Compliance Management Policy

This is the current version of this document.

Section 1 - Key Information

Policy Type and Approval Body | Administrative – Vice-Chancellor
Accountable Executive – Policy | Chief Operating Officer
Responsible Manager – Policy | General Counsel & Director of Assurance
Review Date | 29 November 2027

Section 2 - Purpose

(1) This Policy sets out the University’s approach to managing its compliance requirements. The University’s compliance framework is also intended to promote awareness and help engender a culture of compliance.

Section 3 - Scope

(2) This Policy applies to:

  1. Staff
  2. Contractors
  3. Volunteers (including honorary appointees); and
  4. Council members

(3) Certain compliance-related matters are excluded from requirements set out in this Policy and should be dealt with according to the specific processes set out in the applicable University policy or legislation. These include:

  1. Public Interest Disclosures - disclosures of improper conduct relating to the University or a member, officer, or employee or contractor of the University made under the Public Interest Disclosures Act 2012 (Vic). Public Interest Disclosures should be notified directly to the Independent Broad-based Anti-corruption Commission (IBAC) and advice can be sought from the University’s Public Interest Disclosure Coordinator in accordance with the Public Interest (Whistleblower) Disclosure Policy.
  2. Reportable Conduct – allegations of child abuse or misconduct. In accordance with the University’s Child Safety and Wellbeing Policy alleged breaches of the Child Wellbeing and Safety Act 2005 (Vic) should be reported to the University’s Child Safety Officer in the first instance.
  3. Research Misconduct - allegations of research misconduct which should be reported and managed in accordance with the Research Misconduct Procedure.
  4. Health and Safety - disclosures of injuries, incidents and hazards should be reported and managed in accordance with the University’s Health and Safety Policy and Procedures.
  5. Contractual compliance - In accordance with the University’s Contracts Policy, contractual compliance (including commitments to compliance requirements to which the University would otherwise not be bound) is the responsibility of the relevant Contract Manager.

Section 4 - Key Decisions

Key decisions | Role
Approve the appointment of Responsible Officers (ROs) | Senior Executive Group (SEG)
Determine the requirement for/adequacy of a compliance incident investigation | University Compliance Manager

Section 5 - Policy Statement

General

(4) The University is committed to the highest level of compliance with applicable legislation and regulations (compliance obligations) and the relevant standards and codes to which the University has committed to complying (compliance commitments) (e.g. the Australian Code for the Responsible Conduct of Research (2018)) (together referred to as the University’s compliance requirements).

(5) The University identifies and assesses its compliance requirements using a risk-based approach that aligns with the University's Risk Appetite Statement set by the University Council.

(6) The University aims to fulfil its compliance requirements by having:

  1. a robust Compliance Management Framework which aligns with national and international standards;
  2. practical and efficient compliance practices; and
  3. effective compliance governance at the operational, executive, and Council levels.

(7) Managing compliance requirements effectively helps the University to:

  1. fulfil its research, learning, teaching, commercial and strategic objectives;
  2. maintain standards in line with community and government expectations;
  3. protect and enhance the University’s resources, reputation and public trust;
  4. avoid legal liability (and potential personal liability for staff and other members of the University community); and
  5. avoid enforcement action, criminal prosecution, fines, and other costs and penalties.

(8) The University’s Compliance Management Framework consists of this Policy, as well as:

  1. a network of Responsible Officers and Accountable Executives;
  2. a Compliance Register which is intended to set out all compliance requirements applicable to the University and associated Responsible Officer(s);
  3. regular compliance attestations and incident reporting;
  4. legally compliant policies;
  5. induction and ongoing training regarding key compliance requirements; and
  6. periodic audits of key compliance requirements, as well as this Policy and the University Compliance Management Framework.

(9) All individuals are expected to comply with the University’s compliance requirements and promptly report incidents/breaches in accordance with this Policy and procedure.

(10) University leaders have additional responsibilities; in particular, University leaders must ensure that compliance management practices are implemented across all levels of the University in academic, strategic and operational planning, projects and processes from inception to conclusion.

(11) The University will support staff, contractors, volunteers and Council members to understand their role in managing compliance obligations and reporting compliance incidents by providing training and information as appropriate.

(12) Apart from the exclusions noted in Section 3 above, all actual or suspected breaches of the University’s compliance requirements must be reported to the University’s Compliance Manager as soon as practicable. The University’s Compliance Manager may determine the need for and adequacy of any internal investigation.

(13) Failure to comply with the University’s compliance requirements and this Policy may result in disciplinary action and/or referral to external regulatory bodies.

Section 6 - Procedures

Part A - Governance

University Council and Corporate Governance

(14) The University Council is responsible for the oversight of the University’s compliance management practices. Council sets the University’s Risk Appetite Statement, which presently states that the University has a low appetite for non-compliance with any compliance requirement.

