https://nimonik.com
An overview of why your organization should equip itself with a robust and integrated Legal Register (Compliance Obligations), reviewing the purpose, intent and benefits of a Legal Register.
1. The Legal & Other Requirements Registry (ISO 14001:2004)
Compliance Obligations (ISO 14001:2015)
In the Context of an EH&S Management System
Updated February 2018
Please feel free to use this presentation in the development of business cases for the
development of a robust compliance assurance program or training.
Nimonik.com - 尼莫尼克
Support: support@nimonik.com
602-5445 Av de Gaspé
Montréal, QC H2T 3B2 Canada
Canadian LinkedIn Enviro Group
Chinese EHS & CSR LinkedIn Group
2. Purpose
To provide information to enhance understanding of what the Legal Registry is
(and is not).
To provide context for how the Legal Registry fits within an EH&S Management
System.
To provide an overview of the process to sustain the integrity of the Legal
Registry.
3. Definitions
Approval – Means all approvals, authorizations, permits, licenses, consents, permissions or other regulatory
instruments granted to your organization by government agencies and regulatory bodies pertaining to the
construction and operation of a facility, and which typically contain operating and reporting conditions imposed
upon your organization.
Compliance Program – Means the systematic procedures instituted by an organization (e.g. your
organization) to ensure that the provisions of the applicable Regulations are being met.
Operational Controls – Means those documented or undocumented procedures, processes or work
practices designed to ensure safe, efficient and reliable activities (operations), products or services; to guide
conformance to internal policies and standards, as well as to ensure conformance to Regulatory
Requirements. Operational Controls may include policies, standards, work practices, operating procedures,
training manuals, automated control system design and configuration and job descriptions.
Regulations – Means all statutes, regulations, codes of conduct, or other legislative requirements of general
application; industry specific requirements imposed by a regulatory authority; and all guidelines or work
practices incorporated by reference in an Approval.
Regulatory Compliance – Means the certification or confirmation that the operating business is conforming
or adhering to all Regulatory Requirements, typically achieved through the consistent and relentless execution
of Operational Controls.
Regulatory Requirements – Means all requirements, obligations and commitments applicable to, or binding
upon your organization under all applicable Regulations and Approvals, and includes any commitments
made to regulators by your organization or its representatives, whether or not such commitments are
evidenced in writing.
4. Executive Summary
The Legal Registry, at its simplest, is nothing more than a “list” to track Regulatory Requirements. In the
context of an EH&S Management System, best practice is for the Legal Registry to incorporate a
concordance map. The concordance map maintains the line of sight between a Regulatory Requirement
and the Operational Control to manage compliance with that Regulatory Requirement.
Regulatory Compliance is one outcome of competent workers consistently and relentlessly executing
Operational Controls with integrity:
By itself, the Legal Registry is nothing more than a “binder on a shelf”.
To achieve consistent compliance with EH&S Regulatory Obligations, the Legal Registry must be translated into action - what
workers do – which actions are embedded within an Operational Control.
When implemented, the Operational Control forms a critical part of an effective EH&S Management System, and accordingly
the Operational Control must have integrity.
The Legal Registry supports: (a) the identification of possible compliance gaps (Regulatory Requirements with
no corresponding Operational Control); (b) the assurance that Operational Controls have regulatory integrity; and (c) the desired
outcome whereby execution of the Operational Control results in compliance with related Regulatory Requirements.
There is no simple, “silver bullet” solution to achieve Regulatory Compliance. Compliance is tactical work,
achieved by competent workers consistently and relentlessly executing Operational Controls with integrity.
Compliance assurance is measured by testing: (a) whether the Operational Control is designed to effectively
manage the Regulatory Obligation; and (b) whether the Operational Control is executed effectively.
5. Regulatory Compliance – Vision, Goals & Scope
Vision:
Well-run companies will conduct their business using a “cradle to grave” approach ensuring they are in
compliance with all applicable regulatory obligations, including design, construction, commissioning,
operation and decommissioning of their assets, whether directly or through their contractors and agents.
They will do this because it is good business – it is supportive of, and consistent with, operations
excellence.
They will achieve this in a manner transparent to the workforce – it is the way they do business, a part of
their DNA.
Goals:
100% Compliance with regulatory obligations is the minimum standard.
Management systems and independent audits provide assurance to the Board of Directors and Senior
Management that the organization is on a continuous improvement journey to beyond regulatory
compliance.
Scope:
Scope is to identify Regulatory Requirements that: (a) directly protect people & the environment; (b)
directly pertain to operating company assets; and (c) indirectly protect the organization's license to
operate and grow.
