Risk and Compliance Policy

Reference number: 2P_2.9.7_2020

Responsible executive manager: Registrar

Policy owner: Director: Corporate and Information Governance Services

Responsible division: Corporate and Information Governance Services

Status: Approved

Approved by: Council

Date of approval: 19 March 2020

Review date: 2022

 


Against the background of the dream to be an internationally recognised university in Africa, distinguished for engaged scholarship, social responsiveness and an ethic of care, the council of the North-West University (NWU) adopted this policy on 19 March 2020 to ensure pursuit of the university’s objectives by embedding risk and compliance management into all the processes of the NWU.


1. Interpretation and application

This policy must be interpreted and applied in a manner consistent with the –

1.1        Constitution of the Republic of South Africa, 1996

1.2        Higher Education Act, 101 of 1997

1.3        The Statute of the North-West University (2017)

1.4        KING IV Report on Corporate Governance, in particular principle 11 (risk), principle 13 (compliance) and principle 15 (assurance), and

1.5        The Generally Accepted Compliance Principles (GACP) of the Institute of Compliance in Southern Africa.


2. Definitions

In this policy and for the purposes of risk and compliance management at the NWU –

“assurance” means the diligent application of mind to evidence, resulting in a statement or declaration concerning an identified subject matter or subject matter information, made for the purpose of enhancing confidence in that subject matter or subject matter information;

“compliance framework” means the set of compliance management processes and tools used by the NWU for managing its compliance programme;

“compliance risk” means the risk of impairment of the university’s integrity, leading to damage of the university’s reputation, legal or regulatory sanctions or financial loss as a result of failure to comply with applicable laws, regulations and standards;

“compliance” means the process of measuring adherence to laws, regulations, policies and procedures imposed on the operations of the company;

“compliance function” refers to the NWU’s specialist functions that facilitate and oversee risk management and compliance;

“control”, used as a noun, means a policy or procedure that is part of internal control;

“internal controls” are the measures and methods instituted by the NWU to conduct its business in an orderly manner, to safeguard its assets and resources, to deter and detect errors, ensure accuracy, produce reliable and timely information and to ensure adherence to its policies and procedures.

“opportunities” are those uncertainties that could occur and might lead to benefits or rewards for the NWU;

“process owner” is the individual who is responsible for managing and implementing a specific process as described in the quality manual of the department to which the person reports.

“regulatory universe” means the existing and emerging legislation with which the governance, management and administration of the NWU must comply.

“risk” is about the uncertainty of events, including the likelihood of such events occurring and their effect, both positive and negative, on the achievement of the organisation’s objectives. Risk includes uncertain events with a potential positive effect on the organisation (i.e. opportunities) not being captured or not materialising.

“risk appetite” is the amount and type of risk that the NWU is willing to take in order to meet its strategic objectives.

“risk management” is the process of forecasting and evaluating risks that might face the NWU, together with the identification of procedures to avoid or minimise their impact on the NWU;

“risk owner” is an individual who is responsible for monitoring that a particular risk is managed adequately, and this person might not be the process owner;

“risk rating” is the assessment of the identified risk and is a factor of the likelihood/probability of the risk event occurring, the impact should the risk event occur and the effectiveness of the current internal controls.


3. Policy statement

The Council of the North-West University (“the council”) considers a proper process and framework for the management of risk and compliance and provision of assurance to be of paramount importance for the good governance and effective and efficient management and administration of the North-West University.

It is therefore the policy of the North-West University to:

1.1        Create a framework for the strategic commitment of the NWU council and management for establishing a risk and compliance culture at the university as part of strategy-formation and -implementation, and of operational management.

1.2        Enable an environment for the optimal identification and management of risk and compliance at process and system levels.

1.3        Guide the role and responsibilities of assurance providers within an effective control environment.


4. The objective of risk and compliance management

4.1       To govern the NWU in terms of risk and compliance in order to meet the expectations of the council and stakeholders in the outcomes the NWU achieves and the manner in which such outcomes are achieved, through communication, transactions and management that are open and transparent.

4.2       To promote a performance culture affording the NWU an opportunity to focus on the objectives set in the Five-year Strategic Plan as well as the Annual Performance Plan, and to create an environment conducive to the recognition, communication and management of uncertainties (opportunities and threats) related to the relevant objectives.

4.3       To pursue an organisational focus on risk and compliance in order to support the NWU in integrating risk and compliance in an optimal way into organisational decision-making and business processes.

4.4       To implement decisions in a timeous manner in order to create and protect organisational value-add, after having considered all relevant information and taking into account uncertainty.

4.5       To create an understanding of, and to comply with, the relevant legal, regulatory and other obligations applicable to the university.

4.6       To create an understanding of those risks that threaten the ongoing business of the NWU, and to put in place relevant strategies and structures to minimise business disruption.

4.7       To ensure that the relevant assurance providers enable an effective and efficient internal-control environment.


5. Roles, responsibilities and accountability

5.1 Council and the Audit, Risk and Compliance Committee of Council (ARCC)

5.1.1    The council of the NWU is accountable and takes overall responsibility for the monitoring of the effectiveness and efficiency of risk-and-compliance management.

