Compliance Framework

1. COMMITMENT TO COMPLIANCE

James Cook University (JCU) has a responsibility to identify and comply with range of legislative and regulatory requirements. An effective, organisation-wide compliance management system enables an organization to demonstrate its commitment to compliance with relevant laws, including legislative requirements, industry codes and organisational standards, as well as standards of good corporate governance, best practices, ethics and community expectations (AS ISO 19600:2015 Compliance Management Systems). .

The intent of a robust and integrated system of compliance is to provide assurance to the Vice Chancellor and University Council that the University is actively attentive to its legislative compliance obligations, considering impacts of any consequent changes, and ensuring that these are embedded in practice and procedures across the University.

1.1 Objectives

To achieve the objective of being a compliant organisation, JCU’s Compliance Framework aims to:

• demonstrate a commitment to the highest standards of ethics and compliance with all applicable laws, regulations, rules and policies and promote a culture of compliance;
• promote a culture of frank and open disclosure of compliance breaches without fear of victimisation or unfair treatment;
• document and continuously review and update business processes to ensure they comply with applicable laws and regulations;
• provide employees with training and assistance to become effectively involved in compliance activities to meet their obligations;
• maintain monitoring and reporting systems to identify instances of non-compliance or system failure and to protect the University, its staff and students from deliberate or inadvertent breaches and consequent penalty;
• take prompt action where necessary to address instances of non-compliance or other circumstances that present an unacceptable exposure to legal risk;
• assess compliance against pre-determined objectives and assessment criteria; and
• periodically review the compliance framework to ensure it is consistent with AS 3806 and generally accepted compliance management practice.

2. COMPLIANCE PROGRAM

JCU’s compliance framework comprises a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving legislative compliance management throughout the organisation. There are several policy and procedural documents, forms and registers which identify and manage JCU’s expectations around ethics and integrity in dealings with staff, students and others prescribed in the Code of Conduct, and the University’s obligations identified by this Compliance Framework.

The Compliance Framework has three pillars:

1. inform (ensuring staff are aware of their obligations and the legislative changes that may impact their business unit’s activities);
2. comply (an annual compliance declaration by Deputy Vice Chancellors, Provost, and the Vice Chancellor); and
3. assure (internal and external audit and review activity) - providing a formal approach to continuous improvement. There will also be regular monitoring and review of the Framework’s performance.

The Framework consists of:

• the Compliance Policy established to identify intent, scope and responsibilities and accountabilities within the University for compliance;
• supporting procedures, forms and registers; and
• the University’s Compliance Register  (Responsible Officers will have responsibility for ensuring compliance with particular legislative obligations).

The framework will enable:

• a robust and structured approach to compliance that is appropriate to JCU’s activities and operating environment; and
• an approach consistent with the principles of AS ISO 19600:2015 Compliance Management Systems.

In moving to this Compliance Framework, JCU is reflecting the principles of the Standard within these four key aspects:

1. commitment (by the governing body and senior management);
2. implementation (responsibilities clearly articulated and assigned);
3. monitoring and measuring (performance of the program is monitored and clearly demonstrable); and
4. continual improvement.

3. INFORM (Identifying the University’s Legislative Compliance Obligations)

As a large and complex statutory authority, the University has a significant number of compliance obligations, at both the Commonwealth and State level. To ensure that the University can comply with all of its obligations, it is important to identify legislation and other legislative instruments which impose a compliance obligation. These obligations may arise because the University is, for example, an employer, a provider of goods and services, a statutory body or a recipient of Commonwealth funding. Compliance obligations might include:

• reporting requirements (provision of statistics or information);
• requirements for accreditation, registration or licensing;
• complying with timeframes set down by the legislation for performing activities;
• a requirement to provide a specified service or range of services;
• restrictions or limitations on how these services can be offered; and
• financial obligations.

These obligations will be recorded in the University’s Compliance Register to be maintained by Legal and Assurance within the Office of the Chief of Staff. This Register will map the University’s obligations to business units and responsible officers. Identification of the University's statutory obligations, or changes in these obligations, will be an ongoing activity undertaken by the designated Responsible Officers and senior management. This will include Responsible Officers informing other employees of any amendments, initiating updates to the University’s Compliance Register (through Legal and Assurance), and undertaking any practical steps necessary to ensure compliance with existing, amended and new statutory obligations.

