
COMPLIANCE RISK MANAGEMENT CHARTER & FRAMEWORK V 1.0

Print run (Oplage): 1

15-06-2017

Compliance risk charter and framework v 1.0 dd 19-9-17


Table of Contents

PART 1 Tilburg University Compliance Risk Management Charter

1 TiU Compliance Risk Management Strategy
  Mission of the Compliance function
  Purpose of the Compliance Risk function
2 Definition and scope of compliance risk
  Compliance risk
  Integrity and reputation risk
  Scope of Compliance Risk Management
3 Compliance risk management responsibilities
  Responsibilities of management
  Responsibilities of every employee
  Responsibility of Legal Affairs
  Responsibilities of Compliance Officer (GRC officer)
4 Authority and capabilities of Compliance Officer (GRC)
5 Reporting

PART 2 Tilburg University Compliance Risk Management Framework

1 TiU principles – the foundation of the framework
2 Manage Compliance Risk – 3 lines of defense model
3 The framework within TiU
4 The key components of the framework and the key activities of the RCF
  The Risk Control Framework and the five activities
  4.1.1 Identification of compliance obligations
  4.1.2 Risk assessment
  4.1.3 Compliance risk mitigation
  4.1.4 Compliance risk monitoring
  4.1.5 Compliance risk reporting (including incident management)
  Compliance risk management advisory


Tilburg University Compliance Risk Management Charter and Framework

The goal of Tilburg University (TiU) is to actively contribute to society. The university wants to serve society and make it a better place for all citizens. TiU has always actively promoted ways to firmly embed education and research in society. In the strategic plan five ambitions have been defined in order to achieve these goals:

- Quality comes first
- Innovation according to a focused method
- Connections through networking
- Focused international cooperation
- One single, effective university

Good compliance risk management is necessary to meet the ambitions with regard to quality and an effective university. TiU wants to be a university that stakeholders and society can trust. Good compliance risk management is part of the license to operate: it builds trust and protects our good name in society. Effective compliance risk management means meeting our compliance obligations and preventing loss or damage. It improves the way we operate for all stakeholders and is essential for sustainable operations.

In this document we describe the way compliance risk management is embedded in TiU, with the goal of managing compliance risks effectively.

Charter: the charter describes the roles and responsibilities for compliance risk management.

Framework: the framework outlines the methodology, tools and methods that are used.


PART 1 Tilburg University Compliance Risk Management Charter

The purpose of the Charter is to define the organization, operation and governance of compliance risk management for Tilburg University. The Charter applies to all staff.

The Charter requires the definition of a sound Compliance Risk Management Framework and of a Compliance Officer, and describes the roles and responsibilities with regard to compliance risk management for Tilburg University.


1 TiU Compliance Risk Management Strategy

Effective management of compliance risk is a cornerstone in building trust. It enables TiU to protect its reputation, reduces losses and costs, and helps to minimize the risk of investigations, prosecution and penalties, because we do the right things in the right way.

Mission of the Compliance function

Together with the organization and business owners, ensure that compliance risk management is embedded in daily activities in order to maximize trust and minimize the related risks.

Purpose of the Compliance Risk function

The compliance risk function operates within the general risk management framework (see the Risk Management Charter and Framework for more detail) and is built in line with the COSO ERM model [1]. COSO identifies the relations between the risks and the internal control system. Within the context of the mission, vision and strategic objectives it implements a process of management, control, reporting and review. Internal control is a process that provides reasonable assurance regarding the realization of the goals with regard to:

- Realization of strategic objectives (strategic)
- Effectiveness and efficiency of processes (operations)
- Reliability of (financial) information (reporting)
- Compliance with applicable laws and legislation (compliance)

An effective (risk) control system contains eight elements that are related to the management process:

- Internal environment: this relates to the culture of the internal organization and comprises the risk management philosophy, the risk appetite and the integrity and ethical values of the organization.
- Objective setting: objectives must be defined before the risks of not realizing them can be defined.
- Event identification: internal and external events that influence the realization of the objectives must be identified. This includes risks and opportunities.
- Risk assessment: risks must be assessed in terms of likelihood and impact.
- Risk response: for each risk the most appropriate response must be selected (avoid, accept, mitigate or transfer) in order to align the risk with the risk appetite.
- Control activities: in order to mitigate the risk, controls (policies, procedures, checks) must be identified and implemented.
- Information and communication: relevant information must be identified and communicated.
- Monitoring: monitor the effectiveness of risk management and implement changes for improvement.

