Compliance Management Policy

Section 1 - Background and Purpose

(1) This Policy outlines measures taken by the University to fulfill compliance obligations relating to its operations and to maintain a high awareness of compliance obligations among staff and associates.

Section 2 - Scope

(2) This Policy applies to all:

  1. Employees
  2. Contractors
  3. Volunteers
  4. Council members

(3) Some compliance matters, such as those provided below, may be excluded from the requirements set out in this Policy and should be dealt with according to the prescriptions set under University policy, statute or legislation as relevant in the circumstances. These include but are not limited to:

  1. Disclosures of improper conduct relating to the University or a member, officer, or employee or contractor of the University pursuant to the Public Interest Disclosures Act 2012 (as amended from time to time) as covered by the University’s Public Interest (Whistleblower) Disclosure Policy;
  2. Disclosures made directly to the University Ombudsman;
  3. Disclosures made pursuant to staff and student complaints procedures;
  4. Reportable allegations, made pursuant to the University’s Child Safety and Wellbeing Policy;
  5. Research misconduct allegations dealt with by the Senior Deputy Vice-Chancellor (Research and Industry Engagement) (University’s Designated Person);
  6. Disclosures of injuries, incidents and hazards made pursuant to the University’s Occupational Health and Safety Policy and Procedures.

Section 3 - Policy Statement

(4) The University is committed to the highest level of compliance with relevant legislation, regulations, standards and codes. The University fulfills its compliance obligations through strong governance and leadership, the policy and delegations frameworks, staff training and communication and a culture of connectedness and accountability.

(5) As part of its Compliance Management Framework the University has appointed a network of Responsible Officers in relevant subject matter areas to identify, monitor and oversee compliance with all applicable Obligations (compliance remit), in partnership with Risk, Audit and Insurance.

(6) The University will support staff, contractors, volunteers and Council members to understand their role in managing compliance obligations by providing education, training and information. Compliance training relevant to the role will be provided to all staff, contractors, volunteers and Council members during the on-boarding process. Staff will be required to complete refresher and/or additional compliance training modules in accordance with their role and responsibilities.

Section 4 - Procedures

Part A - Roles and Responsibilities


(7) It is the responsibility of each business unit management team to ensure operations meet compliance requirements for their specific areas of operational control.

Employees, Contractors and Volunteers

(8) Members of the University community remain individually accountable for their actions. As outlined in the Code of Conduct, employees are required to uphold ethical, professional and legal standards of behaviour, and to comply with all applicable laws, regulations, standards, codes and University policies. Employees, contractors and volunteers also have obligations to report to their line manager any actual or potential breaches of compliance obligations.

Responsible Officers (ROs)

(9) Responsible Officers are employees with assigned responsibility by the Senior Executive Group (SEG). Responsible Officers are appointed based on their knowledge and expertise in the area they are responsible for overseeing, and are typically senior persons directly responsible for significant day-to-day compliance decisions. Under this policy, Responsible Officers are required to:

  1. Dedicate sufficient time to fulfilling duties as a Responsible Officer;
  2. Undertake induction and refresher training provided by Risk, Audit and Insurance;
  3. Remain familiar with the University’s Compliance Management Framework and their responsibilities;
  4. Monitor and oversee adherence (including cross portfolio and cross campus) with all compliance obligations for their areas of responsibility (Compliance Remit);
  5. Provide annual compliance attestations or other such reporting in a timely manner, in accordance with this and/or other University Policies, and promptly respond to requests for information as/where required;
  6. Notify Risk, Audit and Insurance of any deficiencies and/or corrections required within their compliance remit to meet legislative requirements;
  7. Undertake in-depth business impact assessments as a result of new or updated legislation with relevant stakeholders (cross campus and cross portfolio) and provide the assessment outcomes to Risk, Audit and Insurance when requested;
  8. Communicate any business or individual impact as a result of new or updated legislation to all impacted stakeholders (cross campus and cross portfolio, staff, contractors, volunteers, officers, Council members and/or committees);
  9. Organise training, including any required refresher training on relevant legislations within the compliance remit to all impacted stakeholders (including cross campus, cross portfolio, staff, contractors, volunteers, officers, Council members and/or committees);
  10. Provide guidance and support to employees, contractors and volunteers on relevant legislation within their compliance remit and promote a culture of compliance across the University;
  11. Action all compliance breaches within the compliance remit as soon as practicable and develop a corrective action plan to reinstate compliance and a mitigation plan to minimise the risk of reoccurrence;
  12. Oversee remediation and mitigation of all breaches within the compliance remit until compliance is reinstated and controls are in place to reduce risk of reoccurrence;
  13. Report all breaches to Risk, Audit and Insurance using the prescribed form including remediation and mitigation plans;
  14. Ensure any breaches that have a mandatory regulatory reporting requirement are reported to the relevant regulatory body within required timeframes; refer to the Mandatory Reporting Matrix for details of the person responsible for reporting.

