Have you ever heard promises like "making compliance easy" or "simplifying legal compliance"? Achieving legal compliance can be straightforward if you focus on three vital keys.
Understanding Legal Compliance: The Three Vital Keys
- Knowing and Understanding the Law: precisely identify which laws and regulations need to be followed.
- Implementing a Compliance Management System: use a robust system to manage compliance processes.
- Executing Compliance Tasks: ensure all necessary actions are taken to comply with the regulations.
To get legal compliance right, all three components must be in place. The first two are the most important and are the focus of this blog.
Harnessing the Power of Management Systems
There are a number of excellent Governance, Risk and Compliance (GRC) software platforms on the market today. Most of the leading GRC platforms are profiled in the Verdantix Green Quadrant. These platforms help companies manage their Environmental, Health and Safety (EHS) operational risk using international best practice.
Many organisations continue to use management systems based on files created in Excel and Word.
Both GRC platforms and Excel- and Word-based management systems occupy the second vital leg of compliance: they (amongst other things) enable organisations to manage the process of doing what is necessary to comply with regulation.
The Importance of Knowing the Law
Implementing a management system without knowing which specific regulatory requirements apply to a given operation is like building a road in the wrong direction. This is particularly true of the environment, health and safety (EHS) legal categories, where:
- the operation's location, and
- the exact nature of the onsite business activities
determine which legal provisions apply.
Using advanced GRC software without knowing the law is like laying the best and smoothest tarmac for a journey that may be heading in the wrong direction. The same is true for Excel- and Word-based management systems: the direction is still essential, it's just that the road may not be so smooth.
Overcoming regulatory complexity
Organisations that implement a management system aligned with an international standard are required by that standard to identify the "legal and other requirements" that apply to the operation being certified. Examples of such standards are ISO 14001 for environment and ISO 45001 for health and safety. This requirement exists whether the organisation uses a GRC platform or an Excel- and Word-based management system.
Our research has found that many organisations use a legal register for the sole purpose of "box ticking" this requirement in the management system standards.
Put bluntly: unless you have a legal register you won't obtain or retain your management system certification.
Legal Registers: A Compliance Tool
Typically legal registers are delivered in one of two ways: manually, using Excel or Word, or online by an external service provider. Such legal registers list all the regulations that apply to a specific operation or, in the case of company-wide legal registers, all regulations that apply to a number of the company's operations.
It then becomes the job of the compliance officer or the EHS manager to figure out which regulations apply to which sites. And when the law changes, the same "figuring out" has to take place.
The problem with legal registers is that they tick a box, but are not genuinely useful.
To overcome regulatory complexity, you need a tool that allows anyone to answer the question, "what does the law require us to do in this situation?" The answer must be specific to the operation in question (a custom legal register) and must make the up-to-date, specific legal obligations for any given task or risk available on demand.
The Problem with Legal Registers
The problem with most legal registers is that after working through the list of law, reading the general summaries and starting to engage with them, one inevitably ends up asking, "so what does the law require of us here?" The answer lies with consultants, lawyers or other advisors, who must then be engaged to obtain it. The practical utility of such a legal register is therefore limited, but it does "tick the box" for ISO standards.
No "list of law" legal register, no matter how well compiled and updated, and no matter how excellent its summaries of legislation, is able to provide the kind of precision that is required to be genuinely useful.
Linking operational risk to legal risk
If a legal register can identify the specific sections of law and codes of practice that apply to each risk identified in the aspects and impacts register, or in the hazard identification and risk assessment for a specific operation, then and only then can operational risks be linked to legal risks efficiently and cost-effectively.
Without the ability to link operational risk to legal risk it is nearly impossible to manage the two as an integrated whole. This is increasingly necessary as the law is constantly changing, varies from jurisdiction to jurisdiction, and penalties for non-compliance continue to rise.
Whether you manage your operational EHS risks out of an Excel-based risk assessment or out of one of the GRC software platforms identified above, it is essential that you can link the precise legal obligations and associated liability to your operational risks. Be sure to ask your legal register provider:
- if you are using Excel for your risk assessments, whether they can link specific legal sections to each risk in a way that tells you simply what the law requires you to do for that risk;
- if you are using a GRC software platform, whether they offer a RESTful API that allows the legal content to be linked precisely to the risk assessment, compliance and audit modules in your GRC platform.
Choosing the Right Legal Register Provider
In considering how you wish to meet the "legal and other requirements" clause of the international management system standards, choose a legal register provider that genuinely overcomes the problem of regulatory complexity and can help you manage operational risk and legal risk as an integrated whole.
Make sure you consider a legal register provider that is more than just a list of law and useful summaries.