Compliance Management Procedure

This is the current version of this document.

Section 1 - Introduction

(1) Charles Sturt University (the University) is to be a national University for excellence in education for the professions, strategic and applied research and the flexible delivery of learning and teaching.

(2) The University recognises that an important part of achieving its strategic direction is to have an effective system of governance, which includes conducting its activities in accordance with University policies and procedures, and the law, to enhance community confidence in its administration of public assets.

(3) To meet this commitment, each area will assess compliance risks as part of the annual development of Risk Registers and will identify how those risks will be managed in an effective and efficient manner.

Section 2 - Application

(4) This Procedure applies to all staff, students and organisational units of the University and its controlled entities.

(5) A reference to a compliance obligation in this Procedure includes a reference to:

  1. a rule, policy or procedure of the University approved by the Council, or under a delegated authority from the Council; and
  2. the laws of the Commonwealth, New South Wales and such other jurisdictions within Australia in which the University operates or to which a program of the University is subject (e.g. Victoria, Australian Capital Territory); and
  3. the laws of another country in which the University operates a facility or a program (e.g. Canada, China), or where the University is subject to legal obligations (e.g. countries that have regulations that govern the content of Internet sites viewable in that country).

(6) For the purpose of this Procedure, a reference to "law", "legislative obligations" and "legal" includes:

  1. legislation and statutes (or the equivalent in a foreign country);
  2. standards and requirements mandated under legislation (e.g. Building Standards);
  3. regulations made under legislation;
  4. sub-delegated legislation (e.g. rules of the University);
  5. common law obligations (e.g. duty of care); and
  6. interpretations of the same by a court of record.

Section 3 - Relationship to Risk Management Procedure

(7) This Compliance Management Procedure is made under the Risk Management Policy.

(8) Under clause 22b of the Risk Management Policy, the Council has authorised the Vice-Chancellor to develop and implement operational policies and procedures for risk management.

(9) This Procedure is made under the authority granted by the Council.

(10) The University is subject to a range of compliance obligations.

(11) Meeting the University's compliance obligations, and maximising the benefits of any rights or opportunities available under the law, is an essential component of managing risk and opportunity.

(12) Good risk and opportunity management is most effectively achieved when the risks associated with non-compliance, or failure to realise a benefit, are identified and processes implemented to ensure they are effectively managed.

(13) Under the Risk Management Policy, all managers and supervisors are responsible for managing the risks and opportunities associated with their areas and documenting their risk and opportunity management processes.

(14) The University's risk appetite for compliance risks is low. As a good corporate citizen, the University seeks to meet its compliance obligations to the best of its endeavours. The University will look to satisfy compliance obligations in the simplest and most effective way possible.

Section 4 - Purpose

(15) This Procedure defines how compliance is to be addressed under the University's Risk Management Policy. The principles and processes underpinning the Risk Management Policy apply to this Procedure and should be read together with the Risk Management Policy.

(16) The purpose of this Procedure is to:

  1. ensure a consistent approach to the identification and documentation of the University's compliance obligations;
  2. integrate and align compliance management with the University's risk management systems and business processes;
  3. develop a culture of compliance awareness whilst maintaining a culture of innovation and realisation of opportunities within Charles Sturt University;
  4. ensure that compliance obligations are taken into account when making strategic management decisions;
  5. ensure the management of compliance obligations is integrated into standard management and accountability processes;
  6. develop an environment where staff assume responsibility for compliance obligations; and
  7. encourage continuous review and improvement of the University's compliance management processes.

(17) Non-compliance is a significant risk to the University and can lead to:

  1. loss of authority to undertake specific activities essential to the operation of the University’s programs (and the possible loss of the ability to continue offering some programs);
  2. damage to the University's reputation and loss of community confidence in the University’s operations, honesty and integrity;
  3. damage to property or injury to person including death or disability;
  4. loss of an opportunity or a delay in the achievement of an opportunity;
  5. incorrect assessment of the potential value of a strategic initiative leading to a different result than that which was anticipated;
  6. pecuniary damage in the form of fines or compensation;
  7. personal liability incurred by individual officers (including, in the most serious cases, the possibility of an officer being imprisoned or charged with a criminal offence or having a significant financial penalty imposed);
  8. remedial costs that would not otherwise be incurred;
  9. avoidable disruption to business processes and activities; and
  10. loss of a business opportunity.

