Compliance Management Procedure

This is the current version of this document.

Section 1 - Summary

(1) This Procedure outlines how Victoria University (VU) will implement its compliance management framework.

(2) The primary purpose of the compliance management framework is to provide clear accountability and responsibility for Key Compliance Obligations and to ensure the appropriate identification, allocation, reporting and oversight of University wide compliance controls.

(3) The framework supports the delivery of quality academic outcomes and student and staff experience and is critical to maintaining a positive reputation for VU and its people.

Section 2 - TEQSA/ASQA/ESOS Alignment

(4) HESF: 6.2 Corporate Monitoring and Accountability - Standards 6.2.1.a and 6.2.1.k.

(5) Standards for RTOs: Standard 7.1 and Standards 8.5 and 8.6.

Section 3 - Scope

(6) This Procedure applies to:

  1. All staff, students, Council members, Committee members, contractors, honorary and adjunct staff.
  2. All activities under the control or direction of Victoria University, whether conducted on or off University property or in a digital environment.

Section 4 - Definitions

(7) Accountable Officer: Member of the Vice-Chancellor's Group accountable for identifying, implementing and managing allocated compliance obligations.

(8) Responsible Officer: A senior manager who reports directly to a member of the Vice-Chancellor's Group and is responsible for the operational implementation of compliance controls.

(9) Compliance: Adhering to Relevant laws and regulations that apply to the University. 

(10) Compliance Register: The list of Relevant laws and regulations that have been identified by the University and allocated to accountable and responsible staff members.  This list is recorded in the University’s compliance system and displayed on the University intranet. 

(11) Controls: The existing actions, activities or procedures that support compliance with Relevant laws and regulations.  Controls may include policies and procedures, process documents (such as standard operating procedures and manuals) and education and awareness training.  

(12) Improvement Plan: Agreed actions that will be taken to achieve compliance with a Key Compliance Obligation. 

(13) Key Compliance Obligations:  Obligations set out in Relevant laws and regulations that, if not complied with, could result in a Material Non-Compliance. 

(14) Material Non-Compliance: Any breach that has the potential to: 

  1. impact on the University’s ongoing sustainability or licence to operate; or 
  2. result in significant financial penalties or fines, undertakings, criminal sanctions or reputational damage.  

(15) Relevant laws and regulations: Acts, regulations and other legislative instruments, educational codes and standards that the University is required to apply (not including industry or professional body standards relating to course accreditation).

(16) Subject matter expert (SME): Staff member considered to have expert knowledge and experience in operationalising requirements under Relevant laws or regulations.

Section 5 - Policy/Regulation

(17) Compliance Management Policy

Section 6 - Procedures

Part A - Summary of Roles/Responsibilities 

Roles and responsibilities:

Council
- Set and promote a positive compliance culture.
- Accountable for ensuring compliance with all relevant Commonwealth legislation and statutory requirements; state legislation and annual reporting requirements; institutional legislation, statutes and regulations; and institutional policies (Terms of Reference 3).
- Monitor any lapse in compliance with all relevant legislation and regulations relevant to the provision of education and research services and oversee the implementation of corrective actions (Terms of Reference 6).
- Receive regular reports on compliance activities and audits in relation to all operations of the University (Terms of Reference 7).

Audit and Risk Committee
- Set and promote a positive compliance culture.
- Approve the University’s compliance management framework (policy and procedure) for monitoring compliance risks (Terms of Reference 3(a)(i)).
- Provide oversight and review the effectiveness of the compliance management framework.
- Receive reports and monitor improvements for any Material Non-Compliance issues.
- Receive reports on compliance activities and audits in relation to the operations of the University.

Academic Board
- Set and promote a positive compliance culture.
- The Academic Board also plays a leading role in ensuring that the University is compliant with relevant educational regulations. It is expected to work closely with the Audit and Risk Committee and provide advice to Council (Regulation 5: Academic Board Regulations 2021).
- Provide advice to the University Council and Audit and Risk Committee on academic and research legal and regulatory standards.

Vice-Chancellor's Group
- Set and promote a positive compliance culture.
- Monitor allocated compliance obligations and ensure that operational steps are being taken to achieve compliance.
- Ensure that new or changing laws and regulations are added to the Compliance Register.
- Oversee compliance with allocated laws and regulations within their area of accountability.
- Notify the Director Risk and Compliance of breaches within their portfolio and remedial actions taken.
- Develop and implement Improvement Plans to achieve compliance where appropriate.

Chief Financial Officer
- Promote a positive compliance culture.
- Oversee the compliance management framework.
- Ensure provision of adequate resources to facilitate compliance management activities.
- Review and approve reports to governance bodies.

Director, Risk and Compliance
- Promote a positive compliance culture.
- Develop, implement and monitor the compliance management framework to guide compliance management practices.
- Manage the identification, articulation and allocation of Key Compliance Obligations across the University.
- Provide alerts on changes to legal and regulatory requirements.
- Provide advice and support to operational areas responsible for implementing Controls and Improvement Plans.
- Coordinate monitoring, measuring and reporting on Key Compliance Obligations and annual attestations to the Vice-Chancellor's Group, Audit and Risk Committee and University Council.
- Assist in the identification and reporting of any Material Non-Compliances.

College/Research Centre/Business Unit Lead or equivalent
- Set and promote a positive compliance culture.
- Monitor allocated compliance obligations and ensure that operational steps are being taken within their area of responsibility to achieve compliance.
- Implement Improvement Plans to achieve compliance where appropriate.

