ISO 14001:2015 Clause 6.1.3 Compliance obligations

Compliance Obligations – Definition

ISO 14001:2015 defines compliance obligations as “legal requirements that an organization has to comply with and other requirements that an organization has to or chooses to comply with”. In the note, it further states: “Compliance obligations can arise from mandatory requirements, such as applicable laws and regulations, or voluntary commitments, such as organizational and industry standards, contractual relationships, codes of practice and agreements with community groups or non-governmental organizations.”

6.1.3 Compliance obligations

The organization should determine and have access to the compliance obligations related to its environmental aspects. The organization must also determine how these compliance obligations apply to the organization. The organization must take these compliance obligations into account when establishing, implementing, maintaining, and continually improving its environmental management system. The organization must maintain documented information about its compliance obligations. Compliance obligations can result in risks and opportunities for the organization.

As per Annex A (Guidance on the use of ISO 14001:2015 standard) of ISO 14001:2015 standard it further explains:

The organization determines, at a sufficiently detailed level, the compliance obligations it identified in 4.2 that are applicable to its environmental aspects, and how they apply to the organization. Compliance obligations include legal requirements that an organization has to comply with and other requirements that the organization has to or chooses to comply with. Mandatory legal requirements related to an organization’s environmental aspects can include, if applicable:

a) requirements from governmental entities or other relevant authorities;
b) international, national and local laws and regulations;
c) requirements specified in permits, licenses, or other forms of authorization;
d) orders, rules, or guidance from regulatory agencies;
e) judgments of courts or administrative tribunals.

Compliance obligations also include other interested party requirements related to its environmental management system which the organization has to or chooses to adopt. These can include, if applicable:

  • agreements with community groups or non-governmental organizations;
  • agreements with public authorities or customers;
  • organizational requirements;
  • voluntary principles or codes of practice;
  • voluntary labelling or environmental commitments;
  • obligations arising under contractual arrangements with the organization;
  • relevant organizational or industry standards.


Compliance obligations may be mandatory (e.g. Acts and Regulations) or voluntary (e.g. contractual relationships, codes of practice and agreements, and even expectations of third parties). Voluntary undertakings become compliance obligations once an organization decides to adopt them. The revised standard requires the organization to take a high-level look at its “compliance obligations”, which include both regulatory requirements and voluntary commitments (for example to industry standards, contracts, and agreements with communities or NGOs). The organization must determine the risks and opportunities associated with compliance obligations. These could be the scale of penalties resulting from non-conformance, the benefits accruing from meeting commitments, or the risk of the EMS failing to maintain compliance. The organization must plan actions to address compliance obligations and integrate these actions into the EMS or other business processes. It must determine the competence requirements needed to meet compliance obligations and ensure these are satisfied. It must ensure that awareness-raising and communication programs take account of compliance obligations. It must maintain processes for evaluating fulfillment of compliance obligations, determine how often to evaluate and what action to take after evaluation, and maintain knowledge and understanding of its compliance status; the management review should consider trends in the fulfillment of compliance obligations.

ISO 14001:2015 requires organizations to develop an understanding of their compliance obligations, both regulatory and voluntary. There is more emphasis on understanding the expectations of stakeholders and determining those that should be addressed. These could range from commitments to investors or customers about carbon emissions, to applicable industry performance standards, local community agreements, and any other commitments made by the organization. ISO 14001:2015 requires more rigor in identifying risks associated with non-compliance, at strategic and operational levels, and in establishing means of control. A fundamental change is being able to demonstrate compliance status. This is not a one-off exercise, but a process that provides almost real-time knowledge and understanding of how the organization is performing with regard to regulatory compliance and voluntary commitments. Many organizations, especially those subject to detailed regulatory scrutiny, may already have reliable and ongoing mechanisms for checking compliance, ranging from continuous emissions monitoring to daily housekeeping checks and weekly or monthly reviews of performance against improvement targets aimed at delivering conformance to compliance obligations. Organizations meeting the new compliance requirements of ISO 14001:2015 are probably in a far better position to understand their compliance risks and to reap the benefits of being able to demonstrate to stakeholders that they are fulfilling their commitments to environmental sustainability.

