Have you ever heard promises like "making compliance easy", or "simplifying legal compliance"?
There are 3 vital keys to legal compliance.
- Knowing and understanding precisely what law needs to be complied with
- Implementing a system to manage the process of doing the necessary to comply
- Actually doing the necessary stuff to comply.
To get legal compliance right, one has to optimise all three legs of compliance, and the first two are super important and the focus of this blog.
Many excellent management system applications are available
A number of really excellent governance, risk and compliance ("GRC") software platforms are on the market today; most of the leading ones are profiled in the Verdantix Green Quadrant. These platforms help companies manage their EHS operational risk using international best practice.
Many organisations continue to use management systems built on files created in Excel and Word.
The domain of both GRC platforms and Excel and Word based management systems is the second vital leg of compliance: these systems (amongst other things) enable organisations to manage the process of doing what is necessary to comply with regulation.
Implementing a management system without knowing what specific regulatory requirements apply to a given operation is like building a road in the wrong direction. This is particularly true of the domains of environment, health and safety ("EHS"), where:
- the location of the operation in question, and
- the exact nature of the on site activities
determine which legal provisions apply, and which don't.
Using sophisticated GRC software without knowing the law is kind of like having the best and smoothest tarmac laid down for a journey, possibly in the wrong direction. The same is true for Excel and Word based management systems (the direction is still essential, it's just that the road may not be so smooth!)
Overcoming the problem of regulatory complexity
Organisations that choose to implement a management system aligned with an international standard are required by that standard to identify the "legal and other requirements" that apply to the operation which is to be certified. Examples of these standards are ISO 14001 for environment, or OHSAS 18001 (soon to be replaced by ISO 45001) for health and safety. This requirement to identify the "legal and other requirements" exists whether the organisation chooses to use a GRC platform or an Excel and Word based management system.
We've conducted some research and what we have found is that many organisations use a legal register for the sole purpose of "box ticking" this requirement present in these management system standards.
In other words, unless you have a legal register you won't obtain or retain your management system certification.
Typically, legal registers are delivered in two main ways: manually, using Excel or Word, or online through an external service provider. Such legal registers provide a list of all the regulations that apply to a specific operation or, in the case of company wide legal registers, a list of all regulations that apply to a number of different operations of the company.
It then becomes the job of the "compliance officer" or the EHS manager to figure out which regulations apply to which sites. And each time the law changes, the same "figuring out" has to take place again.
The problem with legal registers is that they tick a box, but are not genuinely useful.
To overcome the problem of regulatory complexity, a tool is needed which allows anyone to find the answer to the question, "what does the law require us to do in this situation?" Of course, the answer needs to be unique to the specific operation in question, and the up-to-date, specific legal obligations for any given task or risk need to be available on demand.
The problem with most legal registers is that after working through the list of law, reading the general summaries and starting to engage with them, one inevitably ends up asking, "so what does the law require of us here?" The answer lies with consultants, lawyers or other advisors, who must then be consulted to obtain the information you are after. The utility of the legal register itself is therefore, honestly, not much at all, but it does "tick the box" of the ISO standards.
No "list of law" legal register, no matter how well compiled and updated, and no matter how excellent its summaries of legislation, is able to provide the kind of precision that is required to be genuinely useful.
Linking operational risk to legal risk
If a legal register is able to identify the specific sections of law and codes of practice that apply to each and every risk identified in the aspects and impacts register, or in the hazard identification risk assessment at a specific operation, then and only then can operational risks be linked to legal risks in an efficient and cost effective manner.
Without the ability to link operational risk to legal risk it will be nearly impossible to manage the two together as an integrated whole. This is increasingly necessary as law is constantly changing, varies from jurisdiction to jurisdiction and penalties for non-compliance are really ramping up alarmingly.
Whether you manage your operational EHS risks out of an Excel based risk assessment or out of one of the GRC software platforms identified above, it is essential that you can link the precise legal obligations and associated liability with operational risks. Be sure to ask your legal register provider...
- (if you are using Excel for your risk assessments), whether they can link specific legal sections to each risk in a way that lets you see simply what the law requires you to do for each risk.
- (if you are using a GRC software platform), whether they offer a RESTful API that allows precise linking of the legal utility to the risk assessment, compliance and audit modules in your GRC platform.
In considering how you wish to meet the "legal and other requirements" clause of international management system standards, consider using a legal register provider that legitimately overcomes the problem of regulatory complexity, and can help you manage operational risk and legal risk as an integrated whole. Make sure you consider a legal register provider that is more than a list of law and useful summaries.