Within this framework the purpose of the compliance officer is, per COSO element:

Internal environment: Deepen the culture of compliance by partnering with the business to strengthen a culture of trust, accountability, transparency and integrity.

Objective setting: Support the TiU strategy by clearly defining roles and responsibilities with regard to compliance risk management and by proactively advising TiU on compliance risks, using a risk-based approach to align business outcomes with the risk appetite.

Event identification: Understand and advocate the rules, regulations and laws in order to identify compliance risks and the related events, working together with the business.

Risk assessment: Assess the compliance risks in cooperation with the organization.

Control activities: Define and assess the effectiveness of compliance risk controls in cooperation with the business, in line with the defined risk strategy.

Information and communication: Develop and enhance tools to detect, communicate, report and manage the compliance risks in order to limit surprises.

Monitoring: Implement a monitoring and reporting system with regard to the effectiveness of risk management.

[1] COSO ERM: the COSO ERM model is the most commonly used framework for the implementation and assessment of risk management and was defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).


2 Definition and scope of compliance risk

Compliance risk

Compliance risk is the risk of impairment of Tilburg University's integrity. It is the failure (or perceived failure) to comply with applicable laws and regulations and with internal policies and procedures. Non-compliance could damage TiU's reputation, lead to legal or regulatory sanctions and/or cause financial losses.

Integrity and reputation risk

Compliance risk is also referred to as integrity risk, because integrity is the focus in managing compliance risk. Compliance risk is sometimes also referred to as reputation risk, but reputational damage is only one of the possible effects of a compliance risk, besides sanctions and financial losses.

Scope of Compliance Risk Management

It is impossible to cover compliance with all applicable laws and legislation. Compliance risk management is therefore limited to compliance with the laws and legislation that relate to the core activities of TiU, as well as to integrity risks.

TiU has implemented an integral management model, which means that the manager accountable for an activity is also accountable for compliance with the laws, regulations and standards that apply to that activity. Managers must implement measures to ensure that they comply with the laws and legislation that apply to their activities, and that they are aware of changes in those laws and legislation.

TiU has a central legal department that acts as internal advisor / consultant to the Executive Board with regard to laws and legislation. On request of faculties and divisions it also provides advice on individual cases and, for example, on the interpretation of laws and legislation.

Laws and regulations related to [2] / Responsible department:

- Governance (chapter 9 of the WHW): Executive Board, advised by Legal Affairs
- Privacy law: Department responsible for the activity [3]
- Accounting: Finance & Control
- Tax: Finance & Control
- Insurance: Finance & Control
- Employment: Human Resources
- Education, research and valorisation: Faculties
- Procurement: Procurement and Tendering (Inkoop en aanbesteding)
- Treasury: Finance & Control
- All other: Department responsible for the activity

In the Structuurregeling (structural regulations) and the Bestuurs- en Beheersreglement (administration and management regulations), article 3.9, certain responsibilities are listed that cannot be mandated by the Executive Board. For these activities the Executive Board is therefore the responsible department. They concern:

Area / Responsibility with regard to:

- Human Resources: Recruitment or dismissal of full professors or of directors of central services and divisions.
- Human Resources: Implementing disciplinary measures.
- Treasury: Entering into or providing loans or investments of money (treasury), including the opening of new bank accounts.
- Finance & Control: Acceptance of donations and legacies.
- Real Estate Management / Treasury: The establishment of estates; the acquisition, sale, mortgaging and granting of use of real estate, including granting permission to cancel a mortgage registration; seizures; and all deeds of ownership.
- Legal Affairs: Instituting and conducting legal proceedings, referring disputes to arbitrators, the commencement of dates, the approval of an agreement, and acquiescence in court decisions or arbitral awards.
- All: Entering into an agreement that exceeds the value defined by the Executive Board (NB: €250,000).

[2] In the Structuurregeling and the Bestuurs- en Beheersreglement certain exceptions have been defined. See the list above for these exceptions.
[3] A general policy (based upon the AVG, formerly the WBP) is issued by the Executive Board (coordinated by Legal Affairs).

Legal Affairs has an advising and consulting role with regard to laws and legislation. They work primarily for the Executive Board.

