James Cook University (JCU) has a responsibility to identify and comply with a range of legislative and regulatory requirements. An effective, organisation-wide compliance management system enables an organisation to demonstrate its commitment to compliance with relevant laws, including legislative requirements, industry codes and organisational standards, as well as standards of good corporate governance, best practices, ethics and community expectations (AS ISO 19600:2015 Compliance Management Systems).
The intent of a robust and integrated system of compliance is to provide assurance to the Vice Chancellor and University Council that the University is actively attentive to its legislative compliance obligations, considering impacts of any consequent changes, and ensuring that these are embedded in practice and procedures across the University.
To achieve the objective of being a compliant organisation, JCU’s Compliance Framework aims to:
JCU’s Compliance Framework comprises a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving legislative compliance management throughout the organisation. The Compliance Framework has three pillars – inform (ensuring staff are aware of their obligations and the legislative changes that may impact their business unit’s activities); comply (an annual compliance declaration by Deputy Vice Chancellors); and assure (internal and external audit and review activity) – providing a formal approach to continuous improvement. There will also be regular monitoring and review of the Framework’s performance.
The Framework consists of:
The framework will enable:
Complementary to the Compliance Framework is the Code of Conduct at the governance and management level.
The three-pillar approach within the Compliance Framework – inform, comply and assure – is a robust and risk-based mechanism for ensuring the University is meeting its statutory obligations. AS 3806:2006 states that an effective compliance program will result in an organisation “being able to demonstrate its commitment to compliance with relevant laws, including legislative requirements, industry codes, organisational standards, as well as standards of good corporate governance, ethics and community expectations”.
In moving to this Compliance Framework, JCU is reflecting the principles of the Standard within these four key aspects:
a) commitment (by the governing body and senior management);
b) implementation (responsibilities clearly articulated and assigned);
c) monitoring and measuring (performance of the program is monitored and clearly demonstrable); and
d) continual improvement.
2.1 Policy and Procedural Guidance
There are several policy and procedural documents, forms and registers which identify and manage JCU’s expectations around ethics and integrity in dealings with staff, students and others prescribed in the Code of Conduct, and the University’s obligations identified by this Compliance Framework.
As a large and complex statutory authority, the University has a significant number of compliance obligations, at both the Commonwealth and State level. To ensure that the University can comply with all of its obligations, it is important to identify legislation and other legislative instruments which impose a compliance obligation. These obligations may arise because the University is, for example, an employer, a provider of goods and services, a statutory body or a recipient of Commonwealth funding. Compliance obligations might include:
These obligations will be recorded in the University’s Compliance Register to be maintained by Legal and Assurance within the Office of the Chief of Staff. This Register will map the University’s obligations to business units and responsible officers. Identification of the University's statutory obligations, or changes in these obligations, will be an ongoing activity undertaken by the designated Responsible Officers and senior management. This will include Responsible Officers informing other employees of any amendments, initiating updates to the University’s Compliance Register (through Legal and Assurance), and undertaking any practical steps necessary to ensure compliance with existing, amended and new statutory obligations.
To ensure Responsible Officers and others are informed in a timely manner of Commonwealth and State legislative change across all areas of responsibility by jurisdiction and subject area, a subscription to a legislative alert service (such as SAI Global’s Lawlex Legislative Alert) will be maintained. Policies, procedures and other documentation which reference legislation will be reviewed on any substantive change, particularly in those areas of actual or potential risk.
Deputy Vice Chancellors will be required to annually sign a Compliance Declaration which confirms the level of compliance with relevant legislation, provides details of any actual or potential breaches and any action taken, and the outcomes and recommendations in response to legislative change (if any). The aim is to proactively identify and report actual/potential breaches in accordance with a procedure to be developed.
Where there is non-compliance, a Compliance Action Plan will be developed by the relevant Division in response, with timeframes and a risk assessment with mitigation strategies (where appropriate). This provides for a better understanding of the non-compliance risk exposure for specific activities rather than having a broad high risk around legislative compliance in general.
The annual Compliance Statement seeks to remind the University Executive of accountabilities in overseeing the University's statutory obligations relating to compliance.
4.1 Reporting Incidents of Non-Compliance
Responsible Officers are required to identify and maintain records of all non-compliance incidents or potential breaches within their designated areas. Formal reporting on non-compliance incidents and their management is to be made to the Chief of Staff as and when such incidents occur. The Chief of Staff will advise the Vice Chancellor, Chair of Audit Committee and Chancellor of incidents of significance or notifiable issues. Compliance breaches may be identified through audit activity, self-disclosure, third party complaints, compliance certifications, and review or notification by regulatory agencies and other authorities.
