Understanding differences between conformance and compliance

Last month we spoke to some provincial and COR requirements for auditing and the basis for starting your audit program. Now we want to give you some perspective on the changing regulatory landscape, which will be important to understand when convincing your management teams of the importance of your audit process.
Over the past 30 years or so, there has been a veritable explosion of environmental, health, and safety (HSE) laws and regulations at all levels of government. As a result, businesses in all sectors of the economy are subject to requirements that affect a broad spectrum of activities.
In response to the broad spectrum of HSE requirements now in place, many businesses have developed new and innovative ways to ensure that their operations are conducted in conformance and compliance with applicable HSE requirements. Compliance audits at a facility will frequently cover environmental, health, and safety requirements together because the issues are intertwined and because many corporate programs manage HSE issues in a single unit. And in some organizations, the overarching requirements of their quality management system also have relationships to the activities being conducted on an HSE level (corporate oversight and direction for things like internal audits, document control, training and competency, management review, etc.).
Function of HSEQ Audits
First things first. Even the definitions in your audit program make a difference. So, let’s first look at the difference between compliance and conformance.
In ISO standards, the terms conformance and compliance are sometimes used interchangeably in everyday conversation, but they have distinct definitions and applications. Here’s how ISO generally defines them:
Conformance (also called conformity). ISO Definition (from ISO/IEC 17000:2020, Clause 4.1): "Fulfilment of a requirement." A requirement is a need or expectation that is stated, generally implied, or obligatory (ISO 9000:2015, Clause 3.6.4). Conformance is typically used internally within an organization or system to demonstrate that a product, service, or process meets specified internal standards or external standards like ISO 9001.
Compliance. ISO Definition (from ISO 37301:2021 - Compliance management systems): "Fulfilment of a requirement." While the formal definition is the same as conformance, in practical usage, compliance usually refers to meeting external requirements, such as laws, regulations, and contractual obligations. It's often used in the context of legal and regulatory compliance.
Key Distinction in Conformance and Compliance
Term | Typical Use Case | Source of Requirements | Examples |
---|---|---|---|
Conformance | Voluntary, internal, or industry standards | Internal standards, ISO, customer specs | ISO 9001 conformance, internal audits |
Compliance | Legal or contractual obligations | Laws, regulations, contracts | Provincial or federal OHS or environmental compliance |
HSEQ compliance assessments or audits
HSEQ compliance assessments or audits are typically designed to evaluate whether specific activities or operations are being conducted in conformance with applicable regulatory requirements or compliance obligations, and whether associated equipment and facilities meet HSEQ standards.
In this regard, compliance assessments may help businesses make informed decisions regarding the appropriate deployment of capital and personnel. They are also useful in identifying opportunities for reducing emissions, minimizing the generation of waste, diminishing workplace hazards, or enhancing services to customers and their requirements.
This can be important if you’re looking to participate in certain sectors of the global marketplace, or if certain clients want a higher level of assurance for the money they spend.
Role of HSEQ Audits in Regulatory Compliance
As regulatory programs have matured, agencies have generally recognized that multiple approaches to facilitate compliance are necessary. This is in marked contrast to the view that an aggressive enforcement program, by itself, is the lynchpin in promoting compliance. While enforcement actions remain an important component of the overall HSEQ regulatory framework, they can be confrontational, expensive, resource intensive, and time consuming.
If we assume that performing HSEQ audits is a positive step in assuring compliance and improving performance, then should the results of the audits be promptly disclosed based on the promise of more lenient enforcement, or should they be privileged and subject only to a duty to address areas of identified noncompliance?
Practical Considerations and Recommendations
The overall benefits of performing regular HSEQ audits are clear, and the incentives created by various levels of government, either in the form of legislation or policy, support the process. Below are several recommendations for optimizing these opportunities:
- Any self-audit should be carefully planned. It is essential that an organization develops the audit process with a full understanding of the available legal protections, whether they are audit policies, statutes, or legal privileges.
- The team of professionals who will be involved in the self-audit should be identified beforehand and should include, at a minimum, a representative of the regulated entity with knowledge concerning the operations to be evaluated, a technical consultant (or in-house HSEQ staff person), and, in some cases where it is deemed applicable, an attorney. Input from each of these disciplines is quite important, especially if the results of the audit report are to be shared with external stakeholders (e.g., regulatory agencies, clients, customers, etc.).
- The time frames for disclosure and remediation set forth in the audit policies and statutes are typically short. This is especially important given the perceived risk consequences of not fixing an audit finding within a timeline appropriate to the risk.
- Depending on the circumstances, a regulated entity may wish to conduct audits either in discrete phases or of discrete aspects of its operations. By dividing an audit into “bite-size pieces,” it may be easier to ensure that issues are identified and resolved in a timely and prudent fashion.
- The assessment team should understand the legal framework applicable to the operations being evaluated.
- Before conducting an audit, the regulated entity must be committed to addressing the issues likely to be identified. Performing an audit and ignoring the results will likely leave the regulated entity in a markedly worse set of circumstances than not performing the audit at all.
- Take care in preparing any written documentation of audit findings, and the language used, to avoid speculation and unnecessary legal conclusions. Do not use speculative or subjective language.
HSEQ laws and regulations can be extremely complex and are ever changing. Environmental, health, safety and quality audits can serve a pivotal function both in assuring compliance and in establishing protocols to determine areas of noncompliance.