Protecht’s eleven-part complimentary webinar series, a comprehensive deep dive into Workplace Health and Safety (WHS), kicked off on 23 July 2020. Recordings of all eleven webinars are available.
In the 9th webinar of the series we continue our deep dive into WHS by looking at WHS Compliance and Compliance Risk Management.
Scoping the WHS Compliance Function
ISO 45001 covers compliance in Section 6: Planning and Section 9: Performance Evaluation.
ISO 45001: 6.1.3 refers to legal and other requirements and the importance of establishing, implementing and maintaining processes to:
- Determine and have access to up-to-date legal requirements
- Determine how legal requirements and other requirements apply to the organisation, and what needs to be communicated
- Take these legal and other requirements into account when establishing, implementing, maintaining and continually improving the OH&S management system
ISO 45001: 9.1.2 refers to the evaluation of compliance and the importance of evaluating compliance with legal and other requirements:
- Determine frequency and methods for evaluating compliance
- Evaluate compliance and take action if needed
- Maintain knowledge and understanding of compliance status with legal and other requirements
- Retain documented information of compliance evaluation results
What is Compliance?
It is important for us to define what we mean by Compliance.
Compliance means "conforming to a rule". In ISO 19600, the Compliance Standard, it refers to "Meeting all of the organisation's compliance obligations."
Compliance obligations comprise compliance requirements (what we have to comply with) and compliance commitments (what we choose to comply with).
What does the Compliance function scope cover?
The widest view of Compliance covers compliance based compliance, ethical based compliance and risk based compliance. This covers the widest range of "rules", including:
- Policies & Codes
- Licence Conditions
In our first poll, we were interested to know what sources the WHS Compliance Management Function covers for the webinar participants. Here are the results:
As expected, 100% include Regulatory sources, while 67% also cover Contractual sources, which are sometimes covered by the Legal function rather than the Compliance function. It is encouraging to see that 90% of functions also cover internal rules such as policies.
Our Compliance framework must also consider Risk Appetite. Within the Risk Appetite statement, we need to reference Compliance Risk. At its most basic level, this asks: does the organisation have an appetite for non-compliance risk? In relation to regulatory compliance, we would hope the answer to be no. This is a compliance based approach to compliance and should represent the minimum standard. If we then set internal "rules" such as policies at a more stringent level than regulatory obligations, and have no appetite to breach internal rules, we have ethical based compliance. Lastly, where our compliance activities also consider the risks surrounding our non-compliance (the wider risks to our business of not complying, rather than just the financial and regulatory risk from non-compliance), we have risk based compliance.
With this in mind, in our second poll, we were interested to know what approach our webinar participants had to WHS compliance. Here are the results:
- 70% of participants had a Compliance based approach
- 17% a Risk based approach
- 13% an Ethical based approach
It is interesting to note that 1 in 10 of you are moving towards an ethical based approach, which is encouraging, and we expect to see more of this happening in the future.
WHS Compliance & Obligation Libraries
The starting point of Enterprise Risk Management is understanding the rules that we need to comply with based on the scope of the function outlined above.
- We need to record these rules in a system. At Protecht, our Protecht.ERM does exactly this.
- We then need to translate the legal wording into plain language obligations that our staff will clearly understand.
- We then need to do a Risk Rating of the Obligations. What Obligations are more important than the others? This is a Risk Based approach to Compliance, which lends itself to ISO 19600.
- We then look at our Compliance activities, splitting them into Compliance Management and Risk Management Activities.
- We are then ready to record and analyse the evidence around Compliance Management and Compliance Risk Management from reporting and response through to escalation and remediation.
This completes the Compliance Process.
Understanding the rules can be easier said than done! For example, we may need to consider Federal, State, International and Regulatory requirements. On top of this we have contractual standards, policies and changing regulations. At Protecht we call these libraries of rules Registers.
At Protecht, we partner with LexisNexis to provide automated feeds of up-to-date legal and regulatory requirements and plain language obligations. This information is integrated into our Registers within Protecht.ERM. If an obligation changes, an alert is received and the information is updated.