To ensure Responsible Officers and others are informed in a timely manner of Commonwealth and State legislative change across all areas of responsibility by jurisdiction and subject area, a subscription to a legislative alert service will be maintained. Policies, procedures and other documentation which reference legislation will be reviewed on any substantive change, particularly in those areas of actual or potential risk.

Where new or revised legislation creates obligations for the University, a Compliance Action Plan may be required. The template for a Compliance Action Plan is at appendix 1.

4. COMPLY (Management of Compliance)

Deputy Vice Chancellors, Provost and the Vice Chancellor will be required to annually sign a Compliance Declaration specific to their Division which confirms the level of compliance with relevant legislation, provides details of any actual or potential breaches and any action taken, and the outcomes and recommendations in response to legislative change (if any) respective to their Divisions. The aim is to proactively identify and report actual/potential breaches in accordance with the Annual Compliance Declaration Procedure..

Where there is non-compliance, a Compliance Action Plan will be developed by the relevant Division or at the University level in response, with timeframes and a risk assessment with mitigation strategies (where appropriate). This provides for a better understanding of the non-compliance risk exposure for specific activities rather than having a broad high risk around legislative compliance in general.

The annual Compliance Statement seeks to remind the University Executive of accountabilities in overseeing the University's statutory obligations relating to compliance.

4.1 Reporting Incidents of Non-Compliance

Responsible Officers are required to identify and maintain records of all non-compliance incidents or potential breaches within their designated areas. Formal reporting on non-compliance incidents and their management is to be made to the Chief of Staff as and when such incidents occur. The Chief of Staff will advise the Vice Chancellor, Chair of Audit Committee and Chancellor of incidents of significance or notifiable issues. Compliance breaches may be identified through audit activity, self-disclosure, third party complaints, compliance certifications, and review or notification by regulatory agencies and other authorities.

Information received from Responsible Officers during this process is used to advise University Council through Audit Committee of high risk non-compliance incidents or significant compliance trends. Actions may be taken on the basis of this reporting by senior management to clarify any non-compliance which has not been satisfactorily addressed by an organisational area.

A staff member who wishes to report any incident of non-compliance should approach either the relevant designated Responsible Officer if the incident relates to a specific obligation or their manager or supervisor if the incident relates to an operational matter. It is also open to a staff member to make a public interest disclosure in accordance with the relevant procedures, where circumstances warrant.

Reporting processes are outlined in the Legislative Alerts and Non-Compliance Reporting Procedure.

4.2 Corrective Actions

When a compliance breach is detected it is Management’s responsibility to:

• investigate the circumstances relating to the compliance breach;
• notify the compliance breach to the Responsible Officer;
• ensure that timely and adequate corrective actions are taken to reinstate compliance; and
• provide a copy of the Compliance Action Plan to the Chief of Staff.

Where a significant compliance breach occurs, and based on a risk assessment, a corrective action plan should be developed by Management in consultation with the Responsible Officer. The Responsible Officer will monitor the implementation of the corrective action plan to ensure that compliance is reinstated.

Where a Responsible Officer believes that Management’s response to a compliance breach is not appropriate, the matter should be escalated to the Chief of Staff for resolution.

5. ASSURE (Audit, Monitoring and Review)

The University is responsive to a number of external regulatory agencies for accreditation, certification and registration purposes (including vocational and professional bodies, the Tertiary Education Quality and Standards Authority, and others) and therefore subject to external audit or review, accreditation or self-review and reporting obligations. An assurance map will be compiled to capture these obligations.

The annual Internal Audit Work Plan may also include a rolling compliance audit, using a risk based approach, to assure the Vice Chancellor and Audit Committee that the University is maintaining or working towards compliance, or to assess whether any business improvement implemented to meet legislative change is fit for purpose and meets requirements.

In order to effectively manage compliance obligations, an annual review of compliance processes will be undertaken. This will include:-

• the review and updating of the compliance and risk registers;
• notification of any previously un-reported compliance breaches, issues or complaints; and
• audit of compliance processes, as applicable.

The risk of compliance failure should be reassessed whenever there are:-

• new or changed activities or services;
• changes to the structure or strategy of the University;
• significant external changes; or
• changes to compliance obligations.

