Enterprise Compliance Management Framework - Policy

1.0 Purpose and Scope

1.1 Context

UQ operates in a highly regulated environment, requiring the University to identify and manage legal and regulatory obligations across various jurisdictions. Obligations include legal and regulatory requirements and commitments made by the University through its policies and undertakings.

The purpose of this Enterprise Compliance Management Framework (ECMF) is to provide the structure, direction and oversight for the systematic, disciplined and consistent identification and assessment of legal and regulatory compliance obligations and for their effective and efficient management.

The ECMF is shaped by the University’s risk management and governance frameworks and supports the achievement of the University’s strategic objectives and priorities. It is consistent with the Australian Standard AS ISO 19600:2015 Compliance Management Systems.

1.2 Compliance Management Objective

UQ’s compliance management objective is to ensure it has the requisite capabilities and controls in place to enable it to demonstrate compliance with its obligations effectively, efficiently and within the parameters established by Senate through the Risk Appetite Statement (RAS). 

Under the Senate approved Risk Appetite Statement, UQ:

  • Has a Zero tolerance for intentional and material breaches of statutes, regulation and professional standards including those relating to research or medical ethics.
  • Has a Zero tolerance for criminal breaches, fraud and corruption, misuse of office or similar related activities.
  • Has a Zero tolerance for risks relating to actions that may put critical course accreditations and/or standards of operations in jeopardy.
  • Has a Very Low risk tolerance for breach of our privacy obligations to students, staff and other stakeholders.
  • Will seek opportunities to efficiently and effectively meet the requirements of internal policies and procedures.

1.3 Compliance Management Strategy and Scope

UQ’s compliance management strategy is underpinned by a risk-based, centre-led approach that incorporates the following core elements: 

  • Strategy and scope.
  • Governance and accountability.
  • Operational control.
  • Evaluation and improvement.  
  • Leadership commitment. 

The diagram below highlights the five core elements and the management actions that underpin them. It also demonstrates that compliance management is a continuously improving process integrated into our business structure and processes. 

This framework applies to the whole of UQ and its operations including all controlled entities.

2.0 Key Requirements

To ensure UQ has the requisite capabilities and controls in place to enable it to demonstrate compliance with its obligations effectively, efficiently and within the Senate approved RAS, UQ will:

1. Adopt an enterprise wide approach to compliance management and ensure its processes and practices:

a. Explicitly address legal and regulatory compliance.

b. Are integrated into all organisational processes, activities and practices to enable compliance management to be an integral part of management thinking, discussions and decision making.

c. Are context-driven and prioritised according to the assessed level of risk.

d. Are systematic, structured, timely and consistent with the UQ Enterprise Risk Management Framework (ERMF).

e. Harness technology to support documentation and evidence of compliance management to protect the integrity and reputation of the University.

f. Are dynamic, iterative and responsive to change, facilitating continual improvement and enhancement of the University.

2. Group its compliance obligations under meaningful categories (aligned with the risk categories as per the ERMF) and properly assess each obligation to identify the specific actions required of UQ. See Appendix A for compliance categories.

3. Ensure clarity of roles, responsibilities and accountabilities to nominated University officers for effective management of obligations, including monitoring, reviews and provision of assurance.

a. Compliance owners for each compliance obligation or category of obligation will be identified and held accountable for ensuring the University has requisite people, process and systems capabilities to meet and demonstrate compliance.

b. In the case of operations in multiple jurisdictions, a comparative analysis of the applicable laws will be undertaken and the relevant compliance obligations assigned.

c. Shared obligations will be allocated and coordinated on a case by case basis.

4. Create and continually enhance a compliance management culture in which staff and managers at all levels are encouraged and supported to raise and respectfully discuss obligations, issues and opportunities for improvement.

5. Identify, report and escalate instances of non-compliance and breaches together with associated risks. Non-compliances and breaches will be recorded and escalated in accordance with the ERMF - Risk Action Table and Consequence Rating Table and/or relevant policy.

6. Develop and implement a Compliance Assurance Program (CAP) to assess and provide reasonable assurance that UQ has the requisite capabilities and is able to demonstrate compliance with its obligations. The CAP will apply the following criteria to assess the University’s compliance capabilities and controls:

a. Level of assessment and understanding of the obligations.

b. Level of assessment and understanding of the specific activities required under each obligation.

c. The adequacy and effectiveness of the people, process and systems capabilities to demonstrate compliance.

d. Evidence of actual compliance.

e. Evidence of non-compliance and corresponding remedial actions.

f. Monitoring and reviews of controls to ensure their ongoing effectiveness.

7. To the extent feasible, align compliance management and Internal Audit activities to ensure that independent assurance is timely and value-adding.

