Section 2

A practical guide to
evaluating legal
compliance

1 of 11
 Section 2

Contents

o Introduction ...................................................................................... 3
o Methods of Compliance Evaluation ....................................................... 4
o Why use a Management System for Compliance Evaluation? ................. 5
o Steps to the Management of Compliance ......................................... 6-10
o Summary .......................................................................................... 11
00

Compliance is not
an option. If you
don’t comply then
you could be
operating outside
of the law.

2 of 11

Introduction
There is an ever increasing amount of
legislation intended by the government
to ensure that we manage issues such
as health and safety in the workplace
and our impacts on the environment in
order to protect human health and the
environment from harm. There is also a
range of legislation designed to give
some security of personal information,
intellectual property and organizational
records to both public and private sector
businesses whose information and
networks are important business assets.
But exactly what legislation is there that
applies to your organization, how does it
apply and why do you need to evaluate
it?
Firstly it is worth looking at compliance
in more detail. Compliance is not an
option. If we don’t comply then we
could be operating outside of the law.
Not only can this lead to penalties and
fines, poor compliance can also lead to:
• Increased health and safety incidents,
environmental accidents and pollution
• Increased downtime, clean up costs
and fines
• Increased insurance premiums and
regulatory inspections
• Workforce concerns and industrial
relations issues
Section 2
• Reduced ability to meet customer
requirements
• Damage to reputation and possible
lost business
• Individual prosecution and
corporate manslaughter and/or
dismissal
Legislation provides regulators with
specific duties and powers and enables
the regulators to take enforcement
action to mitigate the consequence of
site closures and suspension or
revocation of permits. For example, in
2005/2006 the HSE issued 6400
enforcement notices and prosecuted in
over 1010 cases.
Magistrates and courts are coming
under increasing pressure to impose
ever more stringent penalties. With
this in mind, there is increasing
pressure on organizations from various
sources to improve and ensure
compliance.
The objectives of this document are
therefore to provide a practical guide
to evaluating compliance with legal
and other requirements. These can be
anything from your own business
policy, voluntary industry codes of
practice, customer imposed
requirements and UK, European and
international laws.
3 of 11

Methods of compliance
evaluation
So how can you evaluate compliance?
There are essentially three approaches:
2.1 The Passive Approach
The passive approach means an
organization sits back and waits for
things to happen. It relies solely on
feedback from regulators, employees
and members of the public. Typically
few resources are allocated and
compliance efforts are minimized and
tend to be focused on current areas of
concern. The drawback of this approach
is that it may well be unrepresentative
of the true level of compliance, the
outcome of which being the increased
likelihood of a non-compliant event
which could lead to unforeseen
prosecutions.
2.2 The Reactive Approach
The reactive approach is taken when an
organization acts only when a situation
of non-compliance is brought to light.
There may be some internal and
external evaluation and auditing but
this usually relies on a sampling basis.
It is similar to the passive approach in
that typically few resources are
allocated. The drawback of this
approach is that it may not be
sufficiently comprehensive. It tends to
only pick up problems after the event.
Although actions are taken to manage
compliance these are typically only
implemented after the event once the
non-compliance has been identified.
Therefore an organization following the
reactive approach may incur increased
Section 2
costs, both financial and time, in
addressing the non-compliance as
opposed to preventing it occurring.
2.3 The Proactive Approach
An organization following the proactive
approach will seek to actively identify the
compliance position and establish
processes to ensure on-going compliance
status is maintained. The proactive
approach is typically system based and
integrates compliance into everyday
business practices.
The management system may be one of
three types:
• Internal bespoke Compliance
Management System
• Management System based on a
recognized standard such as ISO
14001, ISO 45001, ISO 9001 and ISO
27001
• Third party certified Management
Systems such as ISO 14001, ISO
45001, ISO 9001 and ISO 27001
Management systems provide the
mechanisms to identify upfront
compliance requirements and ensure
appropriate controls are in place to
positively manage compliance status.
They cannot guarantee against a non-
compliance occurring but should ensure
that the system in place quickly identifies
the non-compliance status and corrects it.
4 of 11
 Section 2

Why use a Management

System for compliance
evaluation?
Following the proactive system based By including this in your system for
approach will enable an organization to: compliance management it
immediately increases transparency of
• Make a commitment to compliance
the legal management system and
• Identify current legal and other ensures that there is an effective
requirements specific to the control mechanism in place for each
organization and be aware of of the key requirements.
pending legislation and its impact on
Controls will not always be
the organization well in advance
procedures, but may include site
• Understand the full implications of all inspections, monitoring equipment or
applicable legislation and incorporate designating responsibilities.
the requirements into business
practices
• Keep information up-to-date
• Identify compliance criteria
• Establish a framework to address
and control the identified compliance
requirements
• Provide a mechanism for the on-
going review, evaluation and
reporting of compliance performance The proactive system
One area of particular importance is the
reference to the control mechanism
based approach will
employed within the organization to
manage that element of the legal
enable an organization
requirements. to establish a
framework to address
and control the
identified compliance
requirements.

