Compliance Management Framework

Section 1 - Introduction

(1) This Compliance Management Framework (Framework) is a key feature of the University of Newcastle's (University) overall compliance management system. It affirms the University's commitment to compliance and establishes methods to support staff to manage compliance obligations, particularly those obligations imposed by law.

(2) Effective compliance management is an integral part of the University's governance arrangements and links with financial, risk, policy, environmental and health and safety systems, and is embedded within the University's culture. Compliance structures and practices support better decision making as well as the safeguarding of assets to achieve strategic objectives.

(3) Compliance is a shared responsibility, supporting behaviours, actions, and activities that are consistent with relevant laws, regulations, and University expectations.

(4) This Framework expands on the responsibilities described in the Compliance Management Policy. It describes systems for identifying, disseminating, monitoring and reporting on compliance management at the University including the role of the centralised Compliance Team in implementing a University-wide legislative compliance program.

(5) All University leaders are responsible for implementing this Framework in their respective areas and all University staff are individually accountable for their compliance with relevant obligations. All staff must report instances of non-compliance.

Section 2 - Purpose

(6) This Framework:

  1. provides key principles to guide compliance management;
  2. establishes some methodologies for integrating compliance into operations;
  3. facilitates some University-wide compliance assurance;
  4. supports University values and promotes ethical decision-making;
  5. supports the University's regulatory risk appetite; and
  6. aims for legislative compliance requirements being met through efficient processes.

Section 3 - Audience and Scope

(7) This Framework applies across the University, but not its controlled entities.

(8) In accordance with the University's Compliance Management Policy, controlled entities must ensure that effective controls are in place to support the management of their compliance obligations.

(9) While the specific activities outlined in this Framework are not expected to be implemented by controlled entities, they can be duplicated or adapted by the controlled entities to manage compliance. Compliance support can be provided by University Legal and Compliance in accordance with existing agreements.

Section 4 - Definitions

(10) In the context of this document:

Breach Register: A register maintained by Legal and Compliance outlining alleged, suspected and actual non-compliance matters received by, or managed within, the University. Not available to all staff.
Breach Reporting: The process of notifying the University of a potential risk of, or actual, non-compliance with a legislative obligation. Breach Reports are usually made and received via the legal portal in ServiceNow.
Compliance Commitment: A requirement the University chooses to comply with even if not mandated externally.
Compliance Coordinator: A person identified in the Compliance Register as being a key staff member with some responsibilities for coordinating activities (as relevant to their role or University-wide), to ensure University compliance with a piece of legislation.
Compliance Management: Managing an organisation's ability to comply and its compliance.
Compliance Obligation: All of the University's compliance requirements and compliance commitments are collectively referred to as compliance obligations. A compliance obligation is something the University either has to, or wants to, comply with. The obligation can be imposed by law, policy, contract, formal directive, rule, procedure, code, standards or targets set internally. Alternatively, the Compliance Obligation can be associated with ethical, sustainability or quality goals, or other commitments made by the University.
Compliance Program / Legislative Compliance Program: The University's legislative compliance program is a suite of interrelated mechanisms that address legislative compliance.
Compliance Register / Compliance Obligations Register: A register of legislation the University must comply with (and associated information) maintained by Legal and Compliance. Available to all University staff.
Compliance Requirement: A requirement imposed on the University that the University must comply with.
Legal Compliance / Legislative Compliance: Adherence to obligations imposed by law, particularly State and Commonwealth Acts, but also associated Statutory Instruments such as Regulations, Orders and By-Laws. It also includes adhering to obligations imposed by any regulatory authority and, in some cases, international laws. The terms Regulatory Compliance and Statutory Compliance are often used elsewhere with varying but similar definitions.
Responsible Executive: A member of the Executive Leadership Team assigned responsibility for whole-of-University compliance for a piece of assigned legislation, as identified in the Compliance Obligations Register.
Section 5 - Lines of Responsibility

(11) The Council is the governing authority of the University, having control and management of the affairs and concerns of the University as per the University of Newcastle Act (1989).

(12) The Vice-Chancellor, as principal executive officer, oversees compliance management to ensure it is effective.

(13) The Risk Committee and Council actively monitor and evaluate the effectiveness of the University's compliance management system.

(14) The Executive Leadership Team, as the highest-level leaders in operational management, facilitate compliance assurance and support effective compliance management. As compliance owners, the Executive Leadership Team ensure that effective controls are in place to support the management of compliance obligations within the Council's risk appetite, as detailed in the University's Risk Management Framework.

