COMPLIANCE RISK MANAGEMENT CHARTER & FRAMEWORK V 1.0
Compliance risk charter and framework v 1.0 dd 19-9-17
Edition: 1
15-06-2017
Table of Contents
PART 1 Tilburg University Compliance Risk Management Charter
1 TiU Compliance Risk Management Strategy
  Mission of the Compliance function
  Purpose of the Compliance Risk function
2 Definition and scope of compliance risk
  Compliance risk
  Integrity and reputation risk
  Scope of Compliance Risk Management
3 Compliance risk management responsibilities
  Responsibilities of management
  Responsibilities of every employee
  Responsibility of Legal Affairs
  Responsibilities of Compliance Officer (GRC officer)
4 Authority and capabilities of Compliance Officer (GRC)
5 Reporting
PART 2 Tilburg University Compliance Risk Management Framework
1 TiU principles – the foundation of the framework
2 Manage Compliance Risk – 3 lines of defense model
3 The framework within TiU
4 The key components of the framework and the key activities of the RCF
  The Risk Control Framework and the five activities
  4.1.1 Identification of compliance obligations
  4.1.2 Risk assessment
  4.1.3 Compliance risk mitigation
  4.1.4 Compliance risk monitoring
  4.1.5 Compliance risk reporting (including incident management)
  Compliance risk management advisory
Tilburg University Compliance Risk Management Charter and Framework
The goal of Tilburg University (TiU) is to actively contribute to society. The university wants to serve society and make it a better place for all citizens. TiU has always actively promoted ways to firmly embed education and research into society. In the strategic plan, 5 ambitions have been defined in order to achieve these goals:
- Quality comes first
- Innovation according to a focused method
- Connections through networking
- Focused international cooperation
- One single, effective university
Good compliance risk management is necessary to meet the ambitions with regard to quality and one effective university. TiU wants to be a university that its stakeholders and society can trust. Good compliance risk management is part of the license to operate. It builds trust and protects our good name in society. Effective compliance risk management means meeting our compliance obligations and protecting against loss and damage. It improves our way of operating for all stakeholders and is vital for sustainable operations.
In this document we describe the way we have embedded compliance risk management in TiU, with the goal of effectively managing the compliance risks.
Charter: in the charter we describe the roles and responsibilities for compliance risk management
Framework: in the framework we outline the methodology, tools and methods that are used.
PART 1 Tilburg University Compliance Risk Management Charter
The purpose of the Charter is to define the organization, operation and
governance for compliance risk management for Tilburg University. The charter
applies to all staff.
The charter requires the definition of a good Compliance Risk management
Framework and a Compliance officer and describes the roles and
responsibilities with regard to compliance risk management for Tilburg
University.
1 TiU Compliance Risk Management Strategy
Effective management of Compliance Risk is a keystone in building trust. It enables TiU to protect its reputation and reduce losses and costs, and it helps to minimize the risk of investigations, prosecution and penalties, because we do the right things in the right way.
Mission of the Compliance function
Together with the organization and the business owners, ensure that compliance risk management is embedded in daily activities in order to maximize trust and minimize the related risks.
Purpose of the Compliance Risk function
The compliance risk function operates within the general risk management framework (see the Risk Management Charter and Framework for more detail) and is built in line with the COSO ERM[1] model. COSO identifies the relations between the risks and the internal control system. Within the context of the mission, vision and strategic objectives it implements a process of management, control, reporting and review. Internal control is a process that provides reasonable assurance regarding the realization of the goals with regard to:
- Realization of strategic objectives (strategic)
- Effectiveness and efficiency of processes (operations)
- Reliability of (financial) information (reporting)
- Compliance with applicable law and legislation
An effective (risk) control system contains 8 elements that are related to the management process:
- Internal environment: this relates to the culture of the internal organization and comprises the risk management philosophy, the risk appetite and the integrity and ethical values of the organization.
- Objective setting: objectives must be defined in order to define the risks of not realizing them.
- Event identification: internal and external events that influence the realization of the objectives must be identified. This includes risks and opportunities.
- Risk assessment: risks need to be assessed in terms of likelihood and impact.
- Risk response: for each risk the most appropriate response must be selected (avoid, accept, mitigate or transfer) in order to align the risk with the risk appetite.
- Control activities: in order to mitigate the risks, controls (policies, procedures, checks) must be identified and implemented.