The compliance officer (GRC officer) will perform compliance risk assessments for the following laws and regulations:

- Wet op het hoger onderwijs en wetenschappelijk onderzoek (WHW, the Higher Education and Research Act) of 8 October 1992
- Algemene Verordening Gegevensbescherming (AVG, the General Data Protection Regulation), formerly the Wet Bescherming Persoonsgegevens (WBP)
- Wet Normering Topinkomens (WNT, the act standardizing top incomes in the (semi-)public sector)
- Codes of conduct of the Vereniging van Samenwerkende Nederlandse Universiteiten (VSNU) [4]:
  - Code of good governance (Gedragscode goed bestuur)
  - Code for the use of personal data in research (Code voor gebruik persoonsgegevens in wetenschappelijk onderzoek) [5]
  - Code of ethics for scientific practice (Code wetenschappelijke integriteit)
  - Code of conduct for international students (Code international student)

[4] See www.vsnu.nl for the codes.
[5] This code of conduct is currently under revision to align it with the new European data protection rules. It should be compliant with the new AVG.


3 Compliance risk management responsibilities

Compliance risk is the responsibility of all staff members of Tilburg University.

Responsibilities of management

Management is accountable for all the processes it performs and in that role is also the owner of compliance risk management for its activities.

Managers must set a good example by considering the expectations of stakeholders, knowing and applying the rules, and defining and encouraging a culture in which people are trusted and accountable for their activities. They are also responsible for monitoring changes in laws and legislation relevant to their activities, for example by using their networks.

The Executive Board is ultimately responsible for compliance of Tilburg University with all applicable laws and legislation and for managing all risks associated with the activities of TiU. The Executive Board reports compliance issues, and reports on the risk management and control systems, to the Audit Committee and the Board of Governors (supervisory body).

The directors of divisions and faculties are responsible for compliance risk management for all activities in their division or faculty.

At all levels management must create an environment of individual and collective accountability in which the importance of meeting compliance obligations is well understood. Management achieves this in part by providing sufficient resources (training, budget, staffing) to its compliance management function to ensure effective compliance risk management. The specific responsibilities are outlined in the framework.

The Executive Board has appointed a Governance, Risk and Compliance Officer to manage compliance risk.

Responsibilities of every employee

Every employee of TiU is responsible for managing compliance risk and for complying with applicable laws and legislation (external and internal) in personal and business conduct.

Management is responsible for identifying, communicating and training the minimum compliance requirements that employees must comply with in day-to-day operations. Management must reward or sanction employees' performance against these requirements.

Employees must find out which compliance obligations affect their activities and must make sure that they understand and implement them.

The compliance obligations are formalized in:

- Laws and legislation
- Codes of conduct
- Policies (beleid)

The approval process for new policies and standards is formalized and managed by the Secretary of the Board. For university-wide policies that have a legal effect (and therefore a risk) and that need to be approved by the Executive Board, the Legal Affairs department is always consulted before approval (this is included in the approval process). For faculty policies (e.g. the Teaching and Examination Regulations, Onderwijs- en Examenreglement (OER)) this consultation of Legal Affairs is not mandatory.

Responsibility of Legal Affairs

The Legal Affairs department has an advisory and consulting role for the Executive Board and for the whole Tilburg University organization. All policies with a legal impact (and therefore a risk) that are approved by the Executive Board are validated by the Legal Affairs department as part of the standard approval process. For faculty policies this is not standard, but Legal Affairs can be consulted.

When (changed) laws with an impact on the whole organization are implemented, the Legal Affairs department can play a coordinating role, for example in the implementation of the WHW and the new AVG.

All contractual agreements with a financial impact of €250,000 or more must be signed by the President of the Executive Board. These contracts are validated upfront by the Legal Affairs department, which assesses the legal impact and provides advice with regard to risk. Contracts below this threshold are mandated to the faculties; in these cases assessment by Legal Affairs is not mandatory, but Legal Affairs can be consulted.

Responsibilities of Compliance Officer (GRC officer)

The GRC officer is responsible for the following:

- Managing day-to-day activities with regard to compliance.
- Defining and implementing the compliance risk management framework in line with the general risk management framework, and driving the ongoing evolution of the Compliance Risk Framework.
- Facilitating, advising and supporting the faculties and departments in defining the Compliance Risk Framework for their activities, including training and communication support.
- Overseeing compliance risk management activities in all faculties and divisions, and advising and supporting the faculties and divisions in this respect.
- Identifying new or changed laws and legislation, and identifying their impact and the necessary changes for TiU.
- Advising on all policies of TiU.
- Advising and supporting the organization in changes and processes with respect to compliance risk management, for example by participating in projects.
- Ensuring adequate and timely reporting with regard to compliance incidents and compliance risk management.


