When people talk about ISO Management System ‘compliance’, what they in reality mean is conformance to the requirements of the ISO Standard. In ISO terminology, compliance refers to compliance with legal and other statutory requirements.
It may sound like semantics, but the distinction exists for a reason: you don’t get a ‘non-compliance’ for failing to meet a Standard’s requirements, you get a ‘non-conformity’. When it comes to compliance with the law as required by ISO Standards, you need more than a Legal Register to prove compliance.
In this episode, Ian Battersby dives into what is meant by compliance in ISO, how this relates to legal and statutory requirements, and how businesses can effectively evaluate compliance.
You’ll learn
- What is the difference between ‘Compliance’ and ‘Conformity’?
- What are the different types of compliance requirements?
- How do Acts and Regulations work in tandem?
- Who enforces legal compliance requirements?
- Where do these requirements sit in ISO Standards?
- How do you prove compliance within ISO management?
- How do you evaluate effective compliance?
Resources
- Isologyhub
- From Silos to Synergy: The benefits of Implementing an Integrated ISO Management System Webinar registration
In this episode, we talk about:
[00:30] Upcoming webinar: If you’d like to learn more about the benefits of integrated management systems, feel free to register for our upcoming webinar here.
[01:30] Episode Summary – Ian Battersby discusses the topic of compliance within ISO Standards, and how you can effectively evaluate it within your Management System.
[02:30] What is the difference between ‘Compliance’ and ‘Conformity’? It’s a common misconception that you ‘comply’ with an ISO Standard; in reality you conform to an ISO Standard, which is why an audit raises a ‘non-conformity’ and not a ‘non-compliance’.
When we talk about compliance within ISO Management, this refers to compliance with the law, regulations and other statutory requirements, as this is a requirement within all ISO Standards.
[03:50] What are the different types of compliance requirements? There are many different types of law. Ian focuses on what is known as statute law (legislation), as this is distinct from common law, case law and constitutional conventions.
Statute law legislation is clearly written and can be cited in something like a Legal Register, or Register of Compliance Obligations. There are different types of legislation that you’ll need to document, including:
Primary Legislation: These are put in place by Acts of the UK Parliament and may also involve the devolved administrations. Statutory compliance refers to compliance with primary legislation. An example of this type of legislation is the Health & Safety at Work Act.
Secondary or delegated legislation: Primary Acts often require a lot more detail on the practicalities of applying them, which is delivered through secondary or delegated legislation, more commonly known as regulations. These have more input from the relevant public bodies, which provide the requirements that can be applied in practice.
Regulations are issued under Statutory Instruments (SIs), which are the formal legal vehicle that gives them effect. Put simply, regulations are the rules and Statutory Instruments are the legal mechanism that brings those rules into effect.
[06:05] How Acts and Regulations work in tandem: Taking the Health & Safety at Work Act as an example, at the start this was quite a broad and generic Act. It wasn’t until years later that the Workplace (Health, Safety and Welfare) Regulations came about to support the Act.
This was further bolstered with the Management of Health & Safety at Work Regulations. Both regulations were developed through consultation between Government departments and other bodies such as the Health & Safety Executive.
These regulations gave companies much more detail on what’s actually required in order to comply with the Health & Safety at Work Act.
[06:50] Who enforces legal requirements? – It’s not just the police that enforce legal requirements. There are a number of other bodies, independent of government and the judiciary, that can enforce regulations and prosecute organisations and individuals for breaches.
These include bodies such as the Health & Safety Executive, the Financial Conduct Authority, the Environment Agency and the Information Commissioner’s Office. There are others for other areas, and these are often the bodies involved in developing the specific regulations they enforce.
[07:45] Where do these requirements sit in ISO Standards? As is the case with ISO Standards generally, the requirement for compliance is sprinkled throughout the whole document.
Starting with Clause 4, Context: here ‘interested parties’ are a focus, and regulatory bodies can be considered an interested party, as they control the regulations that you are required to comply with by law.
Even if you don’t think you fall under specific legislation, there are still general applicable business laws that all businesses must comply with. So this exercise is not simply a case of running a Management System, it’s also about running an effective business.
