How do you ensure compliance with 4.3.2 - Legal & other requirements?

[Bill Mitchell]

Ironic you should ask, we are currently teaching a 14001 Internal Auditor Class and just covered this.

Intent: To provide a mechanism for identifying and maintaining a list of relevent regulatory and other requirements that apply to the enviromental aspects of the orginizations operations products and activities.

Guidance: This includes Federal, State, City and Municipal code. Orginizations tend to outsource this or activity is assigned to their leagal department.

Other requirements:
A. Agreemnets with public authorities, customers, community groups
B. Requirements of the Corporation/company, trade associations or the public

What to Audit
How do they have access to legal and other pertinent requirements as it applies to the orginization.
How is the information maintained to include capturing of changes in requirements

There is more. Simply put this is not as simple as creating acouple of procedures. This is a critical piece.

 

[Randy]

Yep, ya gotta look at look at the relationship between legal and other compliance requirments and aspects and a whole lotta folks miss the boat starting here.

 

[John Broomfield]

Clause 4.3.2 states



My specific queries are:

1. What procedure is generally adopted to identify the applicable legal (& other) requirements?

2. What procedure is generally adopted to comply with point # (b) above?

2. Can there be more than one procedure in the sane organization both for (a) & (b)? [since the statement specifies 'procedure(s)]


Your valuable feedback is appreciated.

Thanks.

Samsung,

Existing LORs are addressed by the management system which includes a process for deploying new and changed LORs to the management system generally and/or projects specifically.

The process shows the subject matter experts (SMEs) either monitoring relevant websites or subscribing to updating services.

SMEs review the laws, regulations and other requirements and any upcoming changes to ensure the management system has internalized the requirements as part of the relevant procedures. Updates to the management system are implemented per the procedures for designing processes, controlling documents and training.

SMEs then evaluate compliance and report any noncompliance for corrective action.

Evaluations of compliance with LORs are separate from internal audit so audit covers the entire management system.

John

 

[Paul Simpson]

This thread seems to have started up as a spin off to another thread on regulatory compliance. I had a couple of responses - the first one here to draw the link between 4.3.2 and 4.5.2.

 

[Ron Rompen]

We took a similar approach to one previously mentioned, after an external audit found that we were not aware of a specific piece of legislation which was applicable to our plant.

1) Retained a consultant to perform an audit of our plant facility, to determine which legislation (at all levels) was applicable. You would be amazed at the amount of legislation that is out there, and only a specialist in this field is aware of some of them.

2) Created a database of all legislation, with review date, key words, etc (to enable quick sorting and review). Much of this legislation was also reviewed by the applicable management team members, to ensure awareness.

3) Designated a responsible person (our EMS/H&S co-ordinator) to regularly review (I believe it is quarterly) all of the legislation, to ensure that there are no pertinent revisions, additions or deletions. To assist in this, we have subscribed to a notification service, which advises via email of new and upcoming legislation which may affect us.

4) Scheduled regular (bi-annual) external review by a consultant, to ensure that we stay in compliance.

Yes, its a little expensive, and yes it's a lot of work; but noncompliance and the potential of losing our 14001 certification would be much MUCH more expensive in the long run.

 

[samsung]

Excellent responses so far and I must express my sincere thanks to all who immensely contributed to help me understand the intent of 4.3.2.

Now things are quite clear to me and based on all the inputs, I'm now sure to prepare and document a fairly robust procedure that truly meets the requirements of 4.3.2. I will certainly share it once I complete it in a few days.

Infact, we maintain two separate procedures for identification of LORs - one for OHS that I have recently re-documented (after a few minors in RC audit) with less problems for one simple reason that there are not many laws as far as H&S is concerned but the one I have to revise for EMS seemed a daunting task to me - a long list of legislation (& a lot many in pipeline) that typically apply to a manufacturing industry like ours.

Currently I am involved in a project where IMS is to be implemented very shortly. So, in view of the audit findings as well as the new project requirements, I had to revise the procedure for 4.3.2 OHSAS which I have attached herewith.

I have also shared a document (steps for setting up a Greenfield project) which I recently prepared for the new project. This document also serves as a source of information in respect of the legal requirements that would apply during the course of construction and afterward.

But I stuck around the EMS procedure to consistently meet out the requirements of 4.3.2. I wish to change the existing procedure which I don't find as effective as needed to keep pace with the fast changing environmental legislative scenario. And I can't apply the same methodology I adopted for OHS legal requirements.

Thanks once again to all for your valuable contribution.

 

[arivu21]

can u please send me the Legal register for my reference?

Thank you

 

[samsung]

can u please send me the Legal register for my reference?

Thank you

There are some simple rules that need to be followed while identifying and documenting the applicable legal requirements. Generally speaking, there can be 3 types of requirements in respect of each of the applicable legal obligations and they are:
1. Procedural requirements means the requirements related to prior permission /consent/ clearance/ registration/ authorization/ site notification etc.
2. Operational requirements (e.g. submission of returns or monitored data, reporting of accidents/ incidents, periodic compliance reporting, maintenance of records etc.
3. Monitoring requirements (e.g. monitoring and measurement of effluent quantity/ quality, measurement of noise, dust, illumination or monitoring of water/energy usage etc.)

It's very much important to identify each of them separately in the 'legal register' or any such document since it relates to assignment of responsibility. One (any deptt.) who is responsible for complying with procedural requirements of, say, H&S Permit, may not be liable for monitoring or reporting or for other requirements. e.g. the Administrative or Legal cell may fetch a Health & Safety Permit/ License to run a factory but it is (normally) somebody else who is to monitor the workplace dust concentration and someone else to take actions if it exceeds the prescribed limits and further someone else to report the monitored data to the regulatory authorities.

I have attached a sample format which I just now prepared (at home) and that's the reason I had to keep it short else the list of rules & regulations is quite long. Detailed checklists are maintained by various deptts. for the purpose of compliance evaluation and auditing.

We maintain a separate register for H&S laws and it's format is also different. Right now it's not with me but I can post it later on.

 

[batman1056]

Thanks _ I like this look of this - cleaner than what I am using - just need to find a compelte version of it.

 

[lennon121]

What's the best notification service available, is it free?