All staff
- Comply with all Relevant laws and regulations.
- Understand and implement compliance controls within their area of responsibility.
- Assess compliance requirements for all new tasks, projects and initiatives.
- Bring potential risks or events of non-compliance to management attention.

Part B - Compliance Management Process

Laws and Regulations 

(18) The University takes a risk-based approach to the management of compliance with Relevant laws and regulations.

(19) Four tiers of Relevant laws and regulations have been identified to allow for the appropriate consideration and prioritisation of Key Compliance Obligations. They are: 

  1. Tier 1 – Laws and regulations critical to the University’s licence to operate as a higher and vocational education institution
  2. Tier 2 – Laws and regulations with University wide obligations where breaches may incur criminal penalties or significant fines or result in significant reputational damage. Tier allocated using financial penalties, reputation and legal and regulatory risk categories of the VU Risk Assessment Matrix. Tier 2 risk rating is 'high'.
  3. Tier 3 – Laws and regulations with University wide obligations where breaches may incur regulator fines or penalties or create reputational damage. Tier allocated using financial penalties, reputation and legal and regulatory risk categories of the VU Risk Assessment Matrix. Tier 3 risk rating is 'medium'.
  4. Tier 4 – Laws and regulations that have a localised impact to one or more operational areas of the University with compliance managed locally. Tier allocated using financial penalties, reputation and legal and regulatory risk categories of the VU Risk Assessment Matrix. Tier 4 risk rating is 'low'.

(20) Relevant laws and regulations identified by tier can be accessed at Legislation Master.

(21) For each relevant law or regulation identified, an Accountable Officer will be allocated. Accountability will apply where there is substantive oversight of operational activities within that portfolio.

Monitoring changes to laws and regulations

(22) Accountable and Responsible Officers should engage with relevant regulators, industry and professional bodies to remain informed as to potential changes to Relevant laws and regulations.  

(23) The Risk and Compliance Function will monitor legislation and subscribe to industry updates and notify relevant stakeholders of any changes.

Key Compliance Obligations

(24) Key Compliance Obligations are identified within the law or regulation in consultation with the Accountable Officer, Responsible Officer and relevant Subject Matter Expert and the Risk and Compliance Function.  A Responsible Officer is assigned for each identified obligation. Responsibility will apply where operational activities are undertaken within that area. 

(25) The Responsible Officer in consultation with the relevant Subject Matter Expert will implement controls in daily practice to achieve compliance with the identified Key Compliance Obligation. Controls can include policies and procedures, process documents (such as standard operating procedures and manuals) and education and awareness training.  

(26) The Risk and Compliance Function will assist the Responsible Officer and relevant Subject Matter Expert to identify current controls and record those controls within the centralised compliance system. Links will be made with the VU Policy Library.

(27) After identifying current controls, in consultation with the relevant Subject Matter Expert, the Responsible Officer will assess their effectiveness and risk rate the Key Compliance Obligations using the VU Risk Matrix.  The Risk and Compliance Function will assist with this process. 

(28) If compliance is not achieved, the Responsible Officer, in consultation with the relevant Subject Matter Expert, will develop an Improvement Plan to achieve and maintain compliance.

(29) Improvement Plans will be recorded in the centralised compliance system and monitored by the Risk and Compliance Function. 

Annual Attestation

(30) The Accountable and Responsible Officers will complete an annual attestation of compliance for allocated laws and regulations and Key Compliance Obligations.

(31) The attestation will also identify any non-compliances for the reporting period and steps taken to rectify compliance.

(32) Attestations will be collated and reported to the Vice-Chancellor's Group, Audit and Risk Committee and University Council.

Governance Reporting

(33) The Director Risk and Compliance will monitor, measure and report on the University’s compliance to the Vice-Chancellor's Group, Audit and Risk Committee and University Council on an annual basis. Academic Board will receive a report relating to academic and research laws and regulations.  Reporting is risk based and will include, where relevant:

  1. updates on new or emerging laws and regulations or significant changes to existing laws and regulations;
  2. VU’s compliance with Key Compliance Obligations and the delivery of improvement plan items; and
  3. the annual attestation process. 

Breach reporting

(34) All staff must report any identified or potential non-compliances with relevant laws or regulations to their Responsible Officer and/or Director, Risk and Compliance via compliance@vu.edu.au.

(35) The Responsible Officer in consultation with the Accountable Officer and Director, Risk and Compliance will assess the non-compliance and identify any remediating actions.

(36) In the event of a Material Non-Compliance, remediation (identification and allocation of actions) will be completed by the relevant Accountable Officer in consultation with the Vice-Chancellor's Group and Director, Risk and Compliance.

(37) The Accountable Officer will identify and report Material Non-Compliances to relevant regulators and other external agencies in accordance with Relevant laws and regulations.  

(38) Following identification of a Material Non-Compliance, the Accountable and Responsible Officers will undertake a root cause analysis, identify lessons learned and actions required to mitigate the recurrence of the event. 

(39) The Director, Risk and Compliance will take steps to report Material Non-Compliances to the Vice-Chancellor's Group and the Audit and Risk Committee at the earliest opportunity.  Reports on Material Non-Compliances related to academic laws and regulations will also be provided to the Academic Board.

External regulators

(40) Contact by external regulators responsible for the laws or regulations applicable to the University (e.g. audits, reviews, conditions, compliance notices or requests for information) must be notified to the relevant Accountable Officer and Director, Risk and Compliance upon receipt.  

(41) The Risk and Compliance Function will provide support with responses and processes related to requests.  Responses to regulators must be approved by the relevant Accountable Officer.  

(42) The relevant Accountable Officer will report the regulator request and outcome to the Vice-Chancellor's Group and relevant governance bodies.