4 Authority and capabilities of Compliance Officer (GRC)

The Compliance Risk function (GRC officer) requires rules with respect to its authority, with regard to:

Independence: To avoid potential conflicts of interest the GRC officer must be independent of the business activities and report directly to the Chairman of the Executive Board (College van Bestuur) of Tilburg University.

Investigate and challenge: When the GRC officer perceives a compliance risk, or when a management decision may give or has given rise to a significant financial or reputational risk for TiU, the GRC officer must investigate and challenge the actions or concerns without influence from the business. If the matter is not promptly resolved, the GRC officer must follow the escalation process.

Escalation: When a matter is escalated, the GRC officer must decide whether to advise the Executive Board that the course of action would result in an unacceptable compliance risk and that the action cannot proceed. Management must postpone execution of the action until the Executive Board has taken a decision.

Access: The GRC officer must at all times have unfettered and direct access (in accordance with applicable laws and legislation) to all activities in their area of responsibility. This includes all documentation, systems (e.g. complaints registers, whistleblower reports and files), employees, the Chairman of the Executive Board, directors, staff members etc. that the GRC officer reasonably believes are necessary to execute their responsibilities effectively. The GRC officer must have the opportunity to attend (relevant) meetings to raise any matters that are reasonable and necessary.

Liaison and partnering: The GRC officer must work closely with Legal Affairs, employees and management to ensure knowledge exchange about regulations and to ensure compliance risk management. NB: the Executive Board is the contact for the supervising authorities.

Capabilities, evaluation and remuneration: The GRC officer must have the necessary qualifications, experience and professional and personal skills to carry out the responsibilities effectively. He/she must have an overall understanding of the activities and governance of Tilburg University and must understand the obligations, legislation and standards that affect the activities. The GRC officer must coach and train new management regarding compliance. The GRC officer must have the opportunity to develop his/her skills. The remuneration of the GRC officer will be in line with the Collective Labour Agreement.

Recruitment and termination: The President of the Executive Board decides whether to appoint or terminate the GRC officer.


5 Reporting

The GRC officer will report at least quarterly to the President of the Executive Board on the effectiveness of the implementation and embedding of compliance risk management in Tilburg University. This report will contain:

- Upcoming laws and legislation with an effect on the activities of Tilburg University
- Status update on the implementation of compliance risk management
- Key compliance risks
- Incidents reported with respect to compliance
- Status of action plan implementation

All incidents will be reported by the GRC officer to the President of the Executive Board within 5 working days after detection. Incidents reported under the whistleblower regulation or with regard to scientific integrity are excluded from this reporting: the regulations on whistleblowing and scientific integrity define separate reporting, in which an advice is provided. The GRC officer will receive this advice, analyze it and, in cooperation with the accountable departments, define an action plan. Monitoring of the follow-up of this action plan is included in the standard process. The Executive Board will ensure reporting to the Board of Governors via the standard process.


PART 2 Tilburg University Compliance Risk Management Framework

The Tilburg University (TiU) compliance risk management framework (framework) comprises the principles, processes and tools that the organization uses to manage compliance risk. It is essentially a risk management program.

The framework is a key tool for the organization and all of its employees and supervisors to understand, and apply, our approach to compliance risk management. It also creates transparency for our external stakeholders.

The important topics for managing compliance risk are:

1. The business principles of Tilburg University: the foundation of the framework
2. The three lines of defense model to manage compliance risk
3. The framework in our business
4. The key components of the framework and the key activities of the Risk Control Framework (RCF)

This framework complements, and should be read together with, the Charter. Modifications of the framework must be aligned with the scope of the Charter.


1 TiU principles – the foundation of the framework

The business principles of Tilburg University express what the university holds dear, what we believe and what we aim for. Individually each principle is equally important, and taken as a whole they define our collective conscience. As such they are the foundation of everything we do.