(15) The Executive Leadership Team ensure that:

  1. staff are undertaking regular training;
  2. identified internal controls are operating;
  3. there is regular, timely review of regulatory risks;
  4. areas of non-compliance have been effectively reported and corrected;
  5. appropriate operational policies, processes and procedures are in place and reviewed; and
  6. policies, processes and procedures are consistent with the document hierarchy and approval processes outlined in the Policy Framework.

(16) Legal and Compliance, as subject matter experts, provide guidance for compliance management and ensure it is carried out properly.

(17) Governance and Assurance Services and the internal audit function, as independent experts, check on the effectiveness of controls for compliance risk.

(18) All staff have compliance responsibilities. In all operational areas, leaders must take action to ensure their staff are able to comply with their obligations.

Section 6 - Compliance Principles

(19) Staff at all levels of the University should embrace the following principles to guide compliance decision-making. These principles are relevant to obligations arising from legislation, policies, licences, standards, agreements or any other compliance commitment made by the University.

(20) Principle 1: Compliance efforts should be prioritised by taking a risk-based approach.

(21) Principle 2: Ethical considerations must be factored into compliance decisions.

(22) Principle 3: Staff should identify and consider all compliance obligations whenever planning, implementing or reviewing a University system, program, activity or process, and when making decisions or exercising delegated authority.

(23) Principle 4: Compliance must be considered in the context of both current and proposed (future) University activities.

(24) Principle 5: Systematic monitoring of compliance obligations is central to meeting compliance objectives.

(25) Principle 6: When compliance decisions are made, relevant external and internal factors must be considered, including:

  1. political, legislative, social, and cultural contexts;
  2. the economic, market, and financial situation;
  3. University Rules, policies, procedures, and resources, particularly the University's Ethical Framework; and
  4. community expectations.
Section 7 - Legislative Compliance Program

(26) The University's legislative compliance program has been designed to be active, positive, and business-aligned. An active compliance program is preventive, not merely reactive and passive. A positive compliance program incorporates a facilitative, enabling compliance function instead of simply performing a policing function. A business-aligned compliance program considers the risk appetite, strategic goals, operational environment, values and governance structures within the organisation.

(27) The University's legislative compliance program comprises these seven components:

  1. Compliance Register;
  2. Compliance Breach Management and Breach Register;
  3. Legal Compliance Handbook;
  4. Compliance Support and Monitoring;
  5. Mandatory Compliance Training;
  6. Compliance Assurance;
  7. Compliance Management Reporting.

(28) The components of this program integrate with other University processes and structures that support compliance management, including:

  1. Governance Rule;
  2. Delegation of Authority Framework, Guidelines and Delegations Register;
  3. Assigned responsibilities for individuals, Committees, Working Groups, and teams;
  4. Policy Framework and Policy Library;
  5. Support from Governance and Assurance Services;
  6. Ethical Framework;
  7. Staff Code of Conduct;
  8. Risk Management Policy and Risk Management Framework;
  9. Operational and Strategic Risk Profiles.

(29) The seven components of the legislative compliance program will be reviewed and evaluated to ensure they remain fit for purpose and to ensure continuous improvement is achieved.

Section 8 - Compliance Register

(30) Any State or Commonwealth Act that is identified to impose legal obligations on the University is listed in the Compliance Register.

(31) For each Act listed in the Compliance Register, further information is provided that:

  1. details some compliance obligations for the University in relation to that Act;
  2. identifies associated Regulations, Instruments or Standards, if relevant;
  3. lists the areas of the University impacted by the obligations; and
  4. identifies the Responsible Executive and Compliance Coordinator/s.

(32) Legal and Compliance, in consultation with Responsible Executives and Compliance Coordinators, will maintain and monitor the Compliance Register to ensure it is up to date.

Section 9 - Compliance Breach Management

(33) A Breach Register is maintained by Legal and Compliance. It describes alleged legislative breaches, and other significant suspected or substantiated non-compliance events and incidents. The Breach Register includes a consequence scale rating for each breach record, outlines follow-up actions taken and other key details relevant to the assessment and management of the matter.

(34) Notification of any legislative non-compliance (or suspected breach of legislation) must be made to Legal and Compliance immediately through the online breach reporting tool. Non-compliance may occur as a one-off incident, or present as problems that are systemic, longer term, or broader issues.

(35) Any person, including a member of the public, can report suspected or actual non-compliance.

(36) Reports of non-compliance may also be received via the University's complaint mechanisms, by lodging a public interest disclosure in accordance with the Public Interest Disclosure Policy, or by reporting a privacy breach to the Privacy and Right to Information Officer.

(37) Incidents that are relevant to work health and safety or hazard identification are managed separately through the Work Health Safety Incident Management System.

(38) In managing a report, Legal and Compliance will allocate and escalate the matter to the relevant Responsible Executive or Compliance Coordinator (or other University leader, team, or group).

