Why is a “legal register” no longer enough under ISO 14001 and ISO 45001?

How would you define a “legal register”? Where does the phrase come from?

The phrase has become common parlance for EHS professionals involved in implementing and maintaining site, country, regional or company-wide EHS management systems. But what is it?

Our services were designed and have evolved to meet the needs of the main EHS standards used around the world today – most notably ISO 14001 and OHSAS 18001 (replaced by ISO 45001 in March 2018). If you work with companies every day that come to you asking for “legal registers”, which we do, you realize that the concept is even harder to pin down and pretty much everyone will have their own opinion on the matter.

(And of course, if you want to confuse yourself further and Google the term, your bedtime reading will be taken care of for several weeks.)

What the Standards Say

Section 6.1.3 of ISO 14001 (2015) on Environmental Management Systems states that organizations have to identify and have access to the legal (and other) requirements they have to comply with and understand how those “compliance obligations” apply to the organization. Importantly there is also a requirement to maintain documented information of these.

We will find out for certain when ISO 45001:2018 is published one month from now, but section 6.1.3 (Determination of legal requirements and other requirements) of the draft ISO 45001 (OHS MS) has a similar obligation to ISO 14001, but focuses also on the need to have a process in place to be aware of, and stay on top of legal and other requirements, while also mentioning the need to keep the related documented information up to date:

What is interesting to note is that the term “legal register” is not actually mentioned anywhere in the standards – it has just become the standard all-encompassing phrase for what these provisions require. We will come back to this point!

What is clear is that meeting the requirements of both these Sections 6.1.3 requires a process that all starts with the need to identify and have access to the applicable regulation, based on the company’s environmental or health and safety aspects/hazards (what the company does).

The provisions of Sections 6.1.3 in both standards make perfect logical sense – and would indeed seek to describe what perhaps has become the “conventional” understanding of a legal register.

However, the standards don’t stop there…

Section 9.1.2 of both standards relates to evaluation of compliance. The key words or phrases in these sections relating to having a “process” in place to, “evaluate” compliance. In addition organizations will need to “maintain knowledge and understanding”, “action” and “document” their compliance evaluation. Each of these words take us way beyond a simple list or “register” of laws. Under the aforementioned provision, companies have to ensure that their organization periodically evaluates compliance with all of its compliance obligations, has documented this evaluation and that it is aware of its compliance status. Crucially, if a company wants to get their management system certified they will be expected to be able to identify their compliance status – at any given time.

Finally, it is also critical to mention the wording in Sections 9.3 of both standards, relating to Management review. This requires top management to review the overall management system periodically, with particular consideration to compliance obligations/legal requirements and conformity assurance. As well as sites, regional and corporate level managers also need to have visibility on their company’s compliance status.

This is why Enhesa’s services are designed to allow on-going compliance management across your organization. We help you:

• Identify regulations and requirements and determine applicability;
• Have clear, consolidated knowledge and understanding of your obligations;
• Have a clear demonstrable, central and standardized process in place to evaluate and maintain knowledge of compliance;
• Allow monitoring and recording of actions
• Provide a continuous view on the status of the process and the status of compliance at site, regional and global level.

Best Practice

The best practice we’ve seen with our clients is to adopt a global approach that allows On-going Compliance Management. This involves creating living “compliance registers” for each of your sites around the world which fulfills the dual purpose of both making companies aware of which laws apply to them, as well as creating the possibility to assess, record and verify your compliance status continuously – not just when an audit is scheduled.

This approach brings many benefits. One of the key benefits is that the global aspect fosters a corporate-wide strategy and approach to managing EHS and seeks to embed those values deep into the culture of the organization – across all locations. Another key advantage is that this can streamline your external/internal compliance audit program. If you have more visibility on EHS compliance status and performance on an on-going basis it means audits can be more targeted, effective and therefore efficient.

On-going global compliance management – beyond a “legal register”

As we have seen, the on-going management of compliance with EHS legal obligations is essential. However, this can be easier said than done – especially when the challenge is multiplied across locations in global companies.

Laws are constantly changing and evolving. Legal language is very often a quagmire of references, cross-references, legal phraseology and obscure definitions.

It is a time-consuming and often complex business to navigate hundreds of legal obligations, determining which are relevant to your organization and which not, even before you assess your compliance against them. This is why many practitioners turn to external providers of services to help them be aware of their obligations, and even to help them comply.

There are many providers of so-called “legal register” services in every country on earth where a certification for a management system has been sought. However, when different, local, in-country solutions are used across a multinational organization they are likely to be very different in terms of coverage, quality, reliability and ultimately, effectiveness.

More specifically, what a decentralized, local-only approach will not do is:

• Make it easier to instill a global corporate EHS compliance culture (or even start to develop one);
• Give a global, coherent and reliable view on EHS compliance performance and liabilities;
• Provide greater confidence in your ability to say you are compliant in any given location;
• Give individual site-locations the impression that compliance with EHS laws is taken seriously across the company, and right to the top.

It is therefore hard to justify NOT taking a global view, while leveraging local knowledge and expertise every step of the way.