The principles are defined in our code of conduct (rules of behavior), which can be found on the intranet. Those who work or study at Tilburg University:

- Behave appropriately and are conscientious and trustworthy
- Show respect for each other
- Use their expertise in their field of study to contribute to an inspiring working environment
- Are involved with both individuals and society


2 Manage Compliance Risk – 3 lines of defense model

The three lines of defense model that Tilburg University has implemented helps us to mitigate (compliance) risks; it applies to all faculties and divisions within the university. This model is essential for the effective operation of the Compliance Risk Management Framework.

Tilburg University manages compliance risk on the basis of the three lines of defense model: the Executive Board and management, the compliance risk management function, and the Internal Audit department. The model distinguishes between functions that own and manage risks, functions that monitor and oversee risks, and functions that provide independent assurance.

Defense line 1: Management

The first line of defense develops and implements mitigation activities, including monitoring and reporting, for managing compliance risks in business activities. The directors and management manage risks day-to-day and are affected by the consequences of the risks.

Defense line 2: Compliance Risk management function

The second line of defense, in cooperation with Legal Affairs, identifies the relevant compliance-related laws, regulations and standards. It translates the law into compliance obligations and assists management in identifying their compliance risks. It helps management to identify activities that mitigate the compliance risks (controls) within the risk appetite of the university. It monitors the control of the compliance risks and advises on compliance risk related matters. It works together with other second line of defense functions (Finance & Control) to provide objective challenge and support, escalating matters when necessary to help optimize the trade-off between risk and reward. The second line of defense serves in an advisory and validation role as the organization designs, implements and embeds policies and guidelines, tracks internal mitigation activities (action plan management) and delivers training on compliance related subjects.

Defense line 3: Internal Audit

The third line of defense provides management with independent, objective assurance on the overall effectiveness of the design and operation of internal controls (mitigation activities).

Figure: the three lines of defense within TiU, overseen by the Executive Board. First line of defense: management. Second line of defense: staff departments (Governance, Risk & Compliance, Finance & Control). Third line of defense: Internal Audit (independent).


3 The framework within TiU

The university operates in a complex environment governed by laws and legislation (e.g. the Wet op het hoger onderwijs en wetenschappelijk onderzoek, WHW) and extensive compliance obligations. The reputation of TiU is one of the key assets of the organization.

It is therefore important that TiU complies with the letter and spirit of its obligations, both in its systems and processes and in the conduct of employees and students. To achieve this we have implemented a framework to manage compliance risks.

The framework consists of two components:

- The Risk Control Framework
- Advisory Services

The Compliance Risk Control Framework (RCF) reflects the key activities that need to be performed in order to understand and manage compliance risks. These are activities that the first line of defense must implement.

Advisory Services is the specialized support and advice that the first line of defense receives to help it manage compliance risks more effectively.


4 The key components of the framework and the key activities of the RCF

The Risk Control Framework and the five activities

The Compliance RCF is a vital part of the framework as it provides an overview of the compliance obligations, the risks arising from law and legislation, and their implementation in Tilburg University. The chart is the outcome of a continuous process and consists of 5 key activities that are listed in the chart:

1. Identification of Compliance Obligations
2. Risk assessment
3. Compliance Risk Mitigation (incl. training and education)
4. Compliance Risk Monitoring (incl. Action Tracking)
5. Compliance Risk Reporting (incl. incident management)

The RCF provides an overview of the applicable law, legislation and standards that apply to a certain activity (operations). It also outlines how the risk mitigation measures are implemented, in other words how compliance obligations are embedded and ensured. It helps the business in the awareness of the obligations and it helps to provide assurance about compliance risk management to stakeholders like regulators, auditors and employees, as all information is centralized.

The RCF must contain the following:

1. Reference to the key compliance related laws, regulations and standards
2. Clear descriptions that capture the relevant obligations from these laws and the risks arising from these obligations
3. Risk assessment of these risks (impact assessment) without and with the current controls in place (gross and net risk assessment), in line with the overall Risk management methodology
4. The process to which the obligation and the related risks are linked
5. The implemented controls that mitigate the risk
6. The process owner (accountable), who is also responsible for the compliance risks and the related controls

The chart must be as practical, brief and concise as possible, and must link to existing and newly identified activities. The methodology is aligned with the methodology regarding risk management.

[Figure: the five key activities of the RCF as a cycle: 1 Identification of Compliance Risk obligations; 2 Risk assessment; 3 Compliance risk mitigation; 4 Compliance Risk Monitoring; 5 Compliance Risk Reporting.]

