation Hierarchy
Published as a whitepaper by the Institute of Internal Auditors (IIA), Australia in June 2021
This article provides a bias-free framework for prioritising and categorising obligations for any sized organisation in any industry.
There is no clear industry-wide method for categorising (compliance) obligations.
Obligations are currently categorised in a binary way, for example, legal and policy, or internal and external. It is like trying to describe all the colours in the rainbow as blue and non-blue. It simply does not capture the variations.
Another approach is to categorise obligations by risk topic such as WHS, Financial, Environmental, Anti-slavery, Regulatory, IT, Operational, etc. The problem with this approach is that the list can become never-ending and overlapping. Often regulatory itself is listed as a topic.
Poorly categorised obligations cause confusion and stress.
The solution is to:
- Separate compliance and obligations into two activities, obligational awareness and compliance administration, as per the GORC model.
- Apply an obligation hierarchy based on the potential consequences for an organisation that will give internal auditors a clear framework with which to structure compliance reports by priority.
There are a number of problems with many current categorisations of obligations. Categories are not well defined, and bad definitions have created confusion, bias and increased organisational risk. Even after investing large amounts of money, almost no business actually knows how compliant they really are.
A number of attempts to categorise compliance obligations have come from the financial profession. This is a mature and well-organised profession with centuries of regulations and almost half a century of global standards. However, its categorisation into ‘legal’ and ‘non-legal’, while a good first step, categorises a non-binary subject into two categories.
This binary approach is doomed to failure as it does not allow room for variation.
There is no clear industry-wide method of categorising obligations and various methodologies create confusion and stress. Issues are confused and compliance reports are poorly structured with overlapping issues.
ISO 37301: Compliance Management Systems, which has superseded ISO 19600, defines compliance obligations as ‘requirements that an organization mandatorily has to comply with as well as those that an organization voluntarily chooses to comply with’ where requirements are defined as a ‘need or expectation that is stated, generally implied or obligatory’, the closest the standard comes to defining an obligation.
Compliance obligation: The widespread use of the term ‘compliance obligations’ causes confusion between compliance and obligations. An obligation is the order, rule, or request, and compliance is defined as ‘the act of obeying an order, rule, or request’. For example, each manager has an obligation to stay within their budget; compliance is the act of not blowing the budget.
Legal and non-legal: One method of categorising obligations is by separating them into legal and non-legal. This, unfortunately, puts contractual obligations at the same level of risk consequence as national, state and local government statutory and regulatory obligations. Non-compliance to statutory and regulatory obligations can result in fines, jail terms, disqualification for directors and even a forced closure of the business, significantly higher risks than those imposed for contractual non-compliance.
Voluntary: The second problem is the misuse of the word voluntary with respect to obligations and compliance. An organisation may voluntarily decide not to meet a mandatory obligation, however, that does not make the obligation voluntary. For example, an organisation may voluntarily decide not to comply with all of its WHS obligations, however, under the WHS laws, all of the WHS obligations remain mandatory.
Voluntary, under the ISO definition, refers to the organisation’s self-imposed obligations. These will be explored in more detail in the proposed hierarchy.
Financial and non-financial: This categorisation causes bias. Many general compliance training courses focus almost exclusively on financial obligations by making mention of ASIC, APRA, ASX, ATO as well as the ACCC and ACNC. Occasionally other regulators like Workcover (WHS), OAIC (privacy) and the EPA (environmental) are mentioned.
The truth is that there are tens if not hundreds of other regulators and yet they are ignored, often because there is a financial and legal bias in the boardroom. According to Deloitte, ‘Not even the federal government knows how many rules you are meant to obey. In fact, we don’t even know how many government bodies currently have the ability to set rules in the first place, let alone the number of rules those agencies have laid down.’
Categorisation by risk topic: A further problem is that compliance is seen as subservient to risk and so obligations are categorised into risk topics, for example, financial risk, operational risk, strategic risk, WHS risk, IT risk, supplier risk, regulatory risk, market risk, etc. The issue here is that risk management, obligational awareness and compliance administration are all equal but separate activities. Some obligations and compliance requirements are not driven by risk.
