Journal of Law, Information and Science
|
|
Home
| Databases
| WorldLII
| Search
| Feedback
Journal of Law, Information and Science |
|
EUGENE CLARK, GEORGE CHO & ARTHUR HOYLE[1]
The Year 2000 Date has come and gone without major disaster. That this result was achieved was, in the authors' view, more to do with good management than luck. Moreover, by examining the way in which governments, business and other firms prepared for and handled the Y2K problem, we may learn some valuable lessons which will help ensure that future problems will be handled equally as well. In this way, organisations will not only prevent a legal disaster, but are likely to find that a proactive, integrated use of the law and a culture of compliance can bring wider benefits to the business and increased value for stakeholders. The Y2K problem and its resolution thus provides an excellent case study from which to draw many valuable lessons about the role of legal compliance and the changing nature of legal practice in a digital economy.
When the magic date of 2000 arrived and the prophets of death, doom and destruction caused by massive Y2K failures were proven wrong, the media seems to have uttered a big yawn and gone on to other and more exciting stories.
Few analysts or commentators, however, have picked up on the most significant aspect of the Y2K saga, a significance which the authors believe, show the beginnings of a quiet revolution. The fact of the matter is that the major reason things did not go tragically wrong, is that businesses, governments and other organisations were pro-active in raising awareness about the problem and committing resources, time and planning in acting proactively to prevent it from occurring. For many organisations, the Y2K exercise was an excellent example of risk management, strategic planning and cooperation on a wide scale. More than this, many firms were able to promote their Y2K readiness in such a way that it enhanced other business purposes, such as improving organisational systems, promoting teamwork, improving information systems, developing better links with customers, and enhancing linkages of trading communities or business chains.
This article is divided into three parts. Part I examines the impact of IT on the legal profession and the move to multi-disciplinary teams. Part II focuses on basic principles of legal compliance and the role of interdisciplinary teams in using legal compliance to both manage risk and achieve organisational objectives. Finally, in part III, the article turns to specific lessons which were learnt from the Y2K experience--lessons which should prove invaluable as organisations and society tackle future problems.
In requiring lawyers, IT specialists, managers and others to work together to resolve Y2K problems, we see the beginnings of something which is likely to become the dominant working model of the near future--teams of professionals from different disciplines working together within their own organisation to ensure that the information system lifeblood keeps flowing and that organisational life goes on. Because the Y2K problem had an impact on entire supply chains, government agencies, entire nations and international cooperation, the Y2K problem also required a remarkable degree of coordination, communication and knowledge sharing. These same qualities will prove to be invaluable in a global economy and Information Age.[2]
Globalisation and other forces such as technology have resulted in a legal profession which is rapidly changing. Among these changes are: an increasingly competitive market for legal services; the move, in countries such as Australia, to encouraging multiple disciplinary partnerships combining such areas as accountancy and law; increased global competition and the increasingly global nature of business; changes in the nature of legal work itself to encompass more preventive and risk management perspectives; and the increasing diversification of the profession which sees lawyers being employed by a wide range of employers and using their legal education in new capacities. The legal profession could learn much from accounting firms such as Arthur Andersen, which in 1989 formed Andersen Consulting and most recently Andersen Legal, thus dwarfing all competitors and evolving a new paradigm of multi-disciplinary service provision. This organization now has over 40,000 people worldwide in its consulting arm alone and is doing billions of dollars of business. It continues to grow at 20% per year and Anderson Legal is likely soon to be the largest law firm in the world.
Modern technology has also facilitated internationalisation. The fax machine, electronic mail, satellite communications, computers, electronic data interchange, and other new communications systems all evidence a world which is more interconnected and interdependent. Such developments have encouraged the growth of an international community of universities, researchers and students and the emergence of a global culture.
The globalisation of business, internationalisation of trade and the increasing prevalence of multi-cultural interdisciplinary teams are beginning to redefine the nature of work. In the not too distant future, legal teams working in different places, at different times and from different cultures will become commonplace. As stated by a recent Japanese academic,
Three new trends and three new industries riding these trends are seen as key driving forces for the world environment as it moves toward the 21st Century. They are engulfing all the world's economies, including that of Japan and its management model, critically affecting its shape and form for the next millennium. The three new trends, or "3 Is," taking the initial letters of their individual names, are informationalization, internationalization and individualization.[3]
Tomorrow's lawyers will work in law offices which will operate in a dramatically different environment than that which exists in the majority of today's organizations. Also sophisticated computer software and artificial legal intelligence will threaten those in the legal profession who depend upon performing routine tasks such as conveyancing. It is not that the knowledge acquired by the lawyer will become devalued; only that the type of knowledge that makes a lawyer valuable is changing. In the future, work that focuses primarily on routine transactions will face stiff competition from software programs that can do it faster, cheaper. As Paul Saffo of the Institute of the Future points out: "There is a lot less knowledge in knowledge work than we realize, and a lot of heavy lifting computers can do. It will free up people to think, and also cause a lot of pain. It's already happening with lawyers."[4] Thus, in the future there will be a premium, at all levels (undergraduate, pre and post admission), on legal education which provides students with higher order, critical thinking skills.
The advent of cyberspace as a major medium for communication and commerce has left lawyers and laymen alike searching for appropriate ways to redefine and reorder their legal relationships. This new technology makes a wealth of information universally accessible, adds to it at an unprecedented rate and puts it in a state of constant flux. "Paper trails" grow obsolete, national regulation and perhaps regulation at all, becomes impossible. Privacy becomes a hazy concept. Change becomes the norm.[5] In this brave new digital world, long-settled legal precedent can have only limited applicability. As Nimmer[6] puts it, “’Information’ has become the vibrant and important commercial asset in the United States and in most industrial countries.’ In laying the groundwork for this new world, courts and legislatures are struggling, though gallantly, to keep up with technological developments.
