1. Purpose
1.1 These procedures support the operationalisation of University Risk and Compliance Management – Governing Policy by setting out the University’s standard process for the identification and management of compliance obligations across all University activities.
1.2 These procedures set out the following compliance management processes:
(a) Compliance obligation identification and assessment
(b) Compliance monitoring, attestation and quarterly reporting
(c) Compliance incident management and reporting
1.3 These procedures must be read in conjunction with the University Risk and Compliance Management – Governing Policy and other related supporting documents.
2. Scope and application
2.1 These procedures apply to all staff, students, contractors or consultants, strategic partners, third-party service providers, controlled entities, and members of the University governance, decision-making or advisory bodies.
2.2 Everyone in the University Community is responsible for compliance. This includes staff, students and third parties, who must follow the policies relevant to the University operations and activities they are involved in.
2.3 Senior Managers and Cost Centre Managers must ensure that staff receive the necessary training, information and support to meet compliance requirements.
2.4 As stated in the approved Appendix 011 – Risk Appetite Statement, the University has an averse risk appetite for risks related to regulatory and legislative compliance. A risk-based approach is used to manage compliance obligations.
2.5 These procedures apply to all categories of compliance obligations across the University, including those associated with controlled entities, and their operations. They reflect the University’s commitment to effective and efficient risk and compliance management.
2.6 The University fosters a culture of compliance. Staff are encouraged to report incidents, systemic issues or process errors without fear of blame. Behaviours that create and support compliance will be recognised and encouraged.
2.7 All individuals involved in compliance management, investigations and corrective actions must act in good faith. This means being honest, sincere, fair and without malice.
2.8 Staff who deliberately or negligently breach compliance obligations may face disciplinary action under the University’s processes, or regulatory or criminal consequences, where applicable.
3. Definitions
3.1 Refer to the University’s Glossary of Terms for definitions as they specifically relate to policy documents.
Agreement Manager refers to an individual nominated by the Agreement Owner and who is responsible for managing a contract across its lifecycle, including negotiation, monitoring, compliance, and reporting.
Agreement Owner refers to an individual who is responsible for appointing an Agreement Manager and holds overall accountability for the business need, outcomes, and performance of the contract.
Assurance means the degree of confidence or certainty that the University's risk and compliance management processes and controls are adequately designed and operating effectively.
Control means any measure or mechanism that is put in place to reduce the consequence and/or likelihood of identified risks. The establishment of controls within business processes provides protection, and their effectiveness strengthens the ability to manage and mitigate the associated risks and compliance obligations.
Compliance obligation means the legislative and regulatory obligations that the University must comply with and voluntary obligations that the University elects to comply with.
Compliance owner is an individual within the University with primary responsibility for ensuring there are effective internal controls in place to identify obligations and monitor regulatory compliance within their business or functional area.
Compliance Management System means the set of interrelated or interacting elements of an organization that establish policies and objectives and processes to achieve those objectives consistent with Australian Standard AS ISO 37301:2023 Compliance Management Systems.
Control Owner is an individual within the University with primary responsibility for managing a particular business process or control that is put in place to reduce the consequence and/or likelihood of identified risks. In most cases the Risk Owner and Control Owner will be different staff members, but in some cases, they may be the same.
Incident is an event or occurrence that interrupts normal operations or causes a deviation from expected outcomes and often requires investigation and corrective actions to prevent recurrence.
Incident of Non-Compliance refers to a failure to meet or adhere to legal and/or regulatory obligations or requirements, or when a process, product or service does not meet specified standards or quality specifications set by the University.
Issue means a specific problem or concern that has negative consequences and either currently exists, has already occurred or is imminent. Unlike risks, issues are events that need immediate attention because they are currently affecting or will affect the University's ability to meet its strategic objectives, and its commitments to students, staff and third parties.
Policy Owner refers to the Responsible Executive Member accountable for ensuring the development, approval, implementation and operationalisation of policy documents (policies, procedures, guidelines) within their area of responsibility.