With this in mind, I was interested to find out whether webinar participants convert their regulatory compliance requirements into easy to understand obligations. Here are the results:
- 59% of Webinar participants do convert regulatory compliance into easy to understand obligations.
- 41% of Webinar participants do not.
At Protecht we believe it is crucial to help your staff understand the legal obligations; this moves the responsibility away from the Legal Department and onto the individual. We believe that everyone is a Risk and Compliance Manager and has a part to play. Putting the legalese into easy to understand plain language makes it easier for your staff to contribute to WHS Compliance and Compliance Risk Management.
WHS Compliance Management
WHS Compliance Management involves the following key steps:
- The first step is to Identify and record the sources of the compliance requirements.
- The second step is to understand the compliance requirements and determine the related obligations.
- The third step is to establish processes, procedures and policies that allow compliance with obligations.
- The fourth step is to carry out compliance functions to ensure ongoing assurance.
- The fifth and final step is to report on the outcomes of the compliance process.
WHS Compliance Risk Management
Compliance Risk Management is linked but separate. What is compliance risk? If risk is 'the effect of uncertainty on objectives' as defined in ISO 31000, compliance risk is the effect of uncertainty on compliance objectives.
Compliance Objectives are to comply with applicable compliance obligations, in order to:
- Protect the organisation from financial loss
- Protect the organisation from reputation damage
- Protect the organisation from the negative impact of legal or regulatory action
- Protect relevant stakeholders from risks the organisation brings to them
What do we need to consider with a compliance risk management framework?
We need a risk based approach to compliance. The first step is to risk rate the obligation. We can then apply the ISO 31000 steps and define our appetite for compliance risk.
Compliance risk is just another risk. As we have explored throughout this webinar series, incorporating compliance or WHS risk into our overall ERM framework is considered best practice.
With this in mind, I was interested to know if our webinar participants risk rate their obligations. Here are the results:
- 50% of Webinar participants do
- 50% of Webinar participants do not
At Protecht we strongly encourage you to risk rate your obligations. As discussed, this risk based approach is supported by ISO 19600 and considered best practice in 2020.
In terms of the risk process, we need:
- To understand our compliance risks
- Assess them
- Attach risk metrics to these risks
- Manage any breaches of our obligations
- Carry out controls assurance
- Manage our Issues & Actions
- Report & Respond
These are the steps of good risk management and apply to WHS Compliance risk, HR risk, Cyber risk or any other risks that we are managing.
We were interested to know how the webinar participants defined compliance risk. Here are the results:
- 57% of participants defined compliance risk as 'the risk of non-compliance'
At Protecht we believe best practice is not to define Compliance Risk as the risk of non-compliance. Why? Because non-compliance is an impact, on the basis that we are most likely to have an objective "to comply with regulatory obligations".
Compliance Risk is the risk event that could lead to a compliance breach.
WHS Compliance Reporting
In the Webinar we shared some examples of best practice Compliance Reporting by sharing some examples from Protecht.ERM.
We looked at:
- The Obligations and Alerts Dashboard
- The Risk in Motion Dashboard
- Safety in Motion Dashboard
As we have explored in previous webinars, we believe that the Risk in Motion or Safety in Motion Dashboards for WHS are the ultimate in reporting. These Dashboards aggregate all the data related to a particular risk and provide you with the complete picture of that risk on one page, with the ability to drill further into the detail.
With this in mind, we were interested to know what systems our webinar participants are currently using to manage WHS Compliance. Here are the results:
As we have explored in previous webinars, I strongly encourage you (if you are not already) to bring your WHS Compliance and Compliance Risk Management into the wider ERM focus. Having a dedicated system such as Protecht.ERM helps you to manage these risks within the one platform.
In our next webinar I will be joined again by my colleague Adel Fakhreddine, Head of Sales APAC, and we will continue our deep dive into WHS by looking at Static to Dynamic WHS Risk Reporting.