
Compliance Framework



James Cook University (JCU) has a responsibility to identify and comply with a range of legislative and regulatory requirements. An effective, organisation-wide compliance management system enables an organisation to demonstrate its commitment to compliance with relevant laws, including legislative requirements, industry codes and organisational standards, as well as standards of good corporate governance, best practices, ethics and community expectations (AS ISO 19600:2015 Compliance Management Systems).

The intent of a robust and integrated system of compliance is to provide assurance to the Vice Chancellor and University Council that the University is actively attentive to its legislative compliance obligations, considering impacts of any consequent changes, and ensuring that these are embedded in practice and procedures across the University.

1.1 Objectives

To achieve the objective of being a compliant organisation, JCU’s Compliance Framework aims to:

  • demonstrate a commitment to the highest standards of ethics and compliance with all applicable laws, regulations, rules and policies and promote a culture of compliance;
  • promote a culture of frank and open disclosure of compliance breaches without fear of victimisation or unfair treatment;
  • document and continuously review and update business processes to ensure they comply with applicable laws and regulations;
  • provide employees with training and assistance to become effectively involved in compliance activities to meet their obligations;
  • maintain monitoring and reporting systems to identify instances of non-compliance or system failure and to protect the University, its staff and students from deliberate or inadvertent breaches and consequent penalty;
  • take prompt action where necessary to address instances of non-compliance or other circumstances that present an unacceptable exposure to legal risk;
  • assess compliance against pre-determined objectives and assessment criteria; and
  • periodically review the compliance framework to ensure it is consistent with AS 3806 and generally accepted compliance management practice.


JCU’s compliance framework comprises a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving legislative compliance management throughout the organisation. There are several policy and procedural documents, forms and registers which identify and manage JCU’s expectations around ethics and integrity in dealings with staff, students and others prescribed in the Code of Conduct, and the University’s obligations identified by this Compliance Framework.

The Compliance Framework has three pillars:

  1. inform (ensuring staff are aware of their obligations and the legislative changes that may impact their business unit’s activities);
  2. comply (an annual compliance declaration by obligation owners as identified in the Compliance Register); and
  3. assure (internal and external audit and review activity) - providing a formal approach to continuous improvement. There will also be regular monitoring and review of the Framework’s performance.

The Framework consists of:

  • the Compliance Policy established to identify intent, scope and responsibilities and accountabilities within the University for compliance;
  • supporting procedures, forms and registers; and
  • the University’s Compliance Register (Obligation Owners will have responsibility for ensuring compliance with particular legislative obligations).

The framework will enable:

  • a robust and structured approach to compliance that is appropriate to JCU’s activities and operating environment; and
  • an approach consistent with the principles of AS ISO 19600:2015 Compliance Management Systems.

In moving to this Compliance Framework, JCU is reflecting the principles of the Standard within these four key aspects:

  1. commitment (by the governing body and senior management);
  2. implementation (responsibilities clearly articulated and assigned);
  3. monitoring and measuring (performance of the program is monitored and clearly demonstrable); and
  4. continual improvement.

3. INFORM (Identifying the University’s Legislative Compliance Obligations)

As a large and complex statutory authority, the University has a significant number of compliance obligations, at both the Commonwealth and State level. To ensure that the University can comply with all of its obligations, it is important to identify legislation and other legislative instruments which impose a compliance obligation. These obligations may arise because the University is, for example, an employer, a provider of goods and services, a statutory body or a recipient of Commonwealth funding. Compliance obligations might include:

  • reporting requirements (provision of statistics or information);
  • requirements for accreditation, registration or licensing;
  • complying with timeframes set down by the legislation for performing activities;
  • a requirement to provide a specified service or range of services;
  • restrictions or limitations on how these services can be offered; and
  • financial obligations.