- Information and communication: relevant information must be identified and communicated.
- Monitoring: monitor the effectiveness of risk management and implement changes for improvement.
Within this framework the purpose of the compliance officer is to:
Risk Management element | Compliance purpose
Internal environment | Deepen the culture of compliance by partnering with the business to increase a culture of trust, accountability, transparency and integrity.
Objective setting | Support the TiU strategy by clearly defining roles and responsibilities with regard to compliance risk management and proactively advise TiU with regard to compliance risks, using a risk-based approach to align business outcomes with the risk appetite.
Event identification | Understand and advocate the rules, regulations and laws in order to identify compliance risks and the related events, by working together with the business.
Risk assessment | Assess the compliance risks in cooperation with the organization.
Control activities | Define and assess the effectiveness of compliance risk controls in cooperation with the business, in line with the defined risk strategy.
Information and communication | Develop and enhance tools to detect, communicate, report and manage the compliance risks in order to limit surprises.
Monitoring | Implement a monitoring and reporting system with regard to the effectiveness of risk management.
[1] COSO ERM: the COSO ERM model is the most commonly used framework for the implementation and assessment of risk management and was defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
2 Definition and scope of compliance risk
Compliance risk
Compliance risk is the risk of impairment of Tilburg University’s integrity. It is a failure (or perceived failure) to comply with applicable laws and regulations and internal policies and procedures. Non-compliance could damage TiU’s reputation, lead to legal or regulatory sanctions and/or cause financial losses.
Integrity and reputation risk
Compliance risk is also referred to as integrity risk, because integrity is the focus in managing compliance risk. Compliance risk may sometimes be referred to as reputation risk, but the reputational effect is only one of the possible effects of a compliance risk, besides sanctions and financial losses.
Scope of Compliance Risk Management
It is impossible to cover compliance with all applicable law and legislation; Compliance risk management is therefore limited to compliance with law and legislation with regard to the core activities of TiU, as well as integrity risks.
TiU has implemented an integral management concept, which means that the manager accountable for an activity is also accountable for compliance with law, regulations and standards with regard to this activity. They must implement measures to ensure that they comply with law and legislation with regard to their activities and that they are aware of changes in law and legislation with regard to these activities.
TiU has a central legal department that operates as an internal advisor / consultant with regard to law and legislation for the Executive Board. On request of faculties and divisions they also provide advice on individual cases and e.g. the interpretation of law and legislation.
Laws and regulations related to[2] | Responsible department
Governance (chapter 9 of the WHW) | Executive Board, advised by Legal Affairs
Privacy law | Department responsible for the activity[3]
Accounting | Finance & Control
Tax | Finance & Control
Insurance | Finance & Control
Employment | Human Resources
Education, research and valorisation | Faculties
Procurement | Inkoop en aanbesteding
Treasury | Finance & Control
All other | Department responsible for the activity
[2] In the Structuurregeling and the Bestuurs- en Beheersreglement certain exceptions have been defined. See the list below for these exceptions.
[3] A general policy (based upon the AVG, formerly WBP) is issued by the Executive Board (coordinated by Legal Affairs).
In the Structuurregeling and the Bestuurs- en Beheersreglement (article 3.9) certain responsibilities are listed that cannot be mandated by the Executive Board. For these activities the Executive Board is therefore the responsible department. They concern:
Area | Responsibility with regard to
Human Resources | Recruitment or dismissal of full professors or directors of central services and divisions.
Human Resources | Implementing disciplinary measures.
Treasury | Entering into or providing loans or investments of money (treasury), including the opening of new bank accounts.
Finance & Control | Acceptance of donations and legacies.
Real Estate Management / Treasury | The foundation of estates; the acquisition, sale, mortgaging and giving in use of real estate, including the provision of permission to withdraw the mortgage subscription and seizures, as well as all deeds of ownership.
Legal Affairs | Engagement and prosecution in legal proceedings, the assignment of disputes to arbitrators, the commencement of dates, the approval of an agreement, the resignment in legal decisions or in decisions by arbitration.
All | Entering into an agreement that exceeds the value that has been defined by the Executive Board (NB €250.000).
Legal Affairs has an advising and consulting role with regard to laws and legislation. They work primarily for the Executive Board.