Residual Risk means the risk remaining after application of mitigations, controls and treatment plans.
Reportable Breach and Non-Compliance refers to the obligated reporting of an incident of non-compliance which is required in order to adhere to mandatory legal and regulatory requirements imposed by government bodies, industry standards, laws, contracts, or agreements.
Risk is the effect of uncertainty upon the University’s objectives. Risk may have a positive or negative impact.
Risk Appetite conveys the degree of risk the University is prepared to accept in pursuit of its business objectives and strategic plan.
4. Risk and Compliance Management Framework
4.1 The Risk and Compliance Management Framework (Diagram 1) offers a consistent methodology and process to guide, direct, and support the effective identification and management of risks across all University activities.
Diagram 1 – Risk and Compliance Management Framework

4.2 Underpinning the Framework is the Risk and Compliance Management Operating Model (Diagram 2). The Operating Model illustrates the practical application of how roles and responsibilities are embedded within business-as-usual risk and compliance management activities.
Diagram 2 – Risk and Compliance Management Operating Model

5. Compliance Obligation Identification and Assessment
5.1 The University is subject to a wide range of both internal and external compliance obligations. They include compliance requirements under:
(a) Internal Obligations
(i) UniSC policies
(ii) UniSC procedures
(b) External Obligations
(i) Legislation
(ii) Regulations
(iii) Industry codes of conduct
(iv) Industry and/or accreditation standards
(c) Other Obligations
(i) Contractual arrangements (contracts, agreements, memoranda of understanding, etc.)
5.2 Compliance Ownership
5.2.1 For internal compliance obligations, the Compliance Owner role is typically shared between a Responsible Executive Member and a Designated Officer. Their responsibilities are as follows:
(a) Responsible Executive Member:
(i) Has overall accountability for policy documents within their portfolio.
(ii) Ensures policy documents are developed, approved and implemented in accordance with the University’s Policy Framework.
(b) Designated Officer:
(i) Responsible for operationalising the policy document.
(ii) Develops and implements policy documents on behalf of the Responsible Executive Member.
5.2.2 For external compliance obligations the Compliance Owner is typically an Executive member. However, depending on the nature of the obligation, a member of Senior Management may also be assigned as a Compliance Owner. For example, the Deputy Vice-Chancellor (Academic) is the Compliance Owner for the Higher Education Standards Framework (Threshold Standards) 2021, while the Director, People and Culture, is the Compliance Owner for the Human Rights Act 2019.
5.2.3 For contractual arrangements, the nominated Agreement Manager is responsible for ensuring compliance with contractual obligations, with oversight from the Agreement Owner. Refer to the Management of Contracts and Memorandum of Understanding (MOUs) – Operational Policy and Procedures for more detail on roles and responsibilities related to contractual arrangements.
5.2.4 For projects and project management activities, project managers are responsible for ensuring that they and other project participants understand and meet the relevant compliance obligations arising from the project. They are also responsible for managing any incidents of non-compliance and implementing corrective actions. Refer to the Project Assessment and Management – Operational Policy for more detail on roles and responsibilities related to projects.
5.3 Compliance Obligation Identification
5.3.1 Internal and external compliance obligations are recorded in the UniSC Compliance Register. The Director, Governance and Risk Management is responsible for reviewing and maintaining the Register.
5.3.2 Compliance Owners must stay informed about changes to existing compliance obligations and identify new obligations relevant to their area of responsibility. This includes identifying changes arising from new or emerging University activities, changes to current activities, or expansion of activities into new locations or jurisdictions.
5.3.3 Where changes are identified, Compliance Owners must notify Governance and Risk Management either by email to [email protected] or through the Quarterly Compliance Declaration process.
5.4 Compliance Obligation Assessment
5.4.1 In line with Appendix 013 – Risk Matrix and Assessment Tables, internal and external compliance obligations are assigned a risk rating of:
(a) High
(b) Medium
(c) Low.
