
Compliance Management policy

This is the current version of this document.

Section 1 - Preamble

(1) This Procedure is effective from 1 August 2022.


Section 2 - Purpose

(2) This Policy sets out how the University fulfils compliance obligations relating to its operations and maintains a high awareness of compliance obligations among staff and associates.


Section 3 - Scope

(3) This Policy applies to all staff and associates.


Section 4 - Policy

(4) The University is committed to the highest level of compliance with relevant legislation, regulations, standards and codes. The University fulfils its compliance obligations through strong governance and leadership, a culture of compliance and a robust set of policies and values.

(5) The University will implement effective compliance management practices, consistent with national and international standards, specifically ISO 19600:2015 - Compliance Management Systems and including references to AS3806:2006 - Principles.

(6) The University will maintain and implement policies which promote compliance with relevant legislation, regulations, standards and codes. In accordance with the Policy Framework policy authors must obtain legal advice from General Counsel when drafting policies relating to legislative obligations.

Staff awareness and training

(7) Staff and associates, as outlined in the Code of Conduct, must uphold standards of ethical and professional behaviour, and comply with all applicable legislation, regulations, standards and codes.

(8) The University will support staff and associates to understand their role in managing compliance obligations by providing education, training and information. Compliance training will be provided to all staff and associates during the on-boarding process. Staff will be required to complete refresher and/or additional compliance training modules in accordance with their role and responsibilities.

(9) Staff and associates must report actual or potential breaches of a compliance obligation in accordance with section 5 of this Policy.

Leadership roles and responsibilities

(10) The University will instill and maintain a high level of awareness among staff and associates of their compliance obligations. Responsibility for fulfilling compliance obligations is spread across the University.

(11) The University Council is responsible for setting the tone for a culture of compliance at the University. The Council has approved a Risk Appetite Statement that stipulates that Deakin has no appetite for non-compliance with legislative and statutory requirements.

(12) The Audit and Risk Committee of Council is responsible for:

  1. the effective oversight of the compliance management processes
  2. ensuring that an appropriate program of compliance management is maintained by the University
  3. monitoring how actual or potential non-compliances are addressed and rectified, and reporting to Council as appropriate.

(13) The Academic Board is responsible for overseeing academic risks and compliance.

(14) The Vice-Chancellor, the Executive, and Director, Audit, Risk and Business Continuity are responsible for providing leadership and demonstrating commitment to the University's compliance management processes.

(15) The General Counsel is responsible for providing legal advice on matters relating to compliance with external legislation and University legislation.

(16) Compliance Obligation Owners are staff members with knowledge and expertise to manage compliance in their areas of responsibility. The relevant member of the Senior Executive Team or senior manager, in consultation with Risk, Compliance and Business Continuity, will nominate Compliance Obligation Owner(s) within each area.

(17) Risk, Compliance and Business Continuity is responsible for:

  1. maintaining the University’s compliance website to assist staff members and especially Compliance Obligation Officers to meet their compliance responsibilities
  2. the University's risk and compliance management requirements and practices, compliance management process support, and training
  3. reporting of compliance management activity to the Vice-Chancellor, Senior Executive Team, Audit and Risk Committee and Council
  4. maintenance of the University compliance obligation register
  5. partnering with Compliance Obligation Owners to ensure ongoing compliance, including to capture information relating to changing legislation, regulations, standards and codes to ensure implications for the University are well understood and actions implemented
  6. supporting Compliance Obligation Owners, where needed, in the investigation of non-compliance.

Section 5 - Procedures

Compliance obligation registers

(18) General Counsel and Risk, Compliance and Business Continuity will work with Compliance Obligation Owners to ensure that each area’s legislative compliance obligations are identified and recorded in a compliance obligations register.

(19) The General Counsel will provide legal advice on compliance obligations as required.

(20) Compliance obligation registers must detail each area’s compliance obligations and record information on responsibility for compliance outcomes and controls in place to manage the identified compliance obligations and achieve desired behaviours.

(21) Each area’s compliance obligation register must be reviewed at least annually to ensure that it is up-to-date.

(22) Risk, Compliance and Business Continuity will consolidate and distil information from each area’s compliance obligation register into the overarching University compliance obligation register.


(23) Risk, Compliance and Business Continuity will work with Compliance Obligation Owners to ensure that compliance obligations are managed proactively and proportionately according to current risk exposure and effectiveness of existing controls.