The compliance officer (GRC officer) will perform compliance risk assessments for the following laws and legislation:
- Wet op het hoger onderwijs en wetenschappelijk onderzoek (WHW) d.d. 8 oktober 1992
- Algemene Verordening Gegevensverwerking (AVG), formerly Wet Bescherming Persoonsgegevens
- Wet Normering Topinkomens (WNT)
- Gedragscodes Vereniging Samenwerkende Nederlandse Universiteiten[4]:
  o Code of good governance (Gedragscode goed bestuur)
  o Code of use of personal data in research (code voor gebruik persoonsgegevens in wetenschappelijk onderzoek)[5]
  o Code of ethics for scientific practice (code wetenschappelijke integriteit)
  o Code of conduct for international students (code international student)
[4] See www.vsnu.nl for the codes.
[5] This code of conduct is currently under revision to align it with the new European guidelines for data protection. It should be compliant with the new AVG.
3 Compliance risk management responsibilities
Compliance risk is the responsibility of all staff members of Tilburg University.
Responsibilities of management
Management is accountable for all the processes they perform and in that role is also the owner of compliance risk management with regard to their activities.
They must set a good example with regard to considering the expectations of the stakeholders, knowing and applying the rules, and defining and encouraging a culture where people are trusted and accountable for their activities. They are also responsible for monitoring changes in law and legislation with regard to their activities, e.g. by using their networks.
The Executive Board is ultimately responsible for compliance of Tilburg University with all applicable
laws and legislation and managing all risks associated with the activities of TiU. The Executive Board will
report Compliance issues and report on the risk management & control systems to the Audit Committee
and the Board of Governors (supervisor).
The directors of divisions and faculties are responsible for compliance risk management for all the
activities in their department / faculty.
At all levels management must create an environment of individual and collective accountability in which the importance of meeting compliance obligations is well understood. Management achieves this in part by providing sufficient resources (training, budget, staffing) to its compliance management function to ensure effective compliance risk management. The specific responsibilities are outlined in the framework.
The Executive Board has appointed a Governance, Risk and Compliance Officer to manage the
Compliance Risk.
Responsibilities of every employee
Every employee of TiU is responsible for managing compliance risk and complying with applicable law and legislation (external and internal) in personal and business conduct.
Management is responsible for identifying, communicating and training the minimum compliance requirements that employees must comply with in day-to-day operations. They must reward or sanction employees’ performance against these requirements.
Employees must find out which compliance obligations impact their activities and must make sure that they understand and implement them.
The compliance obligations are formalized in:
- Laws and legislation
- Codes of Conduct
- Policies (beleid)
The approval process for new policies and standards is formalized and managed by the Secretary of the Board. In the case of university-related policies that have a legal effect (and therefore risk) and that need to be approved by the Executive Board, the Legal Affairs department is always consulted before approval (this is included in the approval process). In the case of faculty-related policies (e.g. in the Onderwijs en Examenreglement (OER)), this consultation of Legal Affairs is not mandatory.
Responsibility of Legal Affairs
The Legal Affairs department has an advisory and consulting role for the Executive Board and the whole Tilburg University organization. All policies with a legal impact (and therefore risk) that are approved by the Executive Board are validated by the Legal Affairs department via the standard approval process. For faculty-related policies this is not standard, but Legal Affairs can be consulted.
In the case of implementation of (changed) laws with an impact on the whole organization, the Legal Affairs department can play a coordinating role, e.g. with the implementation of the WHW and the new AVG.
All contractual agreements with a financial impact of €250.000 or more need to be signed by the President of the Executive Board. These contracts are validated upfront by the Legal Affairs department, which assesses the legal impact and provides advice with regard to risk. Contracts with a financial impact of €250K or less are mandated to the faculties. In these cases assessment by the Legal Affairs department is not mandatory, but the department can be consulted.
Responsibilities of Compliance Officer (GRC officer)
The GRC officer is responsible for the following:
- Manage day-to-day activities with regard to Compliance.
- Define and implement the compliance risk management framework in line with the general risk management framework. Drive the ongoing evolution of the Compliance Risk Framework.
- Facilitate, advise and support the faculties and departments in defining the Compliance Risk Framework for their activities, including training and communication support.
- Oversee Compliance Risk management activities in all faculties and divisions. Advise and support the faculties and divisions in this respect.
- Identify new or changed law and legislation and identify the impact and necessary changes for TiU.
- Advise on all policies for TiU.
- Advise and support the organization in changes and processes with respect to Compliance Risk management, e.g. by participating in projects.