Elements of meeting requirements of Compliance obligation:

  1. Commitment to compliance
  2. Determining compliance obligations
  3. Translating requirements of compliance obligations into impact on the organization
  4. Ensuring that organizational and technical measures are taken in order to comply with the requirements
  5. Self-assessing Compliance
  6. Internal Audit
  7. Management review of Compliance

1. Commitment to compliance

The organization’s top management must lay down its commitment to fulfilling its compliance obligations. In practice, this is done by including a statement in a ‘policy declaration’ signed by top management, in which other policy principles (such as the commitment to improving performance) are also laid down. More important than the written statement is the way that this commitment is communicated within the organization by its top management. It is essential that fulfilling compliance obligations is part of the organization’s internal culture. Simply putting a statement down on paper is not enough to bring this about; regular communication about the importance of compliance is part of this commitment. It is important that the culture allows for open communication about compliance, and that employees are encouraged to come forward promptly to discuss any problems with compliance. Clause 7.3 Awareness is also relevant in this regard, since it sets requirements for creating awareness of compliance with the environmental policy, and of the implications for the organization of not fulfilling its compliance obligations, among the organization’s employees as well as third parties such as temporary workers.

Employee awareness and involvement can be encouraged by:

  • Oral and written communication from top management reiterating the importance of compliance, and the progress made in this area.
  • Making this a regular agenda item in meetings.

2. Determining Compliance Obligations

The organization must determine and have access to the compliance obligations related to its environmental aspects. It must determine how these compliance obligations apply to the organization. It must take these compliance obligations into account when establishing, implementing, maintaining, and continually improving its environmental management system. A compliance obligation can be a voluntary commitment based on a determination of relevant interested parties and their relevant requirements. Voluntary commitments become obligatory once adopted. The organization must evaluate compliance at predetermined frequencies and take necessary action to address actual or potential non-compliance. It must maintain knowledge and understanding of its compliance status. In addition to periodic audits, such as site inspections/observations and reviews of records, the organization must also compare monitoring results against regulatory requirements.

The organization must identify the legislation and regulations that apply to it, meaning those that relate to the organization’s environmental aspects. On the basis of the organization’s process steps, operations and present facilities, an evaluation is made of which legislation and regulations may apply. Sometimes legislation and regulations only apply if a particular limit or threshold is exceeded, for example the presence of certain quantities of certain substances. It is then important:

  • to document why the legislation and regulations in question are applicable (or not);
  • in the case of ‘critical limits’, to ensure that limits are not exceeded, or if they are exceeded, that timely action is taken.

It must be realized that some legislation and regulations will be more clearly applicable and some less so. An organization must also intend to be familiar with, and to comply with, less obvious legislation and regulations; the organization can fairly be expected to be familiar with all the applicable legislation and regulations. The overview of legal requirements must be kept up to date, including when legislation changes. Organizations must, therefore, keep track of these changes and evaluate how they may affect areas such as operational control, measuring and monitoring, and any objectives. The matters to be laid down in a process are:

  • who keeps track of changes in requirements of compliance obligations;
  • what sources of information are used;
  • how often this is done;
  • who translates this information into requirements for the organization, and how;
  • how this is recorded;
  • how changes are communicated internally;
  • who determines how, and how often, compliance with the requirements is checked.

It is important that the person responsible for keeping track of and evaluating compliance obligations (legislation and regulations requirements as well as other related requirements) is also competent to do so. Competence includes knowledge of:

  • the processes in the organization related to legislation and regulations requirements and other requirements;
  • the main thrust of the various kinds of legislation and regulations that can apply.

Often there are several officials/departments in an organization who play a part in this process, such as HRM for health-related legislation, Technical Services for inspection requirements and relevant technical standards, a QES department for general legal changes, and possibly a legal/accounting department for insurance conditions, etc. Good working relationships and laying down who does what can make these things clearer. With regard to keeping track of changes in requirements of Compliance obligations, there must also be a regular check to see if the applicable requirements still fit the environment and the company’s operations. New or different requirements may apply due to changes in, or of, operations. There may also be requirements that no longer apply. If desired, evaluating the implications of legislation and regulations on new operations or changes can be a part of a Management of Change Process.

