What a compliance management system is
A compliance management system helps your entity:
- identify compliance obligations and any changed or new obligations
- comply with compliance obligations
- prevent, identify and respond to compliance breaches
- promote a culture of compliance.
Your board should ensure your public entity’s system is consistent with the national standard, the Australian Standard Risk Management Guidelines. Some of the key elements of an effective compliance management system are summarised below.
Determine the scope
Your entity’s system should be appropriate for its size, operations and complexity.
To determine the scope of your system, consider your entity’s:
- compliance obligations
- policies and procedures
- regulatory environment
- requirements of interested parties, such as your portfolio department and minister.
There are 2 types of compliance obligations: requirements and commitments.
Compliance requirements are obligations your entity must comply with.
These include things like:
- laws and regulations
- ministerial directions
- government policy
- codes of conduct
- judgments of courts or tribunals
- orders or rules issued by regulatory agencies.
Compliance commitments are obligations your entity may have a choice whether to comply with or not.
These include things like:
- voluntary principles or codes of practice
- standards relevant to your entity and industry.
If there are any standards your entity must comply with by law, you need to classify these as a requirement instead.
If you need help to identify your entity’s compliance obligations, ask your portfolio department.
Where your entity’s compliance obligations come from
Laws and regulations
Many laws and regulations apply to public entities. For example, an Act of Parliament may have established your entity.
Victorian laws that could apply to your board or entity include ones that:
- improve public administration, such as the Public Administration Act 2004 (opens in a new window)and the Public Records Act 1973(opens in a new window)
- emphasise financial stewardship, such as the Financial Management Act 1994 (opens in a new window)and the Audit Act 1994(opens in a new window)
- progress workplace gender equality in the Victorian public sector, such as the Gender Equality Act 2020(opens in a new window)
- regulate state-owned enterprises, such as the State Owned Enterprises Act 1992(opens in a new window)
- focus on accountability, transparency and integrity, such as the Public Interest Disclosures Act 2012 (opens in a new window), Ombudsman Act 1973 (opens in a new window), Independent Broad-based Anti-Corruption Commission Act 2011 (opens in a new window)and the Freedom of Information Act 1982(opens in a new window)
Other relevant laws may include ones on environmental protection, equal opportunity, human rights, modern slavery, consumer protection and occupational health and safety.
A ministerial direction directs your board or entity to do something in regards to your entity’s work. Examples of ministerial directions include the Standing Directions(opens in a new window) and ministerial statements of expectations. These may include additional reporting or regulatory frameworks specific to your portfolio. Discuss these with your portfolio department.
You must comply with a ministerial direction, unless you have legal advice that the direction is unlawful or it can’t be complied with for another reason.
Under the Standing Directions, your entity must have a financial management compliance management framework.
If you can’t comply with a direction, advise your minister as soon as possible.
Your board or entity may have compliance obligations arising from government policy.
For example, your entity may have to comply with a policy if required by the Premier or Governor in Council.
Codes of conduct
You must comply with the Code of Conduct for Directors of Victorian Public Entities(opens in a new window), which is based on the Victorian public sector values(opens in a new window).
It sets the standard of behaviour expected of you as a director.
Your CEO and entity employees must comply with the Code of Conduct for Public Sector Employees(opens in a new window).
Your entity may also need to comply with industry codes of conduct.
Develop a compliance policy
With your CEO, your board should develop a compliance policy for your entity.
Use our checklist to help guide how you write it.
We’ve written our policy so it’s:
- in plain English so everyone can understand it
- accessible for people with disability.
Our policy includes:
- a framework that sets compliance objectives
- a commitment to comply with our obligations
- a commitment to continually improve our compliance management system.
Our policy explains:
- the scope of our entity’s compliance management system
- where we’ll integrate compliance in our entity’s policies, procedures and processes
- who is responsible for managing and reporting compliance issues
- the required standard of conduct of your board, CEO and employees
- who will manage relationships with internal and external stakeholders and how they will do this
- what happens if someone doesn’t comply with the policy.
Our policy considers our entity’s:
- strategy, objectives and values
- structure and governance framework
- other internal policies, standards and codes
- the nature and level of risk associated with non-compliance.
Assign who is responsible for compliance
Your CEO should set up a compliance function and assign and communicate who is responsible for it in your entity.
With your CEO, your board assigns who is responsible in the compliance function to:
- ensure it’s consistent with Compliance management systems (AS ISO 19600)(opens in a new window), which has a full list of the function’s responsibilities
- report on the performance of the compliance management system to your board and CEO.
Your compliance function needs to be independent and have direct access to your board.
It also needs to have enough authority and resources to fulfil its responsibilities.
Depending on your public entity’s size, it may have:
- an employee that manages compliance
- a committee that coordinates compliance.
But if your entity has no employees, your board should act as the compliance function.
Creating a compliance culture
Work with your CEO to create a positive compliance culture in your entity.
Some ways your board can do this are to:
- adhere to and support your compliance management system
- receive and discuss regular compliance reports
- ensure your induction programs emphasise compliance
- implement and abide by your entity’s values
- mentor, coach and lead by example
- recognise achievements in compliance management
- ensure your entity’s leadership speaks regularly with employees on compliance issues.
Managing compliance risk
Your entity needs processes in place to identify and address compliance risks.
To do this, it can:
- consider the compliance obligations of its work
- identify where non-compliance may occur.
If you identify a compliance risk, include this on your entity's risk register.
Your board should ensure your entity puts controls in place to manage areas of compliance risk. Controls could include:
- a requirement for approvals
- compliance assessments and audits
- clear and easy-to-follow operating policies, procedures, processes and work instructions.
How closely your board monitors particular compliance risks will depend on the nature and level of risk they pose to your entity.
Review your entity’s whole compliance system every year and update your risk register as needed.
Monitoring changes to obligations
Your board should ensure your public entity has processes in place to identify new or changed compliance obligations.
Some ideas to do this are:
- attend industry forums and seminars
- join professional groups
- join the mailing list of relevant regulators
- liaise with your portfolio department
- meet with regulators
- monitor websites of regulators.
These processes help your entity:
- evaluate the impact of any changes
- update how it manages its compliance obligations.
When non-compliance occurs, ensure your entity acts to control and correct the non-compliance. If required, it may also need to manage the consequences.
Your entity also needs to think about what it can do to eliminate the cause of the non-compliance so it doesn’t happen again.
To support your entity, your board can:
- review the non-compliance
- determine the causes of non-compliance
- determine if other or similar non-compliances exist or could occur.
Based on what your board finds, your entity needs to:
- inform your portfolio department and/or minister
- act to correct any issues
- review how effective their actions were
- updated the compliance management system if needed.
Evaluate and improve performance
To assess your entity’s compliance performance and management, ensure your entity collects information, such as:
- if your entity has current records of its compliance obligations
- where compliance obligations aren’t met
- how effectives its controls are.
Your board can also seek feedback on your entity’s compliance performance from a range of sources, such as employees and regulators.
Use this to continually improve your entity’s compliance management system.
Consequences of non-compliance
Non-compliance with your obligations reflects poorly on your entity, your portfolio department and minister.
The possible consequences of non-compliance include:
- criminal prosecution
- civil action for damages for breach of statutory duty
- negative reports from statutory bodies, such as the Victorian Ombudsman(opens in a new window) or the Independent Broad-based Anti-Corruption Commission(opens in a new window)
- more reporting to your minister
- closer monitoring by your entity’s portfolio department
- resignation or removal of board directors by the relevant minister.