Organizations are required to systematically identify their compliance obligations along with the implications they have on their operations, products and services. Understanding the nature of these obligations and what is needed to meet them is essential to establishing an effective compliance program and contending with compliance risk.
1. Raimund Laqua, PMP, P.Eng
ray.laqua@leancompliance.ca
Know Your Obligations
A BEST PRACTICE COMPLIANCE MANAGEMENT FRAMEWORK: ISO 19600
2. KNOW YOUR OBLIGATIONS
KYC, KYP, KYB, Etc.
Requirements:
1. Customer Identification Program
2. Customer Due Diligence
3. On-going Monitoring
The better you know your customer, the better you can evaluate the risk.
5. KNOW YOUR OBLIGATIONS
What do I need to know?
Carl's Questions
1. How should we identify our environmental obligations?
2. What information about these obligations will help us effectively contend with compliance risk?
3. How do we improve the use of our legal register to better manage our obligations?
7. KNOW YOUR OBLIGATIONS
Obligation Types
Obligation
- Requirement (mandatory)
- Commitment (voluntary)
An obligation is defined as being a requirement or a commitment: something a company must do or chooses to do.
8. KNOW YOUR OBLIGATIONS
4.5 / 4.6 Compliance Obligations (structure of the ISO 19600 compliance management system)
- Identification of compliance obligations and evaluation of compliance risk (4.5 / 4.6)
- Leadership commitment, independent compliance function (5.1), responsibilities at all levels (5.3), support functions (7)
- Planning to address compliance risks and to achieve objectives (6)
- Operational planning and control of compliance risks (8)
- Performance evaluation and compliance reporting (9)
- Managing noncompliances and continual improvement (10)
The system is a continual cycle: Develop, Implement, Evaluate, Maintain, Improve.
9. KNOW YOUR OBLIGATIONS
KYO Requirements
1. Identification of Compliance Obligations (4.5.1)
2. Identification, analysis and evaluation of compliance risk (4.6)
3. Maintenance of Compliance Obligations (4.5.2)
The better you know your obligation, the better you can evaluate the risk.
10. KNOW YOUR OBLIGATIONS
4.5.1 Identification of Compliance Obligations
▷ The organization should systematically identify its compliance obligations and their implications for its activities, products and services.
▷ The organization should take these obligations into account in establishing, developing, implementing, evaluating, maintaining and improving its compliance management system.
▷ The organization should document its compliance obligations in a manner that is appropriate to its size, complexity, structure and operations.
▷ Sources of compliance obligations should include compliance requirements and can include compliance commitments.
11. KNOW YOUR OBLIGATIONS
Obligation Landscape
Mission areas: Quality, Health & Safety, Security, Environmental, Process Safety, Social License, Public Safety
How obligations arise: Conformance to Industry Standards, Conformance to Legal Requirements, Accept Stakeholder Responsibilities, Accept Public Responsibilities
Sources: Legal, Regulatory, Ethics, Code of Conduct, Contracts, Permits, Certifications, Regulatory License
ORGANIZATIONAL
• Voluntary
• Focused on Performance
• Risk-based
• Learn / Improve Cycle
• Proactive
CORPORATE
• Mandatory
• Focused on Conformance
• Prescriptive
• Audit / Fix Cycle
• Reactive
The two regions OVERLAP.
12. KNOW YOUR OBLIGATIONS
What Do We Need to Know
▷ The process to identify obligations.
▷ The obligation requirements or commitments.
▷ Their implications with respect to activities, products and services.
▷ How obligations should be taken into account.
▷ How obligations should be documented.
Are these identified for your organization?
