- Adopting a risk-based approach minimises non-compliance with product safety standards.
- AS3806 provides guidance for implementing the needed controls that maintain compliance.
In our previous article, we discussed the reasons to implement a product safety compliance program and the benefits it can bring to organisations, including enabling them to claim the section 85 defences and significantly mitigating penalties under the Trade Practices Act. This article will give an overview of AS3806, the Australian Standard for compliance programs, and then examine some common tricks and traps encountered by organisations implementing compliance programs in a product safety context.
What is AS3806?
The Australian Standard AS3806-1998: Compliance Programs was originally developed in response to the ACCC's need for an objective benchmark against which to assess the effectiveness of compliance programs.
While the 1998 standard was welcomed by organisations, regulators and compliance professionals alike, a number of perceived shortcomings impeded its effectiveness. This led to the development of the 2006 Standard (AS3806-2006) which marked a significant departure from the 1998 standard. In contrast to the previous standard which focused on the procedural and operational aspects of compliance, this standard adopted a principle-based approach.
Other key differences between the two standards include:
- the increased emphasis on the proactive testing of critical control points (Principle 9, AS3806-2006);
- an explicit need to measure, assess and demonstrate the effectiveness of the compliance system (Principles 10 and 11, AS3806-2006); and
- the requirement to align compliance with the strategy and business objectives of an organisation (Principle 2, AS3806-2006).
AS3806-2006 now forms an independent standard for compliance and is recognised by many regulators as an appropriate benchmark for assessing the effectiveness of compliance programs. It is also regularly referred to by the ACCC when determining appropriate court orders and enforceable undertakings.
The Standard itself sets out 12 principles for the development, implementation and maintenance of effective compliance programs based around four key features: commitment, implementation, monitoring and measuring, and continual improvement.
The principles that relate to commitment are:
- Principle 1: Commitment by the governing body and top management to effective compliance that permeates the whole organisation.
- Principle 2: The compliance policy is aligned to the organisation's strategic and business objectives, and endorsed by the governing body.
- Principle 3: Appropriate resources are allocated to develop, implement, maintain and improve the compliance program.
- Principle 4: The objectives and strategy of the compliance program are endorsed by the governing body and top management.
- Principle 5: Compliance obligations are identified and assessed.
The principles that relate to implementation are:
- Principle 6: Responsibility for compliant outcomes is clearly articulated and assigned.
- Principle 7: Competence and training needs are identified and addressed to enable employees to fulfil their compliance obligations.
- Principle 8: Behaviours that create and support compliance are encouraged and behaviours that compromise compliance are not tolerated.
- Principle 9: Controls are in place to manage the identified compliance obligations and achieve desired behaviours.
The principles that relate to monitoring and measuring are:
- Principle 10: Performance of the compliance program is monitored, measured and reported.
- Principle 11: The organisation is able to demonstrate its compliance program through both documentation and practice.
The principle that relates to continual improvement is:
- Principle 12: The compliance program is readily reviewed and continually improved.
Tricks and traps in a product safety context
Organisations introducing compliance programs to ensure relevant standards are met often face significant challenges with implementation in the product safety context.
An example of this can be seen in the problems encountered by a toy manufacturer that outsourced part of its operations to Asia. Faced with the challenge of ensuring multi-jurisdictional compliance with product safety standards, the manufacturer received quality assurance via certification from the outsourcer. Unknown to the manufacturer, the outsourcer purchased its paint from a subcontractor of the vendor it was dealing with. This paint was uncertified and later found to contain lead.
The toy manufacturer relied on testing raw materials for compliance and did not test each batch of toys before it was shipped. This meant the lead paint was not detected until more than 22 million lead-painted toys had been shipped to retailers across the globe.
This gap in quality assurance and resultant compliance failure not only exposed the manufacturer to liability for breach of product safety requirements, but also led to a large-scale recall.
To implement AS3806-2006 and avoid the possibility of a compliance failure, many organisations adopt a risk-based approach that uses a combination of internal and external controls to achieve compliance (Principle 9, AS3806-2006). This means that where there is a higher risk of non-compliance, more rigorous controls will be implemented to ensure that the organisation meets the required product safety and information standards.
Where the situation is low-risk, the ACCC has indicated that it is prudent for suppliers to conduct periodic random batch testing (say at least once a year) using AS3806-2006 to work out control points needing checks.
Factors that may point to a higher risk of non-compliance and indicate the need for more frequent testing, or other controls, include:
- adverse outcomes on checks
- changes to product safety and information standards
- probability of unexpected outsourcing; and
- product or packaging changes.
Some other tricks from AS3806-2006 that manufacturers and retailers should consider include:
- random batch testing of products and internal testing and product recall procedures (Principle 10, AS3806-2006)
- if third parties have taken over the certification role, documenting the due diligence process for assessing and selecting the certifier (Principles 6, 9 and 11, AS3806-2006)
- where the purchaser or seller is dealing across multiple jurisdictions, ensuring compliance with all relevant jurisdictional product safety standards (Principle 5, AS3806-2006); and
- if outsourcing, ensuring that the outsourcer is reputable and that the contract specifies, in sufficient detail, the product safety standards to be complied with (Principle 6, AS3806-2006).
In our next article, we will discuss the impact of the impending reforms to the consumer policy framework and the national product safety regime on AS3806-2006 and wider trade practices compliance programs.