• Section 1 - Introduction
• Section 2 - Audience  
• Section 3 - Background
• Section 4 - Key Elements of the Compliance Management System
• Section 5 - Approach to Compliance
• Section 6 - Compliance – Context of the Organisation
• Section 7 - Compliance – Leadership
• Section 8 - Compliance – Planning 
• Section 9 - Compliance - Support
• Section 10 - Compliance Operations
• Section 11 - Compliance - Performance Evaluation
• Section 12 - Compliance – Continual Improvement
• Section 13 - Corporate Governance Principles
• Section 14 - Review
• Section 15 - Appendices

Section 1 - Introduction

(1) In general, compliance means conforming to a rule, such as a specific, policy, standard or law. Compliance contributes to the University's ethical and social responsibility and impacts all aspect of activities including teaching, research and services provided to students, staff and the communities in which we operate.

(2) Regulatory compliance refers to the activities to ensure awareness of, and steps taken to comply with, relevant laws, policies, and regulations arising from local, state, national or international obligations.

(3) Compliance is a shared responsibility to support behaviours, actions and activities being undertaken in a manner consistent with relevant laws and regulations. The outcome is to maintain academic excellence and ethical best practices to support the Council's risk appetite.

(4) Effective compliance processes are an integral part of the University's governance arrangements and made sustainable by linking with financial, risk, policy, environmental and health and safety systems and being embedded within the culture. Compliance structures and practices support better decision making and the safeguard of assets to achieve strategic objectives.

(5)  This Framework sets out the process for integrating compliance into operations, to assist in understanding actions to support compliance practices, providing efficient and effective compliance controls and to ensure that compliance requirements can be met without duplication of effort.

Section 2 - Audience  

(6) This Framework applies to UON in the entirety including all controlled entities.

Section 3 - Background

(7) Compliance management is the co-ordination of activities to identify compliance obligations and the implications for current, and proposed, activities.

(8) An effective compliance management framework will assist the University Council, Risk Committee, Vice-Chancellor and Executive in obtaining reasonable assurance that:

1. the University's strategic and corporate objectives are supported by effective management systems and processes to enable compliance with relevant legislation, guidelines or authorities;
2. regulatory compliance can be monitored, managed and reviewed in a timely and effective manner; and
3. the effectiveness of reporting of compliance and key controls are continuously reviewed and improved where necessary.

(9) This Compliance Management Framework provides the key principles that guide compliance management and processes to support the University's values, objectives, strategy and regulatory risk appetite.

(10) This Compliance Management Framework is based on the International Standard as adopted by Standards Australia – AS/NZS ISO 19600:20015 Compliance management systems – Guidelines.

Section 4 - Key Elements of the Compliance Management System

(11)  This Framework supports the values, strategic objectives and the risk appetite outlined in the Risk Management Framework. UON’s Compliance Management Framework has been developed in accordance with, and supports, the seven key elements of ISO 19600:

1. Context of the organisation - determining regulatory risks that might affect UON’s ability to achieve the strategic outcomes and applying the principles of good governance.  
2. Leadership - demonstrating ongoing commitment to compliance and ensuring that responsibilities and authorities are assigned and communicated.
3. Planning - implementing actions to address regulatory risks and establishing compliance objectives at relevant functions and levels.
4. Support - the tone at the top to ensure resources are available and staff training supports a compliance culture.
5. Operation -  planning, implementing and evaluating the processes, including outsourced processes, to meet compliance obligations.
6. Performance evaluation -  monitoring, measuring and evaluating the Compliance Management Framework, maintaining procedures for collecting accurate and up-to-date information, to ensure compliance performance is achieved.
7. Improvement -  establishing a clear process to ensure noncompliance is escalated to the relevant management level, taking prompt action to correct noncompliance and implementing corrective actions and changes to the framework as necessary.

Section 5 - Approach to Compliance

(12) Council adopted a Compliance Management Policy confirming the approach to the continuous improvement of compliance and in the systems to support the Compliance Management Framework.

(13) Compliance should be performed continuously and is not just about responding to events. The University supports a compliance approach which involves the process of establishing the context of compliance within the University, the leadership culture and planning actions to support decision making. Effective compliance processes also include establishing, developing, implementing, evaluating, maintaining and improving the effectiveness and responsiveness of a compliance system.

(14) Compliance processes include consultation with key stakeholders and is communicated widely throughout UON.

Section 6 - Compliance – Context of the Organisation

(15) The University's compliance processes involve the systematic identification of regulatory obligations to support current activities and services. Compliance obligations are initially based on relevant external Acts and Regulations.

(16) Key regulatory obligations are maintained in a Register of Compliance Obligations.

(17) The Executive Committee are the Compliance Owners and are accountable for the operation of an effective compliance management process within their Faculty/Division, and for identifying areas of non-compliance.

(18) Assurance Services is responsible for maintaining the Compliance Management Framework, associated documentation, and providing resources to support the identification and communication of new and changes to legislation.

(19) Compliance obligations are considered and assessed in current and proposed activities and services to ensure that UON has the ability to meet compliance requirements, manage the identified risks and to support the needs and expectations of stakeholders.

(20) Compliance decisions are assessed in consideration of external and internal issues, such as the regulatory, social and cultural contexts, the economic situation and internal policies, processes and resources.

(21) Compliance requirements are reassessed whenever there are:

1. new or changed activities or services;
2. changes in the structure or strategy of the organisation; or
3. significant external changes including political, legal, economic and financial circumstances, market conditions, customer and stakeholder relationships.

(22) Assurance Services will support Compliance Owners in providing an annual attestation to support the effective management of regulatory risks.

Section 7 - Compliance – Leadership

(23) Compliance Owners support the effective management of compliance within their respective Faulty/Division by ensuring that relevant and appropriate operational policies, processes and procedures are in place to support a compliance culture.