Section 5 - Compliance Management Procedure

Compliance Register

(18) The University Secretary is the University's Compliance Co-ordinator. The Manager, Council Business, has day to day responsibility for compliance coordination within the University reporting to the University Secretary.

(19) The Compliance Register will be constituted by:

  1. the CSU Policy Library (non-academic policies) maintained by the Manager, Council Business - a register of University administrative policies, procedures, rules, guidelines and other internal compliance obligations;
  2. the CSU Policy Library (academic policies) maintained by the Academic Secretary - a register of University academic policies, procedures, rules, guidelines and other internal compliance obligations; and
  3. the Legislative Guide maintained by the Manager, Council Business - a register of major identified external legislative obligations.

(20) The Manager, Council Business and the Academic Secretary are responsible for ensuring that the CSU Policy Library is current and accessible to staff and students.

(21) The Manager, Council Business, will annually request executives and managers to review the Legislative Guide with respect to their area and to advise of any changes. Executives and managers must assist the Manager, Council Business, in the review of the Legislative Guide.

(22) Executives and managers are responsible for advising the University Secretary, during the year, of any changes or amendments to legislative obligations. Changes and amendments include new legislation, changes in interpretation of legislative obligations by the courts, new or changed regulations or legislative requirements. The University’s Senior Legal Officer will also monitor the legal environment and advise the University Secretary of any changes.

Section 6 - Risk Register

(23) A Risk Register is required for all Faculties, Divisions, Schools, Research Centres and Budget Centres.

(24) Risk Registers should be updated as and when required, and must be reviewed and updated annually to support the development of Annual Operational Plans.

(25) Risk Registers must be developed in accordance with the Risk Register Procedure.

(26) The Risk Register Procedure includes a risk register template consisting of some headings and a table that reflects the nature of the information that is to be addressed.

(27) The template includes a section to address compliance risks and opportunities.

(28) The University Secretary may approve a plain language Guideline on completing the compliance section of the Risk Register, including a guide on risk consequences for compliance matters. Business centres must consult the Guideline in developing their Risk Registers.

Section 7 - Compliance Managers

(29) The Vice-Chancellor has overall responsibility for compliance on behalf of the Council.

(30) The following officers are designated as Compliance Managers with respect to the following areas:

  1. Vice-Chancellor - with respect to executive and governance matters;
  2. Deputy Vice-Chancellor (Academic) - with respect to academic programs of the University (including academic committees under the Academic Senate);
  3. Deputy Vice-Chancellor (Research, Development and Industry) - with respect to research units, graduate studies and consultancy services;
  4. Deputy Vice-Chancellor (Students) - with respect to student administrative divisions and services of the University;
  5. Executive Director, Human Resources - with respect to human resources and services of the University; and
  6. Chief Financial Officer - with respect to financial, administrative and commercial divisions and services of the University and its controlled entities.

(31) Compliance Managers may appoint an officer or body with specific day to day and coordinating responsibility for a particular area or areas of compliance (e.g. Work, Health and Safety).

Section 8 - Responsibilities

(32) Compliance Managers have oversight responsibility for compliance in their area of responsibility and are expected to provide leadership within their area of accountability for maintaining and continuously improving compliance management in their areas including:

  1. promoting an ethical and positive compliance culture within their area;
  2. communicating to those in the University expected to comply with obligations of the existence of those obligations and the behavioural requirements;
  3. identifying University-wide compliance risks and working with other Compliance Managers to ensure the consistent identification, assessment and management of risks across areas;
  4. ensuring that compliance obligations are identified and documented in accordance with this Procedure with respect to their areas of accountability;
  5. immediately reporting to the Vice-Chancellor (or Chancellor in the case of the Vice-Chancellor) any unacceptably high emerging or residual compliance risks. Compliance Managers will, if they deem it necessary, terminate an activity that is assessed as an unacceptably high risk of non-compliance;
  6. supporting managers in their area to ensure compliance, including making resources available to support compliance;
  7. coordinating compliance within their area to minimise unnecessary duplication or to assign coordination responsibilities where obligations cross multiple areas;
  8. supporting policies, systems, procedures, education and training to guide the behaviour of staff, and where appropriate, students and others;
  9. actively monitoring compliance management within their area; and
  10. reporting each quarter to the Finance, Audit and Risk Committee on significant issues of non-compliance, including where actions have been undertaken or proposed.

