Compliance management

A guide to help your board ensure that your entity complies with its obligations.

What a compliance management system is

A compliance management system helps your entity:

  • identify compliance obligations and any changed or new obligations
  • comply with compliance obligations
  • prevent, identify and respond to compliance breaches
  • promote a culture of compliance.

Your board should ensure your public entity’s system is consistent with the national standard, the Australian Standard Risk Management Guidelines. Some of the key elements of an effective compliance management system are summarised below.

Determine the scope

Your entity’s system should be appropriate for its size, operations and complexity.

To determine the scope of your system, consider your entity’s:

  • compliance obligations
  • policies and procedures
  • regulatory environment
  • requirements of interested parties, such as your portfolio department and minister.

Compliance obligations

There are 2 types of compliance obligations: requirements and commitments.

Compliance requirements are obligations your entity must comply with.

These include things like:

  • laws and regulations
  • ministerial directions
  • government policy
  • codes of conduct
  • judgments of courts or tribunals
  • orders or rules issued by regulatory agencies.

Compliance commitments are obligations your entity may choose whether or not to comply with.

These include things like:

  • voluntary principles or codes of practice
  • standards relevant to your entity and industry.

If there are any standards your entity must comply with by law, you need to classify these as a requirement instead.

If you need help to identify your entity’s compliance obligations, ask your portfolio department.

Where your entity’s compliance obligations come from

Laws and regulations

Many laws and regulations apply to public entities. For example, an Act of Parliament may have established your entity.

Victorian laws that could apply to your board or entity include ones that:

Other relevant laws may include ones on environmental protection, equal opportunity, human rights, modern slavery, consumer protection and occupational health and safety.

Ministerial directions

A ministerial direction directs your board or entity to do something regarding your entity’s work. Examples of ministerial directions include the Standing Directions and ministerial statements of expectations. These may include additional reporting or regulatory frameworks specific to your portfolio. Discuss these with your portfolio department.

You must comply with a ministerial direction, unless you have legal advice that the direction is unlawful or it can’t be complied with for another reason.

Under the Standing Directions, your entity must have a financial management compliance management framework.

If you can’t comply with a direction, advise your minister as soon as possible.

Government policy

Your board or entity may have compliance obligations arising from government policy.

For example, your entity may have to comply with a policy if required by the Premier or Governor in Council.

Codes of conduct

You must comply with the Code of Conduct for Directors of Victorian Public Entities, which is based on the Victorian public sector values.

It sets the standard of behaviour expected of you as a director.

Your CEO and entity employees must comply with the Code of Conduct for Public Sector Employees.

Your entity may also need to comply with industry codes of conduct.

Develop a compliance policy

With your CEO, your board should develop a compliance policy for your entity.

Use our checklist to help guide how you write it.

Policy checklist

We’ve written our policy so it’s:

Our policy includes:

  • a framework that sets compliance objectives
  • a commitment to comply with our obligations
  • a commitment to continually improve our compliance management system.

Our policy explains:

  • the scope of our entity’s compliance management system
  • where we’ll integrate compliance in our entity’s policies, procedures and processes
  • who is responsible for managing and reporting compliance issues
  • the required standard of conduct of our board, CEO and employees
  • who will manage relationships with internal and external stakeholders and how they will do this
  • what happens if someone doesn’t comply with the policy.

Entity requirements

Our policy considers our entity’s:

  • obligations
  • strategy, objectives and values
  • structure and governance framework
  • other internal policies, standards and codes
  • the nature and level of risk associated with non-compliance.

Assign who is responsible for compliance

Your CEO should set up a compliance function and assign and communicate who is responsible for it in your entity.

With your CEO, your board assigns who is responsible in the compliance function to:

Your compliance function needs to be independent and have direct access to your board.

It also needs to have enough authority and resources to fulfil its responsibilities.

Depending on your public entity’s size, it may have:

  • an employee that manages compliance
  • a committee that coordinates compliance.

But if your entity has no employees, your board should act as the compliance function.

Creating a compliance culture

Work with your CEO to create a positive compliance culture in your entity.

Some ways your board can do this are to:

  • adhere to and support your compliance management system
  • receive and discuss regular compliance reports
  • ensure your induction programs emphasise compliance
  • implement and abide by your entity’s values
  • mentor, coach and lead by example
  • recognise achievements in compliance management
  • ensure your entity’s leadership speaks regularly with employees on compliance issues.

Managing compliance risk

Your entity needs processes in place to identify and address compliance risks.

To do this, it can:

  • consider the compliance obligations of its work
  • identify where non-compliance may occur.

If you identify a compliance risk, include this on your entity's risk register.

Compliance controls

Your board should ensure your entity puts controls in place to manage areas of compliance risk. Controls could include:

  • a requirement for approvals
  • compliance assessments and audits
  • clear and easy-to-follow operating policies, procedures, processes and work instructions.

How closely your board monitors particular compliance risks will depend on the nature and level of risk they pose to your entity.

Review your entity’s whole compliance system every year and update your risk register as needed.

Monitoring changes to obligations

Your board should ensure your public entity has processes in place to identify new or changed compliance obligations.

Some ideas to do this are:

  • attend industry forums and seminars
  • join professional groups
  • join the mailing list of relevant regulators
  • liaise with your portfolio department
  • meet with regulators
  • monitor websites of regulators.

These processes help your entity:

  • evaluate the impact of any changes
  • update how it manages its compliance obligations.

Managing non-compliance

When non-compliance occurs, ensure your entity acts to control and correct the non-compliance. If required, it may also need to manage the consequences.

Your entity also needs to think about what it can do to eliminate the cause of the non-compliance so it doesn’t happen again.

To support your entity, your board can:

  • review the non-compliance
  • determine the causes of non-compliance
  • determine if other or similar non-compliances exist or could occur.

Based on what your board finds, your entity needs to:

  • inform your portfolio department and/or minister
  • act to correct any issues
  • review how effective its actions were
  • update the compliance management system if needed.

Evaluate and improve performance

To assess your entity’s compliance performance and management, ensure your entity collects information, such as:

  • whether your entity has current records of its compliance obligations
  • where compliance obligations aren’t met
  • how effective its controls are.

Your board can also seek feedback on your entity’s compliance performance from a range of sources, such as employees and regulators.

Use this to continually improve your entity’s compliance management system.

Consequences of non-compliance

Non-compliance with your obligations reflects poorly on your entity, your portfolio department and minister.

The possible consequences of non-compliance include: