Compliance Procedure

Section 1 - Context

(1) This procedure sets out the rules and requirements for maintaining compliance with relevant obligations at RMIT. It outlines RMIT’s approach to managing compliance, defining relevant terms, roles and responsibilities, and embedding a positive compliance culture aligned with the best practice standard ISO 37301:2021 for Compliance Management Systems.

(2) This procedure is to be read in conjunction with the Compliance Policy and Compliance Breach Management Procedure.

Section 2 - Authority

(3) RMIT is subject to a wide range of compliance obligations, including compliance requirements under applicable laws, regulations, standards, codes of practice, and compliance commitments made by RMIT.

(4) Authority for this document is established by the Compliance Policy.

Section 3 - Scope

(5) Throughout this procedure, RMIT means the RMIT Group. The RMIT Group is defined as RMIT University and its controlled entities (e.g. RMIT Vietnam, RMIT Europe, RMIT Online and RMIT University Pathways [RMIT UP]).

(6) This procedure applies to all staff, researchers, affiliates, contractors and volunteers of the RMIT Group. All members of the RMIT community are responsible for understanding and fulfilling compliance obligations.

(7) Non-RMIT owned or controlled bodies, such as affiliated colleges and other similar entities, should utilise and apply this document and its principles. 

Section 4 - Procedure

(8) The Compliance Procedure is a key feature of RMIT’s overall compliance management system. It affirms RMIT’s commitment to compliance and, along with the Compliance Breach Management Procedure, establishes methods to support staff in managing compliance obligations.

(9) The procedure expands on responsibilities outlined in the Compliance Policy, supports RMIT’s regulatory risk appetite, and describes the system for identifying, assessing, managing, monitoring and reporting on compliance management, including the role of the Central Compliance Team in implementing a Group-wide legislative compliance management approach.

(10) RMIT’s compliance management system is comprised of the following five components:

  1. Compliance Obligations Management
  2. Risk Assessment
  3. Control Identification and Assessment
  4. Monitoring
  5. Compliance Management Reporting.

(11) The components of the compliance management system are reviewed and evaluated every two years to ensure they remain fit for purpose and facilitate continuous improvement. 

Compliance Obligations Management

(12) Compliance with relevant legislation is essential for RMIT to operate ethically, safely and pragmatically. It enables RMIT to maintain its commitment to the provision of high-quality teaching, learning and research, while ensuring legal integrity, and safeguarding the rights and welfare of its stakeholders. Additionally, it supports the responsible management of resources and finances. Relevant legislative topics include:

  1. Education and quality standards
  2. Standards for onshore overseas students
  3. Copyright and intellectual property
  4. Health, safety and wellbeing
  5. Anti-discrimination and equal opportunity
  6. Privacy and data protection
  7. Research ethics and integrity, and
  8. Financial governance regulations.

Legislative Obligations Register

(13) RMIT has established a centralised Legislative Obligations Register that comprises applicable legislation, along with its corresponding obligations and requirements. The legislation in this Register is categorised by its underlying nature, as follows:

  1. Education and Training
  2. Operations and Corporate
  3. People, Employment and OHS
  4. Research
  5. Technology, Data and Privacy.

(14) Ownership of compliance obligations must be defined, understood and aligned with the Delegations of Authority Policy to ensure effective oversight and management of compliance activities (refer to clauses 27–35).

(15) Stakeholder teams essential to meeting legislative requirements are identified by the Central Compliance Team during the initial review of the legislation. These stakeholder teams are designated as ‘Legislative Owners’ and ‘Legislative Specialists’ and are contact points for matters related to this legislation. It is important to note that compliance remains a shared responsibility across multiple teams.

(16) The Central Compliance Team engages with relevant teams as new legislation is implemented. The initiation of contact with teams is prioritised on a case-by-case basis, depending on the nature of the legislation and its potential impact on RMIT. If any work involving legislation with a high impact on RMIT is not listed in the Legislative Obligations Register, the responsible parties must notify the Central Compliance Team at compliance@rmit.edu.au.

(17) Where a compliance management responsibility for an Act or specific obligations under that Act cannot be determined based on portfolio responsibilities, the Vice-Chancellor, in consultation with the Vice-Chancellor's Executive Meeting, determines who will be the Legislative Owner for that Act or obligation.

Legislative Change Communication

(18) Compliance obligations may change as legislation changes. It is crucial for Legislative Owners and relevant RMIT stakeholders to be aware of these changes to maintain compliance and minimise risk to RMIT.

