ISO 14001 and Regulatory Compliance
by Susan L.K. Briggs
There has been much debate about the effectiveness of the international environmental management system (EMS) standard, ISO 14001, in ensuring an organization has satisfactorily met its regulatory compliance obligations.
Some believe the standard does not go far enough because it falls short of requiring full compliance as a prerequisite to certification. Others believe compliance cannot be guaranteed because its existence appears only as a snapshot in time. What is compliant today could be just as easily out of compliance tomorrow.
To truly fulfill its regulatory obligations, an organization must systematically implement the elements of a compliance assurance program. This program must:
- Be embedded in the commitments and goals of an organization.
- Include supporting processes to identify and implement requirements.
- Incorporate robust methods for evaluating performance at all levels in the organization.
These critical elements are, in fact, found in the ISO 14001 requirements.
Commitment to Compliance
First and foremost, an organization must be committed to compliance and assert as much in a documented, publicly available environmental policy statement (clause 4.2).
Turning commitment to action is the critical step in ensuring compliance. Regulations are many and complex, necessitating a substantial investment in technical expertise, program development and implementation and, in many cases, technology upgrades.
In most cases, an organization is able to anticipate new legal requirements and incrementally invest in program upgrades over time to meet the regulatory schedule. On the other hand, there may be cases of identified noncompliance that necessitate a multiyear corrective action plan to manage and address.
In either case, to successfully fulfill its compliance obligations, an organization needs to tap into its strategic planning processes to set and achieve its compliance goals and objectives (clause 4.3.3). In that way, a realistic and achievable balance of business and environmental priorities can be formulated, annual performance targets established, associated action plans (programs) to achieve those targets developed and requisite resources allocated.
Compliance Support Processes
Recent revisions to clause 4.3.2 on legal and other requirements were made, saying an organization must determine the applicability of requirements to its environmental aspects and ensure these requirements are taken into account when developing, implementing and maintaining the EMS.
The revised standard acknowledges the complexity of regulations and range of applicability to various organizations and operations. Although two different U.S. organizations may both generate hazardous waste and be subject to the Resource Conservation and Recovery Act, the act may apply to them in very different ways.
One company need only contract with a licensed transporter to send its waste to a permitted landfill, while the other must inspect waste accumulation areas weekly, adhere to strict labeling requirements, train staff members who generate and handle hazardous waste, file periodic regulatory reports and maintain emergency response plans.
While it is important to identify and have access to applicable legal requirements, this determination of applicability also enables an organization to implement the requisite support processes to both maintain a satisfactory compliance status and conform to ISO 14001.
Translating these regulations into procedural requirements and operating criteria (clause 4.4.6) is the next step in the compliance assurance process. Administrative controls (such as documented procedures, internal approvals or inspections) and engineered controls (such as pollution control equipment, secondary containment or overfill alarms) are employed to ensure operation within permit limits.
Further, a representative sampling program that uses periodic or continuous measurements of operating conditions and emissions/effluents as appropriate (clause 4.5.1) satisfies regulatory reporting requirements, monitors process control and provides objective evidence of compliance status.
Other ISO 14001 EMS elements that support compliance assurance are communication, training and documentation/records (clauses 4.4.3, 4.4.2 and 4.4.4/4.5.4, respectively).
Internal communication channels (such as meetings, newsletters, electronic media and special events) provide a venue for management to convey the importance of regulatory compliance to the organization’s success and express its expectation of each employee to perform his or her work activities in conformance with specified requirements. These channels are also used to communicate the applicable regulatory requirements and provide feedback on performance results.
As appropriate, more formal methods may be used to ensure employees are fully equipped to perform their job assignments. An organization may provide training for a job such as hazardous waste operator/emergency responder, or require its employees to attain standards of competency, such as maintaining certification for water treatment operation or pesticide application.
Examples of documentation to support and verify implementation of these compliance assurance program elements include the following:
- Applicable regulatory requirements and permits.
- Operational control procedures deemed necessary by the organization.