(24) Compliance Obligation Owners, in consultation with the Risk and Compliance Unit, undertake a risk assessment of current, new or amended compliance obligations, using the Risk Management policy Schedule A: Risk Matrix. The risk assessment is included in the Faculty, Institute and Portfolio risk profile.

(25) Compliance risks inform the University's Headline Risk Report and the University's compliance management priorities in accordance with the University’s Risk Appetite Statement.


(26) This Policy mandates two types of reporting, both coordinated by Risk, Compliance and Business Continuity. Other University policies require reporting on compliance with those policies. Such reporting may inform but is separate to the reporting required under this Policy.

Annual compliance attestation

(27) Members of the University’s Senior Leadership Team are required to complete an annual compliance attestation covering their area of responsibility to the Vice-Chancellor and Chief Financial Officer.

(28) Senior leaders must consult with Compliance Obligation Owners in their areas (unless they are themselves that person) to complete the attestation.

(29) Risk, Compliance and Business Continuity will consolidate all attestations into a report to the Audit and Risk Committee and Council to accompany consideration of the University’s annual financial statements and Annual Report.

Reports on instances of notifiable non-compliance

(30) For the purposes of this Policy, a notifiable non-compliance (actual or potential) is classified as a contravention of a compliance obligation (legislative or regulatory) that is either notifiable to a regulator and/or external body or represents a significant material non-compliance.

(31) Any staff member or associate who becomes aware of a notifiable non-compliance must:

  1. coordinate immediate action to contain the instance of notifiable non-compliance
  2. ensure evidence that may be valuable for an investigation is maintained and not compromised
  3. immediately report notifiable non-compliances to the Compliance Obligation Owner, who must assess the report and escalate it as necessary to the relevant member of the Senior Executive Team, the Vice-Chancellor, Regulator and/or the General Counsel
  4. concurrently notify Risk, Compliance and Business Continuity by emailing:

(32) The University requires notifiable non-compliances to be reported to the Senior Executive Team, Vice-Chancellor, Audit and Risk Committee and Council as soon as possible after they occur.

(33) All staff and associates who may access confidential and personal information in the course of managing non-compliances must comply with the requirements of the Privacy policy.

(34) Staff who are aware of a notifiable non-compliance and fail to report the non-compliance may be subject to disciplinary action in accordance with the Staff Discipline procedure.

(35) In addition to the reporting set out at clause 32 above, Risk, Compliance and Business Continuity will report on notifiable non-compliances and the remedial and improvement actions implemented to the Audit and Risk Committee annually, the Senior Executive Team quarterly and other University committees as appropriate.


Section 6 - Definitions

(36) For the purpose of this Policy:

  1. Associates: contractors, consultants, volunteers, visiting appointees and visitors to the University
  2. Compliance commitment: requirement that an organisation chooses to comply with.
  3. Compliance obligation: Compliance obligations are those imposed by legislation, regulations, standards and codes to which the University is bound.
  4. Compliance obligation register: a record maintained by Risk, Compliance and Business Continuity, Faculties, Institutes and Portfolios used to identify the University's compliance obligations and to assess the risk, impact and likelihood of non-compliance with these obligations. Key compliance activities and controls for these obligations are documented within the register.
  5. Incident: An incident is a form of non-compliance or other control failure that is not a reportable non-compliance (i.e. contravention of a statutory or regulatory obligation). Incidents may include a breakdown of business process or operational procedures not otherwise deemed to be a contravention of a Compliance Obligation. An example of this may be system downtime that may affect compliance. Incidents fall outside the scope of this Policy and are to be dealt with by the relevant business unit.
  6. Material: A material non-compliance will depend upon the individual circumstances of the breach. A number of factors may contribute to a material non-compliance: the number or frequency of similar non-compliances, the impact of the non-compliance or likely non-compliance, and an application of a lesson learnt leading to quality improvement and training.
  7. Non-compliance: an occurrence of non-compliance with applicable legislation, regulations, standards and codes. An unintentional or deliberate act or omission, which leads to the University and/or staff member(s) failing to meet their compliance obligations.
  8. Notifiable non-compliance: a legislative non-compliance reportable to the regulator or government authority
  9. Risk: the 'effect of uncertainty on objectives' as defined in ISO 31000:2018 Risk Management - Principles and Guidelines. Risk is typically characterised by reference to potential events, and measured in terms of a combination of the likelihood of the event occurring and the consequence if the event were to occur.