Compliance Management Policy

This is the current version of the approved document.

Section 1 - Purpose and Scope

(1) The University of Queensland (UQ or the University) operates in a highly regulated environment, requiring the University to identify and manage legal and regulatory compliance obligations across various jurisdictions. Compliance obligations include legal and regulatory requirements and commitments made by the University through its policies and undertakings.

(2) The purpose of this Policy is to establish a flexible compliance management framework that integrates systems, policies, procedures, and processes to meet UQ’s compliance objective. The framework is based on the ISO 37301:2021 Compliance Management System guidelines and adopts a risk-based approach to ensure that UQ can demonstrate compliance with its legal and regulatory compliance obligations.

(3) This Policy applies to all UQ staff, students and affiliates. UQ controlled entities are required to adopt a policy and/or processes that are consistent with this Policy.

Compliance Commitment and Objective

(4) UQ is committed to maintaining a strong compliance culture that ensures capacity to operate in a manner that is compliant with its legal and regulatory compliance obligations.

(5) UQ’s compliance objective is to ensure it has efficient requisite systems, processes, and controls in place to enable it to demonstrate compliance with its compliance obligations effectively, within the parameters established by Senate through the Risk Appetite Statement (RAS). 

Section 2 - Principles and Key Requirements

Compliance Principles

(6) To meet its compliance commitment and objective, UQ will:

  1. adopt a Compliance Management Framework (CMF) that supports the implementation of proportionate, flexible, and sustainable compliance processes;
  2. ensure accountability and clarity of assigned compliance ownership, roles, and responsibilities;
  3. monitor the statutory and regulatory environment and maintain a register of key regulatory exposures;
  4. nurture and support a competent workforce and foster an organisational culture that is agile and responsive to compliance challenges and opportunities;
  5. provide a range of training and development opportunities that build capacity, awareness, and knowledge of compliance practices and processes;
  6. integrate compliance systems and procedures that support the efficient and effective management, monitoring, and assurance of compliance obligations and exposures;
  7. maintain a compliance breach management framework that provides a range of mechanisms for identifying, reporting, escalating, and responding to instances of non-compliance through efficient and effective intervention and remediation;
  8. report on, and evaluate, compliance exposures and compliance performance through various governance channels and mechanisms that support efficient and effective oversight and monitoring of compliance; and
  9. undertake a periodic review of the compliance management framework, systems, and processes that facilitate the enhancement and continuous improvement of compliance.

Section 3 - Roles, Responsibilities and Accountabilities

Compliance Governance

Senate Risk and Audit Committee

(7) The Senate Risk and Audit Committee (SRAC) exercises oversight of the University’s governance, risk and compliance frameworks including policies, procedures, information systems and systems of internal control surrounding key financial and operational processes. The Committee also provides oversight of the leadership and direction in terms of organisational culture and ethical behaviour.

(8) SRAC reviews and endorses reports and assurances on the University’s framework and processes to demonstrate compliance with its legal and regulatory compliance obligations, including any material compliance breaches and/or regulatory actions against the University.

Academic Board

(9) The Academic Board and its committees contribute to and demonstrate the University’s commitment to academic governance, in compliance with the Higher Education Standards Framework (Threshold Standards) 2021. The Academic Board provides advice and assurance to the Senate Risk and Audit Committee on the management of academic and research risks.

Vice-Chancellor's Risk and Compliance Committee

(10) The Vice-Chancellor's Risk and Compliance Committee (VCRCC) provides advice and recommendations to the Vice-Chancellor and the Senate Risk and Audit Committee. The committee provides oversight of the implementation of any directives in relation to governance and compliance ownership, risk, and compliance exposure, to address any systemic issues or to further enhance controls and culture.

Roles and Responsibilities

Vice-Chancellor and President, and Senior Leadership Team

(11) The Vice-Chancellor and President, with support of the senior leadership team, is accountable for the overall effectiveness of the compliance management framework, systems, and processes, including:

  1. setting the ‘tone at the top’ by demonstrating a commitment to achieving compliance objectives through the Compliance Management Framework and Compliance Ownership;
  2. allocating adequate and appropriate resources to develop, implement, evaluate, and improve compliance management;
  3. ensuring alignment between strategic and operational objectives and compliance obligations.

Compliance Owners

(12) Compliance Owners are accountable for compliance obligations and exposures assigned under their remit. This includes:

  1. awareness of compliance obligations and evaluating compliance risks;
  2. identifying and communicating compliance risks and exposures relevant to their area/function and implementation of appropriate controls to manage risks within tolerable levels;
  3. monitoring and measuring compliance performance of UQ wide compliance obligations;
  4. ensuring compliance requirements are supported by integrated policies, procedures, and processes;
  5. developing and facilitating training and supporting resources to develop staff capacity and awareness of compliance obligations and exposures;
  6. managing compliance breaches and remediation processes for compliance obligations;
  7. reporting to the VCRCC and other key stakeholders on compliance performance for compliance obligations; 
  8. supporting and facilitating compliance assurance, review, and enhancement activities for Compliance Obligations.