5 of 11
 Section 2

Steps to the management of

compliance

Typically through a management There are many different ways an

system there will be a number of organization can go about identifying
different steps to the management of legal requirements. These include the
compliance: sources identified in the following table.
4.1 Step 1 – Commitment to Government departments, including:
Legal Compliance Evaluation
• Defra
Essentially this requires the • DTI
agreement from top management that • Department of Health
this is required and their commitment
National Regulators such as:
to provide the necessary resources
including staff, finance and IT support • Environmental Agency –
to carry out the evaluation and to take www.netregs.gov.uk
action to resolve areas of non- • Health and Safety Executive –
www.hse.gov.uk
compliance.
Local Authorities
4.2 Step 2 – Identification of Professional and Trade Bodies:
Legal Requirements
• IEMA
Having secured top management • IOSH
commitment to evaluating • ROSPA
compliance, the next step is to • Trade Associations
identify the legal requirements such • Engineering Employers Federation
as codes of practice and guidance • The Trade Union Congress
notes. Law Publications and bulletins
Legal requirements can take many including:
forms including: • ENDS
• Cedrec
• Legislation, regulations and • Cromer
statutes • Law Now
• Directives Websites including:
• Permits, licences or other forms of • Business Links –
authorization www.businesslink.gov.uk
• Envirowise –
• Orders issued by regulatory bodies www.envirowise.gov.uk/legislation
• Judgements of courts or Suppliers – who have legal obligation to
administrative tribunals produce guidance on the use and disposal
• Treaties, conventions and protocols of their products

6 of 11
 Section 2

Steps to the management of

compliance continued
These are all valuable sources. However, understanding of what these criteria are
the most important thing is what you do for your organization it will be very
with the information you identify. difficult to undertake an effective
evaluation of compliance.
Typically the identification of legal
requirements leads to the production of a The legal register should be a ‘live’
legal register. A typical legal register document and be useful to the
would include: organization. It may also identify:
• Installation Activity
Column 1 Column 2 Column 3 • Regulation
Company Name of Description of • Regulator
Activity Legislation Legislation • Description of Regulation

However, this format will not be • Relevance to organization – compliance

sufficient to enable an effective criteria
evaluation of compliance within the • Responsible Persons
management system.
• Reference to other parts of the
4.3 Step 3 – Identification of management system e.g.
Compliance Criteria environmental aspects, health and
To ensure the use of a legal register is safety hazards, objectives and targets
effective, consideration should be given • Reference to licence, permit,
to also using the document as a authorization or notification
mechanism to:
• Further information (e.g. codes of
• Evaluate the legislation to determine practice)
which components are applicable,
e.g. discharge of trade effluent from • Operational Controls
the effluent plant Additional columns might be as follows:
• Establish the relevance of the
legislation to the organization –
identify which activities are
completed on site that fall within the Column 4 Column 5 Column 6
scope of the legislation e.g. a licence
is required for the discharge of trade Legislative Applicability to Compliance
effluent Requirements organization requirement
s
The above are referred to as the
compliance criteria and without a good

7 of 11

Steps to the management of
compliance continued
This type of register can provide a clear
understanding of the relationship
between legislation and the
organizations activities, products and
services. Also, it can be used as an
awareness-raising tool, but more
importantly it provides a clear audit trail
for the internal audit function to
undertake their evaluation of legal
compliance.
4.4 Step 4 – Compliance
Performance Evaluation
Having identified relevant legislation, the
compliance criteria and related
operational controls, the next step is to
develop a process for checking legal
compliance.
Use the information from the register to
review current practices against the
identified legal requirements applicable
to your organization. You might want to
consider developing a checklist for each
item of legislation that the organization
has identified. Objective evidence will
need to be gathered in order to evaluate
compliance.
Compliance performance evaluation can
be carried out by:
• Monitoring against performance
indicators – trend analysis to predict
and prevent non-compliance e.g.
amount of mercury discharged on a
monthly basis versus the early figure
specified within the discharge
consent or noise emissions limits
Section 2
• Reviewing risk assessments
• Undertaking physical inspections e.g.
of the status of oil storage facility or of
wearing of relevant personal protective
equipment (PPE)
• Undertaking Management Systems
audits
• Compliance verification against
procedural and legal requirements
• Independent verification (e.g. in the
case of compliance to a GHG permit)
Conducting a compliance performance
evaluation will help you to:
• Identify any regulatory non-
compliances
• Determine whether existing controls
are adequate to help prevent
regulatory non-compliance including
those related to abnormal and
emergency situations
• Identify areas where further
information is required to track or
confirm compliance, any opportunities
for improvement
• Proactively manage an organization’s
compliance status
8 of 11

