Compliance Policy
1.1) Dublin City University operates in a complex and ever-evolving compliance-driven environment and this, taken together with a low tolerance for not meeting its legal responsibilities and obligations (hereinafter referred to as its ‘compliance obligations’) as set out in the University’s Risk Appetite Statement, can make achieving compliance a challenge.
1.2) To meet this challenge the University understands the importance of having strong governance in place including a framework to identify and manage its compliance obligations.
Non-compliance with its compliance obligations is a risk to the University as it can lead to:
- damage to the University’s reputation and/or loss of public confidence;
- damage to property or injury to person(s), including death or disability;
- pecuniary damage in the form of fines and/or compensation;
- remedial costs that would not otherwise be incurred;
- loss of opportunity, or delay in the achievement of an opportunity; &
- avoidable disruption to business processes and activities.
2.1) This policy is intended to:
- set expectations for how the University will identify and assess its compliance obligations;
- identify how compliance obligations are to be managed;
- provide a framework around which the University will monitor and report on compliance;
- establish a consistent and effective approach to the identification and documentation of the University’s compliance obligations;
- provide for the procedures to be followed to record, escalate, and resolve identified instances of non-compliance;
- integrate and align compliance management with the University’s risk management framework and business processes;
- develop a culture of compliance awareness;
- ensure that compliance obligations are considered when making strategic management decisions;
- provide for the management of compliance obligations to be integrated into standard management practices and accountability processes;
- support an environment where management and staff take responsibility for compliance obligations; &
- encourage review of, and improvement in, the University’s compliance management framework.
This policy applies to all units of the University, both academic and support, including its research centres and wholly owned campus companies. The policy relates to compliance obligations that arise from applicable legislation and external regulations.
4.1) Compliance Obligations
The University’s Risk Appetite for compliance risk is low and it seeks to meet its compliance obligations to the best of its endeavours. Where possible, the University will look to satisfy its compliance obligations in the simplest and most effective way.
4.2) Publication of Framework & Policies
The following will be maintained and published on the University’s website by the Office of the Chief Operations Officer:
a) Corporate Compliance Framework Webpage (CCFW)
The CCFW will display a listing of the key compliance obligations with which the University must comply.
b) Central Policies Webpage (CPW)
The CPW will display the policies by which the University governs its internal affairs. It will include information on the Policies, Statutes, Codes, Charters and Regulations that will be of particular interest to staff, students and the general public.
4.3) Legal Advice
The Chief Operations Officer may request advice from the University’s legal advisors with regard to any changes in applicable and/or relevant legislation.
5.1) The University President has overall responsibility for compliance and is answerable to the Governing Authority for this function.
5.2) The Chief Operations Officer (COO) is the University’s Compliance Coordinator and is supported in this role by the Risk and Compliance Officer (RCO), Senior Management and the Heads of Units across the University.
5.3) The Risk & Compliance Officer (RCO) will draft the list of the most relevant legislation and regulations identified as DCU compliance obligations and will submit it to the University Executive for approval on a periodic basis to be determined by the COO. Upon approval, that list will constitute the current CCFW.
5.4) For each item on the CCFW, a member of the Senior Management Group (referred to hereinafter as the ‘Compliance Manager’) is identified as having delegated responsibility for ensuring that the University has appropriate knowledge of, and adequate internal controls in place to manage, compliance.
5.5) The Compliance Manager may delegate their responsibility to manage day-to-day compliance for their item(s) to another post holder in their area (referred to hereinafter as the ‘Compliance Officer’). However, responsibility for managing compliance may not be delegated further.
5.6) The COO is responsible for maintaining a log of reported compliance breaches and will make the log available to Internal Audit on request.
5.7) The COO is responsible for putting in place an annual survey to monitor the effectiveness of the University’s internal compliance controls.
5.8) Compliance Managers (or the Compliance Officer where the responsibility has been delegated) are responsible for:
a) oversight of compliance in their areas of responsibility;
b) demonstrating compliance leadership within their area;
c) maintaining and continuously improving compliance management in their area;
d) promoting an ethical and positive compliance culture within their area;
e) communicating the existence of compliance obligations to those in the University expected to uphold them;
f) providing, or otherwise obtaining and communicating, advice and/or guidance on how to meet compliance obligations;
g) identifying, assessing and managing compliance risks for those elements for which they have responsibility;
h) reporting to the COO or the RCO any emerging or residual compliance risks in a timely manner;
i) reporting incidents of non-compliance to the COO or the RCO;
j) supporting Heads of Unit to ensure compliance;
k) developing policies, systems, procedures, education and training to guide the behaviour of staff, and where appropriate, students and others;
l) actively monitoring compliance management within their area; &
m) formally notifying the RCO on a regular basis as to whether effective internal controls are in place to ensure compliance within their area of responsibility.
5.9) Heads of Unit are responsible for:
a) day-to-day responsibility for the management of compliance obligations within their area;
b) incorporating compliance management into standard management practices;
c) identifying and determining appropriate actions to address operational compliance gaps or risks within their area of responsibility;
d) implementing policies and procedures with respect to compliance management; &
e) reporting incidents of non-compliance, or any conditions that prevent compliance, to the relevant Compliance Manager or Compliance Officer, and separately to the COO and the RCO.