What are some of the implications of this new cyber reality for the practice of law? One implication, noted by Nimmer, is that of convergence. Just a few short years ago areas such as computer law, intellectual property law and competition law used to be a specialties practiced by certain boutique law firms. In the inter-connected business world today, one can no longer in isolation carve out such a specialty. Modern technology and business practice have converged to make it necessary for all commercial lawyers to be aware of intellectual property law, competition law and so on. This has meant that specialists must increasingly widen their visions and forge new links with other specialists in law. But more than that, the lawyer must work closely together with colleagues in management and technology. In this resultant legal and managerial uncertainty, a new expert must also emerge who has both the technical depth and breadth of vision to ‘manage’ the realities of this new information age. The pace of change, the breadth and depth of technological advancements, the national and international scope of the commercial world—call for new technological Vikings willing to launch their boats into uncharted seas with unknown dangers and uncertain outcomes.
The Information Age also tends to blur the boundaries between disciplines. This is reflected in the emerging trend towards the multidisciplinary practice of law and it is likely that this will become increasingly permitted and practised in the next few years. This term can be understood in two ways. One is that a particular lawyer has qualifications in another discipline and personally practises in more than one area, such as law and accounting. This is not common and is not what we primarily have in mind. Rather we see it in the context of organisations offering services in more than one discipline, with people employed from various disciplines to provide a range of services across disciplines.
Lawyers are increasingly likely to be free to work in practices which will involve people from other disciplines. At present, most examples of multidisciplinary practice are legal services delivered by a legal division of an accounting firm or through the referral arrangements of a group of different types of service providers. However, in time what is meant by “law” is likely to be merged into wider categories based on client needs. To the extent that this occurs, then lawyers will need either dual qualifications or increased skills and understanding of other disciplines. Perhaps more significantly, the same may be true for other disciplines in relation to qualifications, skills and understanding of law.
Another result of the technological age is the shift in emphasis from goods to services. Yet, much of existing commercial law was designed to facilitate the sale of goods which are tangible and concerning which existing law provided great certainty. Today, however, the fastest growing sector of the economy is that of services and the same laws which deal with goods often fail to address or inadequately address the needs of this new economic reality.[7] This shift in emphasis from goods to services has required, and will continue to require, law makers and law firms to adjust to take advantage of available opportunities.
Not only has there been a shift from goods to services but those services have increasingly consisted of intangible assets, most notably information, as opposed to tangibles. This reflects the reality that in most modern economies, the values which shape the society are increasingly intangibles. This in turn has meant a new evaluation of traditional notions of, and rights in relation to, property law. Consider two short examples. Property consists of a bundle of privileges, powers and rights recognized by law with respect to particular subject matter. In reference to information this includes the right to copy, to use information, to disclose it, to protect its integrity, to transmit it and to access it. Note that these rights and privileges are quite different from tangible property law notions protected by doctrines such as trespass and conversion.[8] Another important feature of property law, that of transferability, differs for information as opposed to goods. In the case of goods, one is concerned about transfer of title. In the case of information, title may be less important than access rights, for example.[9] As a result of the importance of intangible property, intellectual property and related areas are one of the fastest growing areas of legal practice.
Intangibility makes it difficult to locate the producer of the product or service in time or space. This intangible quality of information also makes it easier to eliminate the middle links in a supply chain. As explained by Granat:
As our economy has become complex, the number of intermediaries in the chain between the consumer and the goods or services to be consumed has increased, each supposedly adding value by their contribution along the way. Disintermediation consists of any direct transaction or exchange of goods and services that bypasses a middleman, professional, specialist, or institution that is normally involved in such a transaction. The more intermediary a job or business is, the more vulnerable it is to disintermediation. The lawyer is the classic intermediary, acting as a broker, between the individual or corporation and our legal system. In every sector of our economy, disintermediation is creating major business opportunities by reducing the value-added chain to its most efficient number. Mail-order is one of the fastest growing sectors in retailing. Videocassette recorders are disintermediating television and movie theaters. HMO's are a disintermediating agent in health care. And do-it-yourself is disintermediating a host of fields….
Service economies are reacting and adjusting to having too many intermediaries. Every intermediation adds costs that are passed on to the consumer. Eliminating intermediation is one of the key ways to being the least-cost producer. The lawyer is the classic intermediary. Eliminate the lawyer in its traditional form and the cost of the legal product can be reduced dramatically. Where there is major regulatory reform opening up the market for legal services to competitors, the lawyer may in many cases be eliminated from most transactions, for example in conveyancing. Absent such deregulation, it becomes critical to design law firms where the lawyer's role is optimized without introducing diseconomies of scale. [10]
A ‘conflict’ view of law suggests that law has always been about the achievement of balance between conflicting values. In contract law, for example, the law has struggled to achieve certainty and predictability versus the need to be flexible enough to achieve justice in particular cases. One of the most profound questions in relation to this new form of property in an information age, is the need to achieve the appropriate balance between such public values as access to information and privacy protection versus the need to commercialize such information. This tension has been demonstrated in court decisions in the US and Australia in relation to proprietary interests in relation to data and databases.[11] Again, we see a shift in the nature of legal work which previously had clear lines of division between public and private. In Australia and New Zealand for example, this blurring of public and private has meant that government legal work is more likely to be contracted out and that government lawyers are having to compete with private concerns in tendering for legal work.
Another feature of the information age is the change which it brings to legal market structures. On the one hand, there is a greater move to centralization as computer companies seek greater integration of their products and services so that it becomes an essential component of the cyberspace infra-structure. On the other hand, this new and unregulated market with access to individual computers all over the world, makes it possible to develop more individualized sub-markets, markets which were unknown and unreachable prior to the creation of this information network. As John Naisbit and Patricia Aburdene point out in Megatrends 2000 (at 301), the demise of mainframes and the rise of individual pc’s has signaled the “triumph of the individual” and in many cases has meant the end of centralized control.[12]
The variable types and nature of data also encourage differentiated markets. Data can be molded into lots of different products. Can shape, bend, mold information for use by different groups, with different levels of secrecy, commercialization and so on.
Another feature of the new market for legal services is that accountants, insurance companies and other professionals are increasingly challenging the monopoly of lawyers over the provision of legal services. This coupled with the increased competition among law firms themselves has meant that the practice of law is increasingly being defined by the customers, those who purchase legal services. Again, as explained by Granat:
Information technology enables an organization to differentiate itself along several critical dimensions: 1) time; 2) space; 3) matter; 4) substitution of electronically-based information service for high-priced labor; 5) elimination of intermediaries through direct contact with the customer; and 6) customization of product or service to the particular needs of the single individual. The rise of information technology within the legal profession is predicted to have unanticipated consequences as the technology shifts from being the servant of our wishes to master of our destiny. The technology may soon escape lawyer’s control, change their routines, challenge the inefficiencies they enjoy as well as create opportunities for new forms of law firms and law practice.