These obligations will be recorded in the University’s Compliance Register to be maintained by the Risk and Compliance Officer within the Office of the Chief of Staff. This Register will map the University’s obligations to business units and Obligation Owners. Identification of the University's statutory obligations, or changes in these obligations, will be an ongoing activity undertaken by the designated Obligation Owners and senior management. This will include Obligation Owners informing other employees of any amendments, initiating updates to the University’s Compliance Register (through the Risk and Compliance Officer), and undertaking any practical steps necessary to ensure compliance with existing, amended and new statutory obligations.

To ensure Obligation Owners and others are informed in a timely manner of Commonwealth and State legislative change across all areas of responsibility by jurisdiction and subject area, a subscription to a legislative alert service will be maintained. Policies, procedures and other documentation which reference legislation will be reviewed on any substantive change, particularly in those areas of actual or potential risk.

Where new or revised legislation creates obligations for the University, a Compliance Action Plan may be required. The template for a Compliance Action Plan is at Appendix 1.

4. COMPLY (Management of Compliance)

Obligation Owners will be required to sign an annual Compliance Declaration specific to their area of responsibility. The Declaration confirms the level of compliance with relevant legislation, provides details of any actual or potential breaches and any action taken, and sets out the outcomes and recommendations in response to legislative change (if any) relevant to their obligations. The aim is to proactively identify and report actual/potential breaches in accordance with the Annual Compliance Declaration Procedure.

Where there is non-compliance with a new standard or regulation, a Compliance Action Plan will be developed in response, either by the relevant Obligation Owner or at the University level, with the assistance of the Risk and Compliance Officer. The plan will include timeframes and a risk assessment with mitigation strategies (where appropriate). This provides for a better understanding of the non-compliance risk exposure for specific activities rather than having a broad high risk around legislative compliance in general.

4.1 Reporting Incidents of Non-Compliance

Obligation Owners are required to identify and maintain records of all non-compliance incidents or potential breaches within their designated areas. Formal reporting on non-compliance incidents and their management is to be made to the Chief of Staff as and when such incidents occur. The Chief of Staff will advise the Vice Chancellor, Chair of Audit Committee and Chancellor of incidents of significance or notifiable issues. Compliance breaches may be identified through audit activity, self-disclosure, third party complaints, compliance certifications, and review or notification by regulatory agencies and other authorities.

Information received from Obligation Owners during this process is used to advise University Council through Audit Committee of high risk non-compliance incidents or significant compliance trends. Actions may be taken on the basis of this reporting by senior management to clarify any non-compliance which has not been satisfactorily addressed by an organisational area.

A staff member who wishes to report any incident of non-compliance should approach either the relevant designated Obligation Owner if the incident relates to a specific obligation or their manager or supervisor if the incident relates to an operational matter. It is also open to a staff member to make a Public Interest Disclosure in accordance with the relevant procedures, where circumstances warrant.

Reporting processes are outlined in the Legislative Alerts and Non-Compliance Reporting Procedure.

4.2 Corrective Actions

When a compliance breach is detected it is Management’s responsibility to:

  • investigate the circumstances relating to the compliance breach;
  • notify the compliance breach to the Obligation Owner;
  • ensure that timely and adequate corrective actions are taken to reinstate compliance; and
  • provide a copy of the Compliance Action Plan to the Chief of Staff.

Where a significant compliance breach occurs, and based on a risk assessment, a corrective action plan should be developed by Management in consultation with the Obligation Owner. The Obligation Owner will monitor the implementation of the corrective action plan to ensure that compliance is reinstated.

Where an Obligation Owner believes that Management’s response to a compliance breach is not appropriate, the matter should be escalated to the Chief of Staff for resolution.

5. ASSURE (Audit, Monitoring and Review)

The University is responsive to a number of external regulatory agencies for accreditation, certification and registration purposes (including vocational and professional bodies, the Tertiary Education Quality and Standards Authority, and others) and therefore subject to external audit or review, accreditation or self-review and reporting obligations. An assurance map will be compiled to capture these obligations.