8. Continually review and optimise its compliance management function, framework, processes and practices.

3.0 Roles, Responsibilities and Accountabilities

3.1 Senate Risk and Audit Committee (SR&AC)

The Committee’s due diligence responsibilities include receiving compliance reports from the Vice Chancellor’s Risk and Compliance Committee and advising the Senate on significant compliance issues and breaches.

3.2 Vice Chancellor’s Risk and Compliance Committee (VCRCC)

The VCRCC provides oversight of the enterprise compliance function. Its responsibilities include providing assurance to the Vice-Chancellor and President and the Vice-Chancellor’s Committee (VCC) that UQ has the requisite capabilities and controls in place to demonstrate compliance with its obligations effectively, efficiently and within the RAS parameters, and that any non-compliances are promptly and effectively remedied.

3.3 University Senior Management Group (USMG)

Members of the USMG provide oversight and direction to Compliance Owners in their portfolio. A USMG member may also have accountabilities as a Compliance Owner or be recognised as an interested party for specific obligations. A USMG member’s responsibilities include:

1. Ensuring accountability is assigned to a nominated University officer/s (Compliance Owner) for the identification and control of the compliance obligations in their portfolio;

2. Communicating a clear message that the University will meet its compliance obligations;

3. Providing appropriate resources to ensure requisite people, process and systems capabilities are in place to manage and demonstrate compliance; and

4. Reviewing compliance performance and undertaking due diligence by inquiring on the management of compliance obligations in their portfolio and those of which they are an interested party.

3.4 Compliance Owner

A Compliance Owner is responsible for:

1. Identifying and communicating compliance risks in their portfolio to USMG, relevant stakeholders and interested parties;

2. Advising the Manager, Enterprise Compliance on compliance obligations identified to ensure the accuracy and currency of UQ’s compliance register;

3. Ensuring staff who perform compliance activities have these responsibilities identified in their position descriptions, are appropriately trained and report any issues or concerns relating to their compliance activities;

4. Monitoring and reviewing compliance obligations and controls with sufficient frequency to ensure the currency and ongoing effectiveness of controls;

5. Timely response, rectification and reporting of compliance issues to stakeholders and interested parties, and ensuring appropriate records are kept;

6. Seeking assurance on the effective management of their compliance obligations through participation in the Compliance Assurance Program; and

7. Facilitating any ad hoc reviews to meet SR&AC, VCC and/or VCRCC needs, and ensuring that any deficiencies identified through reviews and assurance processes are promptly rectified.

3.5 Manager Enterprise Compliance

The Manager Enterprise Compliance is responsible for:

1. Ensuring that the ECMF is implemented, maintained and reviewed for effectiveness;

2. Providing relevant training, communications and systems to support the identification and management of compliance obligations and related risks; and

3. Implementing and maintaining the Compliance Assurance Program and providing reports as detailed in section 5.2.

4.0 Monitoring and Review

Under the oversight and direction of VCRCC, the following three separate groups of people within the University will undertake monitoring and review activities:

1. First Line: Compliance Owners (frontline managers) own and manage function-related compliance obligations with support from staff who perform function-related compliance activities.

2. Second Line: the Manager Enterprise Compliance assesses the effectiveness of the ECMF and provides assurance through the Compliance Assurance Program.

3. Third Line: Internal Audit assesses and provides independent assurance on the ECMF and the effectiveness of the first and second lines of defence.

5.0 Recording and Reporting

5.1 Compliance Records

Records of compliance activities will be maintained by the Compliance Owner to demonstrate evidence of actual compliance or non-compliance and for monitoring and review purposes. Such records include registration forms/certificates, licenses, regulatory approvals, reports, breach notifications, details of remedial actions etc. Compliance records will be made available for the CAP.

5.2 Compliance Reporting

Under the ECMF, the following reports will be produced:

Report Title: Breach Reports
Report Content: Report on all cases of non-compliances and breaches together with risks and remedial actions.
Report Producer: Compliance Owner
Report Recipient: Manager Enterprise Compliance

Report Title: Compliance Assurance Program Report
Report Content: Report on level of compliance capabilities and controls per compliance category, including any significant risks and issues of concern and remedial actions.
Report Producer: Manager Enterprise Compliance in consultation with Compliance Owners
Report Recipient: VCRCC, Compliance Owners and Enterprise Risk
Frequency: Annual for each compliance category


Appendix A - Compliance Categories and Sub-categories

The following table outlines UQ’s Compliance Categories and relevant sub-categories (Compliance Category: Compliance Sub-category):

  • Research & Knowledge Transfer
  • Teaching & Learning
  • Growth and Commercialisation
  • Stakeholders, Relationships and Reputation
  • People, Safety and Culture: People and Culture
  • Governance, Legal and Compliance: Governance and Legal; Ethics and Integrity
  • Assets (non-IT): Assets (non-IT)
  • Systems and Information Management: Systems (IT); Information Management
  • Enabling Operations