Compliance Management Policy

Section 1 - Background and Purpose

(1) The purpose of this Policy is to promote and facilitate excellence in governance and continuing improvement in compliance with all applicable laws and regulations.

(2) La Trobe University is committed to ensuring that it complies with all applicable laws and regulations.

(3) This Policy describes La Trobe University’s approach to compliance, and details the key compliance responsibilities of the University’s Responsible Officers, and the broader university community.

Section 2 - Scope

(4) This Policy applies to all:

  1. Employees
  2. Contractors
  3. Volunteers

Section 3 - Policy Statement

(5) La Trobe University is committed to ensuring that it complies with all applicable laws and regulations, and to meeting the requirements of those standards and codes of practice that apply to its day-to-day activities and responsibilities.

(6) The University operates a decentralised Compliance Management Framework, with a network of appointed Responsible Officers in relevant subject matter areas who identify, monitor and oversee compliance with all applicable Obligations within their compliance remit, in partnership with the Risk Management Office.

(7) The Risk Management Office is responsible for developing and maintaining the Compliance Management Framework and for providing advice and support to Responsible Officers as needed. The partnership between the Risk Management Office and Responsible Officers underpins effective compliance by the University.

(8) Members of the University community remain individually accountable for their actions. As outlined in the Code of Conduct, employees are required to uphold ethical, professional and legal standards of behaviour, and to comply with all applicable laws, regulations, standards, codes and University policies. Employees, contractors and volunteers are also obliged to report to their line manager any actual or potential contravention of a compliance obligation (see the Compliance Breach Management Policy).

Roles and Responsibilities

Management

(9) It is the responsibility of management to implement the compliance process for their specific areas of operational control.

Employees, Contractors and Volunteers

(10) It is the responsibility of employees, contractors and volunteers to be aware of the compliance requirements pertaining to their role within the University, to ensure that their actions comply with all applicable compliance obligations and University policy, and to undertake training in accordance with the compliance program. Employees, contractors and volunteers must report and escalate compliance concerns to their line manager.

Responsible Officers (ROs)

(11) Responsible Officers are employees assigned responsibility by the Senior Executive Group (SEG), based on their knowledge and expertise in the area they oversee; they are typically senior persons directly responsible for significant day-to-day compliance decisions. Given the geographic footprint of the University and the diverse nature of its operations, the University relies on its network of Responsible Officers to ensure adherence to all applicable obligations within their remit. Under this policy, Responsible Officers are required to:

  1. dedicate sufficient time to fulfilling their duties as a Responsible Officer;
  2. remain familiar with the University’s Compliance Management Framework and their responsibilities under it;
  3. ensure that the Compliance Obligations for their area(s) of compliance responsibility are identified, understood and documented in the University’s Compliance Obligations Library, and notify the Risk Management Office of any deficiencies in, or corrections required to, the Library, including new legislation, new compliance obligations and changes to RO allocation(s);
  4. monitor and oversee adherence (including across portfolios and campuses) to all compliance obligations for their areas of responsibility (their Compliance Remit);
  5. undertake business impact assessments with relevant stakeholders (across campuses and portfolios);
  6. provide guidance and support to employees, contractors and volunteers on relevant legislation or other Obligations, and promote a culture of compliance across the University;
  7. monitor, report and oversee all actual or potential breaches in accordance with the University’s Compliance Breach Management Policy, ensuring the adequacy of corrective action plans to reinstate compliance and mitigate the risk of recurrence; and
  8. provide certifications and other such reporting in a timely manner, in accordance with this and/or other University Policies, and respond promptly to requests for information as and where required.

(12) For more information please refer to the University’s Responsible Officer Register.

Corporate Governance, Audit and Risk Committee

(13) The role of the Corporate Governance, Audit and Risk Committee (CGARC) is to provide oversight, on behalf of the Council, of the Compliance Management Framework, including:

  1. Accountability for the effective operation of the Framework;
  2. Monitoring the key compliance requirements of the University; and
  3. Ensuring that actual or potential breaches are rectified appropriately.

Risk Management Office

(14) The Risk Management Office is responsible for managing the Compliance Management Framework, including:

  1. Establishing and maintaining the Compliance Register;
  2. Partnering with Responsible Officers to ensure ongoing compliance;
  3. Reviewing the risk analysis and prioritisation of compliance requirements;
  4. Ongoing review and continuous improvement of compliance functions;
  5. Supporting ROs, where needed, in the investigation of actual or potential breaches;
  6. Capturing information relating to changing laws, regulations and standards, and partnering with ROs to ensure that the implications for La Trobe are well understood and that any necessary adjustments are implemented effectively; and
  7. Recommending and facilitating compliance rectification activities.