(33) Executives, managers and supervisors of the University and its controlled entities have day to day responsibility for the management of compliance in their areas and are responsible for incorporating compliance management into standard management practices by:

  1. actively monitoring compliance management and quality assuring compliance activities and reporting within their area;
  2. identifying and determining appropriate actions to address operational compliance risks within their area of responsibility in accordance with University policies and procedures;
  3. developing and maintaining a register of material risks of non-compliance;
  4. maintaining the Legislative Register by monitoring current and emerging compliance obligations and obtaining legal advice where required;
  5. developing policies, systems, procedures, education and training to guide the behaviour of staff, and where appropriate, students and others;
  6. implementing actions with respect to compliance management as directed by the Compliance Managers, Vice-Chancellor or the Council;
  7. immediately reporting on the management of significant emerging or residual risks of non-compliance to the Compliance Manager for their area;
  8. reinforcing compliance responsibilities in position descriptions and discussions at performance reviews; and
  9. ensuring the inclusion of risk management responsibilities in duty statements, induction, professional development and performance management.

(34) The Vice-Chancellor may approve the establishment of a Compliance Committee (for example, for compliance with radiation safety law) where this is appropriate to the management of compliance risks or required under legislation. Where a Compliance Committee is appointed, the Committee has the same responsibilities as an Executive, manager or supervisor under clause 33 in addition to any other responsibilities that may be set out in the relevant legislation. Where a provision of this Procedure is inconsistent with an obligation set out in the relevant legislation, the legislation will override this Procedure.

(35) All staff are responsible for ensuring that they meet compliance obligations in the management of their day to day activities, and those of their colleagues. All staff are required to:

  1. be aware of, and integrate processes to comply with, the compliance obligations affecting their own activities and functions;
  2. continuously comply with all relevant compliance obligations;
  3. observe all relevant University policies and procedures concerning compliance;
  4. report breaches, risks, hazards, incidents and complaints in accordance with University reporting procedures; and
  5. refer to the relevant University procedure before they act if they are uncertain as to what is compliant behaviour in a given situation.

(36) The Manager, Risk and Assurance shall:

  1. monitor compliance with this Procedure;
  2. conduct spot checks of the integrity of compliance certifications and Risk Registers;
  3. develop tools (e.g. self-assessment checklists) to support staff to quality assure compliance management; and
  4. report and make recommendations to the University Secretary and Director, Governance and Corporate Affairs, Vice-Chancellor and the Finance, Audit and Risk Committee on compliance matters.

Section 9 - Annual Compliance Certification

(37) Compliance Managers will annually certify to the Vice-Chancellor that they have in place an appropriate compliance system for those compliance obligations for which they have oversight responsibility including that:

  1. a risk assessment has been conducted for each area of responsibility with respect to compliance;
  2. relevant processes and systems have been implemented to manage compliance risks effectively;
  3. all areas have been compliant for the preceding twelve months (or if not, the area of non-compliance and the reasons for non-compliance); and
  4. how areas intend to improve their program in the next twelve months to better manage compliance risks.

(38) The Manager, Council Business, (on behalf of the Vice-Chancellor) will collate the annual certificates of compliance for noting by the Finance, Audit and Risk Committee (to be provided to the first scheduled meeting of the Committee with respect to the previous year).

Section 10 - Incident Reporting

(39) Compliance risks assessed as 'high' must be immediately reported to the Vice-Chancellor. Where the risk relates to an academic matter under the authority of the Academic Senate, the risk must also be immediately reported to the Deputy Vice-Chancellor (Academic) and Presiding Officer, Academic Senate.

(40) The Vice-Chancellor or the Deputy Vice-Chancellor (Academic) (if the risk is related to an academic matter under the authority of the Academic Senate) must immediately report to the Chair, Finance, Audit and Risk Committee regarding:

  1. any alleged compliance breach of a serious nature;
  2. a serious imminent risk of non-compliance;
  3. legal action or serious complaint regarding compliance; and
  4. compliance risks assessed as 'extreme'.

(41) In making a report under clause 40, the Vice-Chancellor or the Deputy Vice-Chancellor (Academic) (if the risk relates to an academic matter under the authority of the Academic Senate) will detail remedial action taken to resolve the compliance risk, as well as strategies and controls in place, or being developed, to better manage compliance risks.