Compliance Obligations

Pretty much all of the standards that we certify against have requirements related to ‘compliance obligations’. In other words, you’re expected to demonstrate that what you do and what you sell is all legal, as a minimum, and meets any other requirements that are expected.

Which is not to say that the external auditor is going to check every facet of your organisation with a view to calling the police if something is amiss. While you should of course be doing right by employees, paying taxes and generally operating responsibly, what we’re interested in is whether you comply with the requirements that are relevant to the standard and to your organisation.

So, if we’re looking at quality, what are the legal requirements or industry norms that your customers might expect? Maybe your employees need to have registered qualifications, or your jobs have to carry an official marking. If it’s health and safety, there will be general requirements such as the Health and Safety at Work Act, and others that depend on your risks, like the equipment you use or where work takes place. Similarly, for environment, almost everyone will have to deal with Waste Duty of Care but you may have other considerations depending on what you do and what is on your site. Some requirements apply to all organisations and other may be specific to, say, construction, or railways, or work on highways.

It’s the health and safety (ISO45001) and environmental (ISO14001) management system standards that have the most stringent requirements to manage compliance obligations. But the rigour they demand can be viewed as good practice for all. So, what do they require?

There’s a lot of detail in the standards but it can be summarised into three parts. Firstly, identify what applies to your organisation. To do this you’re expected to have access to reliable sources of information about what the obligations demand, and to know when there are any updates or changes. This could be through Government websites, trade organisations, subscription services or professional bodies. Or you could be leaning on a consultant for support.

Then, it’s important to interpret what the compliance obligations mean specifically to your organisation. Some requirements will apply to everyone, whereas others will depend on the number of employees, or turnover or the volume of stuff being handled. It may be that you can justify why you don’t need to comply, or at least not yet. But, if you do need to ensure compliance, how exactly are you doing that? What processes, resources, training have been put in place? Who has responsibility for compliance?

Finally, how do you know that you are complying in practice? It’s never safe to assume, so what checks are in place to ensure that what should be happening actually is happening? This might need a periodic review of compliance obligations, or some checks built into internal audit, or perhaps utilising other methods such as frequent housekeeping inspections.

To pull all this together into a useful resource and help demonstrate effective compliance management, it’s common to have a ‘compliance register’ or similar document in place. But, as is often the case, exactly how you fulfil the requirements of the standards is up to you.