Compliance Risks Identification Guidelines

Section 1 - Purpose

(1) These Guidelines have been prepared to assist staff to complete the compliance section of the Risk Register.

(2) For legislative compliance risks, a Legislative Guide has been prepared that identifies which area of Charles Sturt University (the University) is specifically responsible for management of the compliance risk.

Section 2 - Glossary

(3) Nil.

Section 3 - Policy

(4) Nil.

Section 4 - Procedures

(5) Nil.

Section 5 - Guidelines

Part A - Identifying Compliance Risks

(6) There are three main sources of compliance risk for University centres:

  1. Internal Compliance - Risks associated with not complying with internal rules, policies and procedures.
  2. External Compliance - Risks associated with not complying with external laws and regulations.
  3. Other Compliance - Risks associated with the operation of one-off programs or activities in Australia or overseas.

Identifying Internal Compliance Risks

(7) The cover sheet of every rule, policy and procedure lists the 'Responsible Office' (in the case of Academic Regulations, this is always the Deputy Vice-Chancellor (Academic)). This indicates the relevant business centre or committee that has overall compliance management responsibility for that rule, policy or procedure. These Offices are responsible for listing the relevant rule, policy or procedure in their Risk Register. The Risk Register aims to help Responsible Offices to identify strategies to ensure all staff and business centres comply with their responsibilities.

(8) For example, the Division of Human Resources would include a Risk Category: 'Non-compliance with Equal Opportunity Policy'. In this case, the Division is responsible for identifying 'systems' that will maximise compliance for the whole University, not only the Division of Human Resources.

Identifying External Compliance Risks

(9) The Legislative Guide lists major legislative obligations on the University and the 'Responsible Office' for compliance management. As for internal compliance, the Responsible Office must list this in the risk category e.g. 'Non-compliance with the Anti-Discrimination Act'.

Identifying Other Compliance Risks

(10) Other compliance risks will arise where business centres engage in one-off programs or activities e.g. conducting a course overseas through a third party provider. These risks are ordinarily identified in the Risk Register attached to the commercial business case or UCPC submission. For example, if a Faculty plans to run a new course in Chile, they will need to identify relevant Chilean and Australian laws with which the University must comply. These must also be notified to the University Secretary and Director, Governance and Corporate Affairs immediately and be included in the Legislative Register.

Part B - Completing the Compliance Section of the Risk Register

(11) Once you have identified the compliance risk, the area responsible must then incorporate this in their Risk Register and identify risk management strategies. Remember, the Responsible Office must develop compliance management systems for the whole University - not just their own areas.

Risk Event

(12) Each compliance obligation or right should be listed in the 'Risk Event' column in the Risk Register (for example, Failure to comply with Anti-Discrimination Act).

Consequence

(13) The consequence of non-compliance should be listed in the 'Consequence' column (for example, penalty, damage to reputation, individual liability for staff member etc.).

Mitigating Action

(14) The 'Mitigating Action' column should record the actions currently in place in the area to manage the relevant compliance obligation (e.g. Equal Opportunity Policy, EEO Online Module Training required for all staff, Awareness Raising Bulletins on WNN, Complaints Policy and Procedures etc.).

Residual Likelihood Rating

(15) The residual likelihood rating is the probability of non-compliance arising in light of the mitigating actions that have been identified. The rating should be determined by reference to the likelihood rating table contained in the Risk Management Policy.

Residual Consequence Rating

(16) The residual consequence rating is the impact arising from non-compliance after taking into account the mitigating actions.

(17) The rating should be determined by reference to the consequence rating table for compliance (see below). Remember, the risk consequence rating must be 'low' to meet the University's compliance risk appetite. If the risk consequence rating is above 'low', then you should review your mitigation actions to see what else can be done to reduce the risk of non-compliance to 'low'. You may need to look at a range of options such as:

  1. developing a plain language guide for staff and students on how to comply with the obligation;
  2. conducting a regular training and development program that guides staff on how to manage the compliance risks;
  3. including awareness raising in induction for all new staff;
  4. conducting an awareness program (e.g. posters, email updates);
  5. obtaining regular certification in writing from staff on compliance (to ensure compliance and alert staff to the importance of the issue);
  6. including compliance as an item at staff meetings;
  7. setting up a special committee with responsibility to manage compliance, involving key staff who have the influencing capacity to affect behaviour;
  8. having an annual seminar presented by staff from the agency responsible for regulating the area;
  9. developing a 'best practice' award where staff are recognised for achievement in compliance;
  10. obtaining expert advice (e.g. Legal Services, Office of Governance and Corporate Affairs, external advisor) on compliance strategies;
  11. appointing a specific officer as responsible for compliance;
  12. conducting regular compliance audits, or asking the Internal Auditor to undertake spot-checks throughout the year and make recommendations;
  13. incorporating compliance responsibilities into contracts with third parties.

(18) Standards Australia has published a standard on compliance programs that sets out a range of best practice strategies for compliance management. You may wish to consult this Standard in developing your mitigation actions. The Standard can be accessed online through the Library.

Risk Grade, Mitigation Effectiveness, Early Warning

(19) These columns should be completed in accordance with the Risk Management Policy.

Compliance Risk Consequences Rating

Low

(20) These risks should be recorded, monitored and controlled by the responsible manager. It is expected that specific responsibility for monitoring and implementing actions to manage these risks is assigned to an officer or group of officers and that this officer or officers have a good working knowledge of the compliance obligation. Actions might include an internal guideline setting out the obligation and a presentation at a staff meeting on the obligation and how it is managed.

Medium

(21) Mitigation actions should be implemented to reduce the likelihood and seriousness of non-compliance. Mitigation actions will depend on the consequences of non-compliance to the Faculty or Division and to the University. In addition to the strategies for low level risks, formalised responsibility for compliance coordination should be identified in the position description of an officer or officers, and clear guidelines implemented within the area identifying the nature of the obligations or rights and the processes for managing them. Awareness raising strategies should be implemented so all staff are aware of the obligation and its importance. Actions are to be identified and endorsed at a Faculty or Division level.

High

(22) If uncontrolled, a risk event at this level may have a significant impact on the operation of a budget centre or the University as a whole. Mitigating actions need to be very reliable and should be approved and monitored in an ongoing manner by the responsible Dean or Executive Director. Management responsibility should be included in the position description of an identified officer or officers. Clear succession planning processes must be implemented for those officers. A formal policy and procedure should be developed and approved to ensure compliance at all times. It would be expected that risks at this level are discussed at regular intervals at management meetings within a Faculty or Division. Training must be provided to all staff that have responsibilities in relation to the matter, and adequate resources made available to those staff to implement the policy and procedural requirements. Awareness raising exercises should be implemented for all staff. A clear reporting framework should be identified, and the policy and procedure should identify clear triggers for reporting where a breach of the obligation is possible. The Vice-Chancellor must be advised immediately of current or emerging risks which have been graded at this level.

Extreme

(23) Activities and projects with unmitigated risks at this level must be avoided or terminated. This is because risk events graded at this level have the potential to cause serious and ongoing damage to the University, the community or the environment. For obligations listed at Extreme, immediate reporting of current, emerging or continuing risk exposures at this level to the Vice-Chancellor and to the Finance, Audit and Risk Committee is mandatory.