3. Translating requirements of compliance obligations into impact on the organization

Once an organization is aware of its compliance obligations, it will be necessary to ‘unravel’ them to find the specific requirements that affect it. An organization can only make a pronouncement about its own compliance if these requirements are made explicit. This is a time-consuming (albeit one-time) operation, especially for organizations subject to many laws and regulations. Ultimately, however, it has great added value. It must be clear how these Compliance obligations impact the organization, for example:

  • impact of legislation and regulations on the organization;
  • technical provisions that must be made;
  • organizational measures required;
  • emissions that must be kept below certain levels;
  • studies that must be done;
  • notifications that must be made;
  • obligatory monitoring, and monitoring reports.

Besides determining its compliance obligations, an organization must identify and evaluate its environmental aspects. The organization’s operations/processes will dictate the line of approach. Making this identification usually shows a connection between the applicable compliance obligation requirement and the personnel responsible. The organization can opt to combine the translating of all the legal requirements into their impacts on the organization with the identifying of its environmental aspects. If it does so, it is important to ensure that all legislation and regulations have been adequately incorporated. Ultimately, the responsibilities and tasks with regard to such things as legal and other requirements come together in the job descriptions, procedures, and/or operational instructions. When identifying both environmental aspects and legislation and regulations, items in specific job or task descriptions or procedures/operational instructions can be numbered and cross-referenced.

4. Ensuring that organizational and technical measures are taken in order to comply with the requirements

Once the organization knows which requirements apply, it determines how each requirement will impact it and what measures and actions are necessary to comply with the requirements. If a requirement has not yet been met, an action must be defined in the organization’s environmental program to achieve compliance with it (this program may be annually updated). It may be necessary to notify and confer with the competent authority to define this action. The next step is to ensure that these measures and actions are actually taken. Doing so properly guarantees that the requirement is met even in between compliance checks. The method of ensuring compliance depends on the type of requirement for the organization. There are roughly four types of requirements:

  • ‘Static’ requirements: requirements for parts of the organization that do not change often, such as requirements for a building (fire-proof doors, presence of a sprinkler system, etc.).
  • Technical requirements: requirements for technical measures and maintenance.
  • Performance and monitoring requirements: requirements that entail taking measurements (of concentrations, annual obligations or amounts), keeping records or drawing up reports (including reports, measurements and studies by third parties).
  • Organizational requirements: for matters such as training and instructing personnel.

Other methods for guaranteeing compliance include:

  • a checklist which is gone through at defined intervals;
  • frequent measuring, recording and reporting (these can be kept up to date in a register or overview of measurements, records, and reports);
  • laying down the method in procedures or instructions which are ensured by means of internal audits;
  • translating requirements into action linked to officers and recording these actions once carried out.

The severity of these measures is proportional to the risk of nonconformities: the degree of guarantee must increase as the risks increase. The risk has often already been determined in the identification and evaluation phase. The management system can include an overview, per element, of how compliance was ensured. If there are changes to legislation and regulations, it will then be easy to find which parts of the management system must be adapted.

5. Self-assessing Compliance

The essence of this element is that an organization must be able to say with conviction that it has its compliance obligations, including legislation and regulations, under control. It is difficult to guarantee that all legislation and regulations are being complied with at every moment; round-the-clock monitoring of all the requirements is impossible. A focused approach should enable the organization’s management to have confidence that there is a high level of compliance and that any nonconformities are resolved (where necessary, in consultation with the competent authorities). Assuming that the organization knows which requirements of its compliance obligations, including legislation and regulations, apply, and has translated those requirements into their impacts on it, it can get a structured idea of its own compliance by taking the following steps. This means that there is an established process for this self-evaluation.