14. KNOW YOUR OBLIGATIONS
Government Obligations
Source
- Pan-Canadian Framework on Clean Growth and Climate Change
- Canadian Environmental Protection Act, 1999 (CEPA)
- SOR/2018-66 - Regulations Respecting Reduction in the Release of Methane and Certain Volatile Organic Compounds (Upstream Oil and Gas Sector)
- SOR/2020-60 - Order Declaring that the Provisions of the Regulations Respecting Reduction in the Release of Methane and Certain Volatile Organic Compounds (Upstream Oil and Gas Sector)
- Canadian Energy Regulator Onshore Pipeline Regulations (SOR/99-294)
15. KNOW YOUR OBLIGATIONS
Industry Specific Obligations
Source
- CSA-Z662:19 Oil & Gas Pipeline Systems
- CEPA (Canadian Energy Pipeline Association, not the Act above) Integrity First Program
- API RP 1173 – Pipeline Safety
16. KNOW YOUR OBLIGATIONS
International Obligations
Source
- ISO 14001:2015 Environmental Management System
- ISO 19600:2014 Compliance Management System
18. KNOW YOUR OBLIGATIONS
All Sources
Source
- Pan-Canadian Framework on Clean Growth and Climate Change
- Canadian Environmental Protection Act, 1999 (CEPA)
- SOR/2018-66 - Regulations Respecting Reduction in the Release of Methane and Certain Volatile Organic Compounds (Upstream Oil and Gas Sector)
- SOR/2020-60 - Order Declaring that the Provisions of the Regulations Respecting Reduction in the Release of Methane and Certain Volatile Organic Compounds (Upstream Oil and Gas Sector)
- CSA-Z662:19 Oil & Gas Pipeline Systems
- Canadian Energy Regulator Onshore Pipeline Regulations (SOR/99-294)
- CEPA (Canadian Energy Pipeline Association) Integrity First Program
- ISO 14001:2015 Environmental Management System
- ISO 19600:2014 Compliance Management System
- Corporate EHS Policy
- API RP 1173 – Pipeline Safety
19. KNOW YOUR OBLIGATIONS
Categories
Source | Category
Pan-Canadian Framework on Clean Growth and Climate Change | Framework
Canadian Environmental Protection Act, 1999 (CEPA) | Act
SOR/2018-66 - Regulations Respecting Reduction in the Release of Methane and Certain Volatile Organic Compounds (Upstream Oil and Gas Sector) | Regulation
SOR/2020-60 - Order Declaring that the Provisions of the Regulations Respecting Reduction in the Release of Methane and Certain Volatile Organic Compounds (Upstream Oil and Gas Sector) | Order
CSA-Z662:19 Oil & Gas Pipeline Systems | Standard, Regulation
Canadian Energy Regulator Onshore Pipeline Regulations (SOR/99-294) | Regulation
CEPA (Canadian Energy Pipeline Association) Integrity First Program | Association
ISO 14001:2015 Environmental Management System | Standard
ISO 19600:2014 Compliance Management System | Guideline
Corporate EHS Policy | Policy
API RP 1173 – Pipeline Safety | Guideline
20. KNOW YOUR OBLIGATIONS
Example Categories
INTERNAL
EXTERNAL
What does
CATEGORY
tell us about how obligations
should be managed?
21. KNOW YOUR OBLIGATIONS
Topic
Source | Category | Topic
Pan-Canadian Framework on Clean Growth and Climate Change | Framework | Environment, Climate
Canadian Environmental Protection Act, 1999 (CEPA) | Act | Environment
SOR/2018-66 - Regulations Respecting Reduction in the Release of Methane and Certain Volatile Organic Compounds (Upstream Oil and Gas Sector) | Regulation | Environment
SOR/2020-60 - Order Declaring that the Provisions of the Regulations Respecting Reduction in the Release of Methane and Certain Volatile Organic Compounds (Upstream Oil and Gas Sector) | Order | Environment
CSA-Z662:19 Oil & Gas Pipeline Systems | Standard, Regulation | Pipeline Safety, Safety, Environment
Canadian Energy Regulator Onshore Pipeline Regulations (SOR/99-294) | Regulation | Environment, Safety
CEPA (Canadian Energy Pipeline Association) Integrity First Program | Association | Environment, Safety
ISO 14001:2015 Environmental Management System | Standard | Environment
ISO 19600:2014 Compliance Management System | Guideline | Compliance
Corporate EHS Policy | Policy | Environmental, Health, Safety
API RP 1173 – Pipeline Safety | Guideline | Environment, Pipeline Safety
23. KNOW YOUR OBLIGATIONS
Compliance Design
Source | Category | Topic | Design
Pan-Canadian Framework on Clean Growth and Climate Change | Framework | Environment, Climate | Performance-based
Canadian Environmental Protection Act, 1999 (CEPA) | Act | Environment | Prescriptive-based
SOR/2018-66 - Regulations Respecting Reduction in the Release of Methane and Certain Volatile Organic Compounds (Upstream Oil and Gas Sector) | Regulation | Environment | Performance-based
SOR/2020-60 - Order Declaring that the Provisions of the Regulations Respecting Reduction in the Release of Methane and Certain Volatile Organic Compounds (Upstream Oil and Gas Sector) | Order | Environment | Performance-based
CSA-Z662:19 Oil & Gas Pipeline Systems | Standard, Regulation | Pipeline Safety, Safety, Environment | Management-based, Prescriptive-based, Performance-based
Canadian Energy Regulator Onshore Pipeline Regulations (SOR/99-294) | Regulation | Environment, Safety | Prescriptive-based
CEPA (Canadian Energy Pipeline Association) Integrity First Program | Association | Environment, Safety | Performance-based
ISO 14001:2015 Environmental Management System | Standard | Environment | Management-based
ISO 19600:2014 Compliance Management System | Guideline | Compliance | Management-based
Corporate EHS Policy | Policy | Environmental, Health, Safety | Outcome-based, Performance-based
API RP 1173 – Pipeline Safety | Guideline | Environment, Pipeline Safety | Management-based, Performance-based
24. KNOW YOUR OBLIGATIONS
Compliance Designs (arranged from MICRO to MACRO, and from MEANS to ENDS)
MEANS
1. Prescriptive-based: prescriptive regulation, design standards, technology-based regulation, specification standards, codes
2. Management-based: international standards, industry standards, goal-based regulation, safety case regulation, enforced self-regulation
ENDS
3. Performance-based: performance agreements, output-based regulation, market-based regulation
4. Outcome-based: duty and liability provisions, outcome-based regulation
26–30. KNOW YOUR OBLIGATIONS
Obligation Taxonomy (built up over slides 26 to 30; the completed diagram is shown once here)
OBJECTIVE
- Agreed Criteria: attributes a, b, c (ranked)
- Scorecard: attributes a, b, c with ranks 9, 7, 4
OUTCOME
Design layers, from ends to means: Outcome-based, Performance-based, Management-based, Prescriptive-based
Associated activities: Validate and Assure; Verify and Ensure; Satisfy and Sustain; Continually Improve
Rules: a. rule, b. rule
Standard Procedures
31. KNOW YOUR OBLIGATIONS
Compliance Measures
MoE (Measures of Effectiveness): progress against compliance outcomes towards zero non-conformance, injuries, violations, emissions, etc.