As mentioned above, the real significance of the Y2K non-event was the very fact that it was largely a non-event. The Y2K experience is an salient example of the role of legal compliance programs in government and business organisations operating in a global economy and Information Age. For this reason, this paper uses the Y2K issue as a case study about legal compliance and the interaction of managers , IT people, legal advisers and other professionals.
The Y2K problem must not be viewed in isolation. Best risk management practice requires that Y2K issues be seen within the broader context of general legal compliance and risk management. A successful compliance program is developed from sound underlying principles. A key to this success is that there is an involvement of every level in the organisation so that the planning and implementation is both top-down as well as bottom-up. A sound legal compliance program also is one which fits the needs of particular organisations. As well the program is an ongoing process of conception, implementation, evaluation and review and improvement. The focus is on prevention. Sound risk management programs also take into account and measure themselves against such developments, as the new Australian standard AS3806 which gives guidelines to businesses designing a compliance program. The powerful message of this new standard is that there is a conscious need for organisations to build a culture of legal compliance so that its operations are pro-active, preventative and participatory.
Although the focus below is on the Y2K problem, the principles discussed are applicable to all organisations operating in a digital economy, whether it be contracting with partners, product development, marketing, intellectual property protection, transport or international trade.
Released by Standards Australia on February 5, 1998 and drawing together comments from courts, opinions of legal practitioners and best practice, this Australian standard provides a guide to business in designing a compliance program or assessing whether their existing compliance programs are adequate. The AS3806 Standard establishes requirements for:
positive commitment to compliance at Board and CEO level communicated to staff;
positive promotion of compliance by all managers;
continuous monitoring and improvement of all compliance procedures;
the integration of all compliance procedures into the organisation's day to day operating procedures, systems and documents;
adequate numbers of senior staff with high status and sufficient 'clout', to take responsibility for compliance; and,
ongoing education and training of all staff.
While Australian Standards are not binding law, the ACCC has made it clear that it will regard AS3806 as the 'benchmark' for compliance programs. The standard is generic and can be used to assist both public and private organisations with developing, implementing and maintaining effective compliance systems in any form of legal, industry or in-house regulatory arrangements. According to Professor Fels, AS3806 is an essential reference document for any Australian company that was serious about compliance obligations. He pointed out that '[a] significant number of companies still come to the Commission with a compliance manual and a video and think that they have totally satisfied their compliance obligations ... nothing could be further from the truth! AS3806 demonstrates that much more is required.'[13]
Internationally there have been efforts to set industry standards. Commonly cited and widely accepted standards for Y2K compliance may be found at the following URL addresses:
Institution of Electrical and Electronic Engineers http://members.visi.net/~certus/year2000/IEEEP2000-1.rtf
British Standards Institution http://bsi.org.uk/disc/year2000.html
USA General Services Administration http://www.y2k.com/final%20gsa%20rule.htm
Information Technology Association of America http://www.itaa.org/definition.htm
In addition, Standards Australia has released a Y2K Code of Practice (HB120-1998) for small to medium-scale enterprises (SMEs). This code is given in non-technical, easy to understand language for senior business and project managers.[14]
Legal compliance is not something which can be left solely to one’s lawyers. Neither is it something which can be left to chance since a failure to take measured and appropriate steps may lead to exposure to legal action. A commitment to the concept of institutional corporate legal compliance not only avoids legal action but also has the potential to enhance the public face of the organisation as well as its overall performance.
The legal implications of any business strategy intended to deal with problems such as the Y2K bug are unlikely to be sufficiently emphasised unless senior management supports such an initiative. If a legal compliance strategy is emphasised by senior members of the organisation, then all employees may sit up and take notice.
It is also important that a specific member of senior management takes responsibility to see that legal risks are identified and a plan put in place to manage those risks accordingly. As noted by former US Assistant Attorney-General, John Shenefied:
'Without doubt the most important element in a successful compliance program is the undoubted commitment of company management toward making the program work. … Lack of a conviction on the part of top management will insure that a compliance program will fail ... If the head of a company does not take a program seriously, neither will anyone else. The commitment of top management must be visible, constant and sincere. And to state the obvious, the actions of top management must match the teachings of the compliance program.'[15]
The reach and scope of a legal compliance program intended to deal with issues such as Y2K must not be confined to the legality of a few obvious areas such as contracts and torts. Rather, the legal perspective must be all-pervasive, relevant to every aspect of the organisation and everyone in it. Legal compliance generally is part of every employee's job description, and in particular, given the pervasive nature of the Y2K problem, it was an important and relevant issue at all organisational levels.
In the final analysis, legal compliance will be effective only if it permeates the very bones of the organisation. An elaborate compliance manual and managers who preach the benefits of legal compliance are insufficient by themselves. To be truly effective, each employee must be their own compliance officer. This point was has been put forcefully by Warren E. Buffett, Chairman of Salomon Brothers, in testimony before the US Congress:
'I want the right words, and I want the full range of internal controls. But I also have asked every Salomon employee to be his or her own compliance officer. After they first obey all rules, I then want employees to ask themselves whether they are willing to have any contemplated act appear the next day on the front page of their local paper, to be read by their spouses, children, and friends, with the reporting done by an informed and critical reporter.
...
If they follow this test, they need not fear my other message to them: lose money for the firm and I will be understanding. Lose a shred of reputation for the firm, and I will be ruthless.'[16]
Employees will only act as their own compliance officer if there is excellent communication at all levels of the organisation. A well articulated strategic plan which incorporates legal aspects will encourage teamwork and communication. As a result of such communication, an organisation's efforts will 'snowball' and the organisation will grow — rather than fragment through uncertainty. If the organisation is serious about compliance, it will encourage employees to bring suspect practices to the attention of management so that the matter can be appropriately handled and the problem rectified. If certain employees have violated the law, they should be firmly dealt with as such conduct will expose not only themselves as individuals, but the organisation as a whole to legal liability. Accordingly, many organisations require managers to sign statements that they have complied with the law.
