A compliance management system helps your entity:
Your board should ensure your public entity’s system is consistent with the national standard, the Australian Standard Risk Management Guidelines. Some of the key elements of an effective compliance management system are summarised below.
Your entity’s system should be appropriate for its size, operations and complexity.
To determine the scope of your system, consider your entity’s:
There are 2 types of compliance obligations: requirements and commitments.
Compliance requirements are obligations your entity must comply with.
These include things like:
Compliance commitments are obligations your entity may be able to choose whether or not to comply with.
These include things like:
If there are any standards your entity must comply with by law, you need to classify these as a requirement instead.
If you need help to identify your entity’s compliance obligations, ask your portfolio department.
Many laws and regulations apply to public entities. For example, an Act of Parliament may have established your entity.
Victorian laws that could apply to your board or entity include ones that:
Other relevant laws may include ones on environmental protection, equal opportunity, human rights, modern slavery, consumer protection and occupational health and safety.
A ministerial direction directs your board or entity to do something in relation to your entity’s work. Examples of ministerial directions include the Standing Directions and ministerial statements of expectations. These may include additional reporting or regulatory frameworks specific to your portfolio. Discuss these with your portfolio department.
You must comply with a ministerial direction, unless you have legal advice that the direction is unlawful or it can’t be complied with for another reason.
Under the Standing Directions, your entity must have a financial management compliance management framework.
If you can’t comply with a direction, advise your minister as soon as possible.
Your board or entity may have compliance obligations arising from government policy.
For example, your entity may have to comply with a policy if required by the Premier or Governor in Council.
You must comply with the Code of Conduct for Directors of Victorian Public Entities, which is based on the Victorian public sector values.
It sets the standard of behaviour expected of you as a director.
Your CEO and entity employees must comply with the Code of Conduct for Public Sector Employees.
Your entity may also need to comply with industry codes of conduct.
With your CEO, your board should develop a compliance policy for your entity.
Use our checklist to help guide how you write it.
We’ve written our policy so it’s:
Our policy includes:
Our policy explains:
Our policy considers our entity’s:
Your CEO should set up a compliance function and assign and communicate who is responsible for it in your entity.
With your CEO, your board assigns who is responsible in the compliance function to:
Your compliance function needs to be independent and have direct access to your board.
It also needs to have enough authority and resources to fulfil its responsibilities.
Depending on your public entity’s size, it may have:
But if your entity has no employees, your board should act as the compliance function.
Work with your CEO to create a positive compliance culture in your entity.
Some ways your board can do this are to:
Your entity needs processes in place to identify and address compliance risks.
To do this, it can:
If you identify a compliance risk, include this on your entity’s risk register.
Your board should ensure your entity puts controls in place to manage areas of compliance risk. Controls could include:
How closely your board monitors particular compliance risks will depend on the nature and level of risk they pose to your entity.
Review your entity’s whole compliance system every year and update your risk register as needed.
Your board should ensure your public entity has processes in place to identify new or changed compliance obligations.
Some ways to do this are:
These processes help your entity:
When non-compliance occurs, ensure your entity acts to control and correct the non-compliance. If required, it may also need to manage the consequences.
Your entity also needs to think about what it can do to eliminate the cause of the non-compliance so it doesn’t happen again.
To support your entity, your board can:
Based on what your board finds, your entity needs to:
To assess your entity’s compliance performance and management, ensure your entity collects information, such as:
Your board can also seek feedback on your entity’s compliance performance from a range of sources, such as employees and regulators.
Use this to continually improve your entity’s compliance management system.
Non-compliance with your obligations reflects poorly on your entity, your portfolio department and minister.
The possible consequences of non-compliance include: