Transforming compliance: practical steps to a risk-based approach

In the first of three webinars, special guest Anthony Wareham outlines how to transform your organization’s EHS strategy using a risk-based approach to compliance. 

With 25 years of experience as a health and safety leader in the manufacturing sector, Anthony Wareham shared insights and practical steps around transforming EHS compliance to a risk-based approach. This involves aligning corporate values to a vision, addressing and resolving known challenges, managing risk, and ultimately transforming the teams and processes that drive organizational compliance.  

Understand the risks and the significance of EHS

“Compliance is the starting point,” Wareham began, “it’s the minimum acceptable standard – but it varies across the globe.” To begin your transformation journey, you “have to start with some really foundational concepts – and the first one is compliance.” Transforming compliance is achieved through establishing clear goals and methodologies — in this case, setting the vision of what to achieve and then identifying the methods and means to do so.  

A risk-based approach to EHS begins with understanding its significance. Wareham framed this into three main categories consisting of the moral imperative, the business drivers, and the legal ramifications: 


Moral imperatives 

Employers “have a moral duty to protect their staff from harm”, Wareham said, and EHS plays a vital role in establishing safe practices whilst at the workplace. He set the context for a risk-based approach to compliance as a moral obligation of the company — and those spearheading the business — to protect their workers. Unfortunately, approximately three million workers die each year from work-related accidents and diseases — a tragedy, Wareham stated, which affects “not only the individual, but their families and communities”, underscoring the moral imperative of addressing risk to individuals as a top priority. 


Business drivers 

Although protecting the lives and wellbeing of workers is of utmost importance, failing to comply with EHS regulations, even inadvertently, can also affect businesses at an operational level. Incidents that bring with them the risk of death or injury, or the risk of pollution, can have a negative impact on stock prices. These costs are further amplified by the funding necessary to go back and mitigate those risks.


Legal ramifications 

Around the world, there are many different consequences for violating health and safety standards – some more severe than others. While many of the consequences can be quite significant by way of fines and litigation, less severe consequences can include prohibitions and enforcement notices. These too carry with them a cost, especially when they require process changes or re-training.

Shift your mindset

Occasionally, “businesses will separate risk and compliance,” Wareham said. He believes the two should be coordinated, rather than siloed, seeing it as a “continuum of how [people] manage their compliance and risk”.  

Wareham categorized the behaviors that companies tend to adopt in this continuum: “At one end of the spectrum we have ‘reactive’, where you wait for something to go wrong and then you react to it. And on the other end of the spectrum, you have ‘interdependent’, where you take a much more proactive approach.”



The ‘reactive’ mindset is high risk, Wareham warned, “because you’re waiting for things to go wrong and then you’re scrambling to fix them.” There is an assumption that compliance standards are being met, and so there is only a response when provoked.



“As you move up the curve [from a high-risk reactive mentality to a lower-risk, interdependent way of acting], where a lot of companies are, leaders hire competent professionals and assume everything is running smoothly until it doesn’t… then you’re back into reactive mode,” Wareham explained. He advised this isn’t the best route to follow either, as it’s entirely dependent on the skillset of the professionals undertaking the work. In scenarios such as these, skills vary across regions and business sectors, often resulting in inconsistency and unreliability. 



“A much more proactive way,” Wareham asserted, is when “[the] independent [mindset] takes a more holistic view.” Focusing on utilizing a standardized system of compliance monitoring to evaluate all potential scenarios, this anticipatory approach encourages “leadership to ask questions… they’re looking to the future, asking ‘is everything running smoothly?’, ‘do you have everything you need?’” This ensures standards are always going to be met quickly and efficiently, with plans already in place. Leadership should require regular updates about the efficiency of the system, ensuring the chosen strategy for reporting continues to function as intended.



The final and most desirable mindset is interdependence. “You fully embed your programs in your compliance organization,” said Wareham. “That will lower the risk significantly” because leadership can take action before a law becomes mandatory. “If you can get to the top end of the curve, you’ll find things will be much better managed from a risk perspective.” This long-term strategy places the business as a whole in a low-risk category, with minimal surprises.  

Wareham encouraged businesses to self-evaluate, asking if teams “know [their] compliance status today, or know where to find it?” at both the facility-by-facility and corporate leadership level.  

Establish and carry out your vision

“You need to make sure you have the risk and compliance balanced and identify where you are on the spectrum,” noted Wareham. It can be difficult for businesses to transition from a reactive or dependent mindset to the interdependent way of thinking and acting.  

The transformation from a decentralized approach to a centralized approach is driven by three main factors: culture, cost, and risk.


To set a vision, consider culture, cost, and risk 

To set your vision, you need to evaluate your company’s culture, and how the environment your business has fostered directly impacts your compliance. Companies with locations around the world must consider the “embedded culture at one site”, and how each company may have a different way of thinking. When companies “grow by acquisition”, this difference can be even more pronounced. “You get this mix of culture, and that can get in the way,” Wareham said, as it’s “hard to standardize and get everyone ‘on the same page’.”