Unfortunately, the law and lawyers are too often seen by business persons as obstructive — an intrusion into the ordinary day-to-day events of the business, and the Y2K problem is of course no exception. The perception all too often is that lawyers are a last resort to be called upon at a time of crises to put out 'legal fires'. Another popular metaphor, reflected in television programs such as LA Law, is the lawyer as 'hired gun' who will do the client's bidding, no matter how unethical or shady. Sadly, this is a perception which some lawyers even have of themselves. Increasingly, however, organisations and the legal profession have come to realise that legal knowledge can be an invaluable tool, a vital resource to business management which can assist an organisation in carrying out its goals and avoiding risks. In short, legal considerations must form part of a Y2K and other strategic plans.
An effective legal compliance system will naturally concentrate on prevention, looking at its information handling processes, identifying potential Y2K legal problems and taking action to eliminate them. The standard to be aimed for is the same as for technical Y2K fixes — no legal failures. Zero legal failures will most likely be achieved in a work environment where everyone understands the key legal context in which they do their job. Each department including product development, marketing and credit management should develop a set of policies specific to the particular risks involved.
It is important to appreciate that every organisation is unique; there is no one approach which will work well for all businesses. It is for this reason that legal advisers should have an excellent understanding of the business or government department involved and a sound rapport with the people whom they are advising. Indeed, the requirement for such 'intimate' knowledge of the legal needs of the particular business is a major reason why firms have increasingly employed 'in-house' legal counsel who bring their knowledge of the law to the day-to-day realities of the particular business operation.
The legal aspects of a compliance plan and business strategy will also vary depending upon the size of the organisation. A common assumption and misconception of small businesses is that they do not require a legal compliance program. Yet, a small organisation will be just as subject, for example, to trade practices and fair trading laws as a large or medium-sized organisation.
Two examples show the folly of the false assumptions made by small organisations. First, a small organisation will be devastated by a large legal judgment against it, whereas a large organisation, in contrast, will be more likely to survive. Take for example, the restrictive trade practices provisions of the Trade Practices Act 1974 (Cth). It could be that a large corporate competitor puts pressure on a smaller company to join in a uncompetitive practice. Both businesses will be potentially liable for fines up to $10 million if incorporated and $500,000 for individuals. Secondly, another scenario could be where a small business has a substantial degree of market power in a niché market. Even though it is small, the business will need to be aware of competition law constraints on its market behaviour. In other words the potential legal exposure is high and to fail to consider the legal aspects of marketing practices is to invite disaster. Finally, managers of small businesses are more likely to fail to recognise a serious legal violation or fail to take it seriously and are more likely to spend time in jail for a Trade Practices violation than managers from the top of the hierarchy.
Although even small businesses need to be concerned about legal compliance, the specifics of a legal compliance plan will vary depending upon the size of the organisation. A small business will usually not be able to afford to have a lawyer as a permanent member of staff. Instead, they will seek outside legal advice, hopefully from lawyers who understand the special problems of small business. The lawyer will keep the organisation appraised of new legal developments and also help train business staff in the importance of legal compliance. In contrast, middle size organisations may have a lawyer as in-house counsel. This legally trained person will bring legal perspectives to management and liaise with outside lawyers where special expertise is required. Large organisations will usually have a legal team of corporate or in-house lawyers who are involved at all levels of the organisation. Different team members will be able to specialise in particular facets of the business, for example, credit management, marketing, employment relations, intellectual property and corporations law.
The type of organisation and business involved is also an important consideration. Whether a business is fully integrated or operates at manufacture, wholesale or retail levels will raise different legal concerns. The manufacturer of a product must be especially concerned with product development, product standards, design, and safety. A wholesaler will be especially concerned about supply issues and contracts with retailers, as well as such issues as distribution, resale price maintenance, product ties and so on. A retailer will be especially concerned about advertising, pricing, credit control and consumer law.
Many other factors are also relevant. Well-established businesses will have different legal problems than those which are just starting out. A business which deals in a high-technology area may have quite unique intellectual property concerns. A business with a large number of employees in a highly unionised industry has different employment problems than one with few employees and with no union. In short, the legal strategy adopted by a particular business should fit the particular commercial context involved.
In a recent article, Bill Dee of the ACCC makes the important point that compliance programs must account for both the behavioural and procedural aspects of conduct.[17] In other words, sometimes the activity is one which is primarily caused by behaviour of particular individuals, for example, price fixing, market sharing, or the cutting off of supply. In other cases, the fault lies in a failure to have in place appropriate checks and balances. Examples are the failure to check contracts for TPA compliance, not having checking systems for labels, not clearing promotional materials and so on. Behavioural compliance is achieved by on-going education, providing incentives to do the right thing and auditing performance.[18] Procedural compliance, on the other hand, focuses more on systems and procedures operating within the business.[19]
Firms and government business enterprises should have in place a sound policy involving legal compliance and the facilities to put it into effect. As in all facets of the business, management must be dedicated to not only short term 'fire brigade’ activities such as Y2K risk containment, but also to regular improvement in this area. Quality legal compliance like all quality initiatives is not a once off activity, but a process of continual development. The legal compliance policy should be developed in consultation with all levels. It should be publicised and understood at all levels in the organisation.
With huge fines and more active monitoring of business by bodies such as the Australian Competition and Consumer Commission (ACCC), it is crucial for businesses to have a compliance program. Moreover, both the ACCC and the courts are looking for compliance programs with substance, that is, those which really make a difference in the organisation. For example, in Trade Practices Commission v TNT Australia Pty Ltd 1995 ATPR 41,375 at 40,168 the Court said:
'It is a most important factor in mitigation of the amount of a penalty that, in a particular case, there may be acceptable evidence of a corporate culture of compliance, and of concern to ensure that the contravention which as occurred will not be repeated.'
Similarly, the Full Federal Court in North West Frozen Foods Pty Ltd v Australian Competition and Consumer Commission 1996 ATPR 41-515 at p. 43,583 stressed the importance of compliance:
'Where, in addition, acceptable evidence is adduced, or the Commission agrees, that a program has been instituted the purpose of which is to ensure an understanding by executives of the requirements of the Act and of their obligations under it, and where a corporation has committed itself to future expenditure on such a program, there is the more reason to reduce the penalty. Where the Commission established to administer the Act is satisfied that an appropriate program has been undertaken, or the undertaking of it is proved to the Court, this is the most important matter to take into account on penalty.'