(24) Compliance Owners support the ongoing commitment to compliance by ensuring that non-compliant behaviours will be addressed responsibly and promptly. Areas of non-compliance will be reported immediately upon identification, to the Director, Assurance Services for review.

(25) Assurance Services supports the Compliance Owners by providing a centralised corporate compliance process. The Director, Assurance Services operates with an independent and direct reporting line to the Vice-Chancellor and the Chair of the Risk Committee. Assurance Services will maintain an oversight of the Compliance Management Framework and provide the Council, Executive Committee and Compliance Owners with specialist governance support.  

(26) To support effective and timely compliance functions Assurance Services supports Compliance Owners:

1. with the maintenance of a University wide register of significant legislative obligations (Register of Compliance Obligations);
2. by providing regular and timely updates regarding changes to or new legislative obligations;
3. in the identification of regulatory risks and assisting in ensuring that these are managed in line with Council's risk appetite; and
4. to ensure that processes to support regulatory risk management are appropriately documented.

(27) Assurance Services supports Compliance Owners in assessing the effectiveness of controls and processes to mitigate regulatory risks and in reviewing actions to report and rectify non-compliance.

Section 8 - Compliance – Planning 

(28) Council supports a risk-based approach to compliance management and is undertaken in line with this Compliance Management Framework and supports the Risk Management Framework.

(29) Regulatory risks and current management actions to address these risks, are detailed in the Faculty/Division operational risk registers. These risks are subject to regular and timely review processes.

(30) Areas of non-compliance are assessed to determine the risks associated with non-compliance to determine the remedies required. Areas of non-compliance will be reviewed by Assurance Services to consider remediation actions and to determine investigation and reporting activities.

(31) Significant areas of non-compliance will be reported immediately to the Vice-Chancellor and relevant Executive. The Vice-Chancellor and Director, Assurance Services will report to the Risk Committee. Significant non-compliance may include:

1. breach of legislative obligations which may result in loss or life;
2. a material fine or penalty;
3. may impact on the on ongoing operations of the University for a period greater than two months;
4. subject to prosecution;
5. require reporting to a regulator leading to external investigation;
6. or may result in reputation damage causing loss of confidence or adverse impact over prolonged period.

Section 9 - Compliance - Support

(32) To support the ongoing development of a compliance culture, training and support processes are available including:

1. staff induction training programs to support the link between the organisation’s values and compliance as an essential component to achieve organisational objectives;
2. ongoing staff training programs tailored to the regulatory risks and obligations related to their roles and responsibilities;
3. support and assistance in the identification, recording and monitoring of regulatory risks;  
4. adoption and implementation of compliance policy, framework and reporting processes to support management of compliance; and
5. through on-going and open communication regarding compliance, organisational expectations, the benefits of and achievements in meeting compliance obligations.

(33) To support effective monitoring:

1. processes are in place to appropriately report breaches of compliance obligations;
2. management practices are in place to appropriately consider and respond to breaches of compliance obligations;
3. staff are enabled and encouraged to raise compliance concerns to the appropriate level of management either formally as a Public Information Disclosure or through the Complaints handling processes; and
4. the public and other authorities are supported, enabled and encouraged to raise compliance concerns to the appropriate level of management through avenues such as Public Information Disclosures and Complaints handling processes.

Section 10 - Compliance Operations

(34) Compliance is embedded within the operations and the identification and management of regulatory risks is supported by a central specialist, independent business unit.

(35) Compliance Owners ensure that effective controls are in place to support the management of compliance obligations and that these controls ensure that the regulatory risks are within the Council's risk appetite.

(36) Assessment of the effectiveness of controls to manage regulatory risks are undertaken by Internal Audit and External Audit. The results of these audits are provided to the Risk Committee, Executive Committee and Compliance Owners.

(37) Compliance Owners should ensure that outsourced activities and services meet compliance standards and commitments including, but not limited to, meeting expectations as outlined in the Ethical Framework.

(38) Compliance Owners will report annually to the Vice-Chancellor on the management of regulatory risks and compliance with relevant regulatory obligations.

Section 11 - Compliance - Performance Evaluation

(39) Compliance Owners are responsible to ensuring the effectiveness of the internal controls in place to monitor compliance within their Faculty/Division. Monitoring processes may include:

1. ensuring staff have undertaken regular training;
2. ensuring that identified internal controls are in place and operating;
3. regulatory risks have been subject to a timely and regular review; and
4. areas of non-compliance have been effectively reported and corrected.

(40) The effectiveness of the implementation and maintenance of the Compliance Management Framework will be undertaken by Internal Audit on a cyclical basis.

(41) Annually a report of non-compliance will be provided to the Risk Committee detailing the actions taken to improve compliance. Any areas of emerging regulatory risk will also be included in this report.

Section 12 - Compliance – Continual Improvement

(42) To support continual improvement this Framework and the effectiveness of compliance practices will be reviewed by Assurance Services annually.  

Section 13 - Corporate Governance Principles

(43) Corporate governance refers to the process by which the University is controlled and governed in order to achieve objectives. The Council is committed to establishing and maintaining an organisational culture that ensures compliance functions as an integral part of all activities.

(44) To support the effective compliance practices, annually the Compliance Owners will provide an attestation to the Vice-Chancellor supporting the effective identification of and compliance with relevant rules, practices and legislative obligations.

(45) The responsibility for effective Compliance Management Framework practice is undertaken by all University leaders and staff. Specific roles and responsibilities for compliance are outlined below.

Section 14 - Review

(46) This Framework and the effectiveness of compliance practices will be reviewed by Assurance Services annually.

Section 15 - Appendices

(47) Compliance Process Diagram

(48) Compliance Terminology and Definitions