Management must:

1. Help the GRC officer develop and update the RCF by clearly identifying the principal business activities and relevant processes affected by the obligations
2. Identify the employees that have managerial accountability for, and are accountable for execution of, an activity outlined in the RCF
3. Formally approve the RCF for their activity / entity
4. Notify GRC immediately of any changes in activities that have an effect on the RCF

Governance, Risk & Compliance Officer must:

1. Develop and maintain a RCF for the University (entities) with the assistance of management
2. Demonstrate that all the elements of the chart have been discussed and approved by the accountable management
3. Report material changes in law and legislation (monitored by Compliance) to responsible management and the President of the Executive Board

4.1.1 Identification of compliance obligations

The RCF must be kept up to date. It must at all times reflect the compliance obligations and related risks that arise from international (European) and local (Dutch) laws, regulations and standards that apply to the activities of Tilburg University. In general, laws and legislation will be transposed into internal policies (beleid, richtlijnen). Inclusion of compliance obligations in the RCF is risk-based.

Legal Affairs must:

1. Provide (on request) advice and consultation with regard to law and legislation that affect the activities of TiU
2. Validate all policies with legal impact (and risk) that need approval of the Executive Board with regard to compliance with law and legislation (standard process)
3. Validate the faculty policy (faculteitsreglement) for legal impact (and risk), as it needs approval of the Executive Board
4. Provide standard clauses that need to be implemented by the faculties in the Opleiding en ExamenReglement (OER)
5. Confirm at least annually that the Compliance Risk Framework:
   a. Accurately reflects the compliance law and legislation
   b. Contains compliance obligations that are still valid

Management must:

1. Identify new and changed compliance obligations with regard to the activities they are accountable for, in cooperation with Legal Affairs (consultation) and the GRC Officer
2. Identify, together with the GRC officer, compliance risks that arise from compliance obligations
3. Implement the applicable changed law (compliance obligation) in their activities
4. Formalize the changes in policies, processes and working instructions
5. Inform and train staff members with regard to these changes

GRC Officer must:

1. Identify with management and Legal Affairs the related Compliance obligations and update the RCF
2. Translate compliance related law and legislation into compliance obligations (in cooperation with a legal expert)
3. Enter the compliance obligation in the Risk Control Framework
4. Ensure that agreed upon compliance obligations are implemented


4.1.2 Risk assessment

Risk assessment is an ongoing process and follows the identification of compliance obligations. It consists of steps that are aligned with the general risk management standard (see for more detail: Risk management charter and framework).

The risk assessment consists of the following steps:

1. Identification of the risk, with a clear description of the risk that contains:
   a. The cause of the risk, called the factor (what could cause the risk)
   b. The effect / consequence of the risk (what is the impact of the risk, e.g. penalty, reputational damage, imprisonment ...)
2. Assessment of the risk using the standardized risk grid that has been prepared for risk management. It consists of the assessment of the frequency and the gravity of the risks and will be done for:
   a. Gross risk / inherent risk: the risk without taking into account the implemented controls
   b. Net risk / residual risk: the risk after the implementation of the controls

Management must:

1. Participate in and contribute to the risk assessment sessions to define the risks and assess the impact
2. Work with GRC and Legal to identify the high compliance risks (risk assessments)
3. Work with GRC and Legal to identify the controls that mitigate the (high) compliance risks
4. Validate and approve the outcome of the risk assessment
5. Inform the GRC officer in case of any changes that impact the compliance risks

Governance, Risk & Compliance Officer must:

1. Ensure that the Compliance risks are integrated in the assessment process
2. Participate in (facilitate) all Risk assessments
3. Rate and rank, in cooperation with management, the current and anticipated critical and high residual compliance risks and determine the mitigation measures
4. Ensure that the reporting regarding Compliance risk contains the information regarding risk assessments
5. Review and update the compliance risk mapping at least annually, in cooperation with management

4.1.3 Compliance risk mitigation

Compliance risk mitigation is the process of developing and implementing controls, such as documentation (policies, procedures), organization (e.g. training and awareness), security (e.g. segregation of functions, authorizations) and checks (level 1 and level 2), that mitigate the compliance risk.

Law and legislation may change from time to time and these changes must be implemented in the operations of Tilburg University. Most often they will be transposed into policies (beleid).