Unfortunately many due diligence and compliance systems give little if any protection. A system which is comprised only of a legal manual and the occasional lecture is not good enough. Management must be committed to making it work. This takes skills which go well beyond legal and auditing skills. You need a pro-active system so that people understand what to do and management ensures that what ought to be done is done.[20] The challenge is to make sure the organisation receives the benefits from the legal knowledge it has.[21]
All organisations should also consider the formulation of a compliance manual, including technology law issues and the way in which they are to be dealt with. One of the best ways to train new employees and to make sure that everyone knows what to do is to have a compliance manual. In fact, the preparation of such a manual can go a long way to developing and maintaining a real ethos of 'quality control' in the culture of an organisation.
A compliance program will help minimise breaches of the law, although this is no guarantee that such breaches will not occur. However, it should also be noted that the existence of a well designed and properly implemented compliance program has often been a factor which courts have considered in assessing a lower penalty should a breach of the law occur. On the other hand, an ineffective program which is not followed or regularly updated will provide little comfort. There would be minimal cost involved in developing a compliance manual catering for the whole range of the organisation’s activities, as opposed to just handling Y2K issues.
The management literature suggests that it may be important to undertake the following steps when designing a compliance program generally and for the Y2K problem in particular.
(i) Identify what needs to be done and the resources required. An example would be the training which must be devoted to it.
(ii) Develop a plan which satisfies the needs. A clear written policy with detailed aims and objectives is needed. Define responsibilities and implement a system.
(iii) Develop a quality loop where you write down what you do, justify it; do what is written, record what you did, review it and correct what you do.
An essential component of a quality compliance program is that it be written. If a legal compliance program is written down:
it will more likely be followed;
it forces all to think about the system;
everyone will have a clear idea of what is going on;
should a mistake be made, it will more likely be found and corrected before significant damage is done;
courts will take the presence or absence of a legal compliance ethos into account in assessing damages; and,
a written compliance program will be necessary to meet Australian as well as ISO standards.
(iv) Conduct a legal compliance audit As noted above, having a compliance manual is one thing; following it is another. The audit must serve as a 'reality check' to see if quality expectations about products and services are being fulfilled. The audit will also ascertain where an organisation may be vulnerable to legal exposure to problems both direct and to downstream effects. The legal audit will also enable an organisation's lawyers to give proper advice regarding any sensitive legal matters which may have been uncovered and to eliminate the potential for future violations.
An initial compliance audit is the first step towards the development of a legal compliance program. However, the program must be maintained on a continuing and regular basis. Accordingly, it is very important that organisations routinely conduct a compliance audit to evaluate the extent to which standards are being complied with. Should the audit reveal areas in which the company is falling down, it is also crucial that immediate steps be undertaken to improve the performance of the individuals or unit concerned.
(v) Form a quality legal review team Many businesses set up a legal quality team, for example, taking into account the requirements of AS 3806. Non-application specific quality standards such as British Standard 7229-1989 suggest three levels of audit:
First party or internal audit performed by the organisation itself.
Second party audit performed by one organisation (for example, customers) on another.
Third party audits carried out by an independent agency (for example, a law firm).
What should be measured? Examples include complaints from customers, competitors, warranty claims and returned products. In short, any area in which a potential legal dispute may arise. Questions should also be asked about the legal knowledge of employees and the effectiveness of their training.
(vi) Readjust as necessary One of the best definitions of success is 'the constructive application of failure'. A sound legal compliance program will use the information gained from the audit to make adjustments to its business procedures and training to ensure that legal compliance is achieved and maintained through the critical period, and that an ongoing framework of general compliance remains.
(vii) Keep up to date and re-educate Legal compliance is not a matter of formulating a once-off plan. The vast proliferation of new laws, regulations and standards at international, national, state and local levels points to how important it is to keep up to date. Thus, management and employees must regularly re-train to make sure that their knowledge of the laws governing their industry is current. This is the best way to avoid both problems with administrative agencies and potential law suits.
The failure of a business to provide adequate training has often received adverse comment from the courts. For example, in regard to the Trade Practices Act 1974 (Cth) in assessing a penalty for infringement of the TPA, LOCKHART J noted in Trade Practice Commission v ICI Australia Operations Pty Ltd (1992) ATPR 41-185, 'There is no evidence that [the three executives directly involved] received any compliance training before, during or since the commission of the offences.'
Similarly, in Trade Practices Commission v CSR Ltd (1991) ATPR 41-076, the Court noted that despite the fact the defendant had a compliance program which included a manual and set of lectures, the program had not been updated for ten years and no lectures had been presented to employees in the three years leading up to the violation. The lesson to be learned is that employers should specifically identify the legal risks faced by particular employees and make sure that those employees receive sufficient legal education so that employees know what is going on and can take proper action, including seeking legal advice to prevent a problem rather than doing nothing until a lawsuit has already been filed.
(viii) Participate in Industry Bodies and Trade Associations One of the best ways to maintain a competitive edge is to keep informed about what is happening in the industry by way of Y2K experience and remediation schemes and systems and to have some input into the direction a particular industry is headed and to be actively involved in collective associations relevant to solving the Y2K problem in your particular industry. Similarly, industry or trade representatives today frequently are asked to be represented on most agencies and councils which advise the government in its policy making on the Y2K problem.
(ix) Insure against legal risk Another vital element of legal risk management is adequate insurance coverage. An organisation's insurance cover should be regularly reviewed and monitored, especially in light of changes to the law which heighten exposure to the risks of litigation. This is especially true for areas such as product liability which can involve expensive and protracted litigation. Unfortunately, many businesses fall down in this area as exemplified by studies which show that many firms do not have adequate management risk policies. For example, despite the introduction of a new and more comprehensive product liability law in Australia a few years ago, many firms have not re-evaluated their insurance policies in light of the legislative changes.[22]
If there is an important lesson to be learned from problems caused by interruption to computer supervised or managed manufacturing systems, such as the flow-on effects of the recent gas explosion in Victoria, it is that prudence dictates that appropriate contingency plans for dealing with interruptions be laid.