- Ensure adequate and timely reporting with regard to Compliance incidents and Compliance Risk management.
4 Authority and capabilities of Compliance Officer (GRC)
The Compliance Risk function (GRC officer) requires some rules with respect to the authority of the Compliance Risk management function with regard to:
Independence: To avoid potential conflicts of interest the GRC Officer must be independent of the business activities and report directly to the Chairman of the College van Bestuur of Tilburg University.
Investigate and challenge: When the GRC officer perceives a Compliance Risk, or when a Management Decision may give or has given rise to a significant financial or reputational risk for TiU, he/she must investigate and challenge any actions or concerns without influence from the business. If the matter is not promptly resolved, the GRC Officer must follow the escalation process.
Escalation: When the GRC officer escalates a matter, he/she must decide whether to advise the Executive Board that the course of action would result in an unacceptable compliance risk and that the action cannot proceed. Management must postpone the execution of the action until a decision has been taken by the Executive Board.
Access: The GRC officer must, at all times, have unfettered and direct access (in accordance with applicable law and legislation) to all activities in their area of responsibility. This includes all documentation, systems (e.g. complaints registers, whistleblower reports and files), employees, the Chairman of the Executive Board, directors, staff members etc. that the GRC officer reasonably believes are necessary to execute their responsibilities effectively. The GRC officer must have the opportunity to attend (relevant) meetings to raise any matters that are reasonable and necessary.
Liaison and partnering: The GRC officer must work closely together with Legal Affairs, employees and management to ensure knowledge exchange about regulations and to ensure compliance risk management. NB: the Executive Board is the contact for the supervising authorities.
Capabilities, evaluation and remuneration: The GRC officer must have the necessary qualifications, experience and professional and personal skills to enable him/her to carry out the responsibilities effectively. He/she must have an overall understanding of the activities and governance of Tilburg University. He/she must understand the obligations, legislation and standards that impact the activities. The GRC officer must coach and train new management regarding compliance. The GRC officer must have the opportunity to develop his/her skills. The remuneration of the GRC Officer will be in line with the Collective Labour Agreements.
Recruitment and termination: The President of the Executive Board will decide whether to appoint or terminate the GRC Officer.
5 Reporting
The GRC officer will report at least quarterly to the President of the Executive Board on the effectiveness of the implementation and embedding of compliance risk management in Tilburg University. This report will contain:
- Upcoming laws and legislation with an effect on the activities of Tilburg University
- Status update on compliance risk management implementation
- Key Compliance Risks
- Incidents reported with respect to compliance
- Status of action plan implementation
All incidents will be reported by the GRC officer to the President of the Executive Board within 5 working days after detection. Incidents that are reported under the whistleblower regulation or with regard to scientific integrity are excluded from this reporting; the regulations with regard to whistleblowing and scientific integrity define separate reporting, in which advice is provided. The GRC officer will receive this advice, analyze it and, in cooperation with the accountable departments, define an action plan. The monitoring of the follow-up of this action plan will be included in the standard process. The Executive Board will ensure the reporting to the Board of Governors via the standard process.
PART 2 Tilburg University Compliance Risk Management Framework
The Tilburg University (TiU) compliance risk management framework (framework) comprises the principles, processes and tools that the organization uses to manage Compliance Risk. It is essentially a risk management program.
The framework is a key tool for the organization and all of its employees and supervisors to understand – and apply – our approach to compliance risk management. It also creates transparency to our external stakeholders.
The important topics for managing Compliance Risk are:
1. The business principles of Tilburg University – the foundation for the framework
2. The three lines of defense model to manage Compliance risk
3. The framework in our business
4. The key components and the key activities of the chart (RCF)
This framework complements, and should be read together with, the Charter. Modifications in the Framework must be aligned with the scope of the charter.
1 TiU principles – the foundation of the framework
The Business principles of Tilburg University express what the University holds
dear, what we believe and what we aim for. Individually each principle is equally
important and taken as a whole they define our collective conscience. As such
they are the foundation of everything we do.
The principles are defined in our code of conduct (rules of behavior), which can be found on the intranet. Those who work or study at Tilburg University:
- Behave appropriately and are conscientious and trustworthy
- Show respect for each other
- Use their expertise in their field of study to contribute to an inspiring working environment
- Are involved with both individuals and society
2 Manage Compliance Risk – 3 lines of defense model
The three lines of defense model that Tilburg University has implemented helps us to mitigate the (compliance) risks; it applies to all faculties and divisions within the University. This model is essential for the effective operation of the Compliance Risk management Framework.