Steps to the management of
compliance continued
There has been much discussion since
the revision to ISO 14001:2004 as to
what constitutes an ‘Evaluation of
compliance’. What is clear is that there is
no one method or definitive answer but
more of a suite of tools that can be used
then completing the evaluation.
Therefore it is important that the
outcomes of the evaluations are brought
together to enable trend analysis and
the overall compliance status to be
determined.
4.5 Step 5 – Compliance and
Review Reporting
Compliance review is more than just
monitoring. Routine monitoring may not
check compliance with all requirements
and limits of a permit or consent.
Monitoring of an indicator to
demonstrate improvement (such as
quantity of monthly hazardous waste
arising’s) will not check compliance with
all applicable waste legislation (such as
whether hazardous waste
documentation identifies waste streams
correctly). However the results of
monitoring can be an input into the
evaluation process.
Likewise a true evaluation of compliance
is more than just systems auditing as
systems audits tend to have broad
scopes, are not specifically focused on
legal compliance, assess too small a
sample of data and are too infrequent to
Section 2
demonstrate system effectiveness.
However, results of audits can be an
input into the evaluation process and are
still a valuable tool.
4.6 Step 6 – Compliance
Verification
So, compliance verifications are also
necessary. Compliance verifications use
compliance detail from legal register and
legal documents, such as permits, to
create comprehensive checklists.
Compliance verifications can be
targeted, topic specific, more frequent
and risk-based.
Compliance verification will:
• Identify compliance tasks and their
frequency
• Ensure availability of sufficient
competent resource
• Allocate time and resources on a risk
basis
Regardless of which methods are used –
it is essential that appropriate records
are held of the outcome of the
evaluation process.
...it is important that
the outcomes of the
evaluations are brought
together to enable
trend analysis...
9 of 11

Steps to the management of
compliance continued
4.7 Step 7 – Compliance Reporting
So what do you do with the results of the
evaluation? Compliance reporting is a
systematic activity using information from
monitoring, system auditing, verification
and feedback from interested parties
(such as regulators). Using this data
enables you to confidently, and
accurately, report on your compliance
status to top management (policy and
decision makers) for the identification of
future legislative trends, areas of
strengths and weaknesses, and
opportunities for improvement.
Reporting should be undertaken at a
frequency appropriate to the risks and
should seek to answer the questions,
posed by top management, ‘how
compliant have we been, are we now,
and will we be, with legal and other
requirements?’
Section 2
4.8 Step 8 – Define an Action Plan
Define an action plan for addressing the
issues identified in the gap analysis. The
action plan might include the:
• Allocation of specific clear roles and
responsibilities for compliance
• Communication on the relevance of
the requirements at all levels
• Revision of procedures in include
operational criteria
• Provision of relevant training
4.9 Step 9 – Repeat the process
In order to maintain legal compliance,
this evaluation process needs to be
repeated on a regular basis. This
provides the opportunities for continuous
improvements and enables you to keep
up to date, if not ahead of, regulatory
developments.
10 of 11
 Section 2

Summary

There is no right or wrong way to the

evaluation of compliance. There are
different methods for evaluating
compliance. Choose the approach that best
suits your business based on size, type and
complexity.
We would, however, recommend using a
system based approach to identify legal
requirements and establish appropriate
controls. A legal Register can be an
effective tool to help evaluate and verify
compliance.
Determine the measures needed to
develop a compliance framework, including
frequency and resources and the frequency
of review and reporting should be
systematic and risk-based.
Provide comprehensive reports to top
management for decisions on future
policy and objectives, and for
corporate assurance.
Evaluation of compliance is a key
component of an effective system to
deliver continued legal compliance. A
management system will not
guarantee compliance as it can not
predict the future! It will however
provide the framework for an
organization to manage its
compliance status and improve its
capability to deliver regulatory
compliance.

There is no right or wrong way to the

evaluation of compliance. There are
different methods for evaluating
compliance. Choose the approach that best
suits your business based on size, type and
complexity.

11 of 11