Economic pressures through the 1980s and 1990s, have resulted in the reduction of inventory costs in manufacturing industries through the adoption of just-in-time (JIT) stock ordering and delivery techniques. This has meant that at any one time, on hand stocks are at such a level that anything more than a small interruption to supplies could prove catastrophic. Problems can be expected to occur for firms using JIT when their supply forecasting horizon extends beyond January 1, 2000, especially in industries which typically have long cycle times of 2-3 months such as semi-conductors.[23]
Any decision to temporarily shift from JIT stockholding to stockpiling is not a simple matter, as the philosophy and its associated physical arrangements are integrated into the organisation’s infrastructure, with specialised equipment layout, shift scheduling, warehouse capacity and the like.[24]
Added to this is the probability that in the 12 months leading up to January 1, 2000, other users of the same raw materials or finished products sought to increase their own stockholdings, with a resultant surfeit of demand over supply and the increase in stocks. While this situation provided a temporary boom as producers increased production to meet this higher demands, there is a down side in that in the period after January 1, 2000 demand, and therefore production, is expected to fall off as businesses draw down on their stock at hand and seek to return to JIT.[25]
Once a firm has gone to JIT, the options for returning to 'bloated' inventory are limited by such simple factors as a lack of physical storage space and the reversion of efficiencies made in manufacturing and therefore adversely impact of the firm’s competitiveness vis-á-vis firms with satisfactory legal compliance.
Recognition of the potential for the lack of downstream legal compliance to cause expensive, and in some cases potentially fatal, interruptions to essential components by the five largest US car makers was evident in their Y2K plans. Chrysler, Ford Motor Company, General Motors (GM), Volvo, and Toyota Motor Manufacturing North America worked with an industry trade group to survey 125,000 global suppliers of automotive components. These surveys helped the industry assess how prepared they were, and helped the car makers to determine what they needed to do to get on track for Y2K compliance. All five car markers reported that the ongoing effort helped to ensure that they were not caught off guard by problems that could have been foreseen and also made suppliers more aware of exactly what needed to be done.[26] In Europe, Volkswagen, Daimler-Benz, BMW, Porsche, Peugeot, Citroen and Renault contracted with AIAG to distribute the survey to their suppliers.
In taking this approach, these manufacturers clearly recognised that JIT is not just about minimising a company’s inventory investment by having a certain level of stock at hand at any one time, but is about sharing demand projections into the future, so that the supplier can be ready with material when it is needed.[27]
As learning organisations, it is useful to identify several specific strategies which were utilised by firms dealing with the Y2K, which strategies point the way to best practice in dealing with other system wide problems.
A major feature of Y2K preparations was the audit of a firm's technology. Consistent with modern developments in auditing theory and practice, organisations should audit their performance so that they meet organisational goals and ensure that what is said to be done is actually done. An audit should also have much in common with an on-going evaluation of process and outcomes. Where the firm is involved in a value chain, this audit will also have to consider the linkages with suppliers, transporters and all others who are part of the business network.
Importantly, dealing with problems such as the Y2K bug required a disciplined effort with legal, technical and management perspectives all contributing. In tackling a major problem, such as the Y2K , a business or organisation should establish a Y2K Task Force to conduct the audit. Modern organisations will increasingly rely on such interdisciplinary teams. Such teams will also collaborate with teams in related organisations to form a business network which in a global economy can span across numerous countries.
Addressing the Y2K problem had to be a firm-wide effort. The clear lesson is that management should allocate sufficient time, personnel and budget resources to address testing and correction of hardware, facilities, databases and software. There should also be an established procedure for regular reporting by the Task Force to the organisation’s senior management and directors. In short, the organisation should develop a unified approach to compliance which both avoids risks and achieves business goals. As shown by the expenditures on Y2K, legal compliance costs money and sufficient resources must be allocated to it if risk management is to be achieved and other business gains are to be realised.
The Y2K issue also highlights the reality that what happens to suppliers and others in a business network can have an impact on all members of the network. In conducting their legal audit firms had to identify for each element developed and/or supplied by a third party, the relevant third parties and these vendors reviewed to determine the scope, if any, of the vendor's ongoing contractual obligation to ensure Y2K compliance. In this effort, it was important to determine whether there was a specific Y2K warranty, a warranty that the element would satisfy the specifications, or maintenance obligations that include compliance.
The discussion about networks leads to another lesson learnt from dealing with the Y2K issue. In dealing with the Y2K issue, many directors and officers became more aware of their legal exposure. To avoid personal liability, directors and officers came to realise that they had to meet the applicable legal standards of care in action to solve the Year 2000 problem at their company. The lesson: directors and officers' efforts should be carefully documented to defences under the due diligence and business judgment in the event of litigation over the company's failure to solve a problem in whole or in part. The Y2K problem should be seen as a continuing evolution of notions of corporate governance through which officers, directors and board members must find their way. As the public becomes more involved as shareholders, one would predict that risk management policies such as audit and remuneration committees will become more prevalent. The challenge for 21'st Century leaders will be to know when to take risks and when to play safe and to have in place policies and procedures so that one can balance entrepreneurial flare with due caution.
As they were preparing for Y2K issues, many firms also became more focused on the importance of understanding and carefully reading the fine print of their contracts with others. Of course, it is imperative to take such precautions BEFORE the contract is signed. One should be especially careful to review any indemnification provisions and any liability insurance policies taken on behalf of the corporation's officers and directors. Where any deficiencies in coverage are found, appropriate remedial action should be taken. Management should also review third-party agreements and correspondence related to software licenses, hardware purchases, maintenance service agreements and similar arrangements to determine the appropriate apportionment of liability for any compliance failures.