Tilburg University manages compliance risk based upon the three lines of defense model: Executive Board and Management, the Compliance Risk management function and the Internal Audit department. The three lines of defense model distinguishes among functions that own and manage risks, functions that monitor and oversee risks, and functions that provide independent assurance.
Defense line 1: Management
The first line of defense develops and implements mitigation activities, including monitoring and reporting, for managing Compliance risks in business activities. The directors and management manage risks day-to-day and they are affected by the consequences of the risks.
Defense line 2: Compliance Risk management function
The second line of defense, in cooperation with Legal Affairs, identifies relevant compliance risk-related laws, regulations and standards. They translate the law into compliance obligations and assist management in identifying their compliance risks. They help management to identify activities that mitigate the compliance risks (controls) within the risk appetite of the University. They monitor the control of the compliance risks and advise on compliance risk related matters. They work together with other second line of defense functions (Finance & Control) to provide objective challenge and support, escalating matters when necessary to help optimize the trade-off between risk and reward. The second line of defense serves in an advisory and validation role as the organization designs, implements and embeds policies and guidelines, tracks internal mitigation activities (action plan management) and executes training on compliance related subjects.
Defense line 3: Internal Audit
The third line of defense provides management with independent, objective assurance on the overall effectiveness of the design and operation of internal controls (mitigation activities).
Figure: the three lines of defense under the Executive Board. First line of defense: management. Second line of defense: staff departments (Governance, Risk & Compliance, Finance & Control). Third line of defense: Internal Audit (independent).
3 The framework within TiU
The University operates in a complex environment governed by law and legislation (e.g. the Wet op het Hoger Onderwijs en Wetenschappelijk Onderzoek) and extensive compliance obligations. The reputation of TiU is one of the key assets of the organization.
It is therefore important that TiU complies with the letter and spirit of the obligations, both in its systems and processes and in the conduct of employees and students. To achieve this we have implemented a framework to manage the Compliance Risks.
The Framework consists of 2 components:
- The Risk Control Framework
- Advisory Services
The Compliance Risk Control Framework (RCF) reflects the key activities that need to be performed in order to understand and manage the Compliance risks. These are activities that the first line of defense must implement.
Advisory Services is the specialized support and advice that the first line of defense receives to help manage the compliance risks more effectively.
4 The key components of the framework and the key activities of the RCF
The Risk Control Framework and the five activities
The Compliance RCF is a vital part of the framework as it provides an overview of the compliance obligations and the risks arising from law and legislation and their implementation in Tilburg University. The chart is the outcome of a continuous process and consists of 5 key activities that are listed in the chart:
1. Identification of Compliance Obligations
2. Risk assessment
3. Compliance Risk Mitigation (incl. training and education)
4. Compliance Risk monitoring (incl. action tracking)
5. Compliance Risk Reporting (incl. incident management)
The RCF provides an overview of the applicable law, legislation and standards that apply to a certain activity (operations). It also outlines how the risk mitigation measures are implemented, in other words how compliance obligations are embedded and ensured. It helps the business in the awareness of the obligations and it helps to provide assurance about compliance risk management to stakeholders like regulators, auditors and employees, as all information is centralized.
The RCF must contain the following:
1. Reference to the key compliance related laws, regulations and standards
2. Clear descriptions that capture the relevant obligations from these laws and the risks arising from these obligations
3. Risk assessment of these risks (impact assessment) without and with the current controls in place (gross and net risk assessment), in line with the overall Risk management methodology
4. The process to which the obligation and the related risks are linked
5. The implemented controls that mitigate the risk
6. The process owner (accountable), who is also responsible for the compliance risks and the related controls
The chart must be as practical, brief and concise as possible, and must link to existing and newly identified activities. The methodology is aligned with the methodology regarding risk management.
Management must:
1. Help the GRC officer develop and update the RCF by clearly identifying the principal business activities and relevant processes affected by the obligations.
2. Identify the employees that have managerial accountability for, and are accountable for the execution of, an activity outlined in the RCF.