(19) The Legislative Change Communication Process is the system used to notify RMIT staff of changes to regulatory obligations. It provides a structured approach to inform relevant staff of changes to regulatory obligations through an Alerts system. This process ensures that relevant staff are aware of and address compliance risks arising from legislative changes.

(20) The Legislative Alerts List contains Bills and regulations that may change compliance obligations and is accessible through the RMIT staff Legislative Communication Change SharePoint site. Staff can check the summary fields in the list to determine if changes are relevant to their responsibilities before accessing the full Alerts list.

(21) Stakeholders responsible for or materially impacted by legislative obligations should subscribe to specific legislative newsletters and alerts from government departments or reputable legal advisory websites. Staff responsible must be appropriately registered as primary contacts with key agencies to ensure they receive regular correspondence. The contact details must be current and inboxes monitored.

(22) The Legislative Owner is responsible for communicating a compliance action plan to the Central Compliance Team, outlining the impact of legislative changes, the proposed action plan and the timeframes for implementation. This may include adjusting policies, procedures or practices to comply with new obligations. Managers should request staff to consider how legislative changes impact their areas of responsibility.

(23) While the Legislative Change Communication process presents updates to regulatory obligations, it is the responsibility of RMIT staff to adapt or implement subsequent actions and processes to ensure compliance. Regulatory compliance changes identified locally should be brought to the attention of the Central Compliance Team as soon as practicable. 

Risk Assessment

Classification of Legislation by Tiers

(24) RMIT takes a risk-informed approach to managing compliance obligations by categorising applicable legislation into tiers based on the potential financial, regulatory, reputational and safety impacts associated with non-compliance. This tiered classification system, guided by the RMIT Risk Management Framework, helps prioritise and focus the assurance efforts provided by the Compliance Policy and its associated procedures. 

Table 1: Legislation classified by tiers

  Tier 1: Fundamental to RMIT’s core activities with significant consequences for non-compliance.
  Tier 2: Moderate relevance across RMIT operations with material consequences for non-compliance.
  Tier 3: Relevant to specific or limited aspects of RMIT operations with material consequences at local levels.

(25) Using RMIT’s Risk Management Framework, Legislative Owners, with assistance from Legislative Specialists and key staff, assess the level of risk that non-compliance with a particular compliance obligation poses to RMIT in achieving its strategic objectives. This assessment helps determine where to focus resources and the level of action required for non-compliance issues.

(26) All non-compliance issues are risk-assessed within the context of the compliance obligation itself. This risk assessment is reviewed whenever there are changes to the compliance obligations, changes to internal policy, or every two years, whichever occurs first. 

Control Identification and Assessment

(27) Compliance control assessments are undertaken to determine if RMIT has processes in place to meet obligations under applicable legislation. These assessments are conducted using Self-Assessment Questionnaires (SAQs) to identify current controls and any gaps that need to be addressed. 

Self-Assessment Questionnaires (SAQs)

(28) Biannual reviews of compliance obligations are conducted to align with the biannual ARMC reporting cycle. These reviews utilise Self-Assessment Questionnaires (SAQs) to evaluate the current state of compliance and identify any areas of improvement.

(29) Legislative Owners and their teams, with assistance from the Central Compliance Team, complete the SAQs as part of the compliance obligations review process. These teams will evaluate whether processes are in place to meet legislative obligations, record current controls, identify gaps and any actions needed.

(30) Specific requirements under each SAQ can be viewed at the Legislative Obligations Register.

(31) After the SAQs are completed, the Central Compliance Team assesses the responses to determine overall compliance against the requirements, and may provide feedback and suggestions to the Legislative Owners and their teams for implementing compliance controls to address gaps or areas of non-compliance.

(32) The SAQs are essential for assessing RMIT’s strengths and areas requiring improvement. They provide valuable insights for specific business areas and the broader RMIT community.

Monitoring

(33) Following the initial compliance obligations review using the SAQs, the Central Compliance Team conducts monitoring and check-ins every six months. These check-ins capture any changes in compliance status, controls and actions taken to address gaps. They also record any changes in the compliance environment that may have an impact on RMIT’s compliance obligations. These biannual check-ins provide an opportunity for the stakeholder teams to raise any compliance-related matters with the Central Compliance Team.

(34) The monitoring program is designed to be flexible, allowing it to adapt to changing environments and address specific areas of compliance risk in a timely manner.

