Details the requirements for managing breaches of compliance obligations.
| Field | Value |
|---|---|
| Effective date | 1 August 2019 |
| Review date | 6 May 2022 |
| Owner | Chief Audit & Risk Officer |
| Author | Assistant Director, Governance & Compliance |
| Print version | Compliance Breach Management Procedure (PDF 104 KB) |
The procedure details the requirements for identifying, assessing, remediating, reporting and recording breaches of compliance obligations under the compliance management program.
This procedure applies to all staff including researchers, contractors and volunteers of the RMIT Group.
It does not apply to allegations of breaches of the Code of Conduct which are handled under separate policies.
2.1. All RMIT staff who identify or suspect a breach must report it to their manager as soon as practicable. Evidence that may be valuable in determining the cause, or in allowing corrective action to be taken, must not be compromised or destroyed.
2.2. Managers must report the identified or suspected breach to the compliance management contact or responsible owner.
2.3. If staff are unable to discuss a breach with their manager, they must report the breach directly to the relevant compliance management contact or the Chief Audit and Risk Officer.
2.4. Staff who wish to make a confidential or anonymous disclosure about an identified or suspected compliance breach should make the disclosure directly to email@example.com (unless there is a corruption or fraud concern, in which case see rule 5.1).
2.5. Staff who are aware of a breach and fail to report it may be subject to disciplinary action in accordance with the Code of Conduct and relevant RMIT policies that may apply.
2.6. Where reasonable and practicable, immediate action must be taken to contain the breach. This may include stopping unauthorised practices, recovering any records, implementing safety measures etc. In certain cases, action may be required before the matter can be reported.
2.7. Where incidents or breaches relate to high risk regulatory activities the Escalation Guide: Regulatory, Legal, Conduct, Safety and Security Matters must be followed.
2.8. Significant or material breaches must be reported to Internal Audit, Compliance, Risk and Regulation by responsible owners as soon as practicable, with timelines for assessment of the breach to ensure that any independent investigation, as necessary or required, commences in a timely manner.
3.1. Compliance management contacts are responsible for assessment of compliance breaches. The compliance management contact will assess the nature, scale and impact of breaches with reference to risk management protocols and determine the appropriate course of action. Where there is a conflict of interest concern, the responsible owner may seek advice from the Chief Audit and Risk Officer.
3.2. The assessment will identify root causes and determine whether the breach is an isolated or systemic issue. It will identify corrective or preventative actions to mitigate or eliminate the impact of the breach and likelihood of recurrence.
3.3. Breaches that may give rise to a risk of harm to individuals must be evaluated to determine likelihood and severity to inform corrective action and determine if an external agency needs to be notified.
3.4. Corrective or preventative action plans for breaches to privacy and personal data security must be endorsed by the Privacy Office and Chief Information Security Office.
3.5. The implementation of corrective or preventative actions will be approved and monitored by the responsible owner.
4.1. Suspected or actual breaches must be recorded.
4.2. Breaches relating to high risk regulatory activities will be recorded by the compliance management contact(s) identified in the Escalation Guide: Regulatory, Legal, Conduct, Safety and Security Matters.
4.3. Material breaches relating to high risk regulatory activities must be reported to the relevant governance body – Academic Board, Audit and Risk Management Committee or Council.
4.4. The responsible owner in consultation with the Chief Audit and Risk Officer must report compliance obligation breaches to the relevant government department or regulatory agency where the reporting of such breaches is mandatory.
4.5. The Chief Audit and Risk Officer must report on identified compliance obligation breaches, corrective action and status to the Audit and Risk Management Committee no less than twice per year, in accordance with the approved schedule.
4.6. The Chief Audit and Risk Officer will retain a record of breaches and outcomes on the Compliance Obligation Breach Register.
- Compliance Management Program [staff login]
- Escalation Guide: Regulatory, Legal, Conduct, Safety and Security Matters [staff login]
| Version | Approval date | Effective date | Summary of changes | Approval authority |
|---|---|---|---|---|
| 1.0 | 25 July 2019 | 1 August 2019 | New procedure | Chief Audit & Risk Officer |