3. Formally approve the RCF for their activity / entity.
4. Notify GRC immediately of any changes in activities that have an effect on the RCF.
Governance, Risk & Compliance Officer must:
1. Develop and maintain a RCF for the University (entities) with the assistance of management.
2. Demonstrate that all the elements of the chart have been discussed and approved by the accountable management.
3. Report material changes in law and legislation (monitored by Compliance) to responsible management and the President of the Executive Board.
Figure: the RCF cycle of five key activities: 1 Identification of compliance obligations, 2 Risk assessment, 3 Compliance risk mitigation, 4 Compliance risk monitoring, 5 Compliance risk reporting.
4.1.1 Identification of compliance obligations
The RCF must be kept up to date. It must at all times reflect the compliance obligations and related risks that arise from the international (European) and local (Dutch) laws, regulations and standards that apply to the activities of Tilburg University. In general, laws and regulations will be transposed into internal policies (beleid, richtlijnen: policies and guidelines). Inclusion of compliance obligations in the RCF is risk-based.
Legal Affairs must:
1. Provide (on request) advice and consultation with regard to law and legislation that affect the activities of TiU.
2. Validate all policies with legal impact (and risk) that need approval of the Executive Board with regard to compliance with law and legislation (standard process).
3. Validate the faculty regulations (faculteitsreglement) for legal impact (and risk), as they need approval of the Executive Board.
4. Provide standard clauses that need to be implemented by the faculties in the Teaching and Examination Regulations (Opleiding en ExamenReglement, OER).
5. Confirm at least annually that the Compliance Risk Framework:
a. accurately reflects the applicable compliance law and legislation;
b. contains only valid compliance obligations.

Management must:
1. Identify new and changed compliance obligations with regard to the activities they are accountable for, in cooperation with Legal Affairs (consultation) and the GRC Officer.
2. Identify, together with the GRC officer, the compliance risks that arise from the compliance obligations.
3. Implement the applicable changed law (compliance obligation) in their activities.
4. Formalize the changes in policies, processes and working instructions.
5. Inform and train staff members with regard to these changes.

GRC officer must:
1. Identify, with management and Legal Affairs, the related compliance obligations and update the RCF.
2. Translate compliance-related law and legislation into compliance obligations (in cooperation with a legal expert).
3. Enter the compliance obligations in the Risk Control Framework.
4. Ensure that the agreed-upon compliance obligations are implemented.
4.1.2 Risk assessment
Risk assessment is an ongoing process and follows the identification of compliance obligations. It consists of the following steps, which are aligned with the general risk management standard (for more detail see the Risk management charter and framework):
1. Identification of the risk, with a clear description of the risk that contains:
a. The cause of the risk, called the factor (what could trigger the risk).
b. The effect / consequence of the risk (what the impact of the risk is, e.g. a penalty, reputational damage, imprisonment, ...).
2. Assessment of the risk using the standardized risk grid that has been prepared for risk management. It consists of an assessment of the frequency and the gravity of the risk and is done for:
a. Gross risk / inherent risk: the risk without taking into account the implemented controls.
b. Net risk / residual risk: the risk after the implementation of the controls.
Management must:
1. Participate in and contribute to the risk assessment sessions to define the risks and assess the impact.
2. Work with GRC and Legal to identify the high compliance risks (risk assessments).
3. Work with GRC and Legal to identify the controls that mitigate the (high) compliance risks.
4. Validate and approve the outcome of the risk assessment.
5. Inform the GRC officer in case of any changes that impact the compliance risks.

Governance, Risk & Compliance Officer must:
1. Ensure that the compliance risks are integrated in the assessment process.
2. Participate in (facilitate) all risk assessments.
3. Rate and rank, in cooperation with management, the current and anticipated critical and high residual compliance risks and determine the mitigation measures.
4. Ensure that the reporting regarding compliance risk contains the information regarding the risk assessments.
5. Review and update the compliance risk mapping at least annually, in cooperation with management.
4.1.3 Compliance risk mitigation
Compliance risk mitigation is the process of developing and implementing controls that mitigate the compliance risk, such as documentation (policies, procedures), organization (e.g. training and awareness), security (e.g. segregation of functions, authorizations) and checks (level 1 and level 2).
Law and legislation may change from time to time, and such changes must be implemented in the operations of Tilburg University. Most often they will be transposed into policies (beleid).