(39) Management and remediation of non-compliance incidents may include, but is not limited to:

  1. conducting investigations into reports of non-compliance incidents;
  2. ensuring the breach is addressed responsibly and promptly through corrective action;
  3. reporting to external regulators or other entities if relevant; and
  4. reviewing compliance controls to ensure they are adequate to maintain compliance.

(40) Legal and Compliance may review remediation actions, investigations and compliance reporting activities undertaken across other areas of the University.

(41) Significant areas of non-compliance will be reported by Legal and Compliance immediately to the Vice-Chancellor and the relevant Executive. The Vice-Chancellor and General Counsel will report this information to the Risk Committee. Non-compliance is considered significant where the outcome includes:

  1. breach of legislative obligations which may result in loss of life or serious injury;
  2. a material fine or penalty;
  3. an impact on the ongoing operations of the University for a period greater than two months;
  4. prosecution;
  5. required reporting to a regulator leading to an external investigation; or
  6. reputational damage causing loss of confidence or adverse impact over a prolonged period.
Section 10 - Legal Compliance Handbook

(42) A Legal Compliance Handbook will be developed and maintained by Legal and Compliance to provide guidance for the Compliance Team, Responsible Executives and Compliance Coordinators regarding relevant procedures and activities that are undertaken to meet legislative compliance objectives.

Section 11 - Compliance Support and Compliance Monitoring

(43) Legal and Compliance will promote a culture of compliance and assist in facilitating compliance by providing support across the University.

(44) Legal and Compliance will:

  1. provide compliance related coaching and support to relevant stakeholders;
  2. monitor for new legislation and changes to key legislation and, where resources allow, communicate this to relevant stakeholders in the University;
  3. broadly deploy a program of awareness across the University to promote compliance;
  4. where requested and appropriate, provide input into policy documents, training programs and other activities that support legislative compliance and/or mitigate risk of non-compliance; and
  5. where requested and appropriate, assist in the development of internal compliance controls.

(45) Responsible Executives and Compliance Coordinators will:

  1. integrate compliance considerations into business operations;
  2. monitor and review existing policy and procedural documents to promote and enable compliance;
  3. ensure their staff complete relevant training and other relevant people complete required training and induction;
  4. conduct regular reviews of their assigned legislation;
  5. communicate any known changes to their assigned legislation to Legal and Compliance;
  6. ensure any operational changes that are required because of pending regulatory change are implemented by the date required;
  7. complete regular and continual self-assessments as to the risk of non-compliance with their assigned legislation, including how risks will be mitigated and the internal controls in place; and
  8. facilitate and respond to instances of non-compliance and regulatory risk.
Section 12 - Mandatory compliance training for staff

(46) A mandatory compliance training program has been developed by the University to ensure University staff understand some of the key responsibilities in high-risk areas. Please refer to the Mandatory Compliance Training Procedure.

(47) Mandatory compliance training is generally delivered via online training modules when a person commences employment with the University. For some courses there are annual refreshers or other recertification requirements.

Section 13 - Compliance assurance

General

(48) Council has delegated the monitoring of compliance to the Risk Committee, supported by other standing Committees of Council, as relevant. The responsibilities of the Committees are contained in the Committee Charters.

(49) A review of the effectiveness of the implementation of this Framework may be undertaken by Internal Audit as required.

(50) Legal and Compliance may request information from University staff relevant to significant compliance concerns or high-risk areas at any time.

Compliance Declarations

(51) Each year, Responsible Executives and Compliance Coordinators listed in the University's Compliance Register will be asked to provide information to be reported to Council. The process may involve self-assessment or an attestation to provide reasonable assurance that legislative obligations are understood, controls are in place to manage compliance risk and all known breaches have been reported and managed.

Section 14 - Compliance Management Reporting

(52) It is essential that the Vice-Chancellor, Council, and its committees are actively involved in overseeing compliance management. To facilitate this, Legal and Compliance will regularly report to the Vice-Chancellor, Council, and Risk Committee on compliance matters including:

  1. areas of elevated regulatory risk (as they become known);
  2. significant incidents of non-compliance (as they arise);
  3. results of compliance declarations (annually);
  4. alleged and actual non-compliances recorded in the breach register (annually); and
  5. general updates on compliance management performance across the University (when requested).
Section 15 - Related Documents

(53) Compliance Management Policy

(54) Ethical Framework

(55) Risk Management Framework

(56) Complaint Management Policy

(57) Mandatory Compliance Training Procedure

(58) Risk Committee Charter

(59) Governance Framework for Controlled Entities

(60) Australian Standard: AS ISO 37301:2023 Compliance Management Systems — Requirements with guidance for use.