We are already beginning to see the emergence of a number of post Y2K lawsuits in which the issue is whether a firm's insurance policy covers the cost of Y2K remediation. After Y2K, firms are more likely to realise that another important company asset consists of the its insurance policies. Firms should locate and inventory all policies (including first party property and casualty and business coverage, third party liability, errors and omissions, directors and officers coverage, and fiduciary policies). The company should then conduct a careful legal analysis of each policy to determine (1) whether any policies provide coverage for fix costs, and (2) whether the company and its directors and officers are adequately protected from potential claims arising from technology and other failures
The Y2K issue also made firms cautious about what they might be getting into should they merge with or acquire another firm. In a global economy, many have predicted an increase in merger and acquisition activity, the most recent example of which was the AOL and Time-Warner merger. Yet, a global and networked business world is very vulnerable in that technology faults in one part of the organsiation can have major ramifications elsewhere in the chain or network. Completing an M&A transaction without due diligence and contractual safeguards on technology issues is a prescription for inheriting a potentially enormous liability and compounding a company's existing problems. The due diligence process requires expert assistance to determine reliably the nature, extent and potential problems the acquiring company may inherit. The M&A contracts should include representations, warranties and indemnities on the subject, and, where appropriate, escape clauses in the event post-acquisition due diligence reveals problems larger than anticipated. The company should approach due diligence no differently than environmental due diligence is now customarily conducted, but with even greater care because the potential liabilities are larger.
Another result of the Y2K experience for many firms was an increased awareness of intellectual property issues. The catch-phrase of the Information Age is 'knowledge management' and the Y2K issue highlighted some of the legal difficulties and uncertainties which exist in this area. Achieving Year 2000 compliance often required inter-company access to information that was sensitive and proprietary. Protecting the company's trade secrets and intellectual property, while at the same time obtaining necessary access to other companies' proprietary information, is not a simple matter of drafting and signing non-disclosure agreements. Establishing the legal framework for innovative escrow arrangements, monitored access and usage procedures and other new legal mechanisms were required. Given that trade secrets and intellectual property are increasingly the life blood of many companies, this challenge was overcome only through legal creativity and an unprecedented degree of inter-company cooperation. In short, a firm's intellectual property is one of its most valuable assets and it must be managed.
Another useful strategy emerging from the Y2K experience was the effective use made by some firms of the Internet to keep people aware of and advertise Y2K readiness by referring everyone to a single source of the latest information about a company's Y2K status.
The Y2K problem also highlights how important it is for firms to keep up to date with latest developments. One of the best ways to do this is to be proactive in the industry. In the case of Y2K, it was commendable how whole industries cooperated, exchanged information and provided assistance. Governments, too, should be commended for their proactive work in providing assistance with the Y2K issue. It is hoped that the same spirit of cooperation and whole of government and industry approach can be applied to other major problems.
Notwithstanding the media's attraction to major disasters ,it is often the case that what doesn't happen is more significant that what does; that what goes on behind the scene is more important than what is prominent in the headlines. In the case of the Y2K problem, the real story is the remarkable effort and spirit of cooperation evidenced by firms, governments and others in ensuring that we entered the Year 2000 with reason to celebrate. There are many valuable lessons to be learnt from this experience which will greatly assist lawyers, managers, directors, IT people and all who continue to work so that the benefits of a Digitial Economy and the dreams of an Information Age are fully realised.
Australian National Audit Office (ANAO) 1998 Getting Over the Line. Selected Commonwealth Bodies Management of the Year 2000 Problem, Canberra: AGPS.
Anderson, S 1996 'Directors at risk from policy flaws', The Australian Financial Review, July 30, 1996, p. 2.
Asher, A 1997 'Carrot and stick--recognising compliance', ACCC Journal No 9, June, p. 2.
Ashton-Davies, S 1998 The Australian, August 25, 1998, p.54.
Attorney General Department E-news on Copyright No 4, October 23, 1998.
Bennett, A 1996 'Expensing computer change to 4-digit years in 2000 is appropriate, practitioner says', BNA Management Briefing, July 23, 1996.
Burkholder, S 1996 'Switching computers to 4-digit years in 2000 to be an expense, not capitalized', Taxation, Budget and Accounting (BNA), July 19, 1996, no. B9 at G-3.
Cairncross, F 1998 'Time runs out', The Economist, September 19, 1998.
CCH Trade Practices Reporter, 1-356 at p. 824
Clout, J 1998 'Y2K dangers are still being ignored', Australian Financial Review, December 15, 1998, p. 39.
Cohen, F 1994 A Short Course on Computer Viruses (2nd ed.), New York: Wiley Professional Computing, p. 2.
Comeggs, WB 1992 Antitrust Compliance Manual: A Guide for Counsel and Executives of Business and Professions, 2nd ed. New York: Practising Law Institute.
Deacons Graham & James 1998 Year 2000 Statement. 500 Days Left. Are you Ready?
De Jaeger, P 1998 Chilling litigation – building bug-free software is virtually impossible, but where is the line between reality and being responsible for your product? Behind the News, CMP Media October 12, 1998, Issue 704.
Dee, B 1997 'Characterising conduct as 'behavioural' or 'procedural': a new paradigm', ACCC Journal, No 12, December, p. 20-23.
Eisenstein, L & Button, KK 1998 'Year 2000 contingency planning: A legal perspective' Electronic Commerce & Law Report, Vol. 3 No. 39, October 14, 1998, pp. 1216-18.
Enterprise Computing Vol 20, Issue 36, September 7, 1998.
Finding a Balance. Towards Fair Trading in Australia, Canberra: AGPS, 1997.
First B-D enforcement cases brought over failure to report on Y2K readiness, Electronic Commerce & Law Report, Vol.3, No.41 October 28, 1998 p.1251.
Head, R 1998 'Insurers Weigh Y2K Risk' in The Australian, August 25, 1998, p.54.
Hughes, G 1986 'Computer contracts - the maze of implied terms', The Australian Accountant, Vol. 56, No. 5, (June), 64.
Hugo, I 1998 Managing Y2K: A Code of Practice for Small and Medium Enterprises, Standards Australia.
James, D 1997 'The benefits you perceive come from the knowledge you receive', Business Review Weekly, May 5, p. 74.
Jinnett J 1996 'Legal issues concerning the Year 2000 'Millennium Bug'', URL http://www.year2000.com/archive/legalissues.html.
Krieger, M 1996 'Drafting tip: the threat of 2000 calender clause protection', Cyberspace Lawyer, v. 1 (2) (May), 1996.
Litigation concerns: A big priority, Electronic Commerce & Law Report, Vol.3, No.41 October 28, 1998 p.1252.
