ISO 9001:2015 legal requirements play a massive part in quality management
Many people are surprised to find out what a large part knowing and complying with applicable statutory and legal requirements plays in an ISO 9001:2015 aligned quality management system. The requirement to deal adequately with statutory and regulatory requirements, also referred to as legal requirements, occurs no less than thirteen times in the different parts of the ISO 9001:2015 standard.
A reading of ISO 9001:2015 shows that the requirement to manage legal requirements well is on par with the standard's focus on customer satisfaction.
This stands to reason; they are both core drivers of quality and business success. In addition to this, top management is required to lead the charge.
To date, many companies have sought to meet the legal requirements of the quality management system standard in siloed, manual methods. This is understandable, but not in line with the standard at all. We'll get to this later, but let's have a look at the different places where legal requirements are required in ISO 9001:2015.
Some of the many references to legal requirements in ISO 9001:2015
Please feel free to skim through this section very quickly. These are quotes from the ISO 9001:2015 standard for quality management systems dealing with statutory and regulatory requirements (legal requirements). The point is that understanding and keeping track of the changing legal requirements faced by the different parts of an organisation is of paramount importance in managing quality, implementing an ISO 9001 aligned management system, and obtaining ISO 9001 certification.
We've kindly summarised all of these requirements at the end of this section. Skip there now if you'd like to.
The introduction states:
"The potential benefits to an organisation of implementing a quality management system based on this International Standard are: a) the ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements;"
In the scope, the requirements are summarised as applying when an organization:
"a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and
b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements."
In part 4, the part which sets out the requirement to understand the context in which an organisation operates, the standard has this to say about legal requirements:
"The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system." (emphasis mine).
"The organization shall monitor and review information about these external and internal issues." (emphasis mine).
"...Understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local." (emphasis mine).
In part 5.1.2 the concept of customer focus is dealt with. Here there is an obligation on top management to lead well by managing the legal requirements of their organisation well.
"Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that: a) customer and applicable statutory and regulatory requirements are determined, understood and consistently met;" (emphasis mine).
Part 8 sets the standard for determining and reviewing the requirements for products and services including design and development inputs. Not surprisingly statutory and regulatory requirements come up yet again:
"When determining the requirements for the products and services to be offered to customers, the organization shall ensure that: a) the requirements for the products and services are defined, including: 1) any applicable statutory and regulatory requirements;" (emphasis mine).
"The organization shall conduct a review before committing to supply products and services to a customer, to include: d) statutory and regulatory requirements applicable to the products and services;" (emphasis mine).
"The organization shall determine the requirements essential for the specific types of products and services to be designed and developed. The organization shall consider: c) statutory and regulatory requirements;" (emphasis mine).
When dealing with the supply of products and services by third parties or external service providers, the legal requirements of the international standard crop up yet again.
"The organization shall ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers. The organization shall: c) take into consideration: 1) the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;" (emphasis mine).
And lastly, the standard subjects an organisation's post-delivery activities to the rule of applicable legal requirements.
"The organization shall meet requirements for post-delivery activities associated with the products and services. In determining the extent of post-delivery activities that are required, the organization shall consider: a) statutory and regulatory requirements;" (emphasis mine).
The promised ISO 9001:2015 legal requirements summary
To sum up, the international quality management system standard places requirements on organisations relating to their legal requirements as follows:
- Introduction and scope: Meeting applicable statutory and regulatory requirements benefits an organisation.
- Scope: Assuring conformity to applicable statutory and legal requirements enhances customer satisfaction.
- Part 4: Context: Organisations are required to understand the contexts in which they operate and are obliged to monitor and review the issues which affect the contexts including legal environments whether international, national, regional or local.
- Part 5: Customer Focus: Top management is obliged to ensure that applicable statutory and regulatory requirements are determined, understood and consistently met and in this way demonstrate leadership and commitment to customer focus.
- Part 8.2: Requirements for Products and Services. Organisations are required to determine and review the requirements for products and services, including design and development inputs. Here the requirement of the standard is limited to the legal requirements which affect the products and services. The obligation is to determine and review such statutory and regulatory requirements.