Corporate Governance, Risk, Internal Audit and Safety Committee

(10) The Corporate Governance, Risk, Internal Audit and Safety Committee (CGRIASC) is responsible, on behalf of the Council, for oversight of the Compliance Management Framework, including:

  1. Accountability for the effective operation of the Framework;
  2. Monitoring the key compliance requirements of the University;
  3. Ensuring that all breaches are rectified appropriately.

Risk, Audit and Insurance (RAI)

(11) Risk, Audit and Insurance is responsible for the establishment and ongoing management of the Compliance Management Framework including:

  1. Establishing and maintaining the Compliance Obligations Register;
  2. Ongoing review and continuous improvement of compliance functions;
  3. Managing the Responsible Officer network including provision of induction and ongoing training and support to develop and implement control measures to meet regulatory compliance requirements;
  4. Reviewing and undertaking risk analysis of compliance requirements relating to changing laws, regulations and standards and partnering with Responsible Officers to ensure implications for the University are well understood and any necessary adjustments are implemented effectively;
  5. Communicating all new or updated Priority One rated legislations to the Senior Executive Group and the CGRIASC;
  6. Reviewing the circumstances surrounding a breach, including the adequacy of the assessment and corrective action plan to ensure the actions are taken and the risk of reoccurrence is appropriately mitigated;
  7. Supporting Responsible Officers, where needed, in the investigation of all breaches;
  8. Reviewing, monitoring and reporting of all breaches to the CGRIASC on a quarterly basis.

Part B - Compliance Management Framework

(12) The University Compliance Management Framework provides the structure, direction and oversight for the systematic, disciplined and consistent identification and assessment of legal and regulatory compliance obligations and for their effective and efficient management.

(13) The Framework details a structure for responsibilities and accountabilities and specifies the broader compliance management approach that the University has adopted.

(14) Risk, Audit and Insurance consults extensively with stakeholders across the University that have more specialised knowledge relevant to their particular areas of expertise to ensure that there is a coordinated approach to compliance.

(15) The Framework is developed and maintained by Risk, Audit and Insurance and endorsed by the Corporate Governance, Risk, Internal Audit and Safety Committee. It has been developed to encourage a positive compliance culture and minimise the risk of non-compliance. A review of the framework is undertaken every three years as part of continual improvement.

Part C - Prioritisation of Regulatory Compliance Obligations

(16) To assist the University achieve compliance, each Regulatory Compliance Obligation (as detailed within the University’s Compliance Obligations Register) is assigned a priority rating based on prescribed criteria.

(17) For more information please refer to the University’s Compliance Obligations Register.

Part D - Monitoring Changes to Regulatory Compliance Obligations

(18) Risk, Audit and Insurance provides notifications and a high-level assessment of legislative and regulatory changes to the relevant Responsible Officer when changes are identified that may impact a Responsible Officer’s respective compliance remit.

(19) Regulatory compliance changes identified locally (at the business unit level) and/or those that have arisen under license, contract or code etc. should be brought to the attention of Risk, Audit and Insurance as soon as practicable.

(20) Upon receiving the legislative or regulatory change notification from Risk, Audit and Insurance, Responsible Officers are responsible for assessing it and responding to Risk, Audit and Insurance with details of the:

  1. likely business impacts;
  2. proposed response plan outlining what actions will be taken and the timeframe; and
  3. how they will oversee implementation of any required changes to meet new obligation requirements and report progress and completion to the RMO.

(21) Risk, Audit and Insurance will capture the likely business impacts and response plans on the University’s Regulatory Change Tracking Register and monitor these through to implementation.

Part E - Breach Assessment and Reporting

(22) As soon as reasonably practicable after becoming aware of an actual or potential breach, employees are required to inform their manager by completing Part A of the Breach Notification Form.

(23) Managers are responsible for reviewing Part A of the Breach Notification Form and completing Part B of the Breach Notification Form and providing this to the relevant Responsible Officer as soon as practicable.

(24) Responsible Officers are required to analyse the information and complete Part C of the Breach Notification Form and forward to the Risk and Compliance Advisor as soon as practicable.

(25) Material breaches must be reported immediately (generally within 24 hours of becoming aware of the breach) to Risk, Audit and Insurance by the applicable Responsible Officer.

