Compliance Management Framework

Section 1 - Introduction

(1) The University of Newcastle (University) is obliged to comply with various laws, policies and regulations arising from local, state, national and international authorities. Effective compliance management identifies, understands, manages and mitigates any risk of non-compliance with these obligations.

(2) Compliance management supports the University to make decisions and act in a manner that contributes to the University's ethical and social responsibility, and impacts all aspects of teaching, research and services provided to students, staff and the communities in which we operate.

(3) Effective compliance management is an integral part of the University's governance arrangements and links with financial, risk, policy, environmental and health and safety systems, and is embedded within the University's culture. Compliance structures and practices support better decision making as well as the safeguarding of assets to achieve strategic objectives.

(4) Compliance is a shared responsibility to support behaviours, actions and activities that are consistent with relevant laws and regulations.

(5) This Framework:

  1. establishes the University's methodology for integrating compliance into operations;
  2. supports compliance practices;
  3. provides efficient and effective compliance controls;
  4. ensures that compliance requirements can be met without duplication of effort; and
  5. provides the key principles to guide compliance management and support the University's values, objectives, strategy and regulatory risk appetite.

(6) This Framework is based on the International Standard as adopted by Standards Australia – AS ISO 19600:2015 Compliance management systems – Guidelines.

Section 2 - Audience

(7) This Framework applies to the University in its entirety, including all controlled entities.

Section 3 - Key Elements of Compliance Management

(8) This Framework supports the values, strategic objectives and the risk appetite outlined in the Risk Management Framework. It has been developed in accordance with, and supports, the following seven key elements of AS ISO 19600:2015, each with its objective:

Context of the Organisation: Determine the regulatory risks that might affect the University's ability to achieve its strategic objectives, and apply the principles of good governance.
Leadership: Demonstrate ongoing commitment to compliance, and ensure that responsibilities and authorities are assigned and communicated.
Planning: Implement actions to address regulatory risks, and establish compliance objectives at relevant functions and levels.
Support: Set a tone of compliance management from top leadership and provide adequate resources and staff training to support a culture of compliance.
Operation: Plan, implement and evaluate processes, including outsourced processes, to ensure they meet relevant compliance obligations.
Performance Evaluation: Monitor, measure and evaluate the Compliance Management Framework, including the adoption of processes to collect accurate and up-to-date information that demonstrates how compliance is achieved.
Improvement: Establish a process to escalate non-compliance to the relevant management level, implement corrective actions to remedy the non-compliance and, if necessary, amend the Compliance Management Framework, and evaluate the effectiveness of corrective actions.

Compliance Management Methodology

(9) The University's Compliance Management Policy confirms the approach to the continuous improvement of compliance and the systems and practices outlined in this Compliance Management Framework.

(10) Compliance management will:

  1. be performed continuously rather than as a response to an event;
  2. adopt the seven key elements of compliance management, as outlined in this framework;
  3. include consultation with key stakeholders; and
  4. be supported by effective communication throughout the University.

Context of the Organisation

(11) The University's compliance management will involve the systematic identification of regulatory obligations relevant to current activities and services. Compliance obligations will initially be based on relevant external Acts and Regulations.

(12) Key regulatory obligations will be recorded in the Register of Compliance Obligations, which is maintained by Legal & Compliance. Legal & Compliance will also maintain the Compliance Management Framework and its associated documentation, and provide resources and support to identify and communicate new and amended legislation.

(13) The members of the Executive Committee (EC) are the compliance owners. Each member of the EC is accountable for effective compliance management within their College/Division, and for identifying areas of non-compliance.

(14) Compliance obligations will be considered and assessed in the context of current and proposed activities and services to ensure the University has the ability to meet these obligations, manage the identified risks and support the needs and expectations of stakeholders.

(15) Compliance decisions will be assessed in consideration of external and internal issues, including, but not limited to:

  1. the political, legislative, social and cultural contexts;
  2. the economic, market and financial situation;
  3. internal policies, processes and resources; and
  4. community expectations.