(15) The Corporate Governance, Risk, Internal Audit and Safety Committee (CGRIASC) is responsible, on behalf of the Council, for approving and overseeing the University’s Compliance Management Framework, including ensuring:

  1. accountability for the effective operation of the Framework (which rests with the Vice-Chancellor and Chief Operating Officer);
  2. key compliance requirements of the University are monitored;
  3. reported breaches are remedied appropriately; and
  4. compliance gaps identified via the internal audit program are rectified.

Academic Board

(16) Academic Board is responsible for overseeing academic compliance requirements. This includes ensuring that the policies for which the Academic Board is the approving body comply with all relevant compliance requirements.

Part B - Roles and Responsibilities

Individuals

(17) In accordance with the University’s Code of Conduct, all staff, volunteers and Council members are required to:

  1. uphold ethical, professional and legal standards of behaviour; and
  2. comply with all applicable laws, regulations, standards, codes and University policies.

(18) Contractors are similarly required to comply with applicable laws, regulations, standards, codes and University policies when delivering services to or on behalf of the University in accordance with contractual requirements and/or directions issued pursuant to University legislation.

(19) All individuals within scope of this Policy must also:

  1. complete prescribed compliance training as part of their induction, as well as any mandated ongoing compliance training that their manager and/or the University requests they undertake and within the required timeframe;
  2. contact the relevant Responsible Officer listed in the Compliance Obligations Register, or the Compliance Manager via compliance@latrobe.edu.au if in any doubt about the University’s compliance requirements or their role as Responsible Officer;
  3. report any actual or possible compliance breaches or raise any compliance concerns as soon as practicable to:
    1. their line manager or the relevant Responsible Officer listed in the Compliance Obligations Register; and
    2. the Compliance Manager via compliance@latrobe.edu.au.

University Leaders

(20) It is the responsibility of each University Leader (e.g. Business Unit manager) to ensure that:

  1. the policies and procedures for which they are responsible are up to date and, where they reference legislation, are regularly reviewed to ensure the legal information they contain is current (the Compliance team can assist as required);
  2. their internal business processes embed and comply with the University’s compliance requirements;
  3. compliance incidents are reported to the Compliance Manager as soon as practicable;
  4. they engage in continuous improvement by reviewing the adequacy of controls and recommending/implementing new ones as appropriate;
  5. their staff are aware of and comply with the University’s compliance requirements, policies and procedures;
  6. compliance responsibilities are included in position descriptions as appropriate; and
  7. staff are encouraged to raise compliance concerns and participate in compliance training activities.

Responsible Officers

(21) Responsible Officers are staff who have been assigned responsibility for a specific compliance requirement as part of the Compliance Management Framework.

(22) The University Compliance Manager will make recommendations to the relevant SEG member to endorse the appointment of a Responsible Officer from within their portfolio for compliance requirements as appropriate.

(23) The University Compliance Manager will report to SEG twice a year (every 6 months) on Responsible Officers who have been appointed based on a SEG member’s endorsement. The Senior Executive Group is ultimately responsible for approving or varying the appointment of Responsible Officers.

(24) Responsible Officers are:

  1. position-based appointments (and include those acting in the relevant position);
  2. appointed based on their knowledge and expertise in the area for which they are responsible/oversee; and
  3. typically senior positions directly responsible for significant compliance decisions (including major new controls/processes etc).

(25) Responsible Officers are required to:

  1. monitor and oversee adherence to the compliance requirements within their areas of responsibility and ensure adequate controls are in place to mitigate against compliance breaches;
  2. review and report on their area’s adherence to compliance requirements and formally attest to their compliance when requested by the Compliance Manager;
  3. communicate ongoing compliance requirements to staff (including any relevant changes/amendments), organise training and provide guidance to staff;
  4. report actual or potential breaches as soon as practicable to the Compliance Manager and external regulators where required. A Compliance Incident Form should be completed outlining what has occurred, the possible cause (where known), steps taken to remediate (if any) and the mitigation plan/additional controls to be implemented to reduce the risk of re-occurrence. See Part C - Compliance Incident Reporting for further information.
  5. oversee any remediation and mitigation plans within their compliance remit.
  6. notify the Compliance Manager via compliance@latrobe.edu.au if they identify any errors or omissions in the Compliance Obligations Register.

Senior Executives

(26) The Vice-Chancellor is responsible for ensuring an appropriate Compliance Management Framework is in place at the University, providing leadership and demonstrating commitment to the University's compliance management practices.

(27) Each SEG member is accountable for effective compliance within their own portfolios.