6. Overview – Regulatory Governance, Assurance and Compliance
Diagram labels: Governance; Compliance Assurance; Compliance Program
The foundation for success is a Regulatory Compliance Program whereby compliance is ingrained as “how we do business”.
Governance - independent structure to facilitate objectivity, transparency, consistency and integrity.
The Compliance Assurance measures build on the foundation of the Compliance Program to provide assurance to the Board and Senior Management that the Compliance Program is effective.
7. Regulatory Compliance – What It Is and Is Not
Regulatory Compliance:
IS NOT about a “culture of compliance” (doing what we are told to do).
IS about a “culture of integrity” – honoring our regulatory commitments because it is the
right thing to do and is consistent with our values and beliefs.
IS NOT about creating an impediment to operational excellence or an additional burden on
resources (e.g. layers of process, button pressing and paper pushing that interfere with
the productivity of our workers).
IS about supporting good business performance – aligning with our operational excellence
initiatives and the integrity with which we operate our assets.
IS NOT about trade offs – e.g. “compromising production, cost or schedule to achieve
compliance with our regulatory obligations”.
IS about the relentless pursuit of excellence to “deliver it all” without compromise.
8. Operational Excellence – Role of Regulatory Compliance
Safety Excellence
• Journey to Zero – EHS Performance Improvement programs
• Process Safety Management
Environmental Compliance
• Living up to our standards
• Ensuring our license to operate
Maintenance & Reliability
• Process driven
• Proactive and planful
Cost Management
• Smart decision making
• Cash flow to fund growth
Business Integration
• Company-wide processes
• Working smarter
Clear Accountabilities
• Back to basics
• Simplified focus
• One company approach
Regulatory compliance, with its initial focus on environmental and health and safety compliance, fits with the operational excellence vision and is an outcome of good operating practices.
9. Operational Excellence – Compliance As An Outcome
Operational Excellence = competent workers consistently and relentlessly executing
Operational Controls with integrity.
Management: 50% - 80% of time spent (with functional support) ensuring the above:
Do we have sufficient workers? Work is adequately resourced with no vacant roles.
Are workers competent? New workers to be on-boarded and trained effectively. All workers have all
required training to ensure competency and execution of Operational Controls. Workers have clarity of
accountabilities and have the authority to execute against those accountabilities.
Do we have all necessary Operational Controls to operate the business or assets? Do workers know
what we hold them accountable for? Do they have records of those accountabilities, such as job
descriptions, access to the operating procedures they rely on? Are the assets designed and configured
to hard wire best practices (safety, production, compliance etc.) where we can?
Do the Operational Controls have integrity? Are they up to date, reflecting safe and best operating
practices? Do they leverage and institutionalize knowledge of workers? Is compliance embedded
transparently (in actionable layman’s terms)? Are processes in place to solicit worker input? Is incident
learning embedded in Operational Controls and implemented for continuous improvement?
Do workers consistently and relentlessly execute those Operational Controls? Does management
engage in observations, oversight, assessments, coaching, counseling and correcting? Do we learn (and
implement learning) from incident investigations? How do we respond to information from lagging and
leading metric reporting? How effective is the management review process?
If we do the above well, regulatory compliance is one outcome, in addition to operational
excellence synergistic outcomes (best practices on safety, Process Safety Management,
Maintenance & Reliability, sustained production, worker productivity, as well as
institutionalizing long term worker knowledge).
10. Culture – Operational Integrity & Operational Respect
The culture, or style, of the organization is one that respects compliance as a minimum standard, and sees
non-compliance as an inhibitor to our collective license to operate and grow.
Culture and Leadership are fundamental – without driving a culture of integrity – a positional felt
understanding and accountability of compliance obligations – the introduction of tools, systems and
processes has a low probability of success in moving us up the curve.
At senior management levels, culture or style includes ensuring the “wake” that we leave does not overtly or
inadvertently compromise a foundation of operational integrity.
No worker should believe or feel he or she is doing the right thing by compromising compliance (or safety or other like values
and beliefs) for the sake of production, cost or schedule.
Management’s behavior must walk the talk on a day to day, moment by moment tactical level - embedded or underlying how we
implement the Management System, including all operational practices and decisions.
At the line level, operational integrity means workers are given operational respect:
Workers are provided with certainty as to what is expected from them (their accountabilities), as reflected in Operational
Controls.
Workers are supported in the consistent and relentless execution of those accountabilities through training, tools and authority.
