Policy

Compliance Management - Policy


1.0    Purpose and Scope

The University of Queensland (UQ, the University) operates in a highly regulated environment, requiring the University to identify and manage legal and regulatory compliance obligations across various jurisdictions. Compliance obligations include legal and regulatory requirements and commitments made by the University through its policies and undertakings.

The purpose of this policy is to establish a flexible compliance management framework that integrates systems, policies, procedures, and processes to meet UQ’s compliance objective. The framework is based on the ISO 37301:2021 Compliance Management System guidelines and adopts a risk-based approach to ensure that UQ can demonstrate compliance with its legal and regulatory Compliance Obligations.

This policy applies to all UQ staff, students, and affiliates. UQ controlled entities are required to adopt a policy and/or processes that are consistent with this policy.

1.1    Compliance commitment and objective

UQ is committed to maintaining a strong compliance culture that ensures capacity to operate in a manner that is compliant with its legal and regulatory compliance obligations.

UQ’s compliance objective is to ensure it has efficient requisite systems, processes, and controls in place to enable it to demonstrate compliance with its compliance obligations effectively, within the parameters established by Senate through the Risk Appetite Statement (RAS). 

2.0    Principles and Key Requirements

2.1    Compliance principles

To meet its compliance commitment and objective, UQ will:

  1. adopt a Compliance Management Framework (CMF) that supports the implementation of proportionate, flexible, and sustainable compliance processes;

  2. ensure accountability and clarity of assigned compliance ownership, roles, and responsibilities;

  3. monitor the statutory and regulatory environment and maintain a register of key regulatory exposures;

  4. nurture and support a competent workforce and foster an organisational culture that is agile and responsive to compliance challenges and opportunities;

  5. provide a range of training and development opportunities that build capacity, awareness, and knowledge of compliance practices and processes;

  6. integrate compliance systems and procedures that support the efficient and effective management, monitoring, and assurance of compliance obligations and exposures;

  7. maintain a compliance breach management framework that provides a range of mechanisms for identifying, reporting, escalating, and responding to instances of non-compliance through efficient and effective intervention and remediation;  

  8. report on, and evaluate, compliance exposures and compliance performance through various governance channels and mechanisms that support efficient and effective oversight and monitoring of compliance;

  9. undertake a periodic review of the compliance management framework, systems, and processes that facilitate the enhancement and continuous improvement of compliance.

3.0    Roles, Responsibilities and Accountabilities

3.1    Compliance Governance

3.1.1    Senate Risk and Audit Committee

The Senate Risk and Audit Committee (SRAC) exercises oversight of the University’s governance, risk and compliance frameworks including policies, procedures, information systems and systems of internal control surrounding key financial and operational processes. The Committee also provides oversight of the leadership and direction in terms of organisational culture and ethical behaviour.

SRAC reviews and endorses reports and assurances on the University’s framework and processes to demonstrate compliance with its legal and regulatory compliance obligations, including any material compliance breaches and/or regulatory actions against the University.

3.1.2    Academic Board

The Academic Board and its committees contribute to and demonstrate the University’s commitment to academic governance, in compliance with the Higher Education Standards Framework (Threshold Standards) 2021. The Academic Board provides advice and assurance to the Senate Risk and Audit Committee on the management of academic and research risks.

3.1.3    Vice-Chancellor’s Risk and Compliance Committee

The Vice-Chancellor’s Risk and Compliance Committee (VCRCC) provides advice and recommendations to the Vice-Chancellor and the Senate Risk and Audit Committee. The committee provides oversight of the implementation of any directives in relation to governance and compliance ownership, risk, and compliance exposure, to address any systemic issues or to further enhance controls and culture.

3.2    Roles and Responsibilities

3.2.1    Vice-Chancellor and President, and Senior Leadership Team

The Vice-Chancellor and President, with support of the senior leadership team, is accountable for the overall effectiveness of the compliance management framework, systems, and processes, including:

  1. setting the ‘tone at the top’ by demonstrating a commitment to achieving compliance objectives through the Compliance Management Framework and Compliance Ownership;

  2. allocating adequate and appropriate resources to develop, implement, evaluate, and improve compliance management;

  3. ensuring alignment between strategic and operational objectives and compliance obligations.

3.2.2    Compliance Owners

Compliance Owners are accountable for compliance obligations and exposures assigned under their remit. This includes:

  1. awareness of compliance obligations and evaluating compliance risks;

  2. identifying and communicating compliance risks and exposures relevant to their area/function and implementation of appropriate controls to manage risks within tolerable levels;

  3. monitoring and measuring compliance performance of UQ wide compliance obligations;

  4. ensuring compliance requirements are supported by integrated policies, procedures, and processes;

  5. developing and facilitating training and supporting resources to develop staff capacity and awareness of compliance obligations and exposures;

  6. managing compliance breaches and remediation processes for compliance obligations;

  7. reporting to the VCRCC and other key stakeholders on compliance performance for compliance obligations;

  8. supporting and facilitating compliance assurance, review, and enhancement activities for Compliance Obligations.