External and Internal: Often obligations are split into external (legal) obligations and internal obligations driven by internal policies and procedures. The problem is that these are not mutually exclusive. Many policies and procedures are put in place to ensure an organisation meets its statutory and regulatory obligations. For example, WHS policies and procedures are put in place to make sure the organisation is satisfying the WHS legislation.
The other problem with the internal/external split is that all mandatory and voluntary obligations have external root causes. The root causes of mandatory obligations are obvious, namely government statutes and regulations; voluntary obligations have less obvious external root causes.
Variants on the classic PESTLE analysis provide a useful method for uncovering the external root causes for voluntary obligations.
- Consumers reject poor quality products and services so organisations implement policies and procedures (obligations) to ensure their products meet their consumers’ quality requirements.
- Increasingly, consumers are demanding ethical products and services which is driving an explosion in ethical policies and procedures.
- Shareholder and consumer activism is increasingly holding directors to account for their ethical actions; investors and shareholders demand profitability, driving the requirement for operational efficiencies.
Using PESTLE and other strategic models to analyse the root causes of an organisation’s obligations is a worthwhile exercise for internal audit. This analysis provides a clear answer to the question ‘Why are we spending time and money on this obligation?’ which provides opportunities for evaluating and improving effectiveness.
The Obligation Hierarchy
The introduction to ISO 37301 states ‘An effective, organization-wide compliance management system enables an organization to demonstrate its commitment to comply with relevant laws, regulatory requirements, industry codes and organizational standards, as well as standards of good governance, generally accepted best practices, ethics and community expectations.’
The hierarchy below proposes a ranking system for all obligations, including those mentioned above.
Level 1 – Governmental
Government obligations include all international, federal, state and local government statutory and regulatory obligations.
Some apply to:
- Almost every organisation in the world, for example company tax and workplace health and safety.
- Almost every organisation in a country (for example, many small businesses are exempt from onerous privacy reporting laws).
- Specific industries with their own regulations, for example aged care, childcare, education, hospitality, food manufacture and distribution.
Sometimes, particularly with operational obligations, standards are included in the legal obligations; however, not all standards are legal obligations.
Level 2 – Critical
The next level includes those obligations an organisation imposes on itself to ensure the continuity of its business or those events that would have a critical impact on the business and impair its ability to continue operating.
All of the obligations listed in the business continuity plans (BCP) would be included at this level. Any obligation necessary to minimise or mitigate high-risk events with a high likelihood of occurring would also be included, such as:
- Software backup
- A plan B if a key supply chain is disrupted
- A pandemic plan
- Functional backup generators in the event of a power failure.
There have been many instances of organisations forgetting the BCP basics. For example, at least one high tech organisation forgot to check its backup generator and, when the power failed, the entire data centre was left without power.
Level 3 – Essential
This level includes all obligations driven by best practice and international, national or industry standards (most of which are not legal obligations) and contractual obligations.
Meeting ISO9000 ‘Quality management systems’ standards or maintaining public liability insurance is not a legal requirement nor generally a business continuity requirement. It is however good business practice and may sometimes even be a contractual requirement.
Contractual obligations are between two parties and are different to the international, federal, state and local government obligations noted in level 1 ‘Governmental’, however they are operationally essential.
Level 4 – Ethical
Driven by changing societal pressures, organisations may also impose ethical obligations on themselves such as equal pay for all genders, ethical sourcing policies, gender and race board diversity etc.
In time, many of these ethical obligations become law, for example the Modern Slavery Act 2020. In addition, bribery and corruption is an offence under section 70.2 of the Schedule to the Criminal Code.
Level 5 – Discretionary
This level of obligation is mainly driven by economic or brand issues. Assets are maintained because it makes economic sense to maximise return on investment (ROI) and operational life of the asset. Equipment is maintained to maximise operational efficiency and minimise downtime. Many of these obligations are manufacturer recommendations.