(16) Compliance requirements will be re-assessed whenever there are:

  1. new or changed activities or services;
  2. changes in the structure or strategy of the organisation; or
  3. significant external changes including political, legal, economic and financial circumstances, market conditions, and community relationships.

(17) Compliance owners will provide an annual attestation to confirm the effective management of regulatory risks.

Leadership

(18) Compliance owners (the Executive Committee members) will support the effective management of compliance within their respective College/Division by ensuring that relevant and appropriate operational policies, processes and procedures are in place to support a compliance culture, and are developed in consideration of the document hierarchy and endorsed approval process outlined in the Policy Framework.

(19) Compliance owners will ensure that non-compliant behaviours are addressed responsibly and promptly. Areas of non-compliance will be reported to Legal & Compliance for review immediately upon identification.

(20) Legal & Compliance will maintain oversight of this Compliance Management Framework and provide the Council, Executive Committee and compliance owners with specialist governance support, including:

  1. the maintenance of a University wide register of significant legislative obligations (Register of Compliance Obligations);
  2. providing regular and timely updates regarding new or amended legislative obligations;
  3. identification of regulatory risks and assisting in ensuring that these are managed in line with Council's risk appetite; and
  4. ensuring that processes to support compliance management are appropriately documented.

(21) Legal & Compliance supports compliance owners in assessing the effectiveness of controls and processes to mitigate regulatory risks and in reviewing actions to report and rectify non-compliance.

Planning

(22) Council supports a risk-based approach to compliance management, undertaken in line with this Compliance Management Framework and supported by the Risk Management Framework.

(23) Regulatory risks and current management actions to address these risks, are detailed in the College/Division operational risk registers. These risks are subject to regular and timely review processes.

(24) Areas of non-compliance will be assessed to determine the risks associated with non-compliance and to decide the remedies required. Areas of non-compliance will be reviewed by Legal & Compliance to consider remediation actions and to determine investigation and reporting activities.

(25) Significant areas of non-compliance will be reported by Legal & Compliance immediately to the Vice-Chancellor and the relevant Executive member. The Vice-Chancellor and the General Counsel, Legal & Compliance, will report this information to the Risk Committee. Non-compliance is considered significant where the outcome includes:

  1. breach of legislative obligations which may result in loss of life;
  2. a material fine or penalty;
  3. an impact on the ongoing operations of the University for a period greater than two months;
  4. prosecution;
  5. required reporting to a regulator leading to an external investigation; or
  6. reputational damage causing loss of confidence or adverse impact over a prolonged period.

Support

(26) To support the ongoing development of a compliance culture, training and support processes are available, including:

  1. staff induction training programs that support the link between the organisation's values and compliance as an essential component of achieving organisational objectives;
  2. ongoing staff training programs tailored to the regulatory risks and obligations related to their roles and responsibilities;
  3. support and assistance in the identification, recording and monitoring of regulatory risks;
  4. adoption and implementation of the Compliance Management Policy, this Framework and reporting processes to support the management of compliance; and
  5. ongoing and open communication regarding compliance, organisational expectations, and the benefits of and achievements in meeting compliance obligations.

(27) To support effective monitoring:

  1. processes are in place to appropriately report breaches of compliance obligations (see Clauses 19, 25 and 26);
  2. management practices are in place to appropriately respond to identified breaches of compliance obligations (see Clause 37);
  3. staff are enabled and encouraged to raise compliance concerns with the appropriate level of management, either formally as a Public Interest Disclosure (see the Public Interest Disclosures Policy) or through the Complaint Management Procedure; and
  4. the public and other authorities are supported, enabled and encouraged to raise compliance concerns with the appropriate level of management through avenues such as a Public Interest Disclosure (see the Public Interest Disclosures Policy) or the Complaint Management Procedure.

Compliance Operations

(28) Identification and management of regulatory risks across the University is supported by a central, specialist and independent business unit within Legal & Compliance.

(29) Compliance owners are responsible for ensuring that effective controls are in place to support the management of compliance obligations within the Council's risk appetite.