Lyons T 1997 'Legal guidelines on Millennium date change issues' URL http://www.year2000.com/archive/legalguide.html.
Macleary, J 1998 ‘Millennium bug bill reaches $10b’, The Australian, December 2, pg. 25.
Mealey's Year 2000 Report No. 7/98. URL http://www.westlaw.com
and URL: http://mealeys.com.ipr.html#y2k.
Meyer, JA 1998 'Y2K changes climate for mergers, acquisitions', Electronic Commerce & Law Report Vol.3, No.41 October 28, 1998, p.1253.
Meyer, RL & Hock SL 1997 'Legal issues and risks of the Year 2000 problem', URL http://www.year2000.com/archive/meyer-hock.html
New Zealand Herald, February 22, 1997.
Omnibus spending bill includes $3.4 billion in emergency funds for Y2K computer glitch, Electronic Commerce & Law Report, Vol. 3, No.41 October 28, 1998 p.1252.
Pusey J 1997 'Year 2000 impact analysis', URL http://www.year2000.com/archive/impact.html
Raysman, R & Brown, P 1998 ‘Preparing for a Y2K compliance audit’, The New York Law Journal, January 13, pp. 35-39.
Reid WS & Brower S 1996-97 'Beyond awareness: ten management and ten legal pitfalls regarding the Year 2000 computer problem that you may not have considered yet', URL http://www.year2000.com/archive/beyond.html.
Sharpe, B 1997 'Legal due diligence system ineffective', Australian Company Secretary (August) p. 287
Taylor, M 1998 ‘No assurances from audit office’ The Canberra Times December 21, p.3.
Tomasic, R, Jackson J & Woellner, RH 1996 Corporations Law: Principles, Policy and Process, Sydney: Butterworths
[1] Eugene Clark is Pro Vice-Chancellor and Professor of Law, University of Canberra. George Cho is Assoc Professor of Geographic Information Systems and the Law and Arthur Hoyle is Lecturer in Law at the University of Canberra. They are the authors of Y2K: Avoiding the Legal Byte, Prospect Publishing 1999. Parts of this chapter have appeared in the above mentioned Y2K Prospect publication and in and Going Digital 2nd Edition, also by Prospect Publishing, Sydney.
[2] Fels, Prof Alan (1999), 'Compliance programs--the benefits for companies and their stakeholders', ACCC Journal, Issue 24 (December), pp. 14-18.
[3] Mizutani, Eiji, ‘The Japanese management model--from ningen soncho to jiyu to jiko sekinin’, Benefits & Compensation International, Vol. 27, No. 3 Pg. 8-18; ISSN: 0268-764X, Pension Publications Ltd 1997.
[4] Forbes 22 May, 1995, at 240.
[5] See generally, Nimmer, Raymond T, Information Law, Warren, Gorham & Lamont, Boston, 1996 and 1997 Supp.
[6] Ibid, at p. ix.
[7] Ibid.
[8] See, J Shoven, “Intellectual Property Rights and Economic Growth” in Intellectual Property Rights and Capital Formation in the Next Decade 46 (1988).
[9] Nimmer, op cit, at par 2-10.
[10] Granat, RS, ‘The New Economy and the Virtual Law Firm of the Future: Introduction to Change in Structure of the Legal Profession’, URL Http://www.digital-lawyer.com/virtual2.html (Centre for Law Practice Technology).
[11] See eg, Feist Publications, Inc v Rural Telephone Serv Co, [1991] USSC 50; 499 US 340, 111 S Ct 1282, 113 Led2d 358 (1991); Lotus Dev Corp v Borland Int’l, Inc[1995] USCA11 37; , 49 F3d 807 (1st Cir 1995), aff’d [1996] USSC 5; 116 S Ct 804 (1996). See generally, Nimmer, op cit, at par 2-10.
[12] Cited in Nimmer, at par 1.02.
[13] Note that business can now have access to more than 6000 Australian Standards available (for a subscription) on-line at URL: http://.www.standards.com.au/software-services/products/asonline/default.htm.
[14] This Code of Practice is available from Standards Australia officers as well as their on-line catalogue at URL http://www.standards.com.au. See also Hugo, I 1998 Managing Y2K: A Code of Practice for Small and Medium Enterprises, Standards Australia.
[15] Comeggs, WB (1992) Antitrust Compliance Manual: A Guide for Counsel and Executives of Business and Professions, 2nd ed. New York: Practising Law Institute, p. 4.
[16] ibid. pp. 364-65.
[17] Dee, B (1997) 'Characterising Conduct as 'behavioral' or 'procedural': a new paradigm', ACCC Journal, No 12, December 1997, p. 20-23.
[18] ibid, p. 21.
[19] ibid, p. 22.
[20] Some leading cases include Supermarkets v Nattras (1972) AC 156; Timpson v Nattrass (1973) Crim LR (QB) 197. See Sharpe, B 1997 'Legal Due Diligence System Ineffective' (August) Australian Company Secretary, p. 287; Asher, A 1997 'Carrot and stick--recognising compliance' ACCC Journal No 9, June, p. 2.
[21] James, D (1997) 'The benefits you perceive come from the knowledge you receive', Business Review Weekly, May 5, 1997, p. 74.
[22] See Anderson, S (1996) 'Directors at Risk from Policy Flaws', The Australian Financial Review, July 30, 1996, p. 2.
[23] Duncan Kinder JIT and Y2K Shutdown PLI Year 2000 Law List <PLI-Y2K LAW@PLLEDU> November 5, 1998.
[24] Duncan Kinder JIT and Y2K Shutdown PLI Year 2000 Law List <PLI-Y2K LAW@PLLEDU> November 4, 1998.
[25] Don Taylor JIT and Y2K Shutdown PLI Year 2000 Law List <PLI-Y2K LAW@PLLEDU> November 3, 1998.
[26] Automakers get a jump start on Y2K compliance with trade group. URL http://www.infoworld.com/cgi-bin/displayArchive.pl?/98/36/e03-36.61.htm.
[27] Thomas Workman JIT and the Y2K Shutdown PLI Year 2000 Law List <PLI-Y2K LAW@PLLEDU> November 5, 1998.
AustLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/1998/13.html