1. The approach depends on the number of requirements

If the number of requirements of Compliance obligations is limited, a checklist can be used for a periodic check that the requirements are being met. The management system can designate who fills out the checklist and at what intervals, how the results are reported to management, and how the rectification of nonconformities is ensured. If the number of requirements is greater, it is a good idea to establish principles for the frequency with which compliance with the individual requirements is evaluated. This frequency will depend on factors like the chance of nonconformity with the requirements and any consequences of nonconformity. Using these general principles as a basis, an organization can determine the appropriate frequency and method of evaluation for each requirement.

2. Basis of the approach

To determine how and how often compliance with particular requirements should be evaluated, there must be an idea of:

  • The chances of nonconformity with these requirements arising.
  • The potential consequences of such a nonconformity for the environment or working conditions.

There is a relationship here with the requirement from the standard to identify and evaluate the environmental aspect. The organization can apply the risk assessment when identifying its environmental aspects. The outcome of the risk assessment can be used to determine how strictly to specify the evaluation of compliance with legislation and regulation for a particular environmental aspect. An organization can establish a few basic principles for specifying how it evaluates its own compliance. This can be done using the matrix also used for the risk assessment. Each organization can use its own categories for chances and effect.

| Scope of risk | Static requirements | Technical requirements | Performance / monitoring requirements | Organizational requirements |
| --- | --- | --- | --- | --- |
| Acceptable | Test only if a change or incident occurs, as part of the management of change process | Maintenance check two times per year | Two times per year data evaluated by environment coordinator | Once per month on rounds with the checklist |
| High risk | Once per month on rounds with the checklist | Monthly maintenance check | Four times per year data evaluated by environment coordinator | Four times per year data evaluated by environment coordinator |
| Extremely high (unacceptable risk) | Once per week on rounds with the checklist | Weekly maintenance check | 12 times per year data evaluated by environment coordinator | 12 times per year data evaluated by environment coordinator |

Example of principles for specifying self-evaluation of compliance

The higher the risk becomes, the more often the self-evaluation must be performed. It must be clear how compliance is evaluated for each requirement. This means that it is known:

  • Who is responsible for carrying out the evaluation;
  • What is evaluated (for example which rules or checklist, etc.);
  • How to record that the evaluation has been done, and how any nonconformities are dealt with.

Evaluating compliance can take various forms, including:

  • as part(s) of a checklist used for routine checks;
  • periodic agenda point(s) during meetings;
  • continuous or periodic measuring program and reporting results;
  • incidental measurement;
  • specific evaluation by management/production manager etc.;
  • internal audits with an additional audit focused specifically on the process of identifying and complying with legal requirements;
  • workplace inspections.

3. Checking compliance with legal and other requirements

According to the standard, the organization must periodically evaluate whether it is meeting these requirements and must keep records of this evaluation. The frequency of this evaluation can differ for each requirement. The organization must determine how often to evaluate the various requirements and how to perform the evaluation.

6. Internal Audit

During internal audits, the organization itself determines how the parts of its management system are working. The question is also whether the management system is good enough to achieve its objectives. One important objective is to fulfil compliance obligations. The internal audit yields essential information for the management review. Sometimes people think that internal audits can be used to perform the ‘self-evaluation’. This is only possible to a limited degree. Since the internal audits are intended to evaluate the organization’s own system, they also test the effectiveness of the procedures for self-evaluating compliance. Compliance can only be evaluated using internal audits if requirements from legislation and regulations are embedded in procedures or instructions.

7. Management review of Compliance

The results of the evaluation of compliance must be available during the management review. If management is to make a judgment of compliance, they must be given an overview of performance. For top management, it is in any case important to know which compliance obligations, including legislation and regulations requirements, are critical and/or insufficiently met, and what measures need to be taken (if necessary) to improve compliance. The cause of any nonconformity is also investigated so as to formulate corrective action.

Compliance Obligation in relationship to the other parts of the management system

We shall now discuss the parts of the ISO 14001:2015 standard having a direct reference to compliance obligations. Other parts of the management system are also important for proper compliance. A brief indication of their relationship to compliance follows, in the order of the elements of the standard.