(30) The design and operational effectiveness of controls to manage regulatory risks are periodically assessed by Internal Audit and External Audit. The results of these audits are provided to the Risk Committee, Executive Committee and compliance owners by Legal & Compliance.

(31) Compliance owners should ensure that outsourced activities and services meet compliance requirements and commitments including, but not limited to, meeting expectations as outlined in the Ethical Framework.

(32) Compliance owners will report annually to the Vice-Chancellor on the management of regulatory risks and compliance with relevant regulatory obligations.

Performance Evaluation

(33) Compliance owners are responsible for ensuring there are effective internal controls in place to monitor regulatory compliance within their College/Division. Monitoring processes may include:

  1. ensuring staff have undertaken regular training;
  2. ensuring that identified internal controls are in place and are operating effectively;
  3. regular, timely review of regulatory risks;
  4. ensuring areas of non-compliance have been effectively reported and corrected; and
  5. review of associated policy and procedure documents.

(34) A review of the effectiveness of the implementation and maintenance of this Compliance Management Framework will be undertaken by Internal Audit, as required.

(35) An annual report of non-compliance will be provided to the Risk Committee by Legal & Compliance detailing the actions taken to improve compliance. Any areas of emerging regulatory risk will also be included in this report.

Continual Improvement

(36) Compliance owners are responsible for ensuring that appropriate corrective and preventive actions are implemented to address areas of non-compliance in a timely manner and in accordance with the requirements of this framework. All measures to address non-compliance must be monitored for their effectiveness.

(37) To support continual improvement, this Framework and the effectiveness of compliance practices will be reviewed by Legal & Compliance annually.

Section 4 - Corporate Governance Principles

(38) Corporate governance refers to the process by which the University is controlled and governed in order to achieve objectives. The Council is committed to establishing and maintaining an organisational culture that ensures compliance functions are an integral part of all activities.

(39) To support effective compliance practices, compliance owners are required to provide an annual attestation to the Vice-Chancellor confirming the effective identification of and compliance with relevant rules, practices and legislative obligations.

(40) The responsibility for effective compliance management is undertaken by all University leaders and staff. Specific roles and responsibilities for compliance are outlined below.

University Council
The University Council and its Committees have responsibility under the University of Newcastle Act 1989 for overseeing governance activities across the University.
The University Council, via the Risk Committee, is responsible for evaluating the effectiveness of the key components of this Compliance Management Framework.
Risk Committee of Council
The Risk Committee is responsible for assisting Council in:
a. evaluating the soundness of the compliance system at the University;
b. reviewing the outcomes of compliance processes; and
c. informing the University Council of the adequacy and effectiveness of the University's compliance processes.
Vice-Chancellor
The Vice-Chancellor is responsible for:
a. ensuring that a compliance management system is established, implemented and maintained;
b. providing leadership for the University's compliance culture;
c. maintaining the Compliance Management Framework and internal controls to manage the University's material compliance obligations; and
d. reporting to the Council and the Nominations and Governance Committee as to whether regulatory risks are being managed effectively.
Executive Committee (Compliance Owners)
The Executive Committee:
a. provide advice to the Vice-Chancellor on matters of compliance and provide leadership in portfolio areas;
b. review and shape the Register of Compliance Obligations;
c. consider compliance reports;
d. review the outcomes of compliance processes; and
e. consider emerging regulatory changes and facilitate assurance that regulatory risk exposures are being managed appropriately.
Legal & Compliance
Legal & Compliance:
a. support compliance owners on matters of compliance and provide leadership in portfolio areas;
b. manage and maintain the Register of Compliance Obligations;
c. investigate and report on areas of non-compliance;
d. assist in the preparation of compliance reports;
e. review the outcomes of compliance processes; and
f. consider emerging regulatory changes and facilitate assurance that regulatory risk exposures are being managed appropriately.
All Staff
All staff:
a. recognise, communicate and respond to expected or emerging compliance obligations;
b. implement compliance plans within their area of responsibility; and
c. update progress on compliance plans and reporting.

Section 5 - Appendices

(41) Compliance Process Diagram