In an effort to resolve this disparity, Wareham encourages businesses to evaluate if their “local teams know the minimum standards and if the corporate teams have the means to scale these standards globally?” A self-analysis is required, asking questions about how “corporate culture affects the safety of workers. Are the most senior leaders discussing safety? Do actions align with intentions? How does the culture manifest in employee decisions, such as shortcuts” that can negatively impact safety? 

Building a vision consists of a delicate balance between compliance and costs. Wareham acknowledges how difficult managing the costs of running a business is, “especially when the deliverables are intangible – not being prosecuted, for example.” To help fill “that cost bucket”, Wareham recommended looking at what you’re spending on existing systems, asking: “Could you use your money more wisely?” He advises businesses to improve gradually, to avoid overspending the company’s risk management budget when trying to quickly address and resolve compliance issues.  

Good practice is to: 

  • Evaluate what resources are needed 
  • Understand the minimum standards to meet, in all areas of EHS compliance 
  • Establish corporate standards that can be applied to the entire global organization 
  • Be sure there is a method of forecasting the requirements emerging or changing


Build and execute a plan 

As new laws are mandated, companies need to be prepared to respond quickly and efficiently. To do this, Wareham observes, you must transition along the spectrum from a reactive mindset to a proactive approach, where gaps in your business are identified and closed, upcoming regulations are not only anticipated but actively tracked, and clear data is available for regulators to immediately access when requested.  

Wareham recommended the following four steps for companies to ensure they’re able to respond in a timely manner to rapid regulatory changes:

  • Gap analysis: identify your company’s position and establish a plan to close any gaps. Prioritize which gaps to focus on based on their risk. Using a risk approach to prioritize an action helps to ensure all eventualities are covered 
  • Be prepared: ensure you’re prepared for a compliance visit with a ready-made plan to show the regulator, with a reasonable structure and timeframe 
  • Control plan: have an intermediate, short-term plan in place to cover all bases, whilst working on a longer-term plan 
  • Measures: put measures in place to manage longer-term issues and risks 

It’s important to remember that you can’t completely eliminate risk from any operation, but “having different risk measurements and processes in different areas can cause a problem,” Wareham said. 

“Although it’s a numbers-driven process, they may have different multiplication factors, and the same events could end up with different risk priority numbers.” This can make comparisons incredibly difficult. To be on the same plane, you need a common system. 

Empower your team

Building a team to transform compliance begins with nurturing existing workers. Wareham emphasized that enthusiastic and motivated employees may lack the necessary skills to begin with, but upskilling hardworking individuals is easier, more cost-efficient, and faster than hiring new starters. Empowering your team also means letting go, or rather letting them make mistakes and mentoring them in a positive way, without blame so they can learn from the experience and eliminate the root cause. People learn through error, and dedicating time and energy to personal development increases morale and boosts the overall workplace culture. 

Additionally, build a system that people want to use, and identify how you can capitalize on it for compliance. Wareham advised making sure the new technology is intuitive and valuable, rather than an additional hindrance to someone’s role or day-to-day responsibilities. “Give them a vision,” he said, “on how [the new technology] will make their life easier”, since “if the system is easier, it’s more likely to be learned” quickly and used efficiently. 

Empowering your teams to maximize existing resources and utilize intuitive and straightforward technology to aid in meeting compliance regulation is the simplest way to transform your company.  

Give your teams: 

  • Access to data required for regulations 
  • Methods to track and communicate compliance 
  • Corporate-wide visibility into global status 
  • Ways to measure proactivity, not reactivity 
  • Rewards for success, but “don’t reward the absence of a negative outcome” 
  • Core competencies, rather than external machines or safety experts from elsewhere 
  • A talent pipeline 

Working with Enhesa

Wareham said he found that, during the time in his career when he used the solution, Enhesa “fitted [his] niche”. It was “eye-opening” to realize that his team had “relied on [others] locally to understand the laws.” With Enhesa, Wareham realized that his company had a “seven percent gap of compliance.” With the solution, their compliance improved to 99.7%, with the remaining 0.03% being resolved by using Enhesa’s Regulatory Forecaster, which provides notifications and information about regulatory changes being introduced across jurisdictions, so teams can get ahead of changes before they are required to comply with them.

In summary, companies need to: 

  • Understand the risks of noncompliance  
  • Shift their mindset from reactive to proactive  
  • Establish a company-wide vision for meeting compliance 
  • Build a plan with ready-to-use data on hand for all stakeholders who need it
  • Empower their teams with accessible technology 

Enhesa’s content, technology, and services help companies track both local and global compliance. The solutions combine to enable an action plan to scale corporate standards, helping to close gaps and prepare for upcoming regulatory changes. They also empower teams with accurate, up-to-date information, when needed, for both internal and external stakeholders.

Transform your business

In the second webinar in this series, special guests Anthony Wareham and Keith Serre will provide expert insights into building a solid business case for a transformative compliance program.

Register for the second webinar here: Building a business case for compliance | Enhesa

If you missed the first webinar on Transforming EHS compliance with a risk-based approach, or want to rewatch it, you can download the recording for free here.