Information received from Responsible Officers during this process is used to advise University Council through Audit Committee of high risk non-compliance incidents or significant compliance trends. Actions may be taken on the basis of this reporting by senior management to clarify any non-compliance which has not been satisfactorily addressed by an organisational area.
A staff member who wishes to report any incident of non-compliance should approach either the relevant designated Responsible Officer if the incident relates to a specific obligation or their manager or supervisor if the incident relates to an operational matter. It is also open to a staff member to make a public interest disclosure in accordance with the relevant procedures, where circumstances warrant.
4.2 Corrective Actions
When a compliance breach is detected it is Management’s responsibility to:
Where a significant compliance breach occurs, and based on a risk assessment, a corrective action plan should be developed by Management in consultation with the Responsible Officer. The Responsible Officer will monitor the implementation of the corrective action plan to ensure that compliance is reinstated.
Where a Responsible Officer believes that Management’s response to a compliance breach is not appropriate, the matter should be escalated to the relevant Deputy Vice Chancellor for resolution.
The University is responsive to a number of external regulatory agencies for accreditation, certification and registration purposes (including vocational and professional bodies, the Tertiary Education Quality and Standards Authority, and others) and therefore subject to external audit or review, accreditation or self-review and reporting obligations. An assurance map will be compiled to capture these obligations.
The annual Internal Audit Work Plan may also include a rolling compliance audit, using a risk based approach, to assure the Vice Chancellor and Audit Committee that the University is maintaining or working towards compliance, or to assess whether any business improvement implemented to meet legislative change is fit for purpose and meets requirements.
In order to effectively manage compliance obligations, an annual review of compliance processes will be undertaken. This will include:-
The risk of compliance failure should be reassessed whenever there are:-
5.1 Compliance Performance Reporting
Formal reporting mechanisms on compliance activities include:
The University Council is ultimately responsible for approving the Compliance Framework and Policy, and through Audit Committee oversees the adherence, monitoring and review of the University’s Compliance Framework. Audit Committee is also responsible for reviewing and making recommendations to Council regarding the Compliance Policy.
The Vice Chancellor is responsible for leading a compliance culture across the University through promoting and supporting the Compliance Policy and Framework. Detailed responsibilities for University staff include:
The University Executive are responsible for ensuring that appropriate resources, systems and processes are in place to implement the Compliance Framework across the organisation, comply with legislative and regulatory requirements within their specific areas of operational responsibility, and ensure that any potential or actual legislative non-compliance has been identified and is being managed appropriately. Specifically:
Chief of Staff
The Chief of Staff has overall responsibility for the control and coordination of the Compliance Framework and for coordinating the implementation of the compliance process in all areas of the University with compliance responsibilities through Legal and Assurance. Specifically:
Responsible Officers will work closely with the Chief of Staff and will have responsibility for providing guidance and support to all employees; monitoring legislation, regulations and codes for any changes or new statutory requirements; reporting non-compliance issues, whether systemic, recurring or one-off; and ensuring that legislative requirements are met within their Divisions. Specifically:
Managers and staff
Commitment must be demonstrated by managers by making themselves fully aware of the University’s legislative obligations within their area of accountability or span of control. All staff are responsible for:
The table below summarises the key actions, reviews and reports required by JCU’s Compliance Framework. It details who is responsible for each activity and the required timing. Independent review may also be sought to confirm the University’s approach to compliance is consistent with best practice.
Review Compliance Policy
Review the currency and effectiveness of JCU’s Compliance Policy
Council to approve on advice of Vice Chancellor and Audit Committee
(review to be coordinated by Chief of Staff)
Every two years in November
Review Compliance Framework
Review the currency and effectiveness of JCU’s Compliance Framework
Audit Committee to consider on advice of Vice Chancellor
(coordinated by Chief of Staff)
Every year in November
University’s Compliance Register
Identify and review legislative obligations and nomination of Responsible Officers
University Executive to initiate, Audit Committee to review (coordinated by University General Counsel)
Annually in July
University’s Risk Register
Review current status of Compliance Action Plans, potential or actual breaches and other relevant issues
All DVCs (Responsible Officers to coordinate)
Audit Committee (coordinated by Chief of Staff)
Annually by University Executive in August
Annually by Audit Committee in November
Review current status of key risks, Risk Treatment Plans, incidents and other relevant issues
University Executive and Audit Committee (coordinated by Chief of Staff)
Annually in July
Detail proposed compliance activities for the coming year and identify any key risk management issues.
Chief of Staff
Annually as part of University planning cycle
Ensure staff are aware of the Compliance Framework, Policy and Procedures and their obligations.
Chief of Staff (Responsible Officers to assist)
Introduction for all new staff at on-line induction with more detailed session for Responsible Officers within three months of commencing.
NOTE: Printed copies of this policy are uncontrolled, and currency can only be assured at the time of printing.