(35) Legislative Owners are responsible for monitoring compliance within their business area to assess how effectively compliance risks are being managed. The Central Compliance Team can provide advice on best practices for monitoring compliance risks. 

Compliance Management Reporting

(36) To ensure appropriate visibility, oversight and governance of compliance management, the Central Compliance Team coordinates biannual reporting to VCEM and ARMC, with input from Legislative Owners and Legislative Specialists. When in-depth discussions on specific legislation are required, Legislative Owners will lead these discussions at relevant governance meetings.

(37) Compliance reports include key information and insights, which may cover:

  1. Areas of elevated regulatory risk
  2. Reported compliance breaches
  3. Key legislative compliance gaps
  4. Significant actions to address gaps
  5. Results of compliance attestations
  6. Status updates on the implementation of the Compliance Policy.

Compliance Breach Management

(38) Identified or suspected compliance breaches must be reported and managed in accordance with the Compliance Breach Management Procedure.

Training and Awareness

(39) Managers at all levels are responsible for ensuring that they and their staff are aware of their compliance obligations and have, or are in the process of acquiring, the necessary competence to meet these obligations. This includes ensuring that their staff complete all mandatory compliance training.

(40) The RMIT Compliance Education program is available on Workday. Mandatory courses are automatically assigned to staff members based on their roles and cover a range of areas, including workplace integrity, health, safety and wellbeing, information governance, privacy and cybersecurity.

(41) All staff and researchers have a responsibility to complete mandatory compliance training courses on employment, every two years thereafter, or where a new training course is developed and assigned to them.

Continuous Improvement

(42) The ongoing review of the compliance management approach, objectives and assessment criteria is conducted as part of continuous improvement by the Central Compliance Team. 

Review

(43) The Compliance Procedure is maintained by the Central Compliance Team and is reviewed every five years in accordance with the Policy Governance Policy.

(44) Periodic reviews will align with ISO 37301:2021 Compliance Management Systems.

Section 5 - Definitions

(Note: Commonly defined terms are in the RMIT Policy Glossary. Any defined terms below are specific to this policy).
Breach
A failure to meet the clauses, principles, or requirements of regulatory, contractual and legislative obligations or RMIT policies and procedures. Significant or material breaches may be reportable to an external agency or regulator. See also: Material breach.
Compliance
Meeting all requirements of laws, regulations, statutes, standards and policies.
Compliance culture
The values, ethics and beliefs about upholding legislative, regulatory and policy compliance that are embedded in an organisation.
Compliance management
The coordinated institutional approach to identifying, assessing, managing, monitoring and reporting compliance obligations, risks, and performance across the RMIT Group.
Compliance obligation
Any legal, regulatory, contractual or internal requirement that RMIT must adhere to. This includes obligations arising from legislation, regulations, standards, codes of practice, contracts, and internal policies and procedures that govern RMIT’s operations and activities and ensure that RMIT meets its responsibilities to staff, students, government bodies and the broader community.
Compliance Breach Register
A record of breaches of RMIT’s compliance obligations, managed by the Central Compliance Team.
Compliance obligation tiers
Compliance obligations at RMIT are grouped into three tiers.
• Tier 1: Fundamental to RMIT’s core activities and possibility of significant consequences for non-compliance.
• Tier 2: Moderate relevance across university operations and possibility of material consequences for non-compliance.
• Tier 3: Relevant only to specific or limited aspects of university operations with possibility of material consequences at local levels.
Compliance risk
The category of risk that could lead to non-compliance with a legislative, regulatory or policy obligation. E.g. the lack of consistent business processes creates the risk of staff failing to act in accordance with compliance requirements.
Legislative Owner
Legislative Owners are senior officers responsible for compliance with specific obligations and provide leadership to ensure requirements are met. They are accountable for guiding the implementation of compliance processes, systems and controls within their area, as well as implementing compliance action plans. Additionally, they are responsible for nominating Legislative Specialists for the Central Compliance Team to liaise with.
Legislative Specialist
Subject-matter experts with operational knowledge of how specific legislation or Acts apply to RMIT. They support the Legislative Owner in implementing the Compliance Policy, provide advice about specific obligations, and are responsible for facilitating or undertaking assessments against obligations.
Non-compliance
The outcome of non-fulfillment or contravention of compliance obligations.
Mandatory compliance training course
A compliance training course assigned to an individual based on their role that they must complete.
Material breach
A severe and significant breach, in terms of scale and/or regulatory requirements, or with implications for safety and security, and/or legal requirements. See also: Breach.