Staying on the right side of the law
One of the most common non-conformances to occur amongst companies pursuing certification to ISO 14001 and OHSAS 18001 is a failure to properly evaluate their compliance with 'legal and other requirements'. Rob Shepherd talks to NQA’s Samantha Johnson to find out why this is and how to avoid it happening.
ISO 14001 and OHSAS 18001 are the world’s leading environmental management and occupational health and safety management systems respectively, and certification to them is considered a key way to demonstrate that a company operates to the highest possible standards. Yet, even though it is a pillar of both certifications, all too often organisations fail to thoroughly evaluate their compliance with legal and other requirements, leading to non-conformances that could easily be avoided.
Cause and effect
It is worth making clear that certification to ISO 14001 and OHSAS 18001 alone is not a guarantee of legal compliance. It is an organisation’s responsibility to ensure that it periodically evaluates compliance with each and every applicable requirement and is fully aware of its status. However, certification should demonstrate that a body, such as NQA, has assessed and confirmed that the organisation has a demonstrably effective management system that affirms its commitments in this area.
Given the importance of legal compliance, why do so many organisations fail to evaluate it correctly? According to NQA’s Area Operations Manager, Samantha Johnson, the answer is not straightforward and she explains, ‘There are many reasons why a company can neglect to get its house in order in this respect. These include a failure to take the issue seriously enough, misunderstanding and ignorance about the legal framework that relates to its activities, a lack of detail in reporting and internal auditing, and not providing enough evidence for the Assessor to use to confirm an effective management system process.’
Moment of clarity
Organisations must establish, implement and maintain procedures for periodically evaluating compliance with applicable legal and other requirements. This involves selecting a competent person to carry out the evaluation, who must develop a method to ascertain the organisation’s compliance status. They should assess the extent to which the organisation meets the requirements, then review the findings and report them to senior management. This can be communicated through the Management Review, which seems to be an appropriate process for this.
‘Legal requirements comprise legislation, including Acts and Regulations, EU Regulations and Directives, permits, licenses, orders issued by regulators and planning permissions,’ explains Johnson. ‘What companies often find more difficult to decipher is what relates to the “other” part of the process. This can comprise elements such as non-regulatory guidance, codes of practice, contracts, requirements of customers, trade bodies and agreements with other stakeholders.’
This process is not something that can be carried out once and then forgotten about. Periodic evaluation is vital (frequency dependent upon risk and specific legal or operational needs/requirements) in order to ensure that the latest requirements are met and that any changes to the way a company operates are accounted for. Asked to provide an example, Johnson replies, ‘Perhaps the most obvious relates to, within the safety discipline, that of risk assessments. These are dynamic documents that evolve over time, meaning that there could be a need to carry out other additional actions in order to be fully legally compliant.’ In terms of an environmental example, sites operating under an Environmental Permit may need to carry out very regular inspections of the permitted area to ensure compliance with that Permit, sometimes even on a daily basis.
Environmental and health and safety laws provide a cornerstone for protecting the environment and the people in it from harm. Organisations have a legal and moral duty to comply and failure to do so can have very serious repercussions including operational, business continuity and reputational consequences, as well as sanctions including fines, imprisonment and disqualification.
Knowing the law and complying with it are two different things, and while updating a legal register is important, some companies simply fail to take the next step and evaluate it in terms of their own businesses. It is also vital to identify legal changes that are on the horizon and be prepared for when they come in, rather than taking a reactive approach to the issue.
Johnson comments, ‘Too many organisations look at legal compliance evaluation as an entirely separate entity from existing management system processes – something that I would advise avoiding by incorporating it into existing check mechanisms, for example into an inspection or internal audit regime. Completing it altogether means that things can be flagged up and more detail given as part of a continual evaluation process. Put simply, if it's integrated into the overall management system, the more efficient and effective it is likely to be.’
Organisations should also be aware of where an auditor’s responsibilities begin and end. While auditors are required to establish conformity of a management system to the requirements of ISO 14001 or OHSAS 18001, they are not required to make a direct evaluation of legal compliance or indeed conduct a compliance audit. However, an external auditor should be able to verify whether an organisation has established the required procedures to evaluate its own compliance by examining examples of specific legal compliance, looking for evidence of compliance and reviewing its evaluation process.
‘Auditors should be able to flag up any problems and give a good “shake of the tree”,’ comments Johnson. ‘An auditor can act as an invaluable pair of fresh eyes and if a client has missed something and they pick it up, the auditor should raise it appropriately to help avoid potential issues in the future. Ultimately, it's about teamwork and if an auditor can spot something and the company deals with it accordingly, it could avoid a catastrophe and prevent bodies such as the Environment Agency and Health & Safety Executive getting involved.’
Checks and balances
Properly evaluating legal and other compliance needn’t be a problem if the correct procedures are in place, comprising a comprehensive register, records of evaluations and findings that are correctly prioritised and addressed. NQA’s Samantha Johnson concludes, ‘As one of the most common reasons for non-conformances to ISO 14001 and OHSAS 18001, many of the issues regarding compliance could be avoided if the subject is given the time and consideration it deserves.’ In my opinion, this is one of the most important and valuable areas of both standards.