5.10) All staff are responsible for:
a) meeting their relevant compliance obligations in their day-to-day work activities;
b) having an awareness of their compliance obligations and how these affect their work activities and functions;
c) implementing policies, procedures and directions with respect to compliance management; &
d) reporting incidents of non-compliance, or conditions that prevent compliance, to their line manager.
5.11) Internal Audit may audit compliance with this policy at any time. If guidance is sought by a Compliance Manager/Officer, the RCO, or the COO, Internal Audit may advise on the development of tools (e.g. self-assessment checklists) to support effective compliance management.
Internal Audit is responsible for:
a) developing the University’s Combined Assurance Framework;
b) regularly reviewing the log of compliance breaches and taking breaches into consideration when audit planning; &
c) reporting and making recommendations to the COO and to the Governing Authority Risk Committee on compliance matters.
5.12) Incident Reporting – COO
When a suspected breach of a compliance obligation (i.e. an ‘incident’) is reported to the COO, or to the RCO, it will be categorised as one of the following types:
a) Type 1 – an isolated incident where there are controls in place to prevent recurrence.
b) Type 2 – an isolated incident where there are no controls in place to prevent recurrence.
c) Type 3 – an ongoing series of incidents arising in an environment where there are controls in place to prevent further incidents.
d) Type 4 – an ongoing series of incidents arising in an environment where there are no controls in place to prevent further incidents.
5.13) The COO shall determine whether a reported incident qualifies as a breach. If an incident is determined to be a breach, it shall be added to the log of compliance breaches. The COO will also notify the breach to the relevant Compliance Manager.
5.14) The COO will submit to the Governing Authority Risk Committee an annual report with a list of logged breaches received in that year along with a summary of any remedial actions taken to prevent recurrence, or to better manage compliance obligations, in the future.
5.15) The COO will notify the Head of Internal Audit when any Type 3 or Type 4 incidents are added to the log of compliance breaches.
Failure to comply with this policy may be the subject of disciplinary action in accordance with the University’s disciplinary procedures.
7.1) A reference to a compliance obligation in this policy includes a reference to:
a) the laws of the State; and
b) the laws of another country in which the University operates, or where the University is subject to legal obligations.
7.2) For the purpose of this policy, a reference to a ‘law’, and ‘legal’ includes:
a) legislation and statutes;
b) standards and requirements mandated under legislation;
c) EU Regulations;
d) regulations made under legislation; and
e) common law obligations (e.g. duty of care).
8.1) This policy should be read in conjunction with the following University documents:
a) Risk Management Policy
b) Risk Appetite Statement
c) Compliance Procedures
8.2) This policy should be read in conjunction with the University’s Risk Management Policy because under the University’s Risk Management Policy, all Heads of Units are responsible for managing the risks and opportunities associated with their areas and for documenting these risks in their Unit / Operational level risk registers.
If you have any questions in relation to this policy please contact the Office of the Chief Operations Officer at:
E: coo@dcu.ie
This policy will be reviewed as and when deemed necessary by the Office of the Chief Operations Officer.
| Policy Name | Compliance Policy | |
|---|---|---|
| Unit Owner | Office of the Chief Operations Officer | |
| Version Reference | Original Version 2.0 | Reviewed Version |
| Approved by | Executive | N/a |
| Effective Date | 2nd September 2025 | N/a |

| Legislation / Regulations | Compliance Manager | Compliance Officer | Link |
|---|---|---|---|
| Climate Action and Low Carbon Development Act | COO | Sustainability Manager | Sustainability at DCU |
| Charities Act 2009 | COO | Deputy COO with responsibility for charities governance | N/a |
| Children First Act | COO | Deputy COO with responsibility for child protection | Child Protection |
| Companies Act 2014 | COO | Deputy COO with responsibility for companies secretarial compliance | N/a |
| Control of Exports Act 2008 and Regulation (EU) 2021/821 & Regulation (EU) 2023/66 | COO | Deputy COO with responsibility for Export Control | Export Control at DCU |
| Data Protection Acts | COO | Data Protection Officer | Data Protection Unit |
| Employment Acts | VP for People & EDI | N/a | DCU People |
| Employment Equality Acts | VP for People & EDI | EDI Manager | DCU People |
| EU Public Procurement Directive, including related Government regulations and guidelines | Director of Finance | Strategic Procurement and Supply Chain Manager | DCU Procurement |
| Ethics in Public Office Act 1995 | COO | N/a | OCOO |
| Freedom of Information Act 2014 | COO | Freedom of Information Officer | FOI Office |
| Higher Education Act 2022 | COO | N/a | N/a |
| Health and Safety Acts | COO | Health and Safety Manager | H&S |
| Official Languages Act 2003 & 2021 | COO | Irish Language Officer | Oifig na Gaeilge |
| Ombudsman (Amendment) Act 2012 | COO | Ombudsman Liaison Officer | Ombudsman Liaison |
| Protected Disclosures Act 2014 | COO | N/a | OCOO |
| Qualifications and Quality Assurance (Education and Training) Act 2012 | | | |
| Universities Act 1997 | COO | N/a | OCOO |
| Standards in Public Office Act 2001 | COO | N/a | OCOO |
| Value-Added Tax Consolidation Act 2010 | Director of Finance | N/a | Finance |
