Compliance Policy
Dublin City University (hereinafter referred to as the ‘University’) recognises that it is important to have effective governance arrangements in place. This includes a system of internal control to assist staff and others in understanding the University’s compliance obligations in relation to external laws and regulations.
The University operates in a complex and ever-evolving compliance-driven environment with over 3400 pieces of primary legislation enacted since the foundation of the State that potentially apply to the University. DCU has identified approximately 150 acts that are of particular relevance to the University.
This policy is intended to:
a) set expectations for how each area within the University will identify and assess its compliance obligations;
b) identify how those obligations are to be managed;
c) provide a framework for each area to monitor and report on compliance;
d) ensure a consistent and effective approach to the identification and documentation of the University’s compliance obligations;
e) provide for procedures to be followed to record, escalate, and resolve identified instances of non-compliance;
f) integrate and align compliance management with the University’s risk management framework and business processes;
g) develop a culture of compliance awareness;
h) ensure that compliance obligations are taken into account when making strategic management decisions;
i) provide for the management of compliance obligations to be integrated into standard management practices and accountability processes;
j) support an environment where staff take responsibility for compliance obligations; and
k) encourage continuous review and improvement of the University’s compliance management processes.
This policy applies to all units of the University, both academic and support, including its research centres and its wholly owned campus companies, and relates to compliance obligations that arise for them from applicable legislation and external regulations.
The following will be maintained and published on the University’s website:
A) Central Policies Webpage (CPW)
The CPW will display the most significant policies by which the University governs its internal affairs. It will include sections on University Statutes, Codes, Charters and Regulations that will be of particular interest to staff, students and the general public. The CPW will be maintained by the Office of the Chief Operations Officer.
B) Corporate Compliance Framework Webpage (CCFW)
The CCFW will display a listing of the most significant pieces of legislation with which the University must comply. This webpage will be maintained by the Office of the Chief Operations Officer.
The Chief Operations Officer may request advice from the University’s legal advisors on any changes in relevant legislation.
Non-compliance is a risk to the University as it can lead to:
a) damage to the University’s reputation and/or loss of public confidence;
b) damage to property or injury to person(s), including death or disability;
c) pecuniary damage in the form of fines or compensation;
d) remedial costs that would not otherwise be incurred;
e) loss of opportunity, or a delay in the achievement of an opportunity; and/or
f) avoidable disruption to business processes and activities.
The University President has overall responsibility for compliance and is answerable to the Governing Authority for this function.
The Chief Operations Officer (COO) is the University’s Compliance Coordinator and is supported in this role by the Risk and Compliance Officer (RCO), Senior Management and Heads of Unit across the University.
The RCO will draft the list of the most relevant legislation and regulations and will submit it to the University Executive for approval. Upon approval, this list constitutes the CCFW. A copy of the CCFW is available in Appendix 1.
For each item of legislation or regulations on the CCFW, a member of the Senior Management Group (SMG) is identified as having delegated responsibility for ensuring that the University has appropriate knowledge of and adequate internal controls in place to ensure compliance. The relevant SMG member may further delegate the functions to ensure day-to-day responsibility for compliance to a staff member (‘compliance manager’) in their area; however, responsibility for ensuring compliance cannot be further delegated.
The COO is responsible for maintaining a log of reported compliance breaches. The COO will make this log available to Internal Audit.
The COO is responsible for putting in place an annual schedule of sample compliance checks to monitor the effectiveness of the University’s internal compliance controls.
Compliance Managers are responsible for:
a) oversight of compliance in their area of responsibility;
b) providing leadership within their area of responsibility;
c) maintaining and continuously improving compliance management in their areas;
d) promoting an ethical and positive compliance culture within their area;
e) communicating the existence of compliance obligations, and any related behavioural requirements, to those in the University expected to uphold them;
f) identifying, assessing and managing compliance risks for those elements for which they have responsibility;
g) reporting to the COO or RCO any emerging or residual compliance risks in a timely manner;
h) reporting incidents of non-compliance to the COO or RCO;
i) supporting Heads of Unit to ensure compliance;
j) developing policies, systems, procedures, education and training to guide the behaviour of staff, and where appropriate, students and others;
k) actively monitoring compliance management within their area; and
l) formally notifying the RCO on a regular basis as to whether effective internal controls are in place to ensure compliance within their area of responsibility.
Heads of Unit are responsible for:
a) day-to-day responsibility for the management of compliance in their areas;
b) incorporating compliance management into standard management practices;
c) identifying and determining appropriate actions to address operational compliance risks within their area of responsibility;
e) implementing policies and directions with respect to compliance management; and
f) reporting incidents of non-compliance or conditions that prevent compliance to the COO or RCO.
All staff are responsible for:
a) ensuring that they meet compliance obligations in their day-to-day activities;
b) awareness of their compliance obligations and how these affect their own activities and functions;
c) implementing policies and directions with respect to compliance management;
d) reporting incidents of non-compliance or conditions that prevent compliance to their line manager.
