SQE Assurance Ltd
If your company has an ISO Management System, regardless of the type, you will now, to some extent, have to evidence evaluation of compliance, but the requirement is predominately within ISO 14001 Environmental Management, OHSAS 18001 or the new ISO 45001 Occupational Health and Safety Management.
What is Compliance?
As ISO consultants, we use this term a lot and we are frequently asked what it means.
If, as a business, you are following the guidelines of applicable industry standards, fulfilling legal obligations and meeting the requirements of your customers, you are compliant. Managing compliance means ensuring that you have identified all of the industry standards and legal and customer requirements which are applicable to your activities, products or services, that you understand what is required, and that you can demonstrate how you comply with them.
It does sound easy, but many businesses, small and large, struggle with this requirement of their management system for a number of reasons.
The first is not fully understanding the clause of the standard. Many businesses interpret the requirement to mean that they just need to keep a list of information on legislation up to date.
This is closely followed by where to find up-to-date information; the HSE website is very informative for legal requirements, but companies struggle with environmental legislation as the Environment Agency website is not as well managed.
But even then, businesses have to keep reviewing the information to manage changes, some of which could be minor, and these are usually missed. Another common issue is that many identify legal requirements that are not applicable to their activities, products or services.
Businesses tend to think they have to put everything in their legal register.
This is not a requirement of the standard; you have to be able to identify those that are applicable to the business and its processes.
Finally, the greatest challenge, and where a lot of management systems struggle, is the evaluation of compliance.
This requirement is tucked away at the back of the management system in Performance Evaluation.
Many businesses interpret this clause in the standards to mean “you need to check compliance status”; the requirement of the standard is to evaluate it periodically to ensure you are compliant with all the legal requirements identified.
This means you check the status (through audits, inspections etc.) then evaluate that information to confirm the legal status of the business.
The results of the reviews should assess the level of compliance and demonstrate how the business has taken remedial actions to address shortcomings.
A key point which is also commonly missed is the requirement to evidence or demonstrate evaluation of compliance.
During an audit with your certification body you should be able to demonstrate a clear record of when and how this was done.
Other key areas of concern
The ISO standards call for a system in which compliance should be managed.
The International Standards Organisation's definition of a system is “a set of interrelated and interacting elements”.
Not understanding this requirement is another common issue found in many management systems, where typically legal registers are documented in a spreadsheet and are just lists of legislation with no link to the company processes, risks, aspects and impacts etc. This does not meet the standards' requirements, as there is no demonstrable system.
Further to this, employees who are key to managing compliance obligations in the workplace, such as those who are responsible for managing health & safety, environment and maintenance etc., should be able to demonstrate the current status of legal compliance of the business.
This can include information on permits, consents, LOLER inspections or process controls, for example.
The system should be able to demonstrate where this information is stored and what periodic actions are required to maintain compliance, such as: when the next LOLER inspection is due; what colour is marked on the lifting equipment; reports from the last inspection; documented evidence of remedial actions taken where the report has raised advisories or failures from the inspection; the location and marking of items of lifting equipment; and those which have been quarantined.
All of these pieces of information on their own are evidence of compliance, but the standards require that you should evaluate this compliance; therefore there should be documented evidence of that evaluation having taken place.
Where a 3rd party auditor identifies shortfalls in these requirements, they will raise non-conformities and, depending on the severity of the non-conformity, this could result in a Major Non-conformity which will put your certificate at risk.
So how can we help? Our consultants have varied industry backgrounds with work experience including Quality, Safety & Environmental Specialist for Toyota, being responsible for Health, Safety and Environment for a high-risk Lead (Pb) Manufacturer, Quality Manager for a large packaging organisation and 18 years’ experience as a 3rd Party Auditor for the UK’s leading Certification Body.
We have developed a range of solutions for the issues we have been discussing, including straightforward consultancy. This can be beneficial where your certification body has identified shortfalls and raised non-conformance; one of our experienced consultants can work with you to quickly investigate and identify the root cause and put in place corrective actions to close out the auditor’s concerns.
Compliance Management Service
For longer-term improvements, and to reduce the burden on those managing compliance within your business, we have developed a new service which will provide the solution to your company if you find managing compliance a challenge.
One of our experienced Consultants will visit your business premises, identify your compliance obligations and create a Bespoke Legal Register for you.
We will link other elements of your management system including Risks & Opportunities, Interested Parties, Objectives & Targets, Aspects, Impacts and Risks. Combining these elements creates added value by giving you a Compliance Management System.
In addition to ensuring your Legal Register only contains legislation which is applicable to your activities, products or services and isn't cluttered with pieces of legislation which are not applicable, we will periodically review your register and keep it up to date for you, personally informing you of any changes which require your action.
We can provide a further service where your consultant will visit your business annually and carry out an objective evaluation of your compliance and update your system for you.
Masterclass
If you want to learn more about what you have read in this article we also run a series of Masterclasses which you can attend. De-Mystifying Legal Compliance.
For more information on this and other Masterclasses visit our website www.sqea.co.uk/masterclass
For more information on any of our services please email firstname.lastname@example.org or call us on 01283 808117.