ISO 14001 Legal Registers/Compliance Obligations Overview and Audit Checklist


by Jonathan Brun

This article discusses:

  • What is ISO 14001
  • What is a legal register a.k.a. compliance obligation and how is it related to ISO 14001
  • What do legal registers/compliance obligations look like
  • Difference between legal register and audit
  • Maintainability of legal register/compliance obligation
  • Summary and conclusion
  • ISO 14001: 2015 audit checklist

What is ISO 14001?

ISO 14001 is an internationally agreed standard that sets out the requirements for an environmental management system.

It helps organizations improve their environmental performance through more efficient use of resources and reduction of waste, gaining a competitive advantage and the trust of stakeholders by demonstrating compliance with current and future statutory requirements.

ISO 14001 is one of the many different management standards. Some organizations adopt it just for a certification while many others incorporate its structure into their own environmental management system without aiming for a certification.

A management system, whether it’s ISO 14001 or any other, is really a framework for industry best practices for everyone who wishes to implement good environmental practices at their organization.

ISO 14001 is special because the framework is comprehensive: it has been built by experts from around the world, each of whom brought in the best of a particular standard that they had been following at their organization.

Ideally, environmental concern should be the only reason why organizations follow standards like ISO 14001, but unfortunately many organizations aim for this certification only because many of their important potential clients refuse to do business with organizations that are not ISO 14001 certified. One of the downsides of adopting this standard for mere certification is that an organization that does so starts to view this management standard as a cost centre that eats up time and financial resources, when in reality this standard brings in tremendous value.

Now let’s learn about a Legal Register.

What is a legal register and how is it related to ISO 14001?

A legal register or compliance obligation is a list of the laws, regulations, codes, and statutes that apply to an organization. A legal register is a requirement within ISO 14001, as well as many other standards like energy standard 50001 and safety standard 18001.

If there is an environmental spill or any other problem, an organization cannot plead ignorance in court. One cannot simply say in court, “We didn’t know this law existed, we didn’t know this regulation, so we didn’t know we had to file that report.”

So ultimately, all organizations need to have some sort of documentation to help their staff at all levels, whether upper management or the people on the shop floor, understand their environmental regulatory requirements. ISO 14001 forces organizations to do so.

The legal register has to identify and provide access to applicable legal and other requirements. Other requirements refer to environmental permits obtained from appropriate government authorities and internal environmental standards that an organization has implemented. These requirements should then be related to the environmental aspects that the organization is involved in, such as air emissions, wastewater, CO2, etc.

Some compliance obligations/legal registers are mandatory while others are voluntary.

The mandatory ones are found in legal codes, statutes, acts, and regulations. The voluntary ones are found in industry standards or corporate standards that an organization has adopted internally. They can be an NFPA standard, or a BSI, CSA or any other standard that an organization has decided to adopt.

Between mandatory and voluntary standards is what is commonly referred to as the “Great Law”, which is a voluntary standard, but is referenced in law in legal documents (as opposed to rewriting the standard in the law). Great laws may sound voluntary but because of their reference in the law, they are mandatory. They have to be taken into account when an organization is building its legal register.

One has to remember three things in terms of compliance obligations: operational requirements, operational permits and collaborative agreements.

Operational requirements are things like permitting and monitoring programs, where the government has issued an organization’s facility a permit to do something but the facility needs to respond to the government on a regular basis, for example with water samples or results from an emissions stack.

Operational permits are things around actual requirements that are set forth in laws and regulations.

Collaborative agreements are agreements implemented by an organization either internally or with external partners that would be part of the organization’s compliance obligation.

What do legal registers/compliance obligations look like?

A typical, primitive, and old-fashioned way to prepare a legal register is Excel. Usually, a consultant comes in and builds the legal register in a Microsoft Word or Excel file, and it looks something like this, with a number of different columns:

The only common element that I have seen amongst the legal registers of many different organizations even though they’re all following the same standard is the legislation name, the actual name of the legal document that applies to the organization.

Better elements that sadly I do not see in most legal registers, elements that are crucial but absent in most legal registers, are:

  • control measures
  • the jurisdiction that dictates a particular requirement; provincial or federal (especially important if an organization operates in multiple locations)
  • the last revision date (the last time a specific legal requirement was revised to determine whether or not it had changed and whether it’s still applicable to the organization)
  • the environmental aspect
  • the work area or of the organization.
  • a summary of the requirement (something between one and four sentences long. It’s a summary of the requirement that’s not specific to your organization).
  • applicability text (again one to four sentences on how the legal requirement applies to the organization’s operations. A multi-operational company should have an applicability text for each operation. For example, if an organization has two plants in the state of New York, it should have two different versions of the applicability texts for each plant even if the plants are fairly similar).
  • the department, government or ministry that has issued the compliance obligation (this can be helpful in terms of digging deeper when one wants to see more context as to the compliance obligation and how it was put out: by the air district, by the EPA or by the ministry of such and such).
  • the last revision person or group (this is a big thing for external ISO 14001 auditors. When they come in, they want to see not only that the register is up-to-date, but also who did the last revision, so they can ask follow-up questions of the appropriate people).
  • associate the compliance obligations to specific hazards or specific assets (for example, if the organization’s operations are associated with specific hazards like fuel oil or equipment, associate the compliance obligations related to those hazards and equipment).

