View Document

Compliance Breach Management Procedure

This is the current version of this document. You can provide feedback on this policy to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Context

(1) The procedure details the requirements for identifying, assessing, remediating, reporting and recording breaches of compliance obligations under the compliance management program.

Top of Page

Section 2 - Authority

(2) Authority for this document is established by the Compliance Policy.

Top of Page

Section 3 - Scope

(3) This procedure applies to all staff including researchers, contractors and volunteers of the RMIT Group.

(4) It does not apply to allegations of breaches of the Code of Conduct which are handled under separate policies.

Top of Page

Section 4 - Details

Policy Governance

(5) RMIT policies and procedures governing a specific type of breach or critical incident response may take precedence over this procedure. However, the requirements for reporting and recording (section 4) apply to all types of breaches.

Identifying and Responding to Breaches of Compliance Obligations

(6) All RMIT staff who identify or suspect a breach must report it to their manager as soon as practicable. Evidence that may be valuable in determining the cause or allow for corrective action to be taken must not be compromised or destroyed.

(7) Managers must report the identified or suspected breach to the compliance management contact or responsible owner.

(8) If staff are unable to discuss a breach with their manager, they must report the breach directly to the relevant compliance management contact or the Chief Audit and Risk Officer.

(9) Staff who wish to make a confidential or anonymous disclosure about an identified or suspected compliance breach should make the disclosure directly to compliance@rmit.edu.au (unless there is a corruption or fraud concern then see clause (26).

(10) Staff who are aware of a breach and fail to report it may be subject to disciplinary action in accordance with the Code of Conduct and relevant RMIT policies that may apply.

(11) Where reasonable and practicable, immediate action must be taken to contain the breach. This may include stopping unauthorised practices, recovering any records, implementing safety measures etc. In certain cases, action may be required before the matter can be reported.

(12) Where incidents or breaches relate to high risk regulatory activities the Escalation Guide: Regulatory, Legal, Conduct, Safety and Security Matters must be followed.

(13) Significant or material breaches must be reported to Internal Audit, Compliance Risk and Regulation by responsible owners as soon as practicable, with timelines for assessment of the breach to ensure that any independent investigation, as necessary or required, commences in a timely manner.

Assessing and Remediating Breaches of Compliance Obligations

(14) Compliance management contacts are responsible for assessment of compliance breaches. The compliance management contact will assess the nature, scale and impact of breaches with reference to risk management protocols and determine the appropriate course of action. Where there is a conflict of interest concern, the responsible owner may seek advice from the Chief Audit and Risk Officer.

(15) The assessment will identify root causes and determine whether the breach is an isolated or systemic issue. It will identify corrective or preventative actions to mitigate or eliminate the impact of the breach and likelihood of recurrence.

(16) Breaches that may give rise to a risk of harm to individuals must be evaluated to determine likelihood and severity to inform corrective action and determine if an external agency needs to be notified.

(17) Corrective or preventative action plans for breaches to privacy and personal data security must be endorsed by the Privacy Office and Office of the Chief Information Security Officer.

(18) The implementation of corrective or preventative actions will be approved and monitored by the responsible owner.

(19) Staff who may have access to confidential or personal information during breach management must comply with the Privacy Policy and the Information Governance Policy.

Recording and Reporting of Breaches of Compliance Obligations

(20) Suspected or actual breaches must be recorded.

(21) Breaches relating to high risk regulatory activities will be recorded by the compliance management contact/s identified in the Escalation Guide: Regulatory, Legal, Conduct, Safety and Security Matters.

(22) Material breaches relating to high risk regulatory activities must be reported to the relevant governance body – Academic Board, Audit and Risk Management Committee or Council.

(23) The responsible owner in consultation with the Chief Audit and Risk Officer must report compliance obligation breaches to the relevant government department or regulatory agency where the reporting of such breaches is mandatory.

(24) The Chief Audit and Risk Officer must report on identified compliance obligation breaches, corrective action and status to the Audit and Risk Management Committee no less than twice per year in accordance within the approved schedule.

(25) The Chief Audit and Risk Officer will retain a record of breaches and outcomes on the Compliance Obligation Breach Register.

Public Interest Disclosure

(26) Breaches caused by suspected or confirmed corruption must follow the Anti-Corruption and Fraud Prevention Policy and Whistleblower Procedure.

Top of Page

Section 5 - Resources

(27) Refer to the following documents which are established in accordance with this procedure:

  1. Compliance Management Program
  2. Escalation Guide: Regulatory, Legal, Conduct, Safety and Security Matters (available via the staff Compliance webpage).