5.4.2 Governance and Risk Management consults with Compliance Owners to assess the level of risk associated with each obligation. This assessment considers the possible impacts or consequences of non-compliance on the University’s activities and objectives.
5.4.3 Each Compliance Owner must liaise with other areas of the University to confirm that the controls and processes in place for managing internal or external obligations are adequately designed and operating effectively.
6. Compliance Monitoring, Attestation and Quarterly Reporting
6.1 Compliance Monitoring
6.1.1 To support effective compliance monitoring, Compliance Owners must ensure that controls are adequately designed and are operating effectively. They must also identify and report any incidents of non-compliance in a timely manner.
6.1.2 Agreement Managers and Project Managers with operational responsibility for contracts or projects must ensure that any incidents of non-compliance are reported through appropriate channels, including escalation to the relevant Compliance Owner or Senior Manager, or via the Compliance Incident/Breach Reporting Tool.
6.1.3 Where an incident of non-compliance is identified, the responsible Senior Manager/Cost Centre Manager must take appropriate action to address the incident and implement additional controls to strengthen compliance.
6.1.4 Internal Audit provides independent assurance of the University’s compliance with applicable obligations, based on the scope of the internal audits it undertakes.
6.2 Quarterly Compliance Declaration and Reporting
6.2.1 Governance and Risk Management oversees compliance management across the University by facilitating the completion of the Quarterly Compliance Declaration process. Compliance Owners and Senior Staff/Cost Centre Managers are required to complete the declaration.
Compliance Owners are required to:
(a) confirm the status of compliance with legislation, regulations, and University policy, including any incidents of non-compliance or reportable breaches
(b) identify any new or changed compliance obligations
(c) indicate whether the risk rating for existing or new obligations may need to be updated.
6.2.2 Governance and Risk Management consolidates and moderates the Declaration outputs with relevant subject matter experts to develop the University Compliance Exception and Incident/Breach Report for submission to the University Executive, the Audit and Risk Management Committee, and Council.
7. Compliance Incident Management and Reporting Process
7.1 All staff are responsible for reporting any incident of non-compliance, reportable breach or systemic issue to the relevant Compliance Owner or member of Senior Staff/Cost Centre Manager in line with the following methodology:
Diagram 3 – Compliance Incident Management and Reporting Process

7.2 Depending on the timing and nature of an incident, Compliance Owners and/or Senior Staff/Cost Centre Managers must report all such incidents using one of the following methods:
(a) the Compliance Incident/Breach Reporting Tool, or
(b) the Quarterly Compliance Declaration process.
7.3 Once an incident is reported, the process below must be followed:
(a) If legislation or regulations specify procedures for managing an incident, those procedures must be followed; or
(b) If an incident is not subject to specific legislative or regulatory procedures under 7.3(a), and it is covered under one of the policies listed below, the relevant University policy and any associated procedures must be followed:
(i) Anti-Discrimination and Freedom from Bullying and Harassment – Operational Policy
(ii) Conflict of Interest – Governing Policy
(iii) Copyright – Academic Policy
(iv) Data Governance – Operational Policy
(v) Financial Management Practices – Operational Policy
(vi) Fraud and Corruption Control – Governing Policy
(vii) Health, Safety and Wellbeing – Governing Policy
(viii) ICT Security – Operational Policy
(ix) Privacy and Right to Information – Operational Policy
(x) Public Interest Disclosures – Governing Policy
(xi) Responsible Research Conduct – Academic Policy
(xii) Staff Code of Conduct – Governing Policy
(xiii) Staff Gifts and Benefits – Operational Policy
(xiv) Student Conduct – Governing Policy
If neither clause (a) nor (b) applies, the incident must still be managed in accordance with clauses (c) to (f) below.
(c) Assess the severity and risk level of the incident in accordance with Appendix 013 – Risk Matrix and Assessment Tables detailed in Risk Management – Procedures.
