We're hiring for a range of exciting new roles - if you'd like to join the team, click here to learn more



Stay in the loop

Never miss a beat with the latest in VET news delivered straight to your inbox.

Future-Proof Your RTO Compliance Framework with a Colour-Coded Risk Map

February 27, 2020

Casey Helman, CEO
Max Charlie Group

The declaration of compliance is fast approaching for RTOs. Come March, there’ll be two types of RTOs:

  1. RTOs in panic mode, fumbling through a semi-organised internal audit to get a rough idea of their state of compliance 
  2. RTOs who’ve completed a range of systematic reviews in the last year, with a good understanding of their strengths and opportunities for improvement

If number one sounds familiar, it’s time to review your RTO’s compliance framework.

Helping clients develop their regulatory compliance framework is one of my favourite parts of the job. Here are some key aspects of this process:

Internal audit schedule and risk profile

One of the easiest ways to keep up with your compliance requirements is by having an internal audit schedule, which enables you to regularly practice audits without the pressure of the real thing. It sounds obvious, but you’ll be surprised at the number of RTOs I audit who don’t have an internal audit schedule, or just perform internal audits four times a year, covering every single RTO standard and only skimming the surface because there’s so many.

These schedules are only valuable when they match your RTO’s risk profile. For example, an RTO offering courses in forklift driving for a one-off cost will have a different risk profile and/or priorities than an RTO who offers a range of courses through traineeship models, or via VET in Schools. The schedule frequency should closely match your risk profile.

Responsibility for the RTO compliance framework

Everyone should follow processes and complete their work to a high standard, but it’s critical to outline who is collecting, managing, and acting on the information outlined in the RTO compliance framework. Someone must be responsible for driving the process, and preferably a single person.

The information being collected

RTOs have access to a lot of data. But what data is valuable for our compliance framework? Examples include:

  • Audit reports (from the regulator, external independent consultants, internal audits)
  • Assessment validation 
  • AVETMISS data
  • AQTF learner surveys, employer surveys, competency completions
  • RTO specific feedback surveys
  • Complaints and appeals register
  • Analytics: website, social media performance/engagement, learning management system, etc.
  • OHS incident registers, workplace inspection reports, etc.
  • Staff satisfaction surveys

You’ll need to list the data you want to include in your RTO’s compliance framework, and why it’s valuable.

You should also consider how often you’re collecting the data. Some will be monthly, quarterly, or annually, and some will be ad hoc. You’ll need to design a compliance framework that will collect and display your information.

A decision must be made on what works best for your RTO, as it’ll determine what you can achieve.

Risk map

This is a real example I created for a client after reviewing their data. Based on the Standards for RTOs, we assigned a risk level to each standard by colour coding it either green, orange, red or blue.

This particular RTO delivers high risk units, using a range of third parties that help them deliver interstate training (hence the red for standards 1.1-1.4, 1.8-1.12 and 2.3-2.4).

To explain the risk levels further:

Low Risk

  • Performed well in past audits
  • Policies, processes or procedures are in place

Medium Risk

  • Performed average in past audits
  • Policies, processes or procedures are in place, but they’re ineffective or insufficient

High Risk

  • Performed poorly in past audits
  • May or may not have policies, processes or procedures in place
  • The RTO participates in high-risk operations

Not Applicable

  • The standards do not apply to the RTO’s operations

I need to put a disclaimer here: these risk levels are a guide only. I’ve had situations where we've allocated a high risk to a standard even though they had solid policies and procedures, and had performed well in audit. The context of the RTO and its environment will determine the overall risk.

After allocating the risk levels, you’ll have a better idea of where to focus your time, energy and resources for compliance and improved quality. Generally speaking, the high-risk components would be looked at quarterly, the medium-risk components looked a bi-annually, and the low-risk components looked at either bi-annually or annually (depending on what it was).

Simple. Strong. Systematic.


Reviewing and improving your RTO’s compliance framework is an invaluable way to avoid non-compliance, and by creating a colour-coded risk profile, you’ll have a visual tool that can guide your steps. It’s done wonders for my clients, and hopefully does the same for you.

Want to know more?

Check out these articles:

Get the latest VET news and insights

VET moves fast. Stay informed, with blogs straight to your inbox.

Enjoy this blog? Please share using the buttons below