Compliance Management Procedure

This is not a current document. To view the current version, click the link in the document's navigation bar.

Section 1 - Preamble

(1) This Procedure was approved by Council on 29 October 2014. It is made pursuant to the Risk and Compliance Management Policy and has one schedule: the Risk Matrix Table.

Section 2 - Purpose

(2) To outline the requirements for recording, prioritising and monitoring the University's compliance obligations as part of an integrated risk-based compliance approach to effective corporate governance.

Section 3 - Scope

(3) This procedure applies to all staff and associates of the University.

Section 4 - Policy

(4) Refer to the Risk and Compliance Management Policy.

Section 5 - Procedure

(5) The University's compliance management program is based on the AS 3806-2006 Australian Standard: Compliance programs. The Compliance Management Framework articulates the process for identifying, recording, evaluating, prioritising and monitoring the University's compliance obligations. The Framework details a structure for responsibilities and accountabilities and specifies the broader compliance management approach for the University, which all staff are expected to follow.

Compliance obligations

(6) Compliance obligations relevant to the University are documented in the University's compliance obligation register which is maintained by the Risk and Compliance Office.

(7) Compliance obligations can be internal or external to the University and can be identified through a number of methods including monitoring of legislative and regulatory updates, facilitation of compliance working groups, and through other benchmarking activities.

(8) Compliance obligations are risk assessed by the Risk and Compliance Office and prioritised according to their inherent risk ratings, consistent with the University's Risk Matrix Table and the Risk Management Procedure.

(9) Compliance risks will be created for obligations with high or very high inherent risk ratings. These will link to the University's strategic risk register and inform the University's compliance priorities. All compliance risks will be subject to the risk management process prescribed by the Risk Management Procedure.

(10) The University Solicitor is available to advise all Faculties, Institutes or other areas (FIOAs) in respect of their legislative compliance obligations. The Risk and Compliance Office will work with the University Solicitor to determine the impact of non-compliance with the legislation and appropriately risk assess the new or amended compliance obligations.

(11) A Compliance Obligation Owner and a Compliance Implementation Officer will be designated for each compliance obligation; together they have overall responsibility for managing compliance with that obligation throughout the University. The most appropriate staff to hold these positions will be determined by the University Executive and/or senior management in consultation with the Risk and Compliance Office.

(12) The Compliance Obligation Owner and Compliance Implementation Officer will, in consultation with the Risk and Compliance Office, determine which FIOAs the compliance obligation applies to, and this will inform each FIOA's overall compliance profile.

(13) The Risk and Compliance Office will work with the Compliance Implementation Officer and Compliance Obligation Owner to identify the key controls relating to the compliance obligation and to record these in the compliance obligation register. Where additional controls are identified as necessary, treatment plans will be developed for implementation by the Compliance Implementation Officer.

(14) Compliance obligations and their associated controls will be actively monitored by the Compliance Obligation Owner. Changes to compliance obligations and their associated controls can be made by the Compliance Obligation Owner.

(15) The Risk and Compliance Office will work with Compliance Obligation Owners and Compliance Implementation Officers to ensure that compliance obligations are managed proactively and proportionately according to their inherent risk ratings. The Risk and Compliance Office will have an assurance schedule which will include compliance risks.

(16) The Risk and Compliance Office will provide quarterly compliance reporting to the University Executive, the Audit and Risk Committee and any other University committee as appropriate.

(17) All members of the Executive, Executive Directors and Directors will participate in the University's annual compliance attestation process. This process will be managed centrally by the Risk and Compliance Office. Results will be reported to the Executive and the Audit and Risk Committee. If breaches are identified, they will be subject to the breach identification and rectification process below.

Breach identification and rectification

(18) All compliance breaches must be reported to the Risk and Compliance Office. Staff members should be proactive and raise compliance issues of concern with their manager as soon as possible to prevent escalation, in line with what is expected under the Code of Conduct. Compliance breaches may be reported to the Risk and Compliance Office anonymously.

(19) Compliance breaches of the University's legislative, regulatory and reporting obligations will be investigated by the Risk and Compliance Office as outlined in the Compliance Management Framework. Depending on the outcome of the preliminary investigation, the Director, Corporate Governance, Risk and Compliance Services will make a recommendation on the most appropriate course of action. This may include escalation and may lead to disciplinary proceedings.

(20) A breach team, including the Compliance Implementation Officer and/or Compliance Obligation Owner, will address the breach findings in consultation with the appropriate stakeholders. On completion, the Risk and Compliance Office will ensure that all actions are documented and recorded.

(21) Records of compliance issues and non-compliance incidents must be kept in accordance with the University's Information and Records Management Policy and Procedure.

Section 6 - Definitions

(22) For the purpose of this Procedure:

  1. Associates: contractors, consultants, volunteers, visiting appointees and visitors to the University.
  2. Attestation process: a verification process undertaken by all senior staff whereby they attest to compliance/non-compliance with the obligations that are relevant to their areas of operation throughout the University.
  3. Compliance: adhering to the requirements of laws, industry and organisational standards (including University policies and procedures). It can also include principles of good governance and accepted community and ethical standards.
  4. Compliance breach: an occurrence of non-compliance with legislation, regulations, codes of practice and standards, as well as University legislation, policies and procedures.
  5. Compliance management framework: a document outlining all the relevant components and processes for compliance management across the University to ensure consistency of compliance management application.
  6. Compliance management program: the totality of structures, including methodology, training, procedures and website that provide the foundation for the University's implementation, review and improvement of compliance management.
  7. Compliance obligation: laws, regulations, codes, standards, policies and procedures the University is required to comply with.
  8. Compliance obligation register: a record maintained by the Risk and Compliance Office used to identify the University's compliance obligations and to assess the risk, impact and likelihood of non-compliance with these obligations. Key compliance activities and controls for these obligations are documented within the register.
  9. Compliance profile: a description of a set of compliance obligations that can relate to the whole University, part of the University, or as otherwise specified. This typically includes some representation of the level/magnitude of the compliance obligations and associated risks involved.