(d) Incidents assessed as having Catastrophic or Major Consequences, or High Risk, must be reported to the Vice-Chancellor and President by the Responsible Executive Member (or delegate). In such cases, the Incident Response Team (IRT) may be activated in accordance with the Critical Incident Management – Operational Policy and Procedures. The IRT will manage the incident response until resolution.
(e) Corrective and/or preventative actions identified during an incident assessment or investigation must be implemented promptly by, or under the oversight of, the relevant Senior Manager or Cost Centre Manager. In some cases, regulators and external authorities may require evidence that corrective actions have been identified and implemented effectively.
(f) Where an incident of non-compliance results in a material change to an existing risk or reveals a control failure, the associated risk must be re-evaluated in accordance with the Risk Management – Procedures. If the residual risk is assessed as being outside the University's stated risk appetite, the risk acceptance process outlined in Section 7 of the Risk Management – Procedures must be followed.
7.4 A central register of reported incidents will be maintained in an approved and secure recordkeeping system by Governance and Risk Management, in accordance with the University’s Records Management – Procedures, the Information Privacy Act 2009 (Qld) and Privacy Act 1988 (Cth), and the University’s Privacy and Right to Information – Operational Policy and Procedures.
7.5 Compliance Owners and Senior Staff are encouraged to regularly review compliance processes and controls to identify opportunities for improvement. Lessons learned from incidents, audit findings, and stakeholder feedback should inform updates to procedures, training, and systems to strengthen the University’s compliance culture.
8. Roles and responsibilities
Roles | Responsibilities |
Audit and Risk Management Committee | Oversees compliance management and governance activities. Reports to Council where appropriate. |
Vice-Chancellor and President | Provides executive oversight of compliance across the University. Ensures appropriate resources and culture are in place to support compliance. |
University Executive | Manages compliance obligations within their portfolios. Ensures compliance obligations are identified, assessed, monitored, and reported in accordance with these procedures. Endorses decisions to accept compliance risks and oversees implementation of corrective actions. Where a compliance incident results in a material change to risk, ensures the risk is reassessed and, if required, escalated through the risk acceptance process outlined in the Risk Management – Procedures. Completes Quarterly Compliance Declarations. |
Director, Governance and Risk Management | Maintains the University’s Compliance Register and reports to the University Executive, Vice-Chancellor and President, Audit and Risk Management Committee (ARMC) and Council. Supports compliance processes and reporting across Cost Centres and University activities in accordance with these procedures. Maintains a central register of reported incidents and Quarterly Compliance Declarations. |
Senior Staff/Cost Centre Managers | Manage day-to-day compliance within their areas. Ensure staff are trained and aware of relevant obligations. Report incidents of non-compliance or reportable breaches and oversee corrective actions. Complete Quarterly Compliance Declarations. |
Project Managers | Manages compliance within the projects they oversee. Ensures project staff understand relevant obligations. Reports incidents of non-compliance and implements corrective actions. |
Agreement Owners | Accountable for the business need, outcomes, and performance of contracts. May also be the Authorised Delegate or Financial Delegate. Ensures contracts deliver value and align with UniSC strategic objectives. Appoints Agreement Managers (where not already appointed by the Authorised Delegate) and oversees contract obligations and performance. |
Agreement Managers | Manages day-to-day compliance within the contracts they are responsible for. Ensures contract associated staff are aware of relevant obligations. Reports incidents of non-compliance and implements corrective actions. |
Internal Audit | Provides independent assurance on the effectiveness of compliance controls and processes. Assesses compliance performance during internal audit activities and reports findings to the University Executive, Vice-Chancellor and President and ARMC. |
All Staff | Responsible for understanding and complying with obligations relevant to their role. Reports incidents and contributes to corrective actions when required. |
9. Appendices and supporting documents
Appendix 011 – Risk Appetite Statement