5.1 Compliance Performance Reporting

Formal reporting mechanisms on compliance activities include:

• Annual Compliance Declarations by Deputy Vice Chancellors, Provost and the Vice Chancellor of compliance with legal, regulatory and other obligations;
• regular reporting, by the Office of the Chief of Staff to Vice Chancellor's Advisory Committee and Audit, Risk and Compliance Committee of Council on major developments, issues and compliance incidents including the status of implementation of corrective action plans;
• provision of an annual, risk-based plan of compliance activities to Audit, Risk and Compliance Committee for review and approval; and
• reviews of the Compliance Policy and the Compliance Framework (to align with reviews of the Risk Management Framework and Policy), including an assessment of their effectiveness and recommendations for improvement.

6. RESPONSIBILITIES FOR COMPLIANCE

The University Council is ultimately responsible for approving the Compliance Framework and Policy, and through Audit Committee oversees the adherence, monitoring and review of the University’s Compliance Framework. Audit Committee is also responsible for reviewing and making recommendations to Council regarding the Compliance Policy.

The Vice Chancellor is responsible for leading a compliance culture across the University through promoting and supporting the Compliance Policy and Framework. Detailed responsibilities for University staff include:

University Executive

The University Executive are responsible for ensuring that appropriate resources, systems and processes are in place to implement the Compliance Framework across the organisation, comply with legislative and regulatory requirements within their specific areas of operational responsibility, and ensure that any potential or actual legislative non-compliance has been identified and is being managed appropriately. Specifically:

• remaining aware of the compliance obligations (including monitoring for changes in legislation and regulation) within their areas of control;
• identifying individual staff members requiring training and ensuring their participation as required to ensure ongoing compliance;
• reporting non-compliance or potential non-compliance to the Responsible Officer and the Chief of Staff;
• undertaking corrective actions to compliance breaches in a timely manner;
• certifying compliance for their area of control; and
• encouraging behaviours that create and support compliance and a compliance culture.

Chief of Staff

The Chief of Staff has overall responsibility for the control and coordination of the Compliance Framework and for coordinating the implementation of the compliance process in all areas of the University with compliance responsibilities through Legal and Assurance. Specifically:

• developing, implementing and ensuring continuous improvement of the Compliance Framework;
• overall coordination of the Compliance Program and ensuring that all responsible areas of the University fulfil their compliance responsibilities;
• identifying, in conjunction with Responsible Officers, compliance requirements and training needs and promoting awareness of compliance obligations;
• maintaining the University’s Compliance Register;
• providing advice to relevant staff and Responsible Officers on new or changed legislation, its content and application to the University where appropriate;
• reporting compliance breaches to management and University Executive and ensuring that appropriate and timely corrective actions are undertaken;
• conducting regular compliance audits; and
• reporting to vice Chancellor's Advisory Committee and Audit, Risk and Compliance Committee of Council.

Responsible Officers

Responsible Officers will work closely with the Chief of Staff and will have responsibility for providing guidance and support to all employees; monitoring legislation, regulations and codes for any changes or new statutory requirements; reporting non-compliance issues, whether systemic, recurring or one-off; and ensure that legislative requirements are met within their Divisions. Specifically:

• ensuring that the compliance requirements for their areas of compliance responsibility are identified, understood and documented (in the Compliance and Risk Register where appropriate).
• monitoring identified legislation and regulations for change and ensuring that compliance continues to be maintained, including providing advice to the University General Counsel if such change impacts the University’s Compliance Register;
• providing guidance and support to staff on compliance with legislative obligations (including new or changed obligations) relevant to their areas of responsibility;
• monitoring and reporting non-compliance;
• advising the relevant Deputy Vice Chancellor, Provost or Vice Chancellor on completing the Annual Compliance Declaration; and
• encouraging behaviours that create and support compliance and a compliance culture.

Managers and staff

Commitment must be demonstrated by managers by making themselves fully aware of the University’s legislative obligations within their area of accountability or span of control. All staff are responsible for:

• adherence to the compliance obligations relevant to their position;
• performing their duties in a lawful and safe manner;
• undertaking training as required on compliance activities and initiatives;
• undertaking corrective actions to compliance breaches in a timely manner; and
• reporting and escalating compliance concerns, issues, complaints and failures.

7. SUMMARY OF KEY COMPLIANCE ACTIVITIES

The table below summarises the key actions, reviews and reports required by JCU’s Compliance Framework. It details who is responsible for each activity and the required timing. In dependent review may also be sought to confirm the University’s approach to compliance is consistent with best practice.

Related Policy Instruments

Compliance Policy

Appendices

Appendix 1 Compliance Action Plan template

Administration

NOTE: Printed copies of this policy are uncontrolled, and currency can only be assured at the time of printing.

Approval Details

Revision History