Compliance is the minimum or the “floor”

I’ve been hearing a lot of this cliché lately. Safety folks like to tout their progressive and forward-leaning safety efforts by saying, “We far and exceed the regulatory requirements. Safety isn’t only about compliance. Compliance is only the minimum”. It’s interesting that several clients I audited offered this as a confession early on in the audit. My response was, “That may or may not be so. . . let’s see”. Invariably they over-estimated their degree of supposed compliance.

The phrase (I’ll say cliché or slogan) “compliance is the floor, not the ceiling” has become common in modern safety discourse. It is typically used to suggest that legal compliance represents a minimum standard, and that meaningful safety performance requires moving “beyond compliance” into some of the softer and often vague concepts like culture, leadership, and innovation.

It sounds progressive. But is it evidence-based? Or is it simply a value judgement repeated often enough to be accepted as truth?

Where is the evidence?

From what I’ve been able to ascertain there is no identifiable body of empirical research demonstrating that treating compliance as a “minimum” produces superior safety outcomes compared to treating compliance as the central mechanism of accident prevention. The statement is normative — not scientific. It reflects a philosophical stance about, in the opinion of some, safety ought to be viewed. But it’s my contention that it’s not a validated conclusion derived from controlled evidence.

That does not make things like culture and leadership unimportant. It simply means the “floor” framing itself lacks objective validation.

What compliance actually means

Much of the criticism aimed at compliance is based on an outdated caricature — paperwork, box-ticking, and rigid, prescriptive rules for various technical safety requirement like LOTO, confined space entry, fall protection, etc. But modern occupational health and safety law in most jurisdictions is largely performance-based and duty-based. Employers and supervisors are legally required to:

• Provide supervision and competent leadership
• Identify hazards and related risk controls
• Provide supervision (leadership) information, instruction, and training
• Enforce safe systems of work
• Take all reasonable precautions

These are not minimal technical checklists. They are behavioral, managerial, and organizational obligations. I would argue they can be grouped under the banner of leadership and when done consistently, professionally and with a high degree of diligence, are the activities which help shape so-called “safety culture” perhaps more than any other activities.

Compliance, properly understood, is not about doing the least required. It is about fulfilling legally defined responsibilities in a way that withstands scrutiny when something goes wrong.

The accountability test

Every serious safety review - whether internal investigation, regulatory inspection, or court proceeding - ultimately reduces to the same core questions:

• Who had a duty?
• What was required?
• Was it done? (or not done)
• Was it reasonable?

Those are compliance questions.

Culture, leadership, and engagement are only relevant to the extent that they improve how reliably those duties are met. If they do not translate into improved supervision, better hazard control, clearer decision-making, or more consistent enforcement, they have no defensible connection to accident prevention. 

Is everything a compliance activity?

I would argue that everything that today’s safety practitioner and their organization does in the name of accident prevention is functionally a compliance activity. If not, what’s the point?

Every activity undertaken in the name of accident prevention must ultimately connect to one of two things:

• Fulfilling a duty, or
• Strengthening the organization’s ability to fulfill a duty.

A leadership workshop that improves supervisory decision-making supports compliance. A culture initiative that increases reporting of hazards supports compliance.

A learning team that results in improved controls supports compliance.

If an activity cannot be tied to duty fulfillment or risk control, the honest question is not whether it is “beyond compliance.” The question is: why are we doing it?

The problem with the “floor” framing

Calling compliance the floor subtly suggests that legal obligations are somehow insufficient, bureaucratic, or uninspiring and that real safety begins elsewhere. You’ll see all kinds of safety marketing products and services aimed at moving beyond the compliance obligation, as if that obligation was for novices. But when you look at it with a critical eye, compliance is the framework that:

• Defines accountability;
• Assigns responsibility;
• Establishes standards of care; and
• Provides objective criteria for performance.

Without that framework, culture and leadership float free of measurable obligation. Here’s a challenge. If you haven’t already developed a regulatory applicability matrix for your organization, start one.  The steps are:

1. Take each safety compliance obligation in an Act or regulation applicable to your organization
2. Determine if it’s applicable to your organization (Yes or No).
3. If yes, document what policy, procedure, form, checklist, training program, process, activity or initiative can be produced as objective evidence in support of you meeting those compliance obligations.

You’ll clearly see that everything you do in safety is in some way tied to a compliance obligation.

Management system standards -  steeped in compliance obligations

Some might counter my perspective and ask, “well what about safety standards like ISO/CSA 45001?”  Good question. If we’re professionally arrogant to the point where we somehow believe 45001 doesn’t have compliance as its core objective, we’ve missed the boat.

That’s where the marketing language of consultants misses the boat when they attempt to frame ISO 45001 as “culture transformation”, “leadership alignment”, “resilience building” and “beyond compliance”

But if you examine the text of 45001, none of those concepts stand alone.

• Leadership - required because laws impose duties.
• Worker participation - required because law requires consultation.
• Risk assessment - required because hazard control is a legal obligation.
• Incident investigation - required because regulators demand corrective action.

Remove compliance, and 45001 has no practical anchor.

Conclusion

“Compliance is the floor” is not a research-validated safety principle. It is a rhetorical device -  a cliché- often used to contrast traditional regulation with modern safety thinking. In reality, compliance is not beneath safety performance. It is the structure through which safety performance is defined, delivered, and judged. Culture and leadership do not sit above compliance. They are the mechanisms that make compliance consistent and effective.

If any safety activity does not advance the fulfillment of legal and operational duties of prevention and risk control, no matter the complexion, tone or focus of those safety activities, then why are you doing it?

Should someone claim their safety efforts are “beyond compliance” the burden is on them to define what operational process, control or requirement exists that is no, at its core compliance with some obligation.