- Part 8.4: Control of externally provided processes, products and services. Organisations are required to manage suppliers in conformance with applicable legal requirements.
Top management to lead the charge
Part 5 sets out the leadership required of, and the commitments incumbent upon, top management when managing for quality in terms of the standard. Of course these obligations include the leadership and commitments necessary to manage legal understanding and compliance in terms of the requirements of the standard. The relevant portions are as follows:
"Top management shall demonstrate leadership and commitment with respect to the quality management system by:
a) taking accountability for the effectiveness of the quality management system;
b) ensuring that the quality policy and quality objectives are established for the quality management system and are compatible with the context and strategic direction of the organization;
c) ensuring the integration of the quality management system requirements into the organization’s business processes;
d) promoting the use of the process approach and risk-based thinking;
e) ensuring that the resources needed for the quality management system are available;" (emphasis mine).
Reading the legal requirements of ISO 9001:2015 together with the requirements placed on top management does become a little complex. Each aspect of the ISO 9001:2015 legal requirements (such as ensuring that the local legal context of the organisation is understood, for one) is the responsibility of top management, and these responsibilities must be handled in terms of ISO 9001:2015. So, to continue this single example, the questions top management must answer in relation to understanding the local legal context are:
- is top management assuming accountability for it or delegating it?
- has top management ensured that this requirement is part and parcel of the quality policy and quality objectives?
- is the requirement integrated into business processes?
- are risk-based thinking and the process approach employed?
- and importantly, has this requirement been adequately resourced?
These questions must be asked for each and every one of the ISO 9001:2015 requirements for statutory and regulatory requirements. The best way to do so is to create a table (when in doubt, create a table).
This is a great checklist (or rather check-table). Each member of a senior management team should regularly run through this checklist in order to ensure that all the blocks are answered "yes", or that processes are being followed in order to ensure that each block will be answered yes soon.
As you can see, there are a lot of things that top management must have in place to manage their organisation's statutory and regulatory requirements and a simple visualisation of these requirements can help one see the wood for the trees.
A need to move on from a siloed and manual approach
Some requirements are very difficult, if not impossible, to meet without moving away from a siloed and manual approach toward an integrated and automated approach to legal compliance management.
However, the manner in which most organisations have sought to manage their legal obligations is siloed and manual.
In many companies different siloed departments or individuals handle different domains of legal compliance. A few examples are as follows:
| Type of regulation | Legal compliance often managed by |
|---|---|
| | Finance team or legal team |
| Corporate governance including reporting | Finance team, legal team, company secretary, reporting team |
| | Finance / tax team |
| Competition / anti-trust | |
| Employment / labour | |
| | Environmental manager or EHS manager |
| Health & safety | Health & safety manager or EHS manager |
| | Environmental or EHS manager |
| Data protection / Information security | |
| | Legal team / IP team |
| Property and facilities management | Property & facilities management |
| Consumer protection / product liability | Legal team / product managers |
| Ethics and corruption | |
Clearly this is an incomplete and debatable list of regulations and assignment of responsibilities. Also, many domains of industry-specific regulation have been deliberately omitted. Nevertheless, every company has different individuals or departments responsible for different legal domains. There may be even more silos among different countries and among different operations.
One may think of silos as vertical in nature: silos among domains. Silos may also be horizontal in nature: silos among levels within a domain. For example, in the management of confidential customer data the CTO or CDO may be in a silo higher up from those lower in the organisation who are actually responsible, on a day-to-day basis, for keeping in step with the law. Those who run digital advertising campaigns, and who process and use confidential customer data to do so, could possibly breach a law in a way that would affect the whole company and which is the responsibility of the CTO. Another example of a horizontal silo could be the domain of environment. Say an engineer is responsible for maintaining the integrity of a pollution control dam in conformance with local legislation. If he is in a horizontal silo, there is a good chance that a legal obligation he is under (which the environmental manager may or may not know about) would not have reached him adequately or in a systematised manner. If the law is breached by an employee in a lower silo, it is still a breach by the company.