3.2.3    Heads of organisational units / Managers and Supervisors

Heads of organisational units / Managers and Supervisors are responsible for managing day-to-day compliance within their area(s). This includes responsibility for:

  1. maintaining and monitoring compliance obligations and controls with sufficient frequency to ensure controls are effective and fit for purpose;

  2. ensuring all staff within their organisational unit or area comply with UQ’s compliance management framework and supporting policies, procedures and processes;

  3. advising Compliance Owners and other key stakeholders of compliance exposures and risk within their area;

  4. ensuring staff have the appropriate competence through training and support that enables them to fulfill compliance requirements within their functional areas;  

  5. reporting and contributing to the management of compliance breaches and remediation processes for compliance obligations within their area;

  6. supporting and participating in compliance assurance, review, and enhancement activities as directed;

  7. proactively modelling and championing an engaged compliance culture among their teams and peers.

3.2.4    Governance and Compliance Unit

The Governance and Compliance Unit is responsible for the operation of the compliance management framework, including:

  1. maintaining the Compliance Legislation Register;

  2. providing guidance and advice to stakeholders on current, new, and emerging compliance exposures, in consultation with Compliance Owners and other key stakeholders;

  3. facilitating and supporting the monitoring, review, and enhancement of the Compliance Management Framework, systems and processes;

  4. reporting to Compliance Owners and the Vice-Chancellor’s Risk and Compliance Committee on compliance exposures and compliance performance.

3.2.5    Staff, Students and Affiliates

All staff, students, and affiliates must:

  1. comply with UQ’s compliance obligations and supporting policies, procedures and processes;

  2. report compliance concerns and suspected areas of non-compliance; and

  3. participate in and complete any required training.

4.0    Monitoring, Review and Assurance

4.1    Compliance Owners

Compliance owners are accountable for monitoring, reviewing, assurance, and management of compliance exposures under their remit.

4.2    Managers and Supervisors

Managers and Supervisors are responsible for monitoring and supporting the review, assurance, and management of compliance exposures within their organisational unit or area.

4.3    Governance and Compliance Unit

The Governance and Compliance Unit is responsible for the monitoring and review of the implementation of the Compliance Management Framework, policy, and supporting systems and processes, to ensure they are effective and meet the needs of UQ.

4.4    Internal Audit

The Internal Audit group undertakes independent audits and provides assurance on compliance exposures and compliance obligations as per the Senate approved annual audit plan.

5.0    Recording and Reporting

The Compliance Legislation Register records compliance ownership for key compliance instruments and associated compliance obligations that UQ has exposure to.

New and existing compliance exposures are reported through relevant Compliance Owners and disseminated or escalated through to stakeholders as needed.

Compliance owners are responsible for maintaining records of compliance and reporting on compliance performance for the compliance obligations they are responsible for.

Managers and Supervisors are responsible for maintaining appropriate records of compliance as required, and reporting to the Compliance Owner on compliance performance within their portfolio / area(s) of responsibility.

All staff are responsible for reporting and escalating concerns on non-compliance through the established channels.

All records supporting instances of non-compliance are recorded and stored securely in approved systems of record.

6.0    Appendix

6.1    Definitions, Terms, and Acronyms

Compliance Breach - a compliance breach occurs when there is a failure to meet the requirements of a compliance obligation.

Compliance Management Framework - comprises the key systems, processes, and policies that underpin the University’s approach to managing compliance through a risk-based approach.

Compliance Obligation - externally imposed obligations that are established through law/legislation, regulations, codes, professional standards, and other licensing or contractual obligations; and internally approved UQ policy and procedures that assure regulatory compliance.

Compliance Owner(s) - UQ staff that have been assigned accountability for the management of specified statutory and legal compliance obligations and risks that the University has exposure to. Compliance owners are recorded in the compliance legislation register.

Remediation - Refers to the actions taken to treat a compliance breach to ensure that the compliance obligation(s) is/are fully met and that the associated risk level is mitigated through a systematic and documented approach.

Senior Leadership Team - comprises executive management functions that support the Vice-Chancellor in the effective management of strategic, operational, and financial matters for the University, including compliance.

6.2    Related Policy Areas

This policy should be read in conjunction with the UQ:

Custodians
Director, Governance and Risk