The annual Internal Audit Work Plan may also include a rolling compliance audit, using a risk based approach, to assure the Vice Chancellor and Audit Committee that the University is maintaining or working towards compliance, or to assess whether any business improvement implemented to meet legislative change is fit for purpose and meets requirements.

In order to effectively manage compliance obligations, an annual review of compliance processes will be undertaken. This will include:

  • the review and updating of the compliance and risk registers;
  • notification of any previously un-reported compliance breaches, issues or complaints; and
  • audit of compliance processes, as applicable.

The risk of compliance failure should be reassessed whenever there are:

  • new or changed activities or services;
  • changes to the structure or strategy of the University;
  • significant external changes; or
  • changes to compliance obligations.

5.1 Compliance Performance Reporting

Formal reporting mechanisms on compliance activities include:

  • Annual Compliance Declarations by Obligation Owners of compliance with legal, regulatory and other obligations;
  • regular reporting, by the Office of the Chief of Staff to Vice Chancellor's Advisory Committee and Audit, Risk and Compliance Committee of Council on major developments, issues and compliance incidents including the status of implementation of corrective action plans;
  • provision of an annual, risk-based plan of compliance activities to Audit, Risk and Compliance Committee for review and approval; and
  • reviews of the Compliance Policy and the Compliance Framework (to align with reviews of the Risk Management Framework and Policy), including an assessment of their effectiveness and recommendations for improvement.


The University Council is ultimately responsible for approving the Compliance Framework and Policy, and through Audit Committee oversees the adherence, monitoring and review of the University’s Compliance Framework. Audit Committee is also responsible for reviewing and making recommendations to Council regarding the Compliance Policy.

The Vice Chancellor is responsible for leading a compliance culture across the University through promoting and supporting the Compliance Policy and Framework. Detailed responsibilities for University staff include:

University Executive

The University Executive are responsible for ensuring that appropriate resources, systems and processes are in place to implement the Compliance Framework across the organisation, comply with legislative and regulatory requirements within their specific areas of operational responsibility, and ensure that any potential or actual legislative non-compliance has been identified and is being managed appropriately. Specifically:

  • remaining aware of the compliance obligations (including monitoring for changes in legislation and regulation) within their areas of control;
  • identifying individual staff members requiring training and ensuring their participation as required to ensure ongoing compliance;
  • reporting non-compliance or potential non-compliance to the Obligation Owner and the Chief of Staff;
  • undertaking corrective actions to compliance breaches in a timely manner;
  • certifying compliance for their area of control; and
  • encouraging behaviours that create and support compliance and a compliance culture.

Chief of Staff

The Chief of Staff has overall responsibility for the control and coordination of the Compliance Framework and for coordinating the implementation of the compliance process in all areas of the University with compliance responsibilities with the support of the Risk and Compliance Officer. Specifically:

  • developing, implementing and ensuring continuous improvement of the Compliance Framework;
  • overall coordination of the Compliance Program and ensuring that all responsible areas of the University fulfil their compliance responsibilities;
  • identifying, in conjunction with Obligation Owners, compliance requirements and training needs and promoting awareness of compliance obligations;
  • maintaining the University’s Compliance Register;
  • providing advice to relevant staff and Obligation Owners on new or changed legislation, its content and application to the University where appropriate;
  • reporting compliance breaches to management and University Executive and ensuring that appropriate and timely corrective actions are undertaken;
  • conducting regular compliance audits; and
  • reporting to Vice Chancellor's Advisory Committee and Audit, Risk and Compliance Committee of Council.

Obligation Owners

Obligation Owners will work closely with the Chief of Staff and will have responsibility for providing guidance and support to all employees; monitoring legislation, regulations and codes for any changes or new statutory requirements; reporting non-compliance issues, whether systemic, recurring or one-off; and ensuring that legislative requirements are met within their Divisions. Specifically:

  • ensuring that the compliance requirements for their areas of compliance responsibility are identified, understood and documented (in the Compliance and Risk Register where appropriate);
  • monitoring identified legislation and regulations for change and ensuring that compliance continues to be maintained, including providing advice to the Risk and Compliance Officer if such change impacts the University’s Compliance Register;
  • providing guidance and support to staff on compliance with legislative obligations (including new or changed obligations) relevant to their areas of responsibility;
  • monitoring and reporting non-compliance;
  • completing the Annual Compliance Declaration; and
  • encouraging behaviours that create and support compliance and a compliance culture.