Organisations often impose discretionary obligations to maintain their brand and staff and customer morale, such as cleaning the floor of the shop every day, washing the office windows once a month, completely remodelling retail stores every three years, replacing laptops every three years, etc. These discretionary obligations often produce a positive ROI.
Discretionary obligations can be, and often are, ignored or delayed. A pattern of ongoing non-compliance with discretionary obligations can nevertheless lead to fatal consequences, as the following case shows:
On 25 October 2016, four people died on a family ride at Dreamworld on the Gold Coast in Queensland, Australia. The water pumps had already failed twice, and the ride should have been shut down until maintenance had been carried out. Dangerous ad-hoc modifications had been carried out over the years and there had been no proper safety assessment since the ride opened in 1986.
The ride had a history of accidents with rafts flipping in 2001, 2004, 2005, 2008 and 2014, but no action was taken to fix the fundamental problem and previous safety audits showed a water level safety sensor could have been installed for less than $3,000.
On 28 September 2020, the operators of Dreamworld pleaded guilty to three charges relating to the deaths of four people and were fined $3.6 million.
Level 6 – Legacy
The final level of obligations is legacy obligations. These are obligations that fall into the ‘we’ve always done it this way’ basket. The obligation hierarchy model exposes them, providing an opportunity to either eliminate them or update the relevant procedure.
Legacy compliance costs are red tape and can be one of the largest unnecessary costs in a business. The IIA White Paper ‘Reducing and Better Managing Red Tape’ explores this topic in more detail.
Recommendations and Conclusion
Recommendation 1: Whilst the new ISO standard 37301 has greatly improved the definition, the author would recommend that the definition of the term ‘compliance obligations’ is changed to the definition of the term ‘obligations’, and that compliance be defined as ‘the act of meeting all the organization’s obligations’.
Recommendation 2: The question ‘Are we at risk of non-compliance?’ is a valueless question because the answer is always ‘Yes’. No matter how well an organisation is governed, documents expire and there will always be non-compliance.
Using the obligation hierarchy, the organisation and internal audit can ask better governance questions:
- Do we have the correct policies and procedures in place to meet all our governmental obligations, whatever they may be?
- Do we have policies and procedures in place to ensure continuity of our business when faced with critical events?
- What essential best practices and industry standards are we committed to, and what policies and procedures are in place to make sure we are meeting those obligations? Are we meeting our contractual obligations? What policies and procedures do we have in place to ensure delivery of our products and services is not adversely impacted?
- Do we have policies and procedures in place to meet our ethical obligations?
- What asset maintenance policies and procedures do we have in place to maximise the ROI and operational lives of our assets? What discretionary policies and procedures do we have in place to protect our brand and our values?
- What legacy policies and procedures can we get rid of and why?
Once the governance questions have been answered and the organisation is aware of all its obligations, follow-up compliance questions can be answered:
- Can we provide current and up to date documentary evidence we are meeting all our obligations?
- Where are we non-compliant?
- Why are we non-compliant?
- What are we doing about it?
Expanding the ISO 37301 definition of compliance obligations into six levels of obligation will drive a greater awareness and understanding of obligations by directors, business owners and managers.
Bibliography and References
‘Building a Forward-Looking Board’, McKinsey Quarterly, February 2014.
IIA-Australia Factsheet ‘Compliance Program’
IIA-Australia White Paper, ‘Reducing and Better Managing Red Tape’, 2020
IIA-Australia White Paper, ‘GORC – The new and improved GRC with added O’, 2021
‘Compliance’, Cambridge Dictionary Online, accessed 4 April 2021
‘Getting out of your own way: Unleashing productivity’, Building the Lucky Country: Business imperatives for a prosperous Australia no. 4, pg. 19, Deloitte, 2014, accessed 30 March 2021
My thanks to Andrew Cox and Michael Parkinson of the IIA who helped edit the IIA Whitepaper.