03.2 Evaluating Legal Compliance
A practical guide to evaluating legal compliance
1 of 11
Section 2
Contents
o Introduction ...................................................................................... 3
o Methods of Compliance Evaluation ....................................................... 4
o Why use a Management System for Compliance Evaluation? ................. 5
o Steps to the Management of Compliance ......................................... 6-10
o Summary .......................................................................................... 11
Compliance is not an option. If you don't comply then you could be operating outside of the law.
Introduction
Methods of compliance evaluation
So how can you evaluate compliance? There are essentially three approaches:

2.1 The Passive Approach

The passive approach means an organization sits back and waits for things to happen. It relies solely on feedback from regulators, employees and members of the public. Typically few resources are allocated, and compliance efforts are minimized and tend to be focused on current areas of concern. The drawback of this approach is that it may well be unrepresentative of the true level of compliance, the outcome of which is an increased likelihood of a non-compliant event that could lead to unforeseen prosecutions.

2.2 The Reactive Approach

The reactive approach is taken when an organization acts only when a situation of non-compliance is brought to light. There may be some internal and external evaluation and auditing, but this usually relies on a sampling basis. It is similar to the passive approach in that typically few resources are allocated. The drawback of this approach is that it may not be sufficiently comprehensive. It tends only to pick up problems after the event. Although actions are taken to manage compliance, these are typically only implemented after the event, once the non-compliance has been identified. Therefore an organization following the reactive approach may incur increased costs, both financial and in time, in addressing the non-compliance as opposed to preventing it from occurring.

2.3 The Proactive Approach

An organization following the proactive approach will seek to actively identify its compliance position and establish processes to ensure that on-going compliance status is maintained. The proactive approach is typically system based and integrates compliance into everyday business practices.

The management system may be one of three types:

• Internal bespoke Compliance Management System
• Management System based on a recognized standard such as ISO 14001, ISO 45001, ISO 9001 and ISO 27001
• Third-party certified Management Systems such as ISO 14001, ISO 45001, ISO 9001 and ISO 27001

Management systems provide the mechanisms to identify compliance requirements upfront and ensure appropriate controls are in place to positively manage compliance status. They cannot guarantee against a non-compliance occurring, but they should ensure that the system in place quickly identifies the non-compliance status and corrects it.
Summary