Relationship of elements of ISO 14001:2015 standard relevant for compliance management.

1.0 Scope:

Consistent with the environmental policy, the intended output of the environmental management system includes fulfillment of compliance obligations.

As per Annex A (Guidance on the use of ISO 14001:2015 standard) of ISO 14001:2015 standard it further explains:

As part of managing change, the organization should address planned and unplanned changes to ensure that the unintended consequences of these changes do not have a negative effect on the intended outcomes of the environmental management system. Examples of change include changes in compliance obligations.

4.2 Understanding the needs and expectations of interested parties

The organization shall determine which of the relevant needs and expectations of the interested parties relevant to the EMS become its compliance obligations.

As per Annex A (Guidance on the use of ISO 14001:2015 standard) of ISO 14001:2015 standard it further explains:

An organization is expected to gain a general (i.e. high-level, not detailed) understanding of the expressed needs and expectations of those internal and external interested parties that have been determined by the organization to be relevant. The organization considers the knowledge gained when determining which of these needs and expectations it has to or it chooses to comply with, i.e. its compliance obligations.

Interested party requirements are not necessarily requirements of the organization. Some interested party requirements reflect needs and expectations that are mandatory because they have been incorporated into laws, regulations, permits, and licenses by governmental or even court decisions. The organization may decide to voluntarily agree to or adopt other requirements of interested parties (e.g. entering into a contractual relationship, subscribing to a voluntary initiative). Once the organization adopts them, they become organizational requirements (i.e. compliance obligations) and are taken into account when planning the environmental management system.

4.3. Determining the scope of the environmental management system

The organization shall determine the boundaries and applicability of the environmental management system to establish its scope. When determining this scope, the organization shall consider the compliance obligations referred to in 4.2.

As per Annex A (Guidance on the use of ISO 14001:2015 standard) of ISO 14001:2015 standard it further explains:

In setting the scope, the credibility of the environmental management system depends upon the choice of organizational boundaries. The organization considers the extent of control or influence that it can exert over activities, products, and services considering a life cycle perspective. Scoping should not be used to exclude activities, products, services, or facilities that have or can have significant environmental aspects, or to evade its compliance obligations. The scope is a factual and representative statement of the organization’s operations included within its environmental management system boundaries that should not mislead interested parties.

5.2 Environmental policy

Top management shall establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system includes a commitment to fulfill its compliance obligations.

As per Annex A (Guidance on the use of ISO 14001:2015 standard) of ISO 14001:2015 standard it further explains: 

While all the commitments are important, some interested parties are especially concerned with the organization’s commitment to fulfilling its compliance obligations, particularly applicable legal requirements. This International Standard specifies a number of interconnected requirements related to this commitment. These include the need to:

  • determine compliance obligations;
  • ensure operations are carried out in accordance with these compliance obligations;
  • evaluate the fulfilment of the compliance obligations;
  • correct nonconformities.

6.1 Actions to address risks and opportunities – 6.1.1 General 

When planning for the environmental management system, the organization should consider the compliance obligations to be addressed to:

  • give assurance that the environmental management system can achieve its intended outcomes;
  • prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization;
  • achieve continual improvement. 

As per Annex A (Guidance on the use of ISO 14001:2015 standard) of ISO 14001:2015 standard it further explains:

The overall intent of the process established in clause 6.1.1 is to ensure that the organization is able to achieve the intended outcomes of its environmental management system, to prevent or reduce undesired effects, and to achieve continual improvement. The organization can ensure this by determining its risks and opportunities that need to be addressed and planning action to address them. These risks and opportunities can be related to environmental aspects, compliance obligations, other issues, or other needs and expectations of interested parties.

Compliance obligations can create risks and opportunities, such as failing to comply (which can damage the organization’s reputation or result in legal action) or performing beyond its compliance obligations (which can enhance the organization’s reputation).

6.1.4 Planning action

The organization should plan to take actions to address its compliance obligations.

