Compliance Framework Review for Utilities Provider
This case study centres on Talisman Technical’s advisory role in reviewing and improving a utilities provider’s Corporate Compliance Management System (CCMS). Tasked with evaluating the existing framework against ISO 37301 standards and developing a comprehensive improvement strategy, we took a multi-phase approach aimed at enhancing compliance management practices, clarifying obligation ownership, and creating an actionable three-year implementation roadmap.
Background
The client is a major utilities service provider in Australia, serving hundreds of thousands of residential and commercial properties. As a heavily regulated utility provider, the company had developed a Corporate Compliance Management System (CCMS) aligned with ISO 37301 standards to manage compliance risks and enhance operational efficiency.

The need for a compliance framework review emerged from several factors. Compliance obligations were complex and required a structured governance model. Additionally, a new Governance, Risk, and Compliance (GRC) system implementation presented an excellent opportunity to refresh compliance practices.

Through initial discussions, several key challenges were identified. These included duplication of compliance efforts across different teams, lack of standardised compliance risk assessment processes, and the need for improved integration of compliance activities with overall risk management. Manual processes for compliance obligations tracking created administrative burden, while unclear obligation ownership and accountability hampered effective compliance management.

The project objectives were to evaluate the current state of compliance maturity against ISO 37301 standards, define clear ownership of compliance obligations, provide recommendations on effectively embedding obligations within the business, and develop a strategic roadmap for improving compliance practices.
Approach
Our involvement in the project was structured into five phases.

In the Establish & Onboard phase, we engaged stakeholders across the organisation, confirmed scope, timing, and collaboration tools, established the project governance approach and routines, and developed a stakeholder engagement plan.

During the Assessment & Analysis phase, we conducted stakeholder interviews and document reviews, assessed existing compliance policies and their integration with enterprise risk management, and identified gaps against ISO 37301 standards and best practices. We also developed and tested hypotheses about key issues in the compliance framework and created a comprehensive SWOT analysis of the current compliance management approach.

The Strategy Development phase involved developing a Compliance Management Improvement Strategy focusing on people & culture, processes & governance, and systems & data. We defined “obligation owner” roles and created guidance on operationalising the framework. The team utilised the “ABCD Strategic Conversation” workshop method to navigate from current state to future vision, which proved effective in engaging stakeholders and building consensus.

For Implementation Planning, we designed a three-year roadmap for compliance improvement, prioritised 16 specific initiatives to enhance compliance management, developed detailed project charters for key improvement initiatives, and established key milestones and performance indicators.

The final Project Closure phase involved finalising deliverables, conducting a close-out meeting, and handing over all artefacts, including detailed implementation plans, to ensure the client could execute effectively.
Outcomes
The execution of the project achieved significant milestones across several key areas.

The Compliance Management Improvement Strategy established a three-year strategic vision centred on achieving an “Integrated” level of maturity, introduced structured compliance ownership roles, and defined compliance governance mechanisms to drive accountability across the organisation.

For Obligations Ownership and Operationalisation, we developed a framework for allocating compliance responsibilities across teams, linked compliance obligations with risk owners to improve accountability, and created objective test criteria for assessing potential roles for assignment of obligation ownership. This approach removed ambiguity and created clear lines of responsibility.

Risk and Compliance Integration was enhanced through the introduction of an integrated Three Lines of Defence model to improve compliance oversight, better alignment between legal compliance and enterprise risk management, and recommendations for integrating obligation ownership with risk ownership to simplify frameworks and reduce duplication.

The implementation of the GRC System was addressed by creating plans for configuring and deploying a centralised compliance management system, developing approaches for automated compliance tracking, reporting, and audits, and designing the integration of legal subscription services to automate legislative updates, significantly reducing manual effort. A framework for a Compliance Management Playbook for internal use was developed to support sustained implementation.

The long-term benefits of this project are substantial. The client can expect improved compliance maturity through strengthened governance and assurance frameworks, operational efficiency from reduced duplication of compliance activities across teams, and enhanced regulatory readiness to ensure alignment with evolving regulatory requirements.
Additional benefits include enhanced accountability through clarified roles and responsibilities, integrated governance with better alignment between risk and compliance functions, and automated processes to reduce administrative burden. The success of this project has positioned the client to significantly enhance its compliance management capabilities, integrate compliance more effectively with risk management, and create a more mature and efficient approach to meeting its regulatory obligations.