DOCUMENTATION
The framework components (controls), such as policies, must be developed and communicated so that employees understand their obligations (e.g. whistleblower, gifts, work for third parties). All documents must be easily accessible for employees and/or students via the intranet. All documentation (all versions) is centralized in the departments responsible for these policies (the accountable department). They must ensure adequate version management.
Management must:
1. Within the time agreed with the GRC Officer, establish and implement specific appropriate activities (controls) to mitigate the compliance risks in the business processes.
2. Ensure that policies and processes are defined (made), implemented and distributed (communicated), and that they are stored using adequate version management.
3. Ensure that the organizational unit meets its obligations and embeds the activities that mitigate the risks in its own activities.
4. Work with the GRC Officer to ensure that the framework components are presented in a way that employees at all levels can access and understand.
5. Take the measures necessary so that employees' behaviour conforms to the framework (the compliance-related policies, including the University's principles (values)).
6. Include in all job descriptions and policies that the employee will be held accountable for meeting the compliance obligations, in line with article 1.8 of the CAO (collective labour agreement), which, translated from the Dutch, reads: 'The employee is obliged to perform his duties to the best of his ability, to conduct himself as a good employee and to act in accordance with the instructions given by or on behalf of the employer.'
7. Store and archive all policies and ensure version management. Monitor publication on the intranet.

Legal Affairs must:
1. Validate the policies with legal impact (and risk) that need approval of the Executive Board.
2. On request of faculty management, validate faculty-related policies that are based on law and legislation (e.g. the WHW) for compliance with the legal obligations.

Governance, Risk & Compliance Officer must:
1. Advise management about their compliance obligations.
2. Assist management in identifying risk mitigation measures. Raise issues that may have an impact on the suitability of existing mitigation measures to management and the President of the Executive Board.
3. Monitor that the framework components are developed and communicated so that employees understand their responsibility.
4. Establish and maintain the GRC information, documentation and procedures that GRC uses, such as this Charter and Framework, and ensure that they are available at all times.
ORGANIZATION (INCL. TRAINING AND AWARENESS)
The compliance culture is reinforced by employees having good knowledge of the organization's compliance requirements. This is realized via communication and training / education, which builds awareness and understanding of the compliance risk management standards.
If necessary, compliance-related training and education will be created on this subject. It is also very important that new staff members are informed about their compliance obligations (e.g. code of conduct, working for third parties, etc.) as part of their training program. Refresher training and activities must also be available for existing staff members.
Management must:
1. Develop training programs for compliance-related training and education.
2. Ensure delivery of compliance-related training at the start of employment, and regularly organize activities to refresh knowledge, including new subjects. All employees must receive the training necessary to perform their role.
3. Ensure the execution of the compliance-related training and maintain attendance / participation and assessment records.

Governance, Risk & Compliance Officer must:
1. Advise management about their compliance obligations.
2. Assist the training department and/or other departments in developing, maintaining and executing training material.
3. Serve as content expert for compliance-related training material.
4. Monitor the quality and frequency of compliance-related training.
4.1.4 Compliance risk monitoring
EXECUTION OF LEVEL 1 OR LEVEL 2 CHECKS
The monitoring of compliance risks makes it possible for the business to verify whether the risk mitigation activities are working adequately and to identify new or changed risks.
The plan for monitoring must be documented and updated on an annual basis (more frequently when required) and should describe:
- Compliance obligation
- Goal of the check
- Check methodology and sample size
- Selection criteria
- Responsible person
- Check items (what do we check and how)
- Assessment criteria (when OK and when not)
- Reporting (how and to whom)
Management must:
1. Establish first line of defense tracking and report deficiencies to the GRC officer.
2. Provide the GRC Officer with a first line of defense document (monitoring plan) that outlines the first line tracking activities and the person accountable for their execution.
3. Work with the GRC officer to ensure appropriate evaluation of the first line checks.
4. Within the time agreed with the GRC Officer, address issues that arise from the first line and second line checks (action plan follow-up).
5. Ensure adequate resources (quantity and quality) to execute the checks.

Governance, Risk & Compliance Officer must:
1. Work with the business to document the necessary check plans and validate them after preparation.
2. Establish second line of defense monitoring activities via level 2 checks; formalize these checks in a check plan, execute them and report the findings. Define recommendations if needed to mitigate risk.
