Greetings reader! Thanks for joining us for the fourth volume of the 12 Best Practices of Compliance Solutions Series.
In this series, we address twelve of the key challenges you face, one-by-one, with best practice advice derived from over a quarter of a century of support to global industry!
Volume 1 addressed staffing challenges.
Volume 2 addressed getting leadership commitment.
Volume 3 addressed the impact of acquisitions/mergers and divestitures/de-mergers.
In this volume, we examine the challenge of finding the right balance between a Management System (or “legal register”) approach, and a Compliance Auditing approach to managing EHS compliance globally.
The “traditional” approach to EHS regulatory compliance assurance has typically followed one of two paths: companies have adopted either a Management System approach or a Compliance Auditing approach. It is quite common to find both approaches in use within the same company across its regional and global locations. Neither approach, on its own, provides a continuous view of your compliance status.
What do we mean by each of these approaches?
- Management System: This involves the implementation of an environmental and/or health and safety management system, often based on ISO 14001 or ISO 45001 (or OHSAS 18001 until 2021). The management system may cover individual sites, multiple sites within a country or region, or even all of a company’s facilities worldwide. From the legal compliance perspective, this approach typically involves the maintenance of site-level “legal registers”, with only rudimentary checking by external consultants or management system certifiers. This is the approach we have typically seen in Europe and Asia.
- Compliance Auditing: Traditionally, this has been the approach taken by North American companies. They will typically have audit teams visit sites around the world on a periodic basis to assess compliance against local laws, using internal, external, local or corporate resources. Sites usually prepare by conducting some form of self-assessment prior to an audit. Post-audit, site EHS managers are then required to rectify the audit findings within a prescribed period of time.
Both approaches have a number of weaknesses:
- Many legal registers that we come across are not fit for their purpose. To clarify that purpose, it is important to remind ourselves of what ISO 14001 and ISO 45001 actually require in terms of managing legal compliance. First of all, neither standard uses the phrase “legal register.” Instead, the standards require you to have a process in place to determine which laws (and which of their specific requirements) apply to your organization, and to keep that determination current. EHS managers must also maintain knowledge and understanding of their compliance status, and retain documented information demonstrating this. This distinction matters for organizations currently certified to OHSAS 18001 (which will need to switch over to ISO 45001 within the next two and a half years), but it is also central to defining what a “legal register” should be, and what it should do.
- In the worst-case scenario, “legal registers” are neither consulted nor updated sufficiently; they become a simple tick-box exercise to satisfy certifying auditors. Some registers are made available online by external service providers, but these are often only country-specific. There is no consistent, standardized and measurable approach across the whole company.
- Legal registers can be inconsistent, with too much emphasis on awareness and not enough emphasis on specific compliance obligations.
- Audits tend to just provide a snapshot in time; they don’t necessarily reflect day-to-day realities.
- Auditing programs are resource-heavy: teams travel the world, and sites are often visited every year or every other year. Local sites also have to invest in their own compliance efforts. External auditing consultants, who are expensive and may not understand the site’s processes, are also frequently involved.
- Sites have many other aspects of EHS to manage and getting bogged down in audit paperwork or updating legal registers can become inefficient and time wasting.
- There can be language or cultural barriers to auditing effectively.
- External auditors may intimidate site personnel. Site personnel may fear the results of the audit; auditors may not get a complete and accurate picture of the site, thereby rendering the audit process less effective.
- The audit tools used across sites can vary greatly in terms of quality, accuracy and consistency, which can lead to skewed numbers in terms of compliance findings and results.
- The need for different audit teams with local expertise and language skills means it can be incredibly difficult to get a consistent, reliable picture of compliance across sites.
The best practice example that we see more and more with our clients, and one that is actually advocated by the ISO EHS Management System Standards, is an approach that combines the best elements of both the aforementioned approaches.
The best practice is to adopt a global approach that allows Ongoing Compliance Management. This involves the creation of living “compliance registers” for each of your sites around the world. These fulfill a dual purpose: making the company aware of which laws apply to it, and making it possible to assess, record and verify compliance status continuously, not only when an audit is scheduled.
This approach brings many benefits. One of the key benefits is that the global aspect fosters a corporate-wide strategy and approach to managing EHS and seeks to embed those values deep into the culture of the organization—across all locations.
It will cost your company a lot less if you use one tool globally both to establish local site-level registers of applicable laws and requirements AND to audit compliance through the same standardized global solution. With a standardized global approach you will be killing two birds with one stone.
More specifically, best practice programs will have the following elements of the aforementioned different approaches:
- An ongoing compliance management program should start with a tool or service that provides standardized regulatory compliance information that can be completed online.
- A crucial starting point is to establish which EHS laws are applicable to specific sites in specific countries. Knowing what does not apply can be just as important, as you don’t want sites wasting time on requirements that don’t apply to them. Best-in-class companies use some form of applicability screening assessment that allows irrelevant laws to be filtered out en masse, based on a clear and simple set of questions.
- Once an applicability assessment has been undertaken, an initial assessment or gap analysis of where sites stand in terms of compliance with local laws is typically carried out. This can be done as a self-assessment, or as an internal (2nd party) or external (3rd party) review or audit. Best practice is to prioritize higher-risk sites.
- The results of any initial applicability screenings and compliance assessments should be recorded as part of your compliance register. Best practice is to do this within some form of software application that provides a dashboard view of compliance at site, regional and global levels. This also makes follow-up and review of previous audit findings very quick.
- Changes in regulation should be highlighted and explained, enabling review of what is applicable (or not applicable) in case of new or changed legislation, a change in processes or a change of on-site equipment.
- Follow-up or verification audits/assessments of compliance can be undertaken based on compliance risk, taking into account factors such as a major regulatory change, previous compliance performance or site responsiveness. Any audit program can be much more streamlined, and therefore cost-efficient, if it is based on the ongoing compliance management approach. For example, well-performing sites may only need an outside audit once every three years rather than annually.
- Best-in-class companies will also have a service to keep them aware of proposed policy and regulation on the horizon, helping them stay ahead of the curve and proactively tackle issues, potentially creating business opportunities.
- Make sure that the compliance approach you take facilitates the provision of regulatory information in English and local language, enabling site uptake and corporate overview. In addition, using the same approach throughout your company’s locations means that internal EHS discussions will revolve around tools and approaches that everyone is aware of; everyone will speak the same EHS compliance language.
- It is important to make use of a service that provides a standardized data structure in terms of EHS compliance, which enables data analysis, collaboration between sites and a corporate/global view from the top.
- Depending on the maturity of your EHS program, it can be hugely beneficial, in terms of both efficiency and effectiveness, to roll out your ongoing compliance management program within an enterprise-wide EHS software solution, bringing the various aspects of EHS together in one unified management system. Providers of enterprise-wide EHS software platforms typically offer a range of modules for managing the different elements of EHS.
- Place compliance in the hands of local/regional staff with clear information and tools that enable you to supervise and review more from afar. Ownership encourages responsibility, engagement and understanding.
Taking the best elements of both approaches is clearly a best practice, meeting the needs of management system auditors as well as corporate EHS managers and auditors. It makes a lot of sense financially, and in terms of effectiveness and efficiency, to use a Compliance Dashboard covering all your sites globally. The Compliance Dashboard should serve a dual purpose, used by site staff as well as by regional and/or corporate EHS. This strategy will give you an ongoing view, knowledge and understanding of your compliance status.