5.1.2    In governing these matters, the council delegates authority and sets limits of acceptable behaviour through relevant codes of conduct and the definition of risk appetite and risk tolerance.

5.1.3    In the execution of its function to advise the council on risk and compliance matters, the ARCC must –

            5.1.3.1   consider the likely consequences of existing or impending litigation against the NWU;

            5.1.3.2   determine whether mechanisms are in place to enable the university to comply with all relevant legal and statutory requirements;

            5.1.3.3   submit regular reports to council on risk and compliance matters;

            5.1.3.4   consider the assurance coverage obtained from management as well as internal and external assurance providers on all risks affecting the university;

            5.1.3.5   advise the council on the performance of its oversight functions regarding the university’s financial reporting process, the system of internal control, the risk and compliance management process, the audit process, and the monitoring of the risk and compliance function; and

            5.1.3.6   provide assurance to the council that the university’s operations with regard to risk and compliance management, control and governance processes are adequately addressed. 

5.2 University Management Committee (UMC)

5.2.1   The UMC is responsible for the management of risk and compliance and for achieving the objectives set by the council and managing uncertainty in relation to the set objectives.

5.2.2   In relation to the above, the UMC has the obligation –

           5.2.2.1   To promote a performance culture embedding risk management in decision-making and business processes;

           5.2.2.2   To establish procedures and standards to ensure compliance with NWU policies and rules;

           5.2.2.3   To create awareness of and ensure compliance with legal, regulatory and other obligations; and

           5.2.2.4   To keep the ARCC informed of matters relevant to risk and compliance.

5.3 Combined Assurance

5.3.1   In accordance with good practice, the NWU subscribes to a combined assurance model overseen by the council.

5.3.2   The council oversees the implementation of the combined assurance model designed and implemented to cover effectively the organisation’s significant risks and material matters through a combination of the following assurance service providers and functions as appropriate for the NWU:

  • Line functions that own and manage risks;
  • Specialist functions that facilitate and oversee risk management and compliance;
  • Internal Audit;
  • Independent external assurance providers such as external audit;
  • Other external assurance providers as appropriate; and
  • Regulatory inspectors.

5.3.3   The Combined Assurance Forum (CAF) of the NWU has the following mandate in regard to combined assurance:

           5.3.3.1   To consider the relevant reports in regard to risk management and risk control from various assurance providers;

           5.3.3.2   To report relevant matters to the ARCC via the UMC for purposes of covering the relevant lines of defence in regard to

  • the effectiveness of the control environment
  • the integrity of the data used for internal decision-making; and
  • the credibility of the information contained in relevant reports.

5.4 Corporate and Information Governance Services (CIGS)

The role and purpose of the CIGS are as follows:

5.4.1   To advise and support the Registrar on matters related to governance, risk and compliance management;

5.4.2   To establish an enterprise risk management and compliance framework that enables effective risk and compliance management to be implemented in a consistent way across the NWU;

5.4.3   To put measures in place to ensure appropriate levels of understanding and engagement in risk and compliance management through discussion, training and reporting;

5.4.4   To establish a business-continuity framework in order to ensure that possible disruptions and risks threatening the ongoing operations of the NWU are effectively countered and managed.

5.5 Internal Audit

The role and function of the Internal Audit function in regard to risk and compliance management matters are as follows:

5.5.1   To evaluate controls and advise managers at all levels, including assessing the tone and risk management culture of the university, as well as evaluating and reporting on the effectiveness and efficiency of the implementation of management policies;

5.5.2   To evaluate risks, as well as the significance of key activities and risk factors;

5.5.3   To analyse operations and confirm information in close relation with line managers in order to report findings;

5.5.4   To review levels of compliance at the university in regard to rules, regulations, laws, codes of practice, guidelines and principles as these apply individually and collectively to all parts of the NWU.

5.6 Employees

Employees must –

5.6.1   Actively seek to understand the objectives, risks, controls and obligations that relate to activities relevant to the work environment;

5.6.2   Support and participate in establishing a culture of risk and compliance management;

5.6.3   Undertake activities in compliance with legislation and NWU policies and procedures;

5.6.4   Identify and report risk events and instances of non-compliance; and

5.6.5   Report new risks, risks exceeding tolerance, breaches and weaknesses of controls to the relevant line manager, and as required under NWU policies.


6. Procedures and guidelines

The implementation of the policy takes place in accordance with the following procedures and guidelines:

6.1 A compliance framework consisting of the following components:

  • Identification of the regulatory universe and act owners;
  • Compliance risk identification and assessment, including identifying controls;
  • Compliance risk mitigation, including standards, procedures and guidelines;
  • Compliance monitoring;
  • Awareness and training;
  • Reporting; and
  • Record-keeping.

6.2 A risk-management framework consisting of the following elements:

  • Identification of risks and opportunities;
  • Identification of probable risk owners;
  • Evaluation of the risks (impact and probability);
  • Establishment of a risk appetite;
  • Gaining assurances about effectiveness of controls;
  • Identification of suitable responses to risk;
  • Reporting of significant risks;
  • Implementation, abatement and monitoring;
  • Risk-based internal auditing;
  • Awareness, training and record-keeping; and
  • Embedding and reviewing.