Your auditor may actually be wrong...
Every company is at a different point in its management system journey. Whether your company is about to be certified in terms of an ISO, OHSAS, EMAS or other standard for management systems, or has maintained its certification for a number of years you will (probably initially, but often eventually) hear your certification or recertification auditor (as the case may be) utter the words: "you need a legal register".
In making this finding or observation, your auditor will be referring to one of the sections of the management system standard.
In this post we'll call it "the requirement" and it reads something like this (this is a slightly edited version of a portion the OHSAS 18001 standard):
The organisation shall establish, implement and maintain in a procedure(s) for identifying and accessing the legal and other requirements that are applicable to it.
The organisation shall ensure that these applicable legal requirements and other requirements to which the organisation subscribes are taken into account in establishing, implementing and maintaining its management system.
The organisation shall keep this information up-to-date.
The organisation shall communicate relevant information on legal and other requirements to persons working under the control of the organisation, and other relevant interested parties.
Legal Registers - the Way the Requirement is Met
You'll notice that there is absolutely nothing in this wording that refers to a legal register. To date, legal registers have been the means by which organisations meet the requirement.
We typically find that customers who have maintained their management system certification for a number of years are required by auditors to meet the requirement in deeper and deeper ways.
This is to ensure that the organisation is continually improving in its management, which itself is one of the fundamental tenets of management system standards.
These "deeper and deeper" re-certification audit findings, are typically as follows:
For each line in your risk assessment you need to identify the applicable legal requirements
Your company wide legal register is not enough, you need to make it specific to each operation in question.
Many organisations have a central legal register, which is updated from time to time. The site specific legal registers are then manually updated every so often and the legal requirements to risk assessments are then updated manually. This manual updating of legal registers and risk assessments is then performed by already time poor managers of management systems.
New technology, New Methods, even new Standards, but...
A lot has changed since the initial management system standards where developed. As you are probably aware, many of the standards are being updated and replaced. There is a new ISO 9001 standard, a new ISO 14001 standard and a new ISO 45001 is on the cards. These are just some of the updates to standards.
These new standards are not the only areas where progress has been made. There have been astounding leaps in technology since the previous versions of the standards where released. In addition to this, there has been a fundamental shift in the way businesses consume software. Software has moved from being "on premises" to SaaS or cloud based. The technological advances and the move to SaaS has opened up a world of solutions that previously were not possible. These changes have allowed companies to save time on their legal compliance and management system functions and allow managers to focus on other important things.
However, the manner in which companies attempt to meet the standard seems not to take into advantage of these advances and manual methods to fulfil the deeper and deeper recertification findings abound.
It is possible to meet the deeper and deeper recertification requirement manually, in the same way that it is possible to reproduce the Bible through the work of a scribe! This only leads to time poor managers having to spend precious time resources, and immense cost to the organisation, to do something manually, that ought not to be.
LegalTech for Management Systems and Continual Improvement
Legal registers which are delivered in Microsoft Word, Microsoft Excel or online, in a Web 1.0 method, have severe limitations in their ability to deliver on the deeper and deeper recertification requirements. Using such legal registers will ultimately cost an organisation in wasted time, and human error.
Fortunately, LegalTech has advanced to such a degree (in terms of high functionality and competitive price) that it is now possible for any person, in any organisation, to know and understand the legal obligations faced for any given risk through using the LegalTech. It is delivered in a SaaS, cloud based method, allows a perfect fit "tailoring" of the precise legal requirement to any given organisation as well as precise integration with risk assessments. In this way the continual improvement that is required by various management system standards can be met with greater precision and accuracy than before, without placing a huge drain on an organisation's most precious resources, its people.
So when your auditor says you need a legal register. Send him/her this blog. There is a better way!