DOCUMENTATION

The framework components (controls) like policies must be developed and communicated so that employees understand their obligations (e.g. whistleblower, gifts, work for third parties). All documents must be easily accessible for employees and/or students via the intranet. All documents (versions) are centralized in the departments responsible for these policies (accountable department). They must ensure adequate version management.

Management must:

1. Within the time agreed with the GRC Officer, establish and implement specific appropriate activities (controls) to mitigate the compliance risks in the business processes
2. Ensure that policies and processes are defined (made), implemented and distributed (communicated) and that they are stored using adequate version management
3. Ensure that the organization unit meets its obligations and embeds the activities to mitigate the risks in its activities
4. Work with the GRC Officer to ensure that the framework components are presented in a way that employees at all levels can access and understand
5. Take the measures necessary so that employee behavior conforms to the framework (compliance related policies, including the University's principles (values))
6. Include in all job descriptions and policies that the employee will be held accountable to meet the compliance obligation in line with the CAO, where it is defined in article 1.8: 'De werknemer is gehouden zijn functie naar zijn beste vermogen uit te oefenen, zich te gedragen als een goed werknemer en te handelen naar de aanwijzingen door of vanwege de werkgever gegeven.' (The employee is obliged to perform their duties to the best of their ability, to behave as a good employee and to act according to the instructions given by or on behalf of the employer.)
7. Store and archive all policies and ensure version management. Monitor publication on the intranet

Legal Affairs must:

1. Validate the policies with legal impact (and risk) that need approval of the Executive Board
2. On request of faculty management, validate faculty related policies that are based on law and legislation (e.g. WHW) on compliance with legal obligations

Governance, Risk & Compliance Officer must:

1. Advise management about their Compliance Obligations
2. Assist management to identify risk mitigation measures. Raise issues to management and the President of the Executive Board that may have an impact on the suitability of existing mitigation measures
3. Monitor that the framework components are developed and communicated so that employees understand their responsibility
4. Establish and maintain GRC information, documentation and procedures that GRC uses, such as the Charter and Framework, and ensure that they are available at all times


ORGANIZATION (INCL. TRAINING AND ORGANIZATION)

The compliance culture will be reinforced by good knowledge among the employees of the organization. This can be realized via communication and training / education. It builds awareness and understanding of the compliance risk management standards.

If necessary we will create compliance related training and education with regard to this subject. It is also very important that new staff members are informed about their compliance obligations (e.g. code of conduct, working for third parties etc.) as part of their training program. Refresher training / activities must also be available for existing staff members.

Management must:

1. Develop training programs for compliance related training and education
2. Ensure delivery of compliance related training at the start of employment, and regularly organize activities to refresh knowledge, including new subjects. All employees must receive the training necessary to perform their role
3. Ensure the execution of the compliance related training and maintain attendance / participation and assessment records

Governance, Risk & Compliance Officer must:

1. Advise management about their Compliance Obligations
2. Assist the training department and/or other departments in developing, maintaining and executing training material
3. Serve as content expert for compliance related training material
4. Monitor the quality and frequency of compliance related training

4.1.4 Compliance risk monitoring

EXECUTION OF LEVEL 1 OR LEVEL 2 CHECKS

The monitoring of compliance risks makes it possible for the business to verify whether the risk mitigation activities are working adequately and to identify new or changed risks.

The plan for monitoring must be documented and updated on an annual basis (more frequently when required) and should describe:

- Compliance obligation
- Goal of the check
- Check methodology and sample size
- Selection criteria
- Responsible
- Check items (what do we check and how)
- Assessment criteria (when OK and when not)
- Reporting (how and to whom)

Management must:

1. Establish first line of defense tracking and report deficiencies to the GRC officer
2. Provide to the GRC Officer a first line of defense document (monitoring plan) that outlines the first line tracking activities and the person accountable for the execution
3. Work with the GRC officer to ensure appropriate evaluation of the first line checks
4. Within the time agreed with the GRC Officer, address issues that arise from the first line and second line checks (action plan follow up)
5. Ensure adequate resources (quantity and quality) to execute the checks

Governance, Risk & Compliance Officer must:

1. Work with the business to document the necessary check plans and validate them after preparation
2. Establish second line of defense monitoring activities via level 2 checks: formalize these checks in a check plan, execute them and report the findings, and define recommendations if needed to mitigate risk
3. Report on a quarterly basis on the results of the compliance checks to the President of the Executive Board