Ian highlights clause 6.1.3 in ISO 45001, which states the need to determine legal requirements applicable to your business, whereas in ISO 14001 this clause talks about compliance obligations. Despite the difference in wording, they are essentially looking for the same thing, which is detailing what legal requirements you need to comply with.
ISO 9001 also states that any products or services offered should meet customer and applicable statutory and regulatory requirements. This is further strengthened in the Leadership clause, where leaders are required to ensure that their commitments meet all customer requirements as well as any applicable regulatory and statutory requirements associated with the products and services. This phrasing is repeated throughout ISO 9001.
Going back to ISO 45001 and ISO 14001, both also require an evaluation of compliance as part of monitoring and measurement, with the results fed into your management review process.
The Standards are very clear in that they require you to determine the frequency and methods for evaluation of compliance.
[12:00] How do you prove compliance within ISO management? In ISO 45001 there is an appendix that gives examples of what you can monitor and measure for the fulfilment and evaluation of legal requirements.
As mentioned, many organisations opt to use a Legal Register which states all applicable legislation for your business that will be evaluated in an Internal Audit, but proving genuine compliance is much more than just acknowledging the legislation itself.
For larger organisations, this can be a very burdensome task, especially if you find yourself in a position where legal requirements aren’t being met.
Ian provides an example to illustrate how to prove effective compliance:
Waste removal is something that every business has to do, whether through a waste management contractor or through a landlord. The law states that any waste you generate must be removed, transferred, processed, treated, etc. by a licensed organisation in a very specifically regulated fashion.
You as an organisation, or your landlord, may receive an annual season ticket which includes the required demonstration of compliance. This can take the form of a Waste Carrier licence number, the types of waste, the classification codes under the European Waste Catalogue, dates and signatures.
Now if you run into an instance where something on that waste transfer note was incorrect, like a wrong address or waste type, how do you prove that you were still compliant in the actual activity of removing waste? An Audit will pick up on the note discrepancies and you may be faced with being non-compliant.
A way to ensure that you have a record of compliance is to keep electronic copies of all your waste transfer notes in a central location, ideally linked from your Legal Register. Despite the discrepancy, you will then be able to prove that you have a prior record of compliance.
Ian gives another example: you may have air conditioning in your workplace that’s due for a service. You will need to verify the contractor’s engineer before you engage them, including a check that they are competent under the F Gas Regulations and hold a valid REFCOM Registration Certificate.
If you wait until afterwards to check and validate their certificates of competence, you may find that the certificate had expired at the time they serviced your air conditioning, which may render that service inadequate under your legal requirements.
To avoid this, you should record in your Legal Register that you have evaluated the contractor. This would include a check of their registration number and the dates between which their F Gas competency certificates are valid, ensuring your service falls within those dates.
In short, to demonstrate compliance, you should be keeping on-going records in relation to your legal requirements. These should also be readily available and easily accessible.
[20:35] How do you evaluate effective compliance: Legal requirements such as the Health & Safety at Work Act are much broader, and it can be difficult to know exactly what records you need to keep to prove compliance.
This is where the supporting regulations provide the required detail and a much clearer picture of what evidence is required. One example is the requirement to carry out sufficient risk assessments, which requires you to identify hazards, assess risks, determine control measures, communicate those to people, and review those assessments regularly.
You as the business will need to create a programme to manage the risk assessment process, and this should be documented somewhere, including a note of your review and action dates. This risk assessment list should also be linked within your Legal Register.
In short, one of the most effective ways to show and evaluate compliance is to ensure that all relevant evidence is linked or attached in some way to a Legal Register or Register of Compliance Obligations. These evidence documents should be active and hold a record of previous actions and any planned upcoming actions.
You could also schedule regular inspections of your legal compliance, to evaluate your level of compliance against different requirements on an on-going basis. The resulting reports can also be linked within the Legal Register.
Don’t just rely on Internal Audits to cover your legal compliance evaluation. Utilise dedicated legal compliance inspections, link all relevant evidence within your legal register and have on-going reviews and updates throughout the year.
If you’d like any assistance with implementing ISO standards, get in touch with us, we’d be happy to help!
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.