Defines the framework and objectives for management of compliance obligations.
| Effective date | 1 August 2019 |
| Review date | 6 May 2022 |
| Owner | Chief Financial Officer |
| Author | Chief Audit & Risk Officer |
The purpose of this policy is to define the RMIT framework and objectives for the management of compliance obligations and promote a positive compliance culture as an integral part of ensuring good governance and operational excellence at RMIT.
RMIT University is a public-sector organisation under Victorian law and stands on Aboriginal Country of the Kulin Nation. RMIT recognises and acknowledges the Bundjil Statement that helps all RMIT staff to respectfully work, live and study on Aboriginal Country.
RMIT is subject to a wide range of compliance obligations including compliance requirements under applicable laws, regulations, standards, codes of practice, and compliance commitments made by RMIT.
This policy frames the RMIT Group approach to compliance to ensure a compliance culture that enables RMIT to achieve its strategic, operational and commercial objectives.
The policy applies to all staff, researchers, contractors and volunteers of the RMIT Group.
4.1. RMIT is committed to ensuring compliance with all laws and regulations, and alignment to standards and codes of practice that apply to the RMIT Group.
4.2. RMIT will embed a positive compliance culture across all operating areas with control systems that create effective and sustainable compliance outcomes.
4.3. Compliance management will be underpinned by continuous improvement and awareness of compliance obligations across all operating areas and locations.
5.1. RMIT’s compliance framework encompasses the following elements:
a) All staff are required to act ethically and with integrity. Behaviours that create and support compliance are encouraged and behaviours that compromise compliance are unacceptable.
b) Ownership of compliance obligations is clearly articulated, understood and aligned to Delegations of Authority and the Code of Conduct to enable effective oversight and management.
c) University operations are underpinned by a compliance management program that is integrated with the risk management framework to enable RMIT to identify, assess, manage, monitor and report on compliance obligations.
d) Breaches in compliance are proactively identified and prompt corrective action is taken. Members of the RMIT Group who breach compliance obligations may be subject to disciplinary action.
e) Regular assurance reporting on significant breaches, trends and systemic issues, and the level of compliance, is conducted across the RMIT Group.
5.2. This policy and the Compliance Management Program form key components of RMIT’s compliance framework.
5.3. RMIT’s compliance framework is informed by governance structures and instruments including, but not limited to:
a) University statutes and regulations
b) Code of Conduct
c) Audit and general governance functions
d) Corporate Social Responsibility Framework
e) Delegations of Authority
f) Risk Management Policy
g) Anti-Corruption and Fraud Prevention Policy
6.1. The Audit and Risk Management Committee assists Council in discharging its responsibilities to the RMIT Group by monitoring compliance with laws, regulations and the Code of Conduct.
6.2. Members of the Vice-Chancellor’s Executive:
a) are accountable for and implement the RMIT Group Compliance Management Program within their areas of responsibility
b) assign appropriate resources for management of compliance obligations including nominated compliance management contacts with subject matter expertise who have significant operational control and delegated authority
c) provide information, advice and assurance about compliance management for their areas of accountability.
6.3. Internal Audit, Compliance, Risk and Regulation:
a) develops and maintains the Compliance Management Program. This includes the development of the Compliance Policy and associated procedures and resources
b) advises and supports responsible owners and compliance obligation contacts to effectively implement controls for the management of compliance obligations
c) monitors and facilitates regular reporting to governance bodies and management committees, and external agencies where required.
6.4. Compliance management contacts:
a) promote a culture of compliance within their business area or function and manage implementation activities in accordance with the Compliance Management Program
b) actively monitor compliance risks and respond to compliance breaches in line with the Compliance Breach Management Procedure
c) collaborate with the Internal Audit, Compliance, Risk and Regulation team to maintain an effective and current compliance management program and cooperate with requests for information.
6.5. All staff and researchers remain individually accountable for their actions as members of the RMIT Group community, bound by the Code of Conduct and relevant enterprise agreements. They have a responsibility to:
a) ensure that they are aware of the compliance obligations applicable to their role and that their actions are consistent with RMIT policies
b) undertake mandatory compliance training
c) report and escalate compliance concerns and suspected breaches to their manager or supervisor.
6.6. Contractors and volunteers have a responsibility to:
a) ensure that they are aware of the compliance obligations applicable to their role at RMIT and that their actions are consistent with RMIT policies
b) undertake compliance training as requested and conduct themselves in accordance with the specific terms of engagement.
6.7. The Chief Audit and Risk Officer is responsible for the Compliance Management Program and the Compliance Breach Management Procedure.
7.1. This policy is maintained by the Governance and Compliance team.
7.2. Periodic review will have regard to ISO 19600 International Standard for Compliance Management.
Breach
A contravention of a compliance obligation caused by an act or omission. Significant or material breaches may be reportable to an external agency or regulator.
See also: Material breach
Compliance obligations at RMIT are grouped into three tiers.
Tier 1: obligations that are fundamental to RMIT’s core business, being the provision of education and research, which are identified as high priority and core to licenses to operate as a Table A University, RTO, CRICOS provider and non-senior secondary school provider. It includes high risk obligations relating to the good governance of RMIT.
Tier 2: obligations that relate to RMIT’s operational efficiency and commercial success. They are relevant to specific operating locations, business units or functional areas.
Tier 3: other obligations established under the RMIT Policy Governance Framework including delegations of authority, standards of conduct and obligations to give effect to RMIT’s self-accrediting authority.
Compliance Management Program
The coordinated institutional approach to identification, monitoring, review and reporting of compliance obligations, risks, and performance across the RMIT Group.
Compliance Management Contact
Senior leaders, with subject matter expertise, usually reporting directly to a member of the Vice-Chancellor’s Executive. They are responsible for implementing the compliance management program for their specific areas of operational responsibility.
Compliance obligation register
There are two types of registers that support the Compliance Management Program.
Key Compliance Obligation Register: a record used to identify tier 1 compliance obligations and to assess the risk, impact and likelihood of non-compliance with these obligations. Compliance activities and controls for these obligations are documented within the register.
Functional/business level Compliance Obligation Register: a record used to identify tier 2 compliance obligations and to assess the risk, impact and likelihood of non-compliance with these obligations.
Compliance obligation breach register
A record of breaches of the University’s compliance obligations managed by Internal Audit, Compliance, Risk and Regulation.
Governance attestation process
A verification process undertaken by members of the Vice-Chancellor’s Executive and key senior staff whereby they attest to the effectiveness of internal controls and compliance/non-compliance with the obligations that are relevant to their areas of operation throughout the University.
Council, committees of Council, and the Academic Board.
Material breach
A severe and significant breach, in terms of scale and/or regulatory requirements, or with implications for safety and security, and/or legal requirements.
See also: Breach
A member of the Vice-Chancellor’s Executive or a specified regulatory delegate under the Delegations of Authority.
| Version | Approval date | Effective date | Summary of changes | Approval authority |
| --- | --- | --- | --- | --- |
| 1.0 | 6 May 2019 | 1 August 2019 | New policy | ARMC |
| 1.1 | 15 November 2019 | 1 August 2019 | Editorial amendment | UPM |