(15) For detailed roles and responsibilities under this Policy, please refer to Compliance Management Framework - Roles and Responsibilities.

Section 4 - Procedures

Part A - Compliance Framework

(16) Implementation of the Compliance Management Framework involves coordination by the Risk Management Office of:

  1. the identification and prioritisation of Regulatory Compliance Obligations;
  2. the assessment and evaluation of compliance risks (in conjunction with Legal Services and Responsible Officers); and
  3. the monitoring, review and reporting of compliance performance (in conjunction with Responsible Officers).

Part B - Prioritisation of Regulatory Compliance Obligations 

(17) Compliance obligations are assigned a risk-based management priority. This enables them to be ‘grouped’ into priority categories to define the level of activity required around each element of the compliance management process. 

(18) To assist the University to achieve compliance, each Regulatory Compliance Obligation (as detailed in the University’s Obligations Library) is assigned a priority rating based on prescribed criteria (see Section 5, Definitions, for details).

(19) For more information please access a copy of the University’s Regulatory Compliance Obligations Register.

Part C - Monitoring Changes to Regulatory Compliance Obligations 

(20) To support the University’s Responsible Officers in discharging their functions and duties, the Risk Management Office provides notifications of legislative and/or regulatory changes as and when changes are identified that may affect a Responsible Officer’s compliance remit.

(21) Responsible Officers are responsible for:

  1. Proactively identifying, and liaising with the Risk Management Office on, any indicative changes to legislative requirements in their subject matter area, and assessing the likely effect on La Trobe;
  2. Once changes to acts, regulations, standards and/or codes have been passed, assessing the change and responding to the Risk Management Office with details of:
    1. the likely business impacts; and
    2. a proposed response plan outlining what actions will be taken and the timeframe; and
  3. Overseeing implementation activities to ensure that compliance is maintained.

(22) This information is captured in the University’s Regulatory Change Tracking Register and monitored through to implementation. The Risk Management Office will seek updates on the status of completion at least quarterly. Where the change required is significant, more frequent monitoring may be implemented.

(23) Regulatory compliance changes identified locally (at the business unit level), and/or arising under a licence, contract, code or similar instrument, should be brought to the attention of the Risk Management Office.

(24) The Risk Management Office also maintains a Regulatory Change Mailbox to assist Responsible Officers in monitoring legislative and regulatory changes. 

Part D - Compliance Assurance Reporting 

(25) Under this policy, Responsible Officers are required to provide periodic certification, at the frequencies specified below, of compliance with the compliance obligations relevant to their remit.

Ad-hoc Compliance Certifications (On-going)

(26) Ad-hoc Certifications are required from each Responsible Officer on an as-needed basis, as prescribed, for example, under:

  1. a contract;
  2. internal or external audit reviews; and/or
  3. annual reporting requirements (pursuant to the Financial Management Act 1994 or other laws).

Annual Compliance Certification  

(27) Annual Certification is required from each Responsible Officer, as soon as practicable after the end of each financial year, in respect of the applicable ‘Reporting Period’ (i.e. 1 January to 31 December), detailing: 

  1. Compliance achieved across the Responsible Officer’s Compliance Remit according to the ratings: 
    1. Compliant;
    2. Partially Compliant; and 
    3. Non-Compliant. 

(28) Details of any actual or potential breach identified during the reporting period, including: 

  1. any unreported breaches (actual or potential) (see the Compliance Breach Management Policy for definitions);
  2. planned and/or completed remedial actions; 
  3. associated delivery timeframes; and 
  4. accountable persons.

(29) Details of any significant compliance risks together with a detailed overview of the agreed treatment plan to remediate those risks. 

(30) Responsible Officers are also required to report actual or potential breaches in accordance with the Compliance Breach Management Policy.

(31) Annually a University compliance report will be prepared detailing compliance risks, and strategies to improve compliance. The Risk Management Office is responsible for reconciling responses and preparing summary reports for SEG and the CGARC. 

Part E - Consequences of Policy Non-Compliance

(32) Compliance with this Policy is mandatory; failure to comply may result in:

  1. mandated compliance training;
  2. monitoring/supervision of activities; and/or
  3. disciplinary action in accordance with University policy.