- A compliance evaluation procedure and objective evidence of its implementation with any associated corrective and preventive actions put in place.
- Evidence of the monitoring of results.
- Employee training and certification records.
- Documented evidence management has reviewed the organization’s compliance performance.
Robust Compliance Evaluation
To conform to ISO 14001, it is necessary to evaluate not only the implementation and effectiveness of EMS requirements, but also to also evaluate the organization’s compliance with legal requirements.
This is true for both the original 1996 and new 2004 versions of the standard. Although the revised standard was designed to be responsive to criticism lodged against ISO 14001, the changes were less substantive than perceptual, in that no new requirements pertaining to regulatory compliance evaluation were imposed. But the importance of regulatory compliance was elevated.
Previously, the regulatory compliance evaluation requirement was embedded in the monitoring and measurement clause. The revised standard establishes a separate and dedicated clause on the subject (clause 4.5.2), thereby drawing more attention to this requirement.
This compliance evaluation can take many shapes and forms and be executed in a variety of ways at various levels of an organization. The evaluation starts early in the design phase when drawings and process flowcharts are reviewed to ensure incorporation of legal requirements and system optimization to eliminate or reduce environmental impact.
Analysis of monitoring data, mentioned earlier, is one method of evaluating compliance; periodic inspection of work and storage areas is another; programmatic regulatory auditing is yet another. Collectively, these processes assess operational implementation and adherence to specific regulatory administrative and technical requirements.
If noncompliance conditions are identified, an organization’s EMS includes processes for taking corrective action to prevent recurrence and, as appropriate, for proactively taking action to prevent occurrence elsewhere in the organization (clause 4.5.3). Actions requiring multiyear investments may be managed through the objectives, targets and program system element.
Independent assessment by a certification/registration body (CRB) is yet another source of assurance an organization has a sound EMS that effectively addresses its compliance obligations.
Although CRBs do not make a comprehensive evaluation of compliance as does a regulatory auditor, they perform a sampling of specific regulations and operations to collect objective evidence to determine procedures are established as necessary. Such procedures identify and address compliance requirements and show the organization has periodically evaluated its status with respect to all of the applicable regulations.
The CRB verifies the evaluation was performed by a knowledgeable and qualified person and the organization is addressing any noncompliance identified in a systematic manner—for example, through its corrective and preventive action system or through its objectives, targets and program processes.
In no way does a certification audit verify the organization is in full compliance. More importantly, it verifies the organization’s capability to effectively self-assess its compliance status and self-correct any noncompliance situations.
Ultimately the final evaluation of compliance is performed during the management review process (clause 4.6). Top managers review the organization’s environmental performance and evaluate the adequacy, suitability and effectiveness of the EMS in achieving the policy commitments.
The organization’s compliance performance results and status as determined internally as well as independently by regulatory agencies is included in this evaluation. Through this evaluation, areas for prioritized improvement are identified and addressed.
Many organizations improve their regulatory compliance status as a result of implementing an ISO 14001 based EMS. State, regional and national agencies are also actively implementing programs and incentives to encourage more organizations to do this.
These incentives include recognition programs, reduced priority for multimedia audits and relaxation of administrative regulatory requirements (such as extending waste storage limits).
Although there is no system or regulatory scheme that can guarantee full compliance at all times, the ISO 14001 standard enables an organization to systematically identify its compliance status and address its noncompliance issues. Those skeptical of ISO 14001’s effectiveness in assuring compliance should be pleased to see the increased emphasis on compliance in the new revision.
SUSAN L.K. BRIGGS is deputy manager, corporate environment, safety, health and quality, for the Battelle Memorial Institute, Columbus, OH. She holds a bachelor’s degree in environmental science and statistics from Harvard University. Briggs is a U.S. expert on the ISO technical committee 207, subcommittee 1, working groups revising ISO 14001 and ISO 14004 and vice chair of the American National Standards Institute-Registrar Accreditation Board Environmental Management System Council that oversees the ISO 14001 registration process in the United States. She is a member of ASQ and an ASQ certified quality engineer, quality auditor and quality manager.