Picking the right solution for compliance management is trickier than it might seem. Here are some helpful tips. This post is written for EHS managers/directors, Risk managers/directors, and compliance officers who are trying to understand their options for compliance solutions.
This post is written by a software vendor, but we have tried to remain as neutral as possible. The purpose of this post is to help you understand your options for assuring comprehensive compliance for all of your facilities. If your organization has a goal of staying in compliance with evolving regulations, standards, codes and your internal documents (permits, contracts,…), you will need software. Excel files, email and Word documents are just not going to cut it in 2021.
We have decided to structure this post as a series of questions you might be asking yourself. We will likely add to this list as we continue to learn more about the options on the market.
Some questions you may want to consider:
Should all management system elements be in one central software?
This is a perennial question that all companies struggle with. At the end of the day it is a decision to balance the benefits of one integrated system vs. point solutions that are better at specific tasks and functions. The extreme version of a one-system solution is SAP. SAP was originally designed for enterprise resource planning in a manufacturing setting. It has evolved to host many more functions, but its core competency is still in a manufacturing setting. ServiceNow is perhaps the closest equivalent to SAP for service-oriented businesses. Those of us who have worked with SAP or ServiceNow know that the further away we get from their core competencies of ERP, the worse the modules get. Costs for integration and maintenance are substantial and are unlikely to ever go down. So, before you embark on a centralization project, it is critical to look at your maintenance and upgrade costs, as that will be the main issue over the years to come. There is no doubt that there is a real benefit to having all of your data in one system, but it also comes with financial costs and usability costs that your organization must bear.
For the specific tasks of risk and EHS management, there are companies that position themselves as catch-all platforms. Companies that are looking for one of these comprehensive EHS and Risk solutions may look at vendors such as Enablon, Intelex, Gensuite, VelocityEHS or others, or at General Risk and Compliance (GRC) software (Archer, MetricStream, LogicGate,…). These two kinds of systems have a lot of similarities and some key differences. The variety in these systems is beyond the scope of this article, but it should be noted that each software usually emanated from a specific solution (Hazardous Waste Management, Incident Tracking, Document Management,…) and, though it has grown to offer much more, the module that the overall system emerged from is usually where its strengths still lie. Many organizations we have spoken with have multiple instances of these “all in one” platforms because, in fact, each software is much better at certain things.
When it comes to regulatory compliance monitoring software, there are a few different paths you can take. The paths generally break down into:
- You can opt for a “compliance” module in one of these large platforms
  - This requires the purchase of regulatory data from a third-party supplier
- You can buy a series of local solutions for the various countries and industries you work in
- You can purchase an integrated global compliance tool (like Nimonik)
If you are considering a large system with multiple modules and you also want to obtain regulatory data and extract data from internal documents, then you need to take into account the cost of purchasing services from various vendors and putting all the pieces together. It can be done, but it needs to be carefully planned out. Expect the budget for a compliance module from a major vendor and regulatory data to start at 30,000 USD and go up from there. We outlined some of the costs and benefits of various compliance approaches in this blog post from 2020.
An alternative to one large system is to pick and choose the systems that best fit your various needs. The significant benefit of this is that you can obtain the best of class in each category, better control costs and reduce your dependency on a single vendor. If you want to pull together your data from multiple systems, a robust Business Intelligence tool can help cross-reference and identify trends across various systems.
There is no perfect, one-size-fits-all solution. It is all about your priorities and needs, and whether or not compliance management is something that you want to excel at.
Do you tackle regulatory compliance separately from compliance to internal documents?
When it comes to compliance, organizations are subject to much more than just regulatory requirements. All organizations have a myriad of Internal Documents that their teams and operations need to stay in compliance with. Some common examples include:
- Environmental permits
- Stakeholder engagements
- Corporate policies
- And so on.
If your organization is serious about compliance, it needs to take a holistic approach to ALL of its requirements. It should have a clear and streamlined process to tackle existing and emerging obligations, regardless of their source. The challenge in accomplishing this vision of comprehensive compliance is actually locating, organizing and then processing all of your obligations (requirements). Because the vast majority of these obligations are buried in PDF and Word files, most companies never get down to the granular level and end up settling on “being in compliance generally”. With a tool like Nimonik, you can load in your internal documents and have our software and team extract all of your obligations. This is a massive timesaver that will free up resources to actually review your compliance.
In short, your team needs to determine the scope of the compliance you are trying to achieve. Is it just regulations? Are you including standards? What about internal documents? E, HS,..? Once the scope is clarified and is mapped to the responsibilities within your organization, you can then make an educated decision on the type of system and functionality you require.
Should corporate drive compliance or should it be decentralized to facilities?
The easy solution for compliance is to delegate it to the local facilities. The benefit of this approach is that corporate does not need to allocate much budget for compliance management or teams to supervise and coordinate, and it allows the local facilities to make decisions that are best for them. There does seem to be a general trend towards more compliance solutions at the corporate level. Nimonik conducted a survey on this issue in 2019 which concluded that the benefits of a central view of compliance outweighed the benefits of a decentralized approach.
When evaluating regulatory compliance solutions, it is important to remember that there are generally two types of legal register companies. There are companies (ENHESA, STP) that were designed to provide services to corporations, and their business model, sales and service are all centered around helping corporations get visibility across their operations.
The companies focused on local solutions (Notisum (Nordic), Pegasus (Ireland), Gutwinski (Austria, Germany), Echoline (France, Belgium)) tend to have more content, faster updates and more analysis of requirements. Each country usually has a series of local solutions. In Canada, there are a few options for regulatory monitoring tools (Nimonik being one of them). These country-specific solutions also tend to be more cost effective. These solutions are typically preferred by operators who need to go into the details of their regulatory requirements. In Nimonik’s case, we have a number of customers who have global solutions from corporate, but find them lacking in important areas. We covered this topic of two types of legal register companies in greater detail in this blog post.
In summary, there is no perfect solution to compliance. The only thing we can recommend is that you have a clear process to evaluate your options and determine what is best for your organization. The fast and cheap way to assure a certain level of comfort is to hire consultants. Consultants can be great guides, but eventually their mandate ends and you are left holding the responsibility. Another common strategy is to delegate to the local facilities and cross your fingers (they will probably hire consultants and do the minimum required to stay out of trouble). The third option is to tack on a compliance module to an existing solution you have and then try to find some regulatory content to load into that tool. This can work, but it will prove challenging to use and potentially expensive. Another option is to create a dedicated system to manage and monitor compliance. This system should allow sites to assess their compliance to a comprehensive list of regulations, standards and corporate obligations. It must also allow corporate headquarters to easily track progress and issues across all the sites.