ACTION PLAN MANAGEMENT

Action plan management is a process to ensure the visibility and resolution of compliance incidents and other compliance related findings and issues (so including the checks performed). Compliance related findings should include:

- Actions identified by management in its day to day operations and from the first line of defense checks
- Actions resulting from recommendations made by the second line of defense monitoring and other framework activities
- Actions resulting from compliance incidents as part of the operational risk management process (formalized in the risk management charter and framework)
- Actions resulting from recommendations made by internal / external audit (3rd line of defense)
- Actions resulting from recommendations / findings from supervision by authorities

Management must:

1. Ensure compliance related actions are recorded in the action plan database managed by the GRC officer
2. Resolve identified issues in a sustainable manner within the agreed deadline
3. Provide the GRC officer with a status update on open actions until the issue is resolved
4. Incorporate (in cooperation with the GRC officer) lessons learned in the activities

Governance, Risk & Compliance Officer must:

1. Monitor all compliance related findings and issues until they are resolved (by processing and managing the action plan database)
2. Create and execute a process for tracking and managing the actions and the adequate execution of the actions
3. Incorporate with management lessons learned in the activities (translated into actions that are monitored)
4. Report to the President of the Executive Board the unaddressed (open) and overdue actions via the Compliance Dashboard (quarterly)

All actions are logged for monitoring in the action plan database of the GRC department and must include:

- Finding or risk
- Recommendation (if applicable)
- Action to be taken (mitigation measure)
- Accountable for action
- Deadline


4.1.5 Compliance risk reporting (including incident management)

PERIODICAL REPORTING

Compliance risk reporting allows management and the GRC and Legal departments to assess whether compliance risks exceed the risk appetite. Reporting also allows for communication and discussion of potential compliance risks.

Management and compliance are responsible for gathering information, and then analyzing and communicating the result so that informed, timely decisions can be made.

Reports will be issued at least on a quarterly basis.

INCIDENT REPORTING

Compliance incidents are all incidents which have an effect on the integrity of Tilburg University, leading to material damage to the reputation, legal or supervisory authority sanctions, or financial loss, as a result of a failure (or a perceived failure) to comply with applicable law and legislation.

When compliance incidents occur (regardless of materiality) they must be handled through the standard risk management charter and framework. They must be immediately reported to the GRC Officer.

Management must:

1. Ensure that any suspected compliance incident is reported to the GRC Officer as described in the report

Governance, Risk & Compliance Officer must:

1. Treat all reported compliance incidents with confidentiality
2. Register the incident in the incident register and report in line with the reporting guidelines (see risk management standard and charter)

Compliance risk management advisory

The GRC department plays a very important pro-active advisory role: they advise the Executive Board, management, departments, committees and employees. They provide advice on compliance risk, responsibilities, obligations and concerns on compliance issues while taking into account the business practices and operational constraints.

In the event that a significant compliance risk is identified and management's planned course of action may put Tilburg University at risk, the GRC officer must, unless circumstances otherwise prevent, immediately escalate the matter to the President of the Executive Board and the Audit Committee for an opinion.

Together a decision will be made whether to advise management in writing that the course of action would result in an unacceptable compliance risk. If management is advised NOT to proceed, but nonetheless wishes to proceed, management must advise the Board of Governors (Stichtingbestuur) in writing and get approval from that level. In the advice the opinion of the GRC officer must be presented.


Management must:

1. Create and maintain an environment that supports the legal department and the GRC department in their role as advisor
2. Seek advice from the GRC officer and legal department when developing new activities or cooperations and when changing the governance of the organization
3. Work closely with the GRC Officer and the Legal department to find compliant solutions based on business practices and operational constraints (find a workable, compliant option)

Legal Affairs must:

1. Assess whether particular conduct or activities (including governance, new activities, new cooperations or changes to existing ones) comply with law and legislation, regulations and standards, in cooperation with the GRC officer
2. Advise (requested and unrequested) on legal issues

Governance, Risk & Compliance Officer must:

1. Respond to requests from employees and management for guidance on compliance risks and reporting of compliance risks
2. Assess whether particular conduct or activities (including governance, new activities, new cooperations or changes to existing ones) comply with law and legislation, regulations and standards, in cooperation with Legal Affairs
3. Advise (requested and unrequested) on compliance and compliance risk issues
4. Maintain records of significant advice given