As a quid pro quo, workers are prepared to be held accountable to execute those duties with excellence, reinforced through a
cycle of training, assessments and corrective action (coaching, mentoring, re-training or assigning consequences if required).
Workers are confident they will return home in the same condition they arrived to work. They know their co-workers are
competent, and the Operational Controls they all follow have integrity and are respected.
Workers feel valued because they know the Operational Controls they all follow will deliver the business outcome safely,
reliably, and in a manner that reflects the integrity of the organization. Workers will not be asked (nor expected) to compromise
safety, regulatory requirements, or the sustained reliable operations of the assets, products or services they steward on behalf
of the organization.
Middle management ensures workers are given operational respect; holding workers accountable; providing
support, coaching, encouragement, recognition and discipline as required.
11. Compliance Program - Desired End State
Regulatory compliance must be made real for employees – it must be engrained in how we do
business every day, not just another “binder on a shelf”.
We will choose to comply with our regulatory obligations and commitments, not because we
are told to do so, but because it is good business. It aligns with our operational excellence
aspirations and initiatives, as well as the integrity with which we operate our assets.
A Regulatory Compliance Program is a subsystem that is consistent with, and a component
of, the overarching environment, health and safety management system (Corporate EH&S
Management System Standard).
There are four thematic elements essential to a desired end state.
1. Awareness and Accountability:
Compliance is everyone’s accountability – clarification of roles and accountabilities is foundational.
Each position, and any contractor acting on the organization's behalf, will have a clear delineation of
regulatory obligations within the scope of the accountabilities for that role, and all operating procedures,
and each employee or contractor will be accountable, and competent to execute against those
accountabilities. Successful execution of a Compliance Program relies upon absolute clarity of
individual roles and regulatory accountabilities, whether such individual positions lie within an
operating group or services group.
Management will understand and execute its role in an overall compliance management subsystem to
steward and manage regulatory compliance.
12. Compliance Program – Desired End State (Continued)
2. Competency:
Systems must support the development of competencies required to fulfill compliance obligations.
3. Prevention:
The design, construction and handover of assets to operations will provide a foundation for operating the
assets under all operating conditions in compliance with all applicable Regulatory Requirements.
We will investigate competently, consistently and with integrity, all incidents of non-compliance to
understand the root causes, and identify and implement continuous improvement solutions to minimize
the risk or recurrence.
Excellence in Maintenance & Reliability and Process Safety Management will also play a role in
prevention of operational upsets and sustained compliance.
4. Leadership/Culture:
Leaders will promote a culture of integrity through what we say and do, and will not, overtly (by what
we say or do) or inadvertently (by what we do not say and do), compromise worker compliance with
Regulatory Requirements.
Processes, practices and tools will be modified or designed, and implemented with
consistency and integrity, to institutionalize and sustain the above, including through change
of laws, workers or activities, products and services.
13. Review – The Legal Registry – What Is It?
The Legal Registry at its simplest is a list of the Regulatory Requirements applicable to a Business. However,
if not translated into actions, it is nothing more than a binder on a shelf.
Accordingly, best practice is for the Legal Registry to be more than a list of Regulatory Requirements. At a
minimum it must contain a concordance map between the Regulatory Requirement and the Operational
Control – the record of the tasks and activities to be executed and by which we ensure compliance with the
Regulatory Requirement. Specifically, the Legal Registry must contain:
A statement of the Regulatory Obligation
A concordance map to the Operational Control(s) by which the Business achieves compliance with the related Regulatory
Requirement(s), and which Operational Control includes:
A description of the facility to which that requirement pertains;
The position(s) accountable and responsible to perform the obligation, as well as the positions to be consulted or informed
as part of the Business Process;
A description of the work activities to be performed to comply with the obligation (e.g. the translation of the Regulatory
Requirement into meaningful – plain language – actions, tasks, activities and outcomes);
A description of what is to be done to demonstrate compliance with that obligation.
Why do we need a concordance map?
Identification of compliance gaps (Regulatory Requirements with no corresponding Operational Control);
Supportive of process to manage new or changed Regulatory Requirements;
Supportive of BU compliance self assessments or Corporate compliance audits re: effectiveness or execution of the Operational
Control; and
Compliance assurance – provide assurance to Senior Management/Board re: compliance through measurement of execution of
Operational Controls.
Once a baseline (snapshot in time) of the Legal Registry is in place, a sustainment process must keep the
Legal Registry current through changes of law (whether new regulations or your organization's specific
approvals); changes of organization and changes to our operations.