(26) Relevant business unit management, under guidance from Responsible Officers, are responsible for rectification of all breaches and must ensure implementation plans are actioned in a timely manner. Regular updates on the implementation plan must be provided to Risk, Audit and Insurance.

(27) In circumstances where the Responsible Officer believes relevant business unit management’s response to a breach is inadequate, the matter should be referred to Risk, Audit and Insurance for resolution.

(28) Any breaches that have mandatory regulatory reporting requirements must be reported to the relevant regulatory body within required timeframes by the Responsible Officer or designated authority; refer to the Mandatory Reporting Matrix.

(29) Where a Governing Body or Committee is responsible for overseeing compliance, notification is required to be made by the Responsible Officer to that Governance Committee, in accordance with its terms of reference.

(30) Risk, Audit and Insurance provides a quarterly Breach Notification Report to the Corporate Governance, Risk, Internal Audit and Safety Committee (CGRIASC).

Part F - Privacy Breaches

(31) Where an actual, potential or suspected privacy breach has been identified, the Privacy Officer should be notified as soon as possible via

(32) The Privacy Officer is responsible for initiating the University’s Data Breach Response Plan as set out in the University’s Privacy Policy.

Part G - Whistle-blowing and Protected Disclosures

(33) The University encourages employees and the broader University community to report details of any actual or potential breach they have identified, or that has recently been detected but which they are concerned may not have been adequately raised or addressed.

(34) The University recognises that whistleblowing (otherwise known as protected disclosures) is an important way of ensuring effective governance. Employees are encouraged to read the Public Interest (Whistleblower) Disclosure Policy, which outlines the additional mechanisms by which they can report any actual or suspected misconduct.

Part H - Annual Compliance Attestation

(35) Responsible Officers are required to complete an annual compliance attestation covering their area of responsibility using the self-assessment questionnaires provided by Risk, Audit and Insurance.

(36) The annual compliance attestation will be completed by the 30th of June each year and uploaded to the La Trobe Comply Online website, detailing:

  1. compliance achieved across the Responsible Officer’s Compliance Remit according to the ratings:
    1. Compliant;
    2. Partially Compliant; or
    3. Non-Compliant.
  2. Details of any significant compliance risks together with an overview of the agreed treatment plan to remediate the risks.

(37) Risk, Audit and Insurance will submit a summary report to SEG and CGRIASC detailing the University’s compliance status, risks and strategies to improve compliance.

Section 5 - Definitions

(38) For the purpose of this Policy and Procedure:

  1. Breach: a breach is a contravention of a compliance obligation. Significant or material breaches may be reportable to the regulator(s).
  2. Compliance: compliance is the outcome of an organisation meeting its various Compliance Obligations, made sustainable by embedding it in the culture of the organisation and in the behaviour and attitude of people working for it.
  3. Compliant: by providing a ‘Compliant’ assurance, a Responsible Officer is certifying that the University’s operations and activities are fully compliant with obligations imposed under a particular act, regulation, standard or code.
  4. Compliance Obligation: Compliance Obligations are those imposed by law, regulation, standard, code and other licensing or contractual obligations to which the University is bound.
  5. Compliance Obligation Register: means the register which lists external legislation, regulations, codes, guidelines and standards which identify the University’s obligations. The Compliance Obligations Register operates as an overall guide which the University has to comply with and includes priority ratings for all listed items. The obligation register also identifies the relevant Responsible Officers within the University.
  6. Material Breach: a material breach has one or more of the following characteristics:
    1. indicates a systemic concern;
    2. is required to be reported to an external body (such as a regulator, ombudsman, or accreditation body); and/or
    3. relates to a Priority One Act, Regulation, Standard or Code, as determined by risk.
  7. Non-Compliant: A ‘Non-Compliant’ assurance deems the University non-compliant with the majority of obligations imposed under a particular Act, Regulation, Standard or Code within the Responsible Officer’s Compliance Remit. Explanation and overview must accompany each partial compliance determination outlining remediation or mitigation activities to be undertaken to reinstate full compliance.
  8. Partially Compliant: By providing a ‘Partially Compliant’ assurance, a Responsible Officer is certifying that the University’s operations and activities are compliant with the majority of obligations, but not all, imposed under a particular act, regulation, standard or code within the Responsible Officer’s Compliance Remit. Explanation and overview must accompany each partial compliance determination outlining remediation or mitigation activities to be undertaken to reinstate full compliance.
  9. Priority Rating: Compliance obligations are assigned a management priority. This enables them to be ‘grouped’ into buckets, which specifically defines the level of activity required around each of the elements of the compliance management process. Due to the diversity of operations, prioritisation is critical to focus resources in recognition of the University’s obligation to comply.