What a compliance management system is
A compliance management system helps your entity:
- identify compliance obligations and any changed or new obligations
- comply with compliance obligations
- prevent, identify and respond to compliance breaches
- promote a culture of compliance.
Determine the scope
Your entity’s system should be appropriate for its size, operations and complexity.
To determine the scope of your system, consider your entity’s:
- compliance obligations
- policies and procedures
- regulatory environment
- requirements of interested parties, such as your portfolio department and minister.
There are 2 types of compliance obligations: requirements and commitments.
Compliance requirements are obligations your entity must comply with.
These include things like:
- laws and regulations
- ministerial directions
- government policy
- codes of conduct
- judgments of courts or tribunals
- orders or rules issued by regulatory agencies.
Compliance commitments are obligations your entity may have a choice whether to comply with or not.
These include things like:
- voluntary principles or codes of practice
- standards relevant to your entity and industry.
If there are any standards your entity must comply with by law, you need to classify these as a requirement instead.
If you need help to identify your entity’s compliance obligations, ask your portfolio department.
Where your entity’s compliance obligations come from
Laws and regulations
Many laws and regulations apply to public entities. For example, an Act of Parliament may have established your entity.
Victorian laws that could apply to your board or entity include ones that:
- improve public administration, such as the and the
- emphasise financial stewardship, such as the and the
- progress workplace gender equality in the Victorian public sector, such as the
- regulate state-owned enterprises, such as the
- focus on accountability, transparency and integrity, such as the , , and the
Other relevant laws may include ones on environmental protection, equal opportunity, human rights, modern slavery, consumer protection and occupational health and safety.
A ministerial direction directs your board or entity to do something in regards to your entity’s work. Examples of ministerial directions include the and ministerial statements of expectations. These may include additional reporting or regulatory frameworks specific to your portfolio. Discuss these with your portfolio department.
You must comply with a ministerial direction, unless you have legal advice that the direction is unlawful or it can’t be complied with for another reason.
Under the Standing Directions, your entity must have a financial management compliance management framework.
If you can’t comply with a direction, advise your minister as soon as possible.
Your board or entity may have compliance obligations arising from government policy.
Codes of conduct
It sets the standard of behaviour expected of you as a director.
Your entity may also need to comply with industry codes of conduct.
Develop a compliance policy
With your CEO, your board should develop a compliance policy for your entity.
Use our checklist to help guide how you write it.
We’ve written our policy so it’s:
Our policy includes:
- a framework that sets compliance objectives
- a commitment to comply with our obligations
- a commitment to continually improve our compliance management system.
Our policy explains:
- the scope of our entity’s compliance management system
- where we’ll integrate compliance in our entity’s policies, procedures and processes
- who is responsible for managing and reporting compliance issues
- the required standard of conduct of your board, CEO and employees
- who will manage relationships with internal and external stakeholders and how they will do this
- what happens if someone doesn’t comply with the policy.
Our policy considers our entity’s:
- strategy, objectives and values
- structure and governance framework
- other internal policies, standards and codes
- the nature and level of risk associated with non-compliance.
Assign who is responsible for compliance
Your CEO should set up a compliance function and assign and communicate who is responsible for it in your entity.
With your CEO, your board assigns who is responsible in the compliance function to:
- ensure it’s consistent with , which has a full list of the function’s responsibilities
- report on the performance of the compliance management system to your board and CEO.
Your compliance function needs to be independent and have direct access to your board.
It also needs to have enough authority and resources to fulfil its responsibilities.
Depending on your public entity’s size, it may have:
- an employee that manages compliance
- a committee that coordinates compliance.
But if your entity has no employees, your board should act as the compliance function.
Creating a compliance culture
Work with your CEO to create a positive compliance culture in your entity.
Some ways your board can do this are to:
- adhere to and support your compliance management system
- receive and discuss regular compliance reports
- ensure your induction programs emphasise compliance
- implement and abide by your entity’s values
- mentor, coach and lead by example
- recognise achievements in compliance management
- ensure your entity’s leadership speaks regularly with employees on compliance issues.
Managing compliance risk
Your entity needs processes in place to identify and address compliance risks.
To do this, it can:
- consider the compliance obligations of its work
- identify where non-compliance may occur.
If you identify a compliance risk, include this on your entity's risk register.
Your board should ensure your entity puts controls in place to manage areas of compliance risk. Controls could include:
- a requirement for approvals
- compliance assessments and audits
- clear and easy-to-follow operating policies, procedures, processes and work instructions.
How closely your board monitors particular compliance risks will depend on the nature and level of risk they pose to your entity.
Review your entity’s whole compliance system every year and update your risk register as needed.
Monitoring changes to obligations
Your board should ensure your public entity has processes in place to identify new or changed compliance obligations.
Some ideas to do this are:
- attend industry forums and seminars
- join professional groups
- join the mailing list of relevant regulators
- liaise with your portfolio department
- meet with regulators
- monitor websites of regulators.
These processes help your entity:
- evaluate the impact of any changes
- update how it manages its compliance obligations.
When non-compliance occurs, ensure your entity acts to control and correct the non-compliance. If required, it may also need to manage the consequences.
Your entity also needs to think about what it can do to eliminate the cause of the non-compliance so it doesn’t happen again.
To support your entity, your board can:
- review the non-compliance
- determine the causes of non-compliance
- determine if other or similar non-compliances exist or could occur.
Based on what your board finds, your entity needs to:
- inform your portfolio department and/or minister
- act to correct any issues
- review how effective their actions were
- updated the compliance management system if needed.
Evaluate and improve performance
To assess your entity’s compliance performance and management, ensure your entity collects information, such as:
- if your entity has current records of its compliance obligations
- where compliance obligations aren’t met
- how effectives its controls are.
Your board can also seek feedback on your entity’s compliance performance from a range of sources, such as employees and regulators.
Use this to continually improve your entity’s compliance management system.
Consequences of non-compliance
Non-compliance with your obligations reflects poorly on your entity, your portfolio department and minister.
The possible consequences of non-compliance include:
Reviewed 19 August 2022