Internal Audit can audit compliance with this policy at any time. If guidance is sought, Internal Audit can advise on the development of tools (e.g. self-assessment checklists) to support effective compliance management. Internal Audit is responsible for:
a) developing DCU’s Combined Assurance Framework;
b) regularly reviewing the log of compliance breaches and taking breaches into consideration when audit planning; and
c) reporting and making recommendations to the COO and the Audit Committee on compliance matters.
When a breach of a compliance requirement is reported to the COO or RCO, it should be categorised as one of the following types:
a) Type 1 – an isolated incident of a breach where there are controls in place to prevent recurrence.
b) Type 2 – an isolated incident of a breach where there are no controls in place to prevent recurrence.
c) Type 3 – an ongoing series of breaches arising in an environment where there are controls in place to prevent breaches.
d) Type 4 – an ongoing series of breaches arising in an environment where there are no controls in place to prevent breaches.
The COO shall determine whether a reported breach should be added to the log of compliance breaches and will notify relevant members of SMG about the details of a given breach.
The COO will submit to the Audit Committee an annual report with a list of any logged breaches received in that year, and a summary of any remedial actions taken to prevent recurrence or to better manage compliance risks in the future.
The COO will notify the Head of Internal Audit when any type 3 or type 4 breaches are added to the log of compliance breaches.
Failure to comply with this policy is a breach of University policy and may be the subject of disciplinary action in accordance with the University’s disciplinary procedures.
A reference to a compliance obligation in this policy includes a reference to:
a) the laws of the State; and
b) the laws of another country in which the University operates, or where the University is subject to legal obligations.
For the purpose of this policy, a reference to ‘law’, ‘legislative obligations’ and ‘legal’ includes:
a) legislation and statutes, including The Universities Act, 1997;
b) standards and requirements mandated under legislation;
c) EU Regulations;
d) regulations made under legislation;
e) government endorsed guidelines;
f) common law obligations (e.g. duty of care); and
g) interpretations of the same by a court of law.
This policy should be read in conjunction with the following University documents:
a) Risk Management Policy
b) Risk Appetite Statement
This policy should be read in conjunction with the University’s Risk Management Policy for the following reasons:
a) The University is subject to a range of compliance obligations, so meeting these, and maximizing the benefits of any rights or opportunities available under the law, is an essential component of managing risk and opportunity.
b) Risk and opportunity management is most effectively achieved when the risks associated with non-compliance, or failure to realize a benefit, are identified and processes are implemented to ensure that they are effectively managed.
c) Under the University’s Risk Management Policy, all Heads are responsible for managing the risks and opportunities associated with their areas and for documenting these risks in their local unit level risk registers.
The University’s Risk Appetite for compliance risks is low and it seeks to meet its compliance obligations to the best of its endeavours. Where possible, the University will look to satisfy compliance obligations in the simplest and most effective way.
If you have any questions in relation to this policy, please contact the COO at coo@dcu.ie.
This policy will be reviewed when deemed necessary by the office of the Chief Operations Officer and no later than five years after being approved.
Policy Name | Compliance Policy |
Unit Owner | Office of the Chief Operations Officer |
Version | V1.0 |
Approved by | University Executive |
Effective Date | 14th November 2023 |
Legislation / Regulations | SMG Member | Compliance Manager | Link |
Climate Action and Low Carbon Development Act | COO | Sustainability Manager | |
Charities Act 2009 | COO | Deputy COO with responsibility for charities governance | |
Children First Act | COO | Deputy COO with responsibility for child protection | |
Companies Act 2014 | COO | Deputy COO with responsibility for company compliance | |
Control of Exports Act 2008 and Regulation (EU) 2021/821 & Regulation (EU) 2023/66 | COO | Deputy COO with responsibility for Export Control | EC |
Data Protection Acts | COO | Data Protection Officer | DPU |
Finance Acts | Director of Finance | | |
Employment Acts | Director of HR | HR | |
Employment Equality Acts | Director of HR | EDI Manager | EDI |
Ethics in Public Office Act 1995 | COO | OCOO | |
Freedom of Information Act 2014 | COO | Freedom of Information Officer | FOI |
Health and Safety Acts | COO | Health and Safety Manager | H&S |
Official Languages Act 2003 & 2021 | COO | Irish Language Officer | OnaG |
Ombudsman (Amendment) Act 2012 | COO | Ombudsman Liaison Officer | OL |
Procurement Law (including EU Public Procurement Directive and Government Guidelines) | Director of Finance | | |
Protected Disclosures Act 2014 | COO | OCOO | |
Qualifications and Quality Assurance (Education and Training) Act 2012 | VPAAR | | |
Universities Act 1997 | COO | OCOO | |
Standards in Public Office Act 2001 | COO | OCOO | |
Taxes Consolidation Act 1997 | Director of Finance | | |
Value-Added Tax Consolidation Act 2010 | Director of Finance | | |