3. Report on a quarterly basis on the results of the compliance checks to the President of the Executive Board.
ACTION PLAN MANAGEMENT
Action plan management is a process to ensure the visibility and resolution of compliance incidents and other compliance-related findings and issues (including those from the checks performed). Compliance-related findings include:
- Actions identified by management in its day-to-day operations and from the first line of defense checks.
- Actions resulting from recommendations made by the second line of defense monitoring and other framework activities.
- Actions resulting from compliance incidents as part of the operational risk management process (formalized in the risk management charter and framework).
- Actions resulting from recommendations made by internal / external audit (third line of defense).
- Actions resulting from recommendations / findings from supervision by authorities.
Management must:
1. Ensure that compliance-related actions are recorded in the action plan database managed by the GRC officer.
2. Resolve identified issues in a sustainable manner within the agreed deadline.
3. Provide the GRC officer with a status update on open actions until the issue is resolved.
4. Incorporate (in cooperation with the GRC officer) lessons learned in the activities.

Governance, Risk & Compliance Officer must:
1. Monitor all compliance-related findings and issues until they are resolved (by processing and managing the action plan database).
2. Create and execute a process for tracking and managing the actions and their adequate execution.
3. Incorporate, together with management, lessons learned in the activities (translated into actions that are monitored).
4. Report to the President of the Executive Board the unaddressed (open) and overdue actions via the Compliance Dashboard (quarterly).

All actions are logged for monitoring in the action plan database of the GRC department and must include:
- Finding or risk
- Recommendation (if applicable)
- Action to be taken (mitigation measure)
- Person accountable for the action
- Deadline
4.1.5 Compliance risk reporting (including incident management)
PERIODICAL REPORTING
Compliance risk reporting allows management and the GRC and Legal departments to assess whether compliance risk exceeds the risk appetite. Reporting also allows for communication and discussion of potential compliance risks.
Management and Compliance are responsible for gathering information, and then analyzing and communicating the result so that informed, timely decisions can be made.
Reports will be issued at least on a quarterly basis.
INCIDENT REPORTING
Compliance incidents are all incidents which have an effect on the integrity of Tilburg University, leading to material damage to its reputation, legal or supervisory authority sanctions, or financial loss, as a result of a failure (or a perceived failure) to comply with applicable law and legislation.
When compliance incidents occur (regardless of materiality) they must be handled through the standard risk management charter and framework. They must be reported immediately to the GRC Officer.
Management must:
1. Ensure that any suspected compliance incident is reported to the GRC Officer as described in this section.

Governance, Risk & Compliance Officer must:
1. Treat all reported compliance incidents with confidentiality.
2. Register the incident in the incident register and report it in line with the reporting guidelines (see the risk management standard and charter).
Compliance risk management advisory
The GRC department plays a very important pro-active advisory role: it advises the Executive Board, management, departments, committees and employees. It provides advice on compliance risk, responsibilities, obligations and concerns on compliance issues, while taking into account the business practices and operational constraints.
In the event that a significant compliance risk is identified and management's planned course of action may put Tilburg University at risk, the GRC officer must, unless circumstances prevent it, immediately escalate the matter to the President of the Executive Board and the Audit Committee for an opinion.
Together a decision will be made whether to advise management in writing that the course of action would result in an unacceptable compliance risk. If management is advised NOT to proceed, but nonetheless wishes to proceed, management must advise the Board of Governors (Stichtingbestuur) in writing and obtain approval from that level. The opinion of the GRC officer must be presented in that advice.
Management must:
1. Create and maintain an environment that supports the Legal department and the GRC department in their role as advisor.
2. Seek advice from the GRC officer and the Legal department when developing new activities or cooperation agreements and when changing the governance of the organization.
3. Work closely with the GRC Officer and the Legal department to find compliant solutions based on business practices and operational constraints (find a workable, compliant option).

Legal Affairs must:
1. Assess whether particular conduct or activities (including governance, new activities, new cooperation agreements or changes to existing ones) comply with law and legislation, regulations and standards, in cooperation with the GRC officer.
2. Advise (requested and unrequested) on legal issues.

Governance, Risk & Compliance Officer must:
1. Respond to requests from employees and management for guidance on compliance risks and the reporting of compliance risks.
2. Assess whether particular conduct or activities (including governance, new activities, new cooperation agreements or changes to existing ones) comply with law and legislation, regulations and standards, in cooperation with Legal Affairs.
3. Advise (requested and unrequested) on compliance and compliance risk issues.
4. Maintain records of significant advice given.