Managers and staff

Commitment must be demonstrated by managers by making themselves fully aware of the University’s legislative obligations within their area of accountability or span of control. All staff are responsible for:

  • adherence to the compliance obligations relevant to their position;
  • performing their duties in a lawful and safe manner;
  • undertaking training as required on compliance activities and initiatives;
  • undertaking corrective actions to compliance breaches in a timely manner; and
  • reporting and escalating compliance concerns, issues, complaints and failures.


The table below summarises the key actions, reviews and reports required by JCU’s Compliance Framework. It details who is responsible for each activity and the required timing. Independent review may also be sought to confirm the University’s approach to compliance is consistent with best practice.





| Activity | Description | Responsibility | Timing |
|---|---|---|---|
| Review Compliance Policy | Review the currency and effectiveness of JCU’s Compliance Policy | Council to approve on advice of Vice Chancellor and Audit Committee (review to be coordinated by Chief of Staff) | Every two years in August |
| Review Compliance Framework | Review the currency and effectiveness of JCU’s Compliance Framework | Audit Committee to consider on advice of Vice Chancellor (coordinated by Chief of Staff) | Every two years in August |
| University’s Compliance Register | Identify and review legislative obligations and nomination of Obligation Owners | Vice Chancellor's Advisory Committee to initiate, Audit Committee to review (coordinated by University General Counsel) | Annually in July |
| University’s Risk Register | Review current status of Compliance Action Plans, potential or actual breaches and other relevant issues | Vice Chancellor's Advisory Committee (Obligation Owners to coordinate); Audit Risk and Compliance Committee (coordinated by Chief of Staff) | Every 6 months by VCAC and Audit, Risk and Compliance Committee in November |
| Compliance Declarations | Review current status of key risks, Risk Treatment Plans, incidents and other relevant issues | Obligation Owners, reported to Vice Chancellor's Advisory Committee and Audit, Risk and Compliance Committee (coordinated by Risk and Compliance Officer) | Annually in November |
|  | Ensure staff are aware of the Compliance Framework, Policy and Procedures and their obligations. | Chief of Staff and Risk and Compliance Officer (Obligation Owners to assist) | Introduction for all new staff at on-line induction with more detailed session for Obligation Owners within three months of commencing. |

Related Policy Instruments

Compliance Policy

Legislative Alerts and Non-Compliance Reporting Procedure


Appendix 1 Compliance Action Plan template


NOTE: Printed copies of this policy are uncontrolled, and currency can only be assured at the time of printing.

Approval Details

Policy Domain: Corporate Governance
Policy Sub-domain: Risk, Assurance, Regulatory and Compliance
Policy Custodian: Vice Chancellor

Approval Authority


Date for next review


Revision History


| Version | Approval date | Implementation date | Details | Author |
|---|---|---|---|---|
| 21-1 | 02/12/2021 | 17/12/2021 | Minor revisions to reflect amended policy and new procedures | Chief of Staff |
| 20-1 | 30/07/2020 | 01/08/2020 | Minor amendments and revisions after internal audit review. | Chief of Staff |
| 18-1 | 06/12/2018 | 18/01/2019 | Minor amendments to clarify responsibilities regarding completion of annual Compliance Statement, administrative amendments and amendment to review of Compliance Framework from annually to every two years. | Chief of Staff |
|  |  |  | Revisions to Framework | Chief of Staff |
|  |  |  | Framework established | Chief of Staff |


Compliance, standards of compliance, compliance framework, obligations

Contact person: Chief of Staff