Compliance Management Policy

Purpose

This policy confirms the commitment of the University of Otago to: delivering its strategic and operational objectives in accordance with the law and principles of good governance; and fostering an environment where staff assume responsibility for managing compliance obligations.

The University's approach to compliance management, the compliance management program, and compliance reporting procedures are detailed in the Compliance Management Framework, which supplements this policy.

A structured compliance program provides a number of beneficial outcomes by: encouraging a pro-active approach to compliance issues that could impact on the strategic and operational objectives of the University; helping to reduce the risk of unlawful and inappropriate conduct and the negative consequences of those actions; and demonstrating good corporate governance thereby enhancing reputation and community confidence in our University.

Organisational scope

This policy applies to all staff and all current and future areas of the University's business including its academic, research, administrative, project and commercial activities.

Where more detailed compliance related policies or procedures are developed to cover specific areas of the University's operations (e.g., health and safety, building, commercial activities), they should comply with the broad directions detailed in this policy.

The Boards of Controlled Entities are responsible for establishing their own compliance policy, framework, and processes and provide reports on compliance to the Vice-Chancellor and the Audit and Risk Committee on request and at the beginning of each calendar year.

Definitions

Compliance Management Framework

The set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving compliance throughout the organisation.

Register of Compliance Obligations

The University’s obligations together with actions taken to remediate actual or potential noncompliance are maintained in the University’s enterprise-wide risk management application (Logic Manager). The register will cross-reference, not duplicate, obligations and remediation actions recorded in existing registers or systems at the University i.e. Health and Safety.

Controlled Entity

An organisation that is related to the University through partial or full control/ownership.

Content

1. Compliance Management Framework

   1. The University of Otago is committed to complying with all laws, agreements, standards, codes and obligations relating to its operations and governance. In particular, the University recognises its obligation to its students, staff, and the wider community, to promote a positive compliance culture.
   2. The University has therefore adopted a methodology consistent with the Compliance Management Systems standard (ISO 37301:2021) for identifying, assessing and managing its compliance obligations. This methodology is the basis of the University of Otago's Compliance Management Framework. It applies to both academic and service divisions and considers a broad range of operational, governance, quality, academic and financial compliance obligation.
   3. The framework operates on the following principles:
      1. Outsourcing of operations or activities does not relieve the University of its compliance obligations. The standard that would be required for any outsourcing arrangement will be the same as that for the University itself.
      2. Compliance activities are integrated with other University functions such as governance, risk management, and internal audit.
      3. Compliance obligations are embedded into University-wide policies, processes, procedures and practices.
      4. To help ensure its activities are objective, the compliance function is independent of the operations to which compliance obligations apply.

2. Responsibility for Compliance

   1. The University Council has overall responsibility for compliance with laws, regulations and Council approved policies and in exercising this function delegates:
      1. Responsibility for oversight of compliance management activities to its Audit and Risk Committee, and
      2. Responsibility for the implementation of the Compliance Management Framework to the Vice-Chancellor.
   2. The Audit and Risk Committee will:
      1. Provide oversight to compliance management activities across the University and its controlled entities and monitor the implementation of remedial actions to minimise or eliminate noncompliance risk, and
      2. Report at least quarterly to the Council on the performance of compliance management activities (this may form part of a broader report on the work of the Committee).
   3. The Vice-Chancellor is responsible for:
      1. Communicating significant actual or potential compliance breaches to the Council and the Audit and Risk Committee as appropriate, and
      2. Delegates responsibility for ensuring that compliance management practices are established and maintained in accordance with this policy to the Chief Operating Officer.
   4. The Chief Operating Officer has:
      1. Delegated authority to ensure that compliance management practices are established and maintained and that support and guidance is provided to the University community,
      2. Responsibility for the operational management of compliance management practices University- wide, and
      3. Ensures governance mechanisms effectively monitor compliance and the way in which compliance obligations are managed.
   5. Senior Managers (DVCs, PVCs, Deans, Head of Departments, Directors) are responsible for:
      1. Recognition and disclosure of actual or potential noncompliance in their areas of responsibility.
      2. Identifying existing and emerging laws and regulations applicable to their area of responsibility on an ongoing basis.
      3. Maintaining and updating the Register of Compliance Obligations in accordance with the University-wide Compliance Management Framework.
      4. Reporting regularly to the Vice-Chancellor on compliance - immediately in instances where significant actual or potential noncompliance is identified.
      5. Ensuring that compliance risks are assessed for any new (or significantly altered) activity for which they are responsible.
      6. Ensuring that noncompliance and noncompliant behaviours are dealt with appropriately.
      7. Making training opportunities in compliance available to staff as appropriate to their position and role.
   6. The Head of Risk, Assurance and Compliance is responsible for:
      1. Promoting and facilitating the implementation of formal processes to identify, assess, record and communicate compliance obligations and compliance risks,
      2. The ongoing development of the Compliance Management Framework,
      3. Continuously monitoring action undertaken by the University to address significant instances of noncompliance, and
      4. Providing guidance and assistance to senior management and staff in fulfilling the responsibilities defined in this policy.
   7. All other management and supervisory staff are accountable for the timely and proactive provision of information to all those mentioned in (a) to (f) above which will allow those responsible for managing actual or potential noncompliance in particular areas, to carry out their tasks in the most informed manner possible.

Related policies, procedures and forms

• Compliance Management Framework (PDF)
• Health and Safety Policy
• Incident Reporting Policy
• Protected Disclosures Policy and Procedure
• Risk Management Framework

Contact for further information

If you have any queries regarding the content of this policy or need further clarification, please contact:

Director of Risk, Assurance and Compliance
Email risk.management@otago.ac.nz