So, in summary, an organization should link each of its business activities with the applicable environmental law, organize the result by aspect (air, wastewater, etc.), and have a short and sweet applicability text on how the specific compliance obligations impact the organization’s business and what it needs to do to respect them. And it has to be short.

The metric that organizations should use when they’re building a legal register is: “Is the legal register actionable?” Can new employees, such as new environmental managers and coordinators, come in, take the legal register, read it, and take action within a couple of days, after having, of course, familiarized themselves a bit with the operations? A lot of times, professionals say, “Oh, ISO 14001 is a lot of papers.” That’s because the documents built within the framework, such as a legal register, are not actionable enough and are not operation-specific, and so end up just being paperwork as opposed to being genuinely useful documents for new and current staff.

The other metric to use is: “Can a new employee understand the critical environmental legislation and how it applies to the organization’s operations in under 8 hours?” So if someone from a different state or country who is not familiar with the legal requirements in that country comes in, he/she should be able to understand the facility’s legal requirements and responsibilities by looking at the legal register.

Difference between legal register and audit

Many professionals ask if a legal register can be converted to an audit. To summarize, the difference between a legal register and an audit is that a legal register is a living document. It’s a document that one keeps up-to-date as the laws and regulations change and as an organization’s operations change. An audit, by contrast, is a point-in-time portrait or picture of an organization’s operations and its compliance with the relevant laws and regulations that the organization is auditing against.

With software, like Nimonik, it is possible to convert a legal register into an audit protocol at the click of a button.

Maintainability of a legal register

Don’t think that the cost of a legal register is the cost of building it. That’s a small cost. The cost of a legal register is really about maintaining it over the long term. It’s like a kid: it’s a low cost to have a kid but a lot higher cost to raise the kid.

So a legal register should be structured so that its maintenance costs are not excruciatingly high.

Now there are a few ways to do that. Some organizations that make the legal register/compliance obligation using Word or Excel keep it broad: they only have the legislation name and some very high-level information about the organization. That’s a low-cost solution, but also a low-value solution. One is not going to get much information by just knowing the top 15 pieces of legislation that apply to the organization and that’s it. Organizations can do the same thing with a piece of software, whether it’s Nimonik or STP or another company. But if it is broad, it will still be a low-value solution.

Now for a high-value solution, the sections of the regulations need to be broken down and applied to the various aspects and control measures of an organization. This again can be done with Word/Excel or software, but the difference with doing it in software like Nimonik is that the legal register’s maintenance cost will be much lower than if the register is made in Word/Excel.

The best value-for-money solution is to embed operational knowledge in a good piece of software with a great database of regulatory information. This helps an organization reduce the cost of maintaining the register while still keeping the high-value, organization-specific information, which is up-to-date with revisions and the names of the persons who did the revisions.

Summary and Conclusion

So, in conclusion, the purpose of a legal register is to know what an organization’s compliance obligations are for the jurisdictions and the industry it operates in. It has to link those compliance obligations to its specific business activities and operations. An organization should be able to demonstrate to an external auditor the efforts made to stay compliant on an ongoing basis. This is one of the big things auditors look for during an ISO 14001 audit.

Often organizations scramble and say, “Oh, we have an ISO 14001 audit next month. Let’s run and hire a consultant to update our legal register.” Well, that’s not really respecting the spirit of the standard. It is critical to demonstrate ongoing compliance efforts through revision dates on the items in the legal register and the names of the people or the committees that did the revisions.

The document should be easily transferable to new employees so they can pick up the legal register and say “oh, okay, I understand what the plant is subject to. I understand what parts of the plant have to respect which obligations and how those obligations apply to them.” That’s not an easy thing to do but that should be the end goal.

The initial cost of building a high-value legal register is high, whether in Word/Excel or software, but with software the maintenance cost of the legal register is much lower than with Excel/Word.

Contact information

I hope that this article was helpful in providing an overview of legal registers/compliance obligations. At Nimonik we are always available to discuss your organization’s compliance obligations and solutions.

ISO 14001:2015 Audit Checklist

Here is the complete ISO 14001:2015 audit checklist that you can use on Nimonikapp, available on web and mobile devices. It will save you hours in conducting audits, generating reports, and issuing corrective actions.