
Compliance Procedure

Section 1 - Context

(1) This procedure sets out the rules and requirements for maintaining compliance with relevant obligations at RMIT. It outlines RMIT’s approach to managing compliance, defines relevant terms, roles and responsibilities, and addresses embedding a positive compliance culture aligned with the best practice standard, ISO 37301:2021 for Compliance Management Systems.

(2) This procedure is to be read in conjunction with the Compliance Policy and Compliance Breach Management Procedure.

Section 2 - Authority

(3) RMIT is subject to a wide range of compliance obligations, including compliance requirements under applicable laws, regulations, standards, codes of practice, and compliance commitments made by RMIT.

(4) Authority for this document is established by the Compliance Policy.

Section 3 - Scope

(5) Throughout this procedure, RMIT means the RMIT Group. The RMIT Group is defined as RMIT University and its controlled entities (e.g. RMIT Vietnam, RMIT Europe, RMIT Online and RMIT University Pathways – formerly known as RMIT Training).

(6) This procedure applies to all staff, researchers, affiliates, contractors and volunteers of the RMIT Group. All members of the RMIT community are responsible for understanding and fulfilling compliance obligations.

(7) Non-RMIT owned or controlled bodies, such as affiliated colleges and other similar entities, should utilise and apply this document and its principles.

Section 4 - Procedure

(8) The Compliance Procedure is a key feature of RMIT’s overall compliance management system. It affirms RMIT’s commitment to compliance and, along with the Compliance Breach Management Procedure, establishes methods to support staff in managing compliance obligations.

(9) The procedure expands on responsibilities outlined in the Compliance Policy, supports RMIT’s regulatory risk appetite, and describes the system for identifying, assessing, managing, monitoring and reporting on compliance management, including the role of the Central Compliance team in implementing a Group-wide legislative compliance management approach.

(10) RMIT’s compliance management approach is comprised of the following five components:

  1. Compliance Obligations Management
  2. Risk Assessment
  3. Control Identification and Assessment
  4. Monitoring
  5. Compliance Management Reporting.

(11) The components of the compliance management approach are reviewed and evaluated every two years to ensure they remain fit for purpose and facilitate continuous improvement.

Compliance Obligations Management

(12) Compliance with relevant legislation is crucial for RMIT to operate pragmatically and safely. It allows RMIT to uphold its reputation and ensure legal integrity, while safeguarding the rights and welfare of its stakeholders, and ensures responsible management of resources and finances. Relevant legislative topics include: 
•    Education and quality standards
•    International students
•    Copyright and intellectual property
•    Health, safety and wellbeing
•    Anti-discrimination and equal opportunity
•    Privacy and data protection
•    Research ethics and integrity, and 
•    Financial governance regulations. 

Legislative Obligations Register

(13) RMIT has established a centralised Legislative Obligations Register that comprises applicable legislation, along with its corresponding obligations and requirements. The legislation in this Register has been categorised based on its underlying nature and is as follows:

  1. Education and Training
  2. Operations and Corporate
  3. People, Employment and OHS
  4. Research
  5. Technology, Data and Privacy.

(14) Ownership of compliance obligations must be defined, understood and aligned with the Delegations of Authority Policy to ensure effective oversight and management of compliance activities.

(15) Stakeholder teams essential to meeting legislative requirements are identified by the Central Compliance team during the initial review of the legislation. These stakeholder teams are designated as ‘Legislative Owners’ and ‘Legislative Specialists’ and are contact points for matters related to this legislation. It is important to note that compliance remains a shared responsibility across multiple teams. 

(16) The Central Compliance team engages with relevant teams as new legislation is implemented. If any work involving legislation with a high impact on RMIT is not listed in the Legislative Obligations Register, the responsible parties must notify the Central Compliance team at compliance@rmit.edu.au.

(17) Where a compliance management responsibility for an Act or specific obligations under that Act cannot be determined based on portfolio responsibilities, the Vice-Chancellor, in consultation with the Vice-Chancellor’s Executive Meeting, determines who will be the Legislative Owner for that Act or obligation.

Legislative Change Communication

(18) Compliance obligations may change as legislation changes. It is crucial for Legislative Owners and relevant RMIT stakeholders to be aware of these changes to maintain compliance and minimise risk to RMIT.

(19) The Legislative Change Communication Process is the system used to notify RMIT staff of changes to regulatory obligations. It provides a structured approach to inform relevant staff of changes to regulatory obligations through an Alerts system. This process ensures that relevant staff are aware of and address compliance risks arising from legislative changes.

(20) The Legislative Alerts List contains Bills and regulations that may change compliance obligations and is accessible through the RMIT staff Legislative Communication Change SharePoint site. Staff can check the summary fields in the list to determine if changes are relevant to their responsibilities before accessing the full Alerts list.