MoP (Measures of Performance): capabilities, capacity and competency to meet compliance objectives.
MoC (Measures of Conformance): evidentiary artifacts that demonstrate conformance to a standard.
MoI (Measures of Integrity): values, beliefs, behaviour, honesty, promise keeping, discipline, respect for people, etc.
32. KNOW YOUR OBLIGATIONS
Example Compliance Designs
What does COMPLIANCE DESIGN tell us about how obligations should be managed?
33. KNOW YOUR OBLIGATIONS
4.6 Identification, Analysis and Evaluation of Compliance Risk
▷ The organization should identify and evaluate its compliance risks. This evaluation can be based on a formal compliance risk assessment or conducted via alternative approaches. Compliance risk assessment constitutes the basis for the implementation of the compliance management system and the planned allocation of appropriate and adequate resources and processes to manage identified compliance risks.
▷ The organization should identify compliance risks by relating its compliance obligations to its activities, products, services and relevant aspects of its operations in order to identify situations where noncompliance can occur. The organization should identify the causes for and consequences of noncompliance.
34. KNOW YOUR OBLIGATIONS
Risk Evaluation (4.6, continued)
▷ The organization should analyse compliance risks by considering causes and sources of noncompliance and the severity of their consequences, as well as the likelihood that noncompliance and associated consequences can occur. Consequences can include, for example, personal and environmental harm, economic loss, reputational harm and administrative liability.
▷ Risk evaluation involves comparing the level of compliance risk found during the analysis process with the level of compliance risk the organization is able and willing to accept. Based on this comparison, priorities can be set as a basis for determining the need for implementing controls and the extent of these controls (see 6.1).
35. KNOW YOUR OBLIGATIONS
Risk Definition
“The effects of uncertainty on compliance objectives.”
Bow-Tie Analysis: causes (THREATS and OPPORTUNITIES) on one side, addressed by Preventive Controls; CONSEQUENCES on the other side, addressed by Mitigative Controls.
36. KNOW YOUR OBLIGATIONS
4.5.2 Maintenance of Compliance Obligations
▷ Organizations should have processes in place to identify new and changed laws, regulations, codes and other compliance obligations to ensure on-going compliance.
▷ Organizations should have processes to evaluate the impact of the identified changes and implement any changes in the management of the compliance obligations.
37. KNOW YOUR OBLIGATIONS
Obligation Change Process (a cycle: Initiation, Impact Analysis, Approval, Planning, Implementation)
INITIATION
• Change description
• Type of change
• Reason for change
• Time limitations
IMPACT ANALYSIS
• Identify implications of change
• Conduct risk assessment
• Identify affected parties
APPROVAL
• Approve implementation of requested change
PLANNING
• Develop implementation plan
• Develop communication plan
IMPLEMENTATION
• Execute implementation plan
• Notify affected parties
• Conduct necessary training and qualification
47. KNOW YOUR OBLIGATIONS
What steps can you take to know your obligations better?
1. Which attributes or sets of attributes tend to be missing from your obligation register?
2. What 3 attributes would significantly improve your ability to manage your obligations?
3. What steps could you take to start including those attributes in your obligation registers?
4. Will you be acting on those steps in the upcoming weeks?
48. The better you know your obligations, the better you can evaluate the risk.
A BEST PRACTICE COMPLIANCE MANAGEMENT FRAMEWORK: ISO 19600
Know Your Obligations