Section 5 - Definitions

(33) For the purpose of this Policy and Procedure:

  1. Breach: a contravention of a compliance obligation. Significant or material breaches are generally reportable to the regulator(s); see Material Breach below.
  2. Compliance: the outcome of an organisation meeting its various Compliance Obligations, made sustainable by embedding it in the culture of the organisation and in the behaviour and attitude of the people working for it.
  3. Compliance Obligation(s): obligations imposed by law, regulation, standard or code, and other licensing or contractual obligations by which the University is bound.
  4. Material Breach: a material breach (actual or potential) has one or more of the following characteristics:
    1. it indicates a systemic concern;
    2. it is required to be reported to an external body (such as a regulator, ombudsman or accreditation body); and/or
    3. it relates to a Priority One Act, Regulation, Standard or Code, as determined by risk.
  5. Priority Ratings Criterion (Overview): compliance obligations are assigned a management priority. This enables them to be ‘grouped’ into buckets, each of which defines the level of activity required around each element of the compliance management process. Given the diversity of the University’s operations, prioritisation is critical to focusing resources in recognition of the University’s obligation to comply.
  6. Priority One: means the ‘Catastrophic and Major Category’ Risk Assessment Definitions contained in the University’s Enterprise Risk Profile (as amended from time to time). For example:
    1. Long-term severe health impacts on multiple people, or fatalities
    2. Budget blow-out of >15% or losses of >$5 million
    3. Reputation and standing of the University affected nationally and internationally; long-term irreconcilable loss of confidence in LTU, and/or loss of confidence or standing for several months
    4. Significant legal action, criminal prosecution, major negative sanctions or imposition of a significant permanent onerous obligation
    5. Loss of teaching licences
    6. Significant penalties or fines of >$5M
  7. Priority Two: means the ‘Medium Category’ Risk Assessment Definition contained in the University’s Enterprise Risk Profile (as amended from time to time). For example:
    1. Any obligation not classified as Priority One or Priority Three
    2. Severe injury, multiple casualties or long-term negative health effects
    3. Budget blow-out of 10-15% or unanticipated losses of $500K-$5M
    4. Adverse media coverage or public dissatisfaction lasting from days to weeks
    5. Substantial financial penalties with costs of >$500K
  8. Priority Three: means the ‘Minor to Minimal Category’ Risk Assessment Definitions contained in the University’s Enterprise Risk Profile (as amended from time to time). For example:
    1. Injury incident requiring medical attention or only first aid
    2. Budget blow-out of <10% or unanticipated losses of <$500K
    3. Limited local public dissatisfaction and stakeholder interest
    4. Breaches that result in no disruption to the performance of duties and are confined to internal policies or procedures
    5. Financial penalties with costs of <$500K
  9. Compliant: by providing a ‘Compliant’ assurance, a Responsible Officer certifies that the University’s operations and activities are fully compliant with the obligations imposed under a particular Act, Regulation, Standard or Code.
  10. Partially Compliant: by providing a ‘Partially Compliant’ assurance, a Responsible Officer certifies that the University’s operations and activities are fully compliant with the majority of the obligations imposed under a particular Act, Regulation, Standard or Code within the Responsible Officer’s Compliance Remit. Certifications of partial compliance must be accompanied by a detailed explanation and an overview of the remediation and/or mitigation activities undertaken or agreed to reinstate full compliance; these responses are to be added in the comments field of the certification form before submission. If an obligation is not applicable, the response must specify details of the exemption, including (where applicable) any controls in place to ensure compliance with the conditions imposed, together with the date and period of the exemption.
  11. Non-Compliant: a ‘Non-Compliant’ assurance deems the University non-compliant with the majority of the obligations imposed under a particular Act, Regulation, Standard or Code within the Responsible Officer’s Compliance Remit. Certifications of non-compliance must be accompanied by the same detailed explanation and remediation and/or mitigation overview required for a ‘Partially Compliant’ certification.
  12. Compliance Deficiencies: broadly defined as an actual or potential contravention of a compliance obligation; refer to the University’s Compliance Breach Management Policy for further details. Where a compliance deficiency has already been reported during the period, the Responsible Officer need only note the exception and cross-reference the Breach when providing an attestation.

Compliance assurances may also be required under a contract or legislative instrument (e.g. the Ministerial Orders made under the Financial Management Act) or by funding bodies; those requirements must be considered when making attestations.

Section 6 - Stakeholders

Responsibility for implementation: La Trobe University’s Responsible Officers.
Responsibility for monitoring implementation and compliance: Risk Management Office.