14. The Concordance Map - The Connection Between The Legal Registry, Operational Controls And Implementation
Training
Self-assessment
Corrective action
Audit
Line of Sight
Operational Controls
Legal Registry
Risk Register
Environmental Aspects or Business Risks
Significant Environmental Aspects/Business Risks
Policies
Standards
Practices/Operating Procedures/Training Manuals
Automated Control Systems (e.g. DCS)
Job Descriptions
Operational Controls should have integrity – in addition to embedding safe, reliable operating best practices, they should also operationalize the clear linkage between the risk register, environmental aspects and the regulatory requirement.
Excellence in execution = regulatory compliance. All transparent to workers and synergistic with operational excellence.
Synergies – Operational Controls should reflect best practices, including safety, PSM, M&R, identification of key inter-dependencies, institutionalizing the skills, knowledge and experience of our best operators and providing clarity of roles and responsibilities.
Implementation:
Rollout of operational controls can be on a “when ready” basis with a cycle of training, self-assessments, corrective actions and audit. Rollout to be supported and reinforced with other EH&S MS Gap Closure Initiatives, Operational Excellence initiatives and/or EHS performance Improvement program rollout. A communication strategy would be helpful to co-ordinate and align with culture outcome.
15. What Do We Do With The Legal Registry? - Making It “Real”
Legal Registry
Obligation
Facility
Position & Competencies
Support Resources
Task to Comply
Demonstrate compliance (Performance Assurance)
Operational Controls (operating procedures, operating limits, etc.)
Senior Leader
Oversight Stewardship
Worker
Job Description
Operating Procedures
Competency & Training
Task Tools (enablers)
Assets
Setting of limits
Process Design
Documents
Operating Procedures
Alarms
Resources to sustain through changes of law, positions, assets and technology
Onboarding training, certification, retraining, and recertification resources to sustain through changes of workers, positions, operating procedures etc.
Non-Compliance Events
Investigations/root cause analysis
Learn and Fix (continuous improvement)
Automatic system response to non-compliance
Human response to non-compliance
CULTURE OF INTEGRITY
16. The Registry – One Small But Integrated Part of the EH&S Management System
Legal Registry Sustainment
Process and support resources to sustain integrity of legal registry:
• Changing/new regulations
• Organization changes
• New/modified assets
• Link to operational controls
• Consistency of interpretation
• MOC Initiator
• Reporting
Audits
• EH&S Audit independent assessment of compliance
Operational Controls
Updated to ensure currency and effectiveness (integrity – document control), and are accessible.
Compliance is an outcome – Regulatory Requirements are embedded (transparent to workers)
Linkage to management of Risk Register and Environmental Aspects
Clarity of roles, responsibility and authorities
Awareness & Training for impacted employees (competency)
Checking
Verify compliance by verifying execution of operational controls (self assessment)
Implementation cycle of training, assessment and corrective action to ensure implementation and consistent and relentless execution.
Corrective and preventative action – ILP, audit and self assessment findings
Measurement and reporting – lagging and leading indicators
Management Review:
Is the system adequate and effective?
Corrective action: follow up, encouragement, coaching, re-training or discipline – management “walks the talk” and demonstrates commitment by ongoing active follow up. Active management commitment will be supportive of the increasing maturity of the culture of operational integrity.
Corporate Accountability
Business Unit Accountability With Corporate Support
* Corporate means Regulatory Compliance, EH&S Audit, and others as required
17. Framework Elements to Achieve Operational Compliance
Regulatory Requirement:
ID & track in Registry;
Link to Risk Registry & Environmental Aspects
Scan and action changes
Interpretation:
Consistency & Integrity
Meet the regulatory intent
Translation:
Into tasks workers execute
In layman’s terms
Operational Control
Clarity of roles, authorities and accountabilities
ID adequate resources
Demonstration of compliance
Training or Other Corrective Action
Worker competency
Continuous improvement on effectiveness of operational control and/or execution
Assessments or Audits
Is the control effective?
Is the control consistently executed?
Focus on high risk areas (link to risk register and significant environmental aspects)
Non-compliance or non-conformance Findings, Incident Reviews & Investigations
Monitoring & Reporting
Leading & lagging indicators (e.g. # of compliance incidents; # of compliance gaps from Registry; # of open action items from assessments, audits; % workers trained etc.) (see Appendix for list)
Management Review
Is the system effective?
Action required on Operational Control effectiveness or execution?
Systemic Corrective Action
Compliance Assurance:
Effective process in place to sustain the integrity of the Registry (tracking of requirements and compliance gaps)
All regulatory requirements have an Operational Control in place.