(21) Stakeholders responsible for or materially impacted by legislative obligations should subscribe to specific legislative newsletters and alerts from government departments or reputable legal advisory websites.

(22) Staff must consider how legislative changes impact their area of responsibility. This may include adjusting policies, procedures or practices to comply with new obligations. The Legislative Owner is responsible for communicating a compliance action plan to the Central Compliance team, outlining the impact of change, the proposed action plan and the timeframes for implementation.

(23) While the Legislative Change Communication process presents updates to regulatory obligations, it is the responsibility of RMIT staff to maintain awareness of these changes and determine subsequent actions to ensure compliance. Regulatory compliance changes identified locally should be brought to the attention of the Central Compliance team as soon as practicable.

Risk Assessment

Classification of Legislation by Tiers

(24) RMIT takes a risk-informed approach to managing compliance obligations by categorising applicable legislation into tiers based on the potential financial, regulatory, reputational and safety impacts associated with non-compliance. This tiered classification system, guided by the RMIT Risk Management Framework, helps prioritise and focus the assurance efforts provided by the Compliance Policy and its associated procedures. 

•    Tier 1: Fundamental to RMIT’s core activities with significant consequences for non-compliance.
•    Tier 2: Moderate relevance across RMIT operations with material consequences for non-compliance.
•    Tier 3: Relevant to specific or limited aspects of RMIT operations with material consequences at local levels.

(25) Using RMIT’s Risk Management Framework, Legislative Owners, with assistance from Legislative Specialists and key staff, assess the level of risk that non-compliance with a particular compliance obligation poses to RMIT in achieving its strategic objectives. This assessment helps determine where to focus resources and the level of action required for non-compliance issues. 

(26) All non-compliance issues are risk-assessed within the context of the compliance obligation itself. This risk assessment is reviewed whenever there are changes to the compliance obligations, changes to internal policy, or every two years, whichever occurs first. 

Control Identification and Assessment

(27) Compliance control assessments are undertaken to determine if RMIT has processes in place to meet obligations under applicable legislation. These assessments are conducted using Self-Assessment Questionnaires (SAQs) to identify current controls and any gaps that need to be addressed. 

Self-Assessment Questionnaires (SAQs)

(28) Biannual reviews of compliance obligations are conducted to align with the biannual ARMC reporting cycle. These reviews utilise Self-Assessment Questionnaires (SAQs) to evaluate the current state of compliance and identify any areas of improvement.

(29) RMIT stakeholder teams, with assistance from the Central Compliance team, complete the SAQs as part of the compliance obligations review process. These teams will evaluate whether processes are in place to meet legislative obligations, record current controls, identify gaps and any actions needed.

(30) Specific requirements under each SAQ can be viewed at the Legislative Obligations Register.

(31) After the SAQs are completed, the Central Compliance team assesses the responses to determine the overall compliance of the stakeholder teams with the requirements, and may provide feedback and suggestions for implementing compliance controls to address gaps or areas of non-compliance.

(32) The SAQs are essential for assessing RMIT’s strengths and areas requiring improvement. They provide valuable insights for specific business areas and the broader RMIT community.

Monitoring

(33) Following the initial compliance obligations review using the SAQs, the Central Compliance team conducts monitoring and check-ins every six months. These check-ins capture any changes in compliance status, controls and actions taken to address gaps. They also record any changes in the compliance environment that may have an impact on RMIT’s compliance obligations. These biannual check-ins provide an opportunity for the stakeholder teams to raise any compliance-related matters with the Central Compliance team.

(34) The monitoring program is designed to be flexible, allowing it to adapt to the changing environments and address specific areas of compliance risk in a timely manner.

(35) Legislative Owners are responsible for monitoring compliance within their business area to assess how effectively compliance risks are being managed. The Central Compliance team can provide advice on best practices for monitoring compliance risks. 

Compliance Management Reporting

(36) To ensure appropriate visibility, oversight and governance of compliance management, the Central Compliance team coordinates biannual reporting to VCEM and ARMC, with input from Legislative Owners and Legislative Specialists. When in-depth discussions on specific legislation are required, Legislative Owners will lead these discussions at relevant governance meetings.

(37) Compliance reports include key information and insights, which may cover:

  1. Reported compliance breaches
  2. Key legislative compliance gaps
  3. Significant actions to address gaps
  4. Compliance attestations by Legislative Owners
  5. Status updates on the implementation of the Compliance Policy.

Compliance Breach Management

(38) All RMIT staff who identify or suspect a compliance breach must report it to their manager as soon as practicable, in accordance with the Compliance Breach Management Procedure.

(39) Managers must report the identified or suspected breach to the respective Legislative Owner, Legislative Specialist, and the Central Compliance team via the RMIT Compliance Breach Reporting Form.