Not all silos are created equal. But all silos have the same problems. They are (in no particular order):
- Complex regulatory domains are often managed by those who lack the legal expertise or time to get to the bottom of what the law requires of them in any given situation. For example, environmental managers are responsible for environmental legal obligations, the breach of which could impose fines in the millions on companies.
- On the other hand, legal teams often hold the knowledge of what the law requires, but those actually responsible for the actions that may transgress the law do not have the same knowledge.
- The processes employed by different silos to keep track of law are often undertaken and communicated in a manual manner. It is not automated.
- Efforts to disseminate legal obligation awareness are often manual, inefficient and prone to human error and the broken telephone effect.
- Departments, teams and individuals who should be acting in concert as part of an automated system are not, and so forgo many opportunities.
- Risk created by changes of regulation in one silo is not integrated holistically with the associated operational risk that gives rise to the liability. Thus operational risk and legal risk are not holistically managed.
- One silo does not know what the other silos are doing (whether badly or well).
- Lack of integration and synergy between silos.
- Law is actually not siloed, e.g. environmental reporting requirements in the Companies Act.
- There is no integrated view of a company's legal obligations.
- There is no one place that anyone in an organisation can go to know the law and the legal updates that affect them, simply and without taking a lot of time to find the obligations that affect them in their moment of enquiry. It's like drinking from a fire hydrant: a flood of legal changes.
Governance, risk & compliance software is excellent, but not enough.
There is no magic wand when it comes to the integration of legal silos, both horizontal and vertical. However, there have been huge advances in governance, risk and compliance technology. There is no end to the number of excellent GRC software vendors on the market today. Most of these platforms have excellent modules for monitoring and reporting legal compliance. Where GRC software falls short is that these solutions lack the legal information needed so that one knows what to do by law. One cannot manage legal compliance against an empty checklist. Yes, the GRC software will provide for the integration of vertical silos once legal information has been added into the compliance checklists. However, when it comes to including all and only the relevant legal obligations faced by any given employee, no matter their level or domain, GRC software solutions do fall short.
This means that legal requirement information is still generated expensively, manually and inefficiently, usually by:
- lawyers who usually have other, more pressing transactional work to attend to
- external lawyers or consultants
- employees who do not have the time or expertise to conduct ongoing legal research
- legal content vendors who typically cover a limited number of legal domains, usually EHS legal register providers.
In the latter two instances the cost incurred is not so much a financial one. The cost is one that no company can afford. It is the cost of legal inaccuracy that often results from employees who do not have legal training or who do not have time to conduct legal research being responsible for understanding and monitoring legal requirements.
Either way, using the latest GRC software while still conducting legal research manually (whether accurately or not) and in silos will fall short of the requirements placed on top management by the standard.
The check-table has been colour coded in red for the ISO 9001:2015 requirements which are impossible for top management to comply with without an integrated legal platform which provides context specific legal obligations and updates to all employees over all departments, teams and levels who need to know what the law requires of them.
The blocks in orange are those that are not impossible to fulfil, but are difficult, and tempting for top management not to fulfil, without subscribing to such an integrated legal platform. Significantly, if such a platform is not used, the cost of meeting the ISO 9001:2015 obligations on top management will be very high because legal resources, whether in house or not, are very expensive. The cost of managing legal obligation awareness across many domains, employees, and usually many different operations and legal jurisdictions, is vast, complex and manually intractable.
Legaltech enables integration and automation
So, in conclusion, the missing piece of the ISO 9001:2015 puzzle is the ability to get legal requirements, in a user-friendly format, into an organisation's GRC software in a context-specific and automated manner, without relying on expensive manual methods carried out by siloed departments with varying levels of expertise and time.
The Libryo Platform enables any person (in any department or level), in any organisation to understand the legal obligations they face in any situation, at the touch of a button. It is the missing piece of the ISO 9001:2015 puzzle.
Quotations of the ISO 9001:2015 international standard for quality management system are the copyright of ISO, the International Organisation for Standardisation.