Premise: execution of effective operational controls = regulatory compliance as an outcome.
Assessment and audit plans built on risk based approach (linkage to Risk Registry) are fully executed.
Assessment & audits (internal or external) test for compliance effectiveness and execution.
Management Review in place and effective.
EH&S Board Assurance through independent Operations Integrity Audit (similar to Financial Internal Audit).
Execution:
Consistent & Relentless
Stewardship/Self-Review
Legend:
Plan = Green
Do = Blue
Check = Orange
Act = Grey
18. Intrinsic Value - Synergies With Operational Excellence
Do we recognize the “intrinsic” value of the Management System?
Isn’t it beyond “checking the box”, compliance or even EH&S objectives?
Isn’t the tactical straw-man model on how to achieve operational compliance also the tactical model for achieving
operational excellence (including reliable and sustained production, lower costs, and operator respect)?
Substitute in the model the Regulatory Requirement box with “Improve Reliability”; “Improve Process Safety”; “Improve worker
safety”; “Improve Worker Respect”, “Capture operational knowledge from retiring worker” etc. – isn’t “plan, do, check, act” the
same tactical model to achieve this outcome?
Synergies – Is the work a substantially similar effort to do the following?
Identify and integrate operations excellence best practices
Identify and integrate PSM and M&R practices
Capture operational knowledge in “long term employees heads” (e.g. key plant inter-dependencies) – mitigate losing knowledge
from further long term employee retirements
Clarify and optimize if appropriate roles and responsibilities
Develop training materials; and
Integrate compliance assurance requirements into operational controls.
Disciplined execution of accessible, up to date operational controls by competent, qualified workers is the
bread and butter of how we operate assets with excellence (consistency and integrity). Does this not feed into
the culture of integrity management wants? Doesn’t this also feed into operator respect?
Can we thread in continuous improvement on compliance with current or to be commenced initiatives?
Think about work in progress. Are we updating training materials as part of a training initiative? Are we updating operating
procedures to embed process safety management procedures? Am I trying to capture and institutionalize the knowledge and
operating experience of long term employees who are, or may soon be retiring or otherwise leaving your organization?
The output of each, whether training materials, operating procedures or job descriptions are all “Operational Controls”.
We suggest it is relatively low incremental work to address and update the Regulatory components of those materials, or to at least
identify what Regulatory Requirements are addressed by those materials.
19. Self Assessment & Audit Compliance Focus Areas
The Legal Registry is supportive of Business Unit compliance related accountabilities and
Corporate Compliance audits in the continuous improvement journey:
Gap Assessment – Does each Regulatory Requirement have a corresponding Operational Control?
Effectiveness - Is the Operational Control effective to manage the Regulatory Requirement?
Has the requirement been translated into effective actions to achieve the intent of the requirement?
Are there interpretation challenges in translating the requirement into actions?
Is there a better way to achieve the same end?
Execution - Are we consistently and relentlessly executing the Operational Control?
The goal is 100%
Operational Upsets can occur – Regulatory Requirements will usually take this into account
Do our workers have sufficient training and capability to execute the requirement with excellence?
Is management doing its part to ensure consistent and relentless execution of the Operational
Control by workers?
What else, or who else, does the Operational Control rely upon for consistent and relentless
execution?
Focus effectiveness and execution assessments and audits on high risk areas identified in Risk Registry
or as significant environmental aspects.
21. Recommended Compliance Key Performance Indicators
Lagging Indicators:
# of non-compliance incidents
# of non-compliance audit/assessment findings
% completion of Corrective Actions
Leading Indicators:
% conformance to assessments/audits plan
% of workers trained on Operational Controls (initial and sustainment training)
# of Regulatory MOCs completed/outstanding
# of non-conformance findings (execution of Operational Controls)
Compliance to Operational Controls review cycle
22. HOW NIMONIK CAN HELP?
To help your organization meet its environmental and health and safety management
system requirements, Nimonik offers easy to use software and comprehensive regulatory
content development support. To know more about our products and services, we invite
you to review them below or simply get in touch with us at 1-888-608-7511
or info@nimonik.com
Software
Audit on web and mobile devices – Android, iOS
Legal Register/ Compliance Obligation Management (ISO 14001 compliance)
Permit and Government Reporting Management
Incident Management
Regulatory Content
Environmental, Health and Safety Audit Protocols for over 80 countries
Legal Registers (ISO 14001 4.3.2 Compliance) for over 80 countries
Contact us at info@nimonik.com for more information.