(40) If compliance breaches related to a specific area of concern have a separate reporting process, that process takes precedence over using the RMIT Compliance Breach Reporting Form. Situations identified as near incidents are to be reported to the Central Compliance team.

(41) Legislative Owners are responsible for assessing the nature, scale and impact of breaches to determine the appropriate course of action.

(42) The Legislative Owner must report compliance obligation breaches to the relevant government department or external regulatory agency within the legislated timeframe, when mandatory. Before any disclosure is made, approval must be obtained from the Chief Financial Officer and Executive Director, Governance, Legal and Strategic Operations and advice sought on the reporting process.

(43) The Central Compliance team coordinates an annual attestation process that includes Legislative Owners reporting any known compliance breaches. 

Training and Awareness

(44) Awareness, communication and training programs are used to educate staff about their compliance responsibilities. These programs focus on compliance risk activities and are outlined in the Compliance Policy and associated procedures.

(45) Managers at all levels are responsible for ensuring that they and their staff are aware of their compliance obligations and have or are in the process of acquiring the necessary competence to meet these obligations. This includes ensuring that their staff complete all mandatory compliance training.

(46) The RMIT Compliance Education program is available on Workday. Mandatory courses are automatically assigned to staff members based on their roles and cover a range of areas, including workplace integrity, health, safety and wellbeing, information governance, privacy and cybersecurity.

(47) All staff and researchers have a responsibility to complete mandatory compliance training courses on employment, every two years thereafter, or where a new training course is developed and assigned to them.

Continuous Improvement

(48) The ongoing review of the compliance management approach, objectives and assessment criteria is conducted as part of continuous improvement by the Central Compliance team. 

Review

(49) The Compliance Procedure is maintained by the Central Compliance team and is reviewed every five years in accordance with the Policy Governance Framework.

(50) Periodic reviews will align with ISO 37301:2021 Compliance Management Systems.

Section 5 - Definitions

(Note: Commonly defined terms are in the RMIT Policy Glossary. Any defined terms below are specific to this policy).
Accountable Officer: A member of the VCE or a specified legislative or regulatory delegate who is accountable for resourcing and nominating Legislative Owners and Legislative Specialists.
Breach: A failure to meet the clauses, principles, or requirements of legislative obligations or RMIT policies. Significant or material breaches may be reportable to an external agency or regulator. See also: Material breach.
Compliance: Meeting all requirements of laws, regulations, statutes, standards and policies.
Compliance culture: The values, ethics and beliefs about upholding legislative, regulatory and policy compliance that are embedded in an organisation.
Compliance management approach: The coordinated institutional approach to identifying, assessing, managing, monitoring and reporting compliance obligations, risks, and performance across the RMIT Group.
Compliance obligation: Refers to any legal, regulatory, contractual or internal requirement that RMIT must adhere to. This includes obligations arising from legislation, regulations, standards, codes of practice, and internal policies that govern RMIT’s operations and activities and ensures that RMIT meets its responsibilities to staff, students, government bodies and the broader community.
Compliance Obligation Breach Register: A record of breaches of RMIT’s compliance obligations. The Compliance Obligation Breach Register is managed by Central Compliance via the RMIT University Organisational Breach Reporting Form.
Compliance obligation tiers: Compliance obligations at RMIT are grouped into three tiers.
•    Tier 1: Fundamental to RMIT’s core activities and possibility of significant consequences for non-compliance.
•    Tier 2: Moderate relevance across university operations and possibility of material consequences for non-compliance.
•    Tier 3: Relevant only to specific or limited aspects of university operations with possibility of material consequences at local levels.
Compliance risk: The category of risk that could lead to non-compliance with a legislative, regulatory or policy obligation. E.g. the lack of consistent business processes creates the risk of staff failing to act in accordance with compliance requirements.
Legislative Owner: Legislative Owners are senior officers responsible for compliance with specific obligations and provide leadership to ensure requirements are met. They are accountable for guiding the implementation of compliance processes, systems and controls within their area, as well as implementing compliance action plans. Additionally, they are responsible for nominating legislative specialists for the Central Compliance team to liaise with, and provide the annual attestation for compliance for their area of business.
Legislative Specialist: Subject-matter experts with operational knowledge of how specific legislation or Acts apply to RMIT. They support the Legislative Owner in implementing the Compliance Policy, provide advice about specific legislation, and are responsible for facilitating or undertaking assessments against obligations.
Non-compliance: The outcome of non-fulfillment or contravention of compliance obligations.
Mandatory compliance training course: A compliance training course assigned to an individual based on their role that they must complete.
Material Breach: A severe and significant breach, in terms of scale and/or regulatory requirements, or with implications for safety and security, and/or legal requirements. See also: Breach.