(28) SEG is responsible for approving:

  1. Responsible Officers in relation to the University’s compliance requirements on the recommendation of the Compliance Manager; and
  2. online compliance training upon induction and on an ongoing basis (e.g. identifying the relevant cohort/regularity etc).

Assurance Group

(29) The General Counsel & Director of Assurance is responsible for providing legal advice on matters relating to legislative compliance obligations (including University legislation).

(30) The Compliance Manager and broader Assurance Group are responsible for the establishment and ongoing review and management of the University’s Compliance Management Framework, which includes:

  1. maintaining the University’s Compliance Obligations Register;
  2. assessing and assigning a ‘priority rating’ based on the University’s Risk Management Framework and the inherent risks, namely:
    1. Very High – Priority One (P1)
    2. High – Priority Two (P2)
    3. Medium – Priority Three (P3)
    4. Low – Priority Four (P4)
    5. Very Low – Priority Five (P5) 
  3. managing the Responsible Officer network including the provision of induction, ongoing training and support to assist Responsible Officers to develop and implement controls to meet compliance requirements;
  4. liaising with Responsible Officers regarding compliance attestations;
  5. liaising with Responsible Officers to ensure controls are maintained, periodically reviewed and tested to ensure their continuing effectiveness;
  6. developing and providing training as appropriate and maintaining training records;
  7. partnering with Responsible Officers to ensure the implications of changes to compliance requirements are understood and any additional controls are implemented as appropriate;
  8. reviewing or investigating the circumstances surrounding a compliance incident/breach, including the adequacy of the assessment and corrective action plan proposed or undertaken by the University Leader and/or Responsible Officer(s), to ensure appropriate actions are taken and the risk of re-occurrence is appropriately mitigated;
  9. maintaining a Register of non-compliances, near misses and investigations;
  10. reporting to SEG and the Corporate Governance, Risk, Internal Audit and Safety Committee (CGRIASC) of Council on at least a quarterly basis regarding:
    1. new or amended Priority One and Priority Two Legislation and likely implications;
    2. Priority One and Priority Two breaches/incidents reported in the previous quarter (other than those of a minor or technical nature); and
    3. major compliance uplift programs of work and/or recommendations regarding significant compliance gaps or risks identified.

Part C - Compliance Incident Reporting

(31) As soon as reasonably practicable after becoming aware of an actual or potential compliance breach (i.e. a compliance incident), individuals within scope of this Policy are required to inform their line manager (in the case of staff), as well as the University’s Compliance Manager. The initial report of the compliance incident can be made verbally or in writing via email to compliance@latrobe.edu.au.

(32) Compliance incidents must be reported promptly in order to ensure that any mandatory reporting timeframes to external regulators can be met. Where a compliance incident involves a Priority 1 or Priority 2 compliance requirement, it should be reported to the Compliance Manager within 24 hours of the person becoming aware of the matter.

(33) An Incident Notification Form may need to be completed to assist with the assessment, investigation and reporting processes.

(34) The Compliance Manager/Compliance Team will provide advice to individuals and relevant Responsible Officers regarding the assessment, containment and investigation of the incident with a view to identifying the cause and implementing rectification/mitigation measures to limit the risk of a further incident.

(35) Depending on the seriousness of the potential breach and steps already taken to contain and/or investigate the incident, the Compliance Manager may require an investigation to be undertaken either by the Responsible Officer, a member of the Assurance Group or an independent, external party.

(36) University Leaders and Responsible Officers are responsible for the rectification of all incidents and ensuring mitigation measures are implemented in a timely manner.

(37) Where an incident is subject to an external mandatory reporting requirement, it must be reported to the relevant regulatory body within the required timeframe by the relevant Responsible Officer or designated individual prescribed in Policy or the relevant compliance requirement.

Part D - Reporting Correspondence/Notices from Government Agencies or External Regulators

(38) A copy of any correspondence/notice received from a government agency or regulator in relation to the University’s compliance requirements (e.g. a letter of concern, notification of an investigation, review or site visit, review outcomes/findings, letters of warning/enforcement, infringements etc) should be forwarded to Legal Services via legal.services@latrobe.edu.au in addition to:

  1. the Responsible Officer listed on the Compliance Obligations Register; and
  2. the Compliance Manager via compliance@latrobe.edu.au.

Section 7 - Definitions

(39) For the purpose of this Policy:

  1. controls: the policies, procedures and processes put in place to ensure the University complies with its legislative obligations.
  2. inherent risk: the risk that the University could encounter when there are no controls or preventative measures in place to mitigate the risks and/or meet the regulatory requirements.
  3. residual risk: the risk that still remains or exists even with the preventative measures and controls in place.

Section 8 - Authority and Associated Information

(40) This Policy is made under the La Trobe University Act 2009.

(41) Associated information includes:

  1. Compliance intranet
  2. Compliance Obligations Register