As per Annex A (Guidance on the use of ISO 14001:2015 standard) of ISO 14001:2015 standard it further explains:

The organization plans, at a high level, the actions that have to be taken within the environmental management system to address its significant environmental aspects, its compliance obligations, and the risks and opportunities identified in 6.1.1 that are a priority for the organization to achieve the intended outcomes of its environmental management system.

6.2.1 Environmental objectives

The organization should establish environmental objectives at relevant functions and levels, taking into account the organization’s significant environmental aspects and associated compliance obligations, and considering its risks and opportunities.

7.2 Competence

The organization should ensure that personnel under its control doing work that affects its environmental performance have the necessary competence to fulfil its compliance obligations.

As per Annex A (Guidance on the use of ISO 14001:2015 standard) of ISO 14001:2015 standard it further explains:

The competency requirements of this International Standard apply to persons working under the organization’s control who affect its environmental performance, including persons:

a) whose work has the potential to cause a significant environmental impact;
b) who are assigned responsibilities for the environmental management system, including those who:
   1) determine and evaluate environmental impacts or compliance obligations;

7.3 Awareness

The organization should ensure that persons doing work under the organization’s control are aware of the implications of not conforming with the environmental management system requirements, including not fulfilling the organization’s compliance obligations.

As per Annex A (Guidance on the use of ISO 14001:2015 standard) of ISO 14001:2015 standard it further explains:

Awareness of the environmental policy should not be taken to mean that the commitments need to be memorized or that persons doing work under the organization’s control have a copy of the documented environmental policy. Rather, these persons should be aware of its existence, its purpose, and its role in achieving the commitments, including how their work can affect the organization’s ability to fulfill its compliance obligations.

7.4 Communication

The organization shall establish, implement and maintain the processes needed for internal and external communications relevant to the environmental management system. When establishing its communication processes, the organization shall take into account its compliance obligations.

As per Annex A (Guidance on the use of ISO 14001:2015 standard) of ISO 14001:2015 standard it further explains:

Communication allows the organization to provide and obtain information relevant to its environmental management system, including information related to its significant environmental aspects, environmental performance, compliance obligations, and recommendations for continual improvement.

9.1 Monitoring, measurement, analysis and evaluation

The organization shall communicate relevant environmental performance information both internally and externally, as identified in its communication processes and as required by its compliance obligations.

As per Annex A (Guidance on the use of ISO 14001:2015 standard) of ISO 14001:2015 standard it further explains:

When determining what should be monitored and measured, in addition to progress on environmental objectives, the organization should take into account its significant environmental aspects, compliance obligations, and operational controls.

9.1.2 Evaluation of compliance

Once the compliance obligations have been determined, the organization should establish, implement and maintain the processes needed to evaluate fulfillment of its compliance obligations. The organization should determine the frequency of compliance evaluation, evaluate compliance and take action if needed, and maintain knowledge and understanding of its compliance status. The organization should retain documented information as evidence of the compliance evaluation results.

As per Annex A (Guidance on the use of ISO 14001:2015 standard) of ISO 14001:2015 standard it further explains:

The frequency and timing of compliance evaluations can vary depending on the importance of the requirement, variations in operating conditions, changes in compliance obligations, and the organization’s past performance. An organization can use a variety of methods to maintain its knowledge and understanding of its compliance status; however, all compliance obligations need to be evaluated periodically. If compliance evaluation results indicate a failure to fulfill a legal requirement, the organization needs to determine and implement the actions necessary to achieve compliance. This might require communication with a regulatory agency and an agreement on a course of action to fulfil its legal requirements. Where such an agreement is in place, it becomes a compliance obligation. A non-compliance is not necessarily elevated to a nonconformity if, for example, it is identified and corrected by the environmental management system processes. Compliance-related nonconformities need to be corrected, even if those nonconformities have not resulted in actual non-compliance with legal requirements.


9.3 Management Review

The management review should include the changes in the needs and expectations of interested parties, including compliance obligations. The management review should also include information on the organization’s environmental performance, including fulfillment of its compliance obligations.