Heads of Organisational Units/Managers and Supervisors

(13) Heads of organisational units/managers and supervisors are responsible for managing day-to-day compliance within their area(s). This includes responsibility for:

  1. maintaining and monitoring compliance obligations and controls with sufficient frequency to ensure controls are effective, and fit for purpose;
  2. ensuring all staff within their organisational unit or area comply with UQ’s compliance management framework and supporting policies, procedures and processes;
  3. advising Compliance Owners and other key stakeholders of compliance exposures and risk within their area;
  4. ensuring staff have the appropriate competence through training and support that enables them to fulfill compliance requirements within their functional areas;
  5. reporting and contributing to the management of compliance breaches and remediation processes for compliance obligations within their area;
  6. supporting and participating in compliance assurance, review, and enhancement activities as directed; 
  7. proactively modelling and championing an engaged compliance culture among their teams and peers.

Governance and Compliance Unit

(14) The Governance and Compliance Unit is responsible for the operation of the compliance management framework, including:

  1. maintaining the Compliance Legislation Register;
  2. providing guidance and advice to stakeholders on current, new, and emerging compliance exposures, in consultation with Compliance Owners and other key stakeholders;
  3. facilitating and supporting the monitoring, review, and enhancement of the Compliance Management Framework, systems and processes;
  4. reporting to Compliance Owners and the Vice-Chancellor's Risk and Compliance Committee on compliance exposures and compliance performance.

Staff, Students and Affiliates

(15) All staff, students, and affiliates must:

  1. comply with UQ’s compliance obligations and supporting policies, procedures and processes;
  2. report compliance concerns and suspected areas of non-compliance; and
  3. participate in and complete any required training.

Section 4 - Monitoring, Review and Assurance

Compliance Owners

(16) Compliance owners are accountable for monitoring, reviewing, assurance, and management of compliance exposures under their remit.

Managers and Supervisors

(17) Managers and supervisors are responsible for monitoring and supporting the review, assurance, and management of compliance exposures within their organisational unit or area.

Governance and Compliance Unit

(18) The Governance and Compliance Unit is responsible for the monitoring and review of the implementation of the Compliance Management Framework, policy, and supporting systems and processes, to ensure they are effective and meet the needs of UQ.

Internal Audit

(19) The Internal Audit group undertakes independent audits and provides assurance on compliance exposures and compliance obligations as per the Senate approved annual audit plan.

Section 5 - Recording and Reporting

(20) The Compliance Legislation Register records compliance ownership for key compliance instruments and associated compliance obligations that UQ has exposure to.

(21) New and existing compliance exposures are reported through relevant Compliance Owners and disseminated or escalated through to stakeholders as needed.

(22) Compliance owners are responsible for maintaining records of compliance and reporting on compliance performance for the compliance obligations they are responsible for.

(23) Managers and supervisors are responsible for maintaining appropriate records of compliance as required, and reporting to the Compliance Owner on compliance performance within their portfolio/area(s) of responsibility.

(24) All staff are responsible for reporting and escalating concerns on non-compliance through the established channels.

(25) All records supporting instances of non-compliance are recorded and stored securely in approved systems of record.

Section 6 - Appendix

Definitions, Terms, and Acronyms

| Term | Definition |
|---|---|
| Compliance breach | a compliance breach occurs when there is a failure to meet the requirements of a compliance obligation. |
| Compliance Management Framework | comprises the key systems, processes, and policies that underpin the University’s approach to managing compliance through a risk-based approach. |
| Compliance obligation | externally imposed obligations that are established through law/legislation, regulations, codes, professional standards, and other licensing or contractual obligations; and internally approved UQ policy and procedures that assure regulatory compliance. |
| Compliance Owner(s) | UQ staff that have been assigned accountability for the management of specified statutory and legal compliance obligations and risks that the University has exposure to. Compliance Owners are recorded in the Compliance Legislation Register. |
| Remediation | Refers to the actions taken to treat a compliance breach to ensure that the compliance obligation(s) is/are fully met and that the associated risk level is mitigated through a systematic and documented approach. |
| Senior leadership team | comprises executive management functions that support the Vice-Chancellor in the effective management of strategic, operational, and financial matters for the University, including compliance. |

Related Policy Areas

(26) This Policy should be read in conjunction with the following:

  1. Governance and Management Framework Policy
  2. Enterprise Risk Management Framework Policy and supporting Incident Management Procedure.