World-Class Compliance Assurance Program Part 2: Management Systems & their Importance to Compliance Assurance
December 16, 2016 - Kestrel Management
This is the second in a series of five articles on developing and maintaining a world-class compliance assurance program.
The connection between Management Systems and compliance assurance is vital in avoiding recurring compliance issues and in reducing variation in compliance performance. In fact, reliable and effective regulatory compliance is commonly an outcome of consistent and reliable implementation of a Management System.
A Management System is the organizing framework that enables companies to achieve and sustain their operational and business objectives through a process of continuous improvement. As shown, policy is the foundation of the Management System. It establishes the vision and overall corporate expectations. Processes and standards set corporate expectations for performance. They establish what must be done to meet the requirements of the policy—but they don’t define “how” it will be done. Procedures, then, define “how” the processes/standards will be met and, thereby, meet the requirements of the policy. Finally, proof/metrics provide the measurable “proof of performance”.
A Management System is designed to identify and manage risks—safety, environmental, quality, business continuity, security (and others)—through an organized set of policies, procedures, practices, and resources that guide the enterprise and its activities to maximize business value. In its simplest form, a Management System implements the Plan, Do, Check, Act/Adjust cycle of continual improvement and addresses the following:
- What is done and why
- How it is done and by whom
- How well it is being done
- How it is maintained and reviewed
- How it can be improved
The following table compares the attributes of a program with a “Compliance Only” emphasis against those of a “Compliance within a Management System” program.
Management System Standards
Industry standards are available to guide the design and implementation of an environmental, health and safety management system (EHSMS). The most widely recognized and applied are the harmonized ISO standards: ISO 14001 (environmental), OHSAS 18001 and the draft ISO 45001 that is intended to replace it (occupational health and safety), and ISO 9001 (quality).
The figure below depicts the standard Management System cycle of control and improvement. Two key procedures within this cycle that guide auditing involve understanding legal, regulatory and other requirements (under “Planning and Management of Change”) and evaluating compliance (under “Checking & Corrective Action”).
Each company’s Management System reflects its unique culture, vision, and values. To be effective and valuable, the Management System must be tailored and focused on how it can enhance the business performance of the organization. It must also be:
- Useful to people in the operations
- Intuitive—organized the way operations people think
- Flexible—making use of methods and tools as they are developed and documented
- Valuable from the outset—addressing the most critical risks and processes
- Linked to the business of the business (not “pasted on”), with ownership at the operational level
- A means to better align operational quality, safety, and environment with the business
There are a number of business reasons for implementing a well-documented Management System and associated support methods and tools:
- Establishes a common documented framework to achieve more consistent implementation of compliance policies and processes—addressing the eight core functions of compliance: inventories, permits and authorizations, plans, training, practices in place, monitoring and inspection, records, reporting.
- Provides clear methods and processes to identify and prioritize risks, set and monitor goals, communicate those risks to employees and management, and allocate the resources to mitigate them.
- Shifts away from a command-and-control, centrally driven function (or, at the other extreme, a totally decentralized one lacking adequate guidance and oversight) toward one that depends on teamwork and implementation of a common system, while accommodating necessary local differences and building better know-how at the facility level.
- Establishes a common language for periodic calls and meetings among managers, facility managers, and executives, which yields better goal-setting, priority ranking, and allocation of resources to the areas with greatest risk or the greatest opportunity to add business value.
- Empowers facilities to take responsibility for processes and compliance performance without waiting to be told “what” and “how”.
- Enables better collaboration and communication across a distributed company with many locations.
- Enables the selection and implementation of a robust information system capable of tracking and reporting on common activities and performance metrics across the company.
- Employs a design and implementation process that builds company know-how, captures/retains institutional knowledge, and enables ongoing improvement without having to continually reinvent the wheel.
- Creates consistent processes and procedures that support personnel changes (e.g., transfers, promotions, retirements) and training of new personnel without causing disruption or gaps.
- Allows for more consistent oversight and governance, yielding higher predictability and reliability.
- Helps ensure that employees and contractors return home from work safely every day, and that the public and the environment are protected.
- Reduces incident costs and accrued liabilities and protects assets.
- Improves and sustains regulatory compliance and allows the organization to continually improve quality, environmental, and safety performance (employee, public, equipment, infrastructure).
The next article in this series will move on to identifying and assessing risks and the subsequent compliance program assessment.
Read the other articles in this series:
- Part 1: Enterprise and Compliance Risk Management
- Part 3: Compliance Risks and Compliance Program Assessment
- Part 4: Audit Program Best Practices
- Part 5: Maintaining a Compliance Assurance Program
Submitted by: Tom Kunes