As legislation focuses more on general goal-setting than detailing what needs to be done, it becomes more challenging for organisations and health and safety practitioners to work out what they need to do to comply. Mike Sopp helps navigate the compliance maze.

Why is compliance important?

One of health and safety practitioners’ primary functions is to ensure that the organisations they work for are compliant with their legal requirements in relation to health and safety.

This is noted in HSG65 Managing for Health and Safety, which states that “health and safety inspectors seek to secure compliance with the law”.

The phrase “statutory compliance” is often used to describe what an organisation must do in terms of its legal duties, particularly in relation to property-related health and safety matters.

What does compliance mean?

When considering the need for health and safety compliance, we need to think about the definition of compliance. One dictionary definition is “the state or fact of according with or meeting rules or standards”.

However, in terms of health and safety compliance, research by the Health and Safety Executive (HSE) notes that “many studies make the tacit assumption that compliance equates to complying with legal rules and no more” but that “this does little to enhance an understanding of compliance practice or behaviour in regulatory contexts”.

The HSE research suggested that “compliance is sufficiently malleable a term to encompass a range of activities and aspects of regulation including the act of enforcement of the law, the process of securing the underlying aims and objectives of regulations and the negotiation of regulatory outcomes”.

Taking the above into account, the definition in BS ISO 19600:2014 Compliance Management Systems. Guidelines is perhaps more pertinent to health and safety compliance. This publication refers to “compliance obligations”, which can be:

  • requirements that an organisation has to comply with

  • commitments that an organisation chooses to comply with.

The first includes relevant laws and regulations, but may also take in any necessary licences, permits, protocols, etc; it could also include specific orders or rules from regulatory agencies as well as case law judgments.

The second could comprise organisational requirements such as policy, contractual agreements, voluntary and/or industry standards.

Despite these clearer definitions, the HSE research concluded that “understanding compliance in deterrence terms is highly problematic given that regulated communities rarely if ever acquire a clear or comprehensive understanding of the regulations applying to them”.

This can be particularly tricky where organisations are trying to comply with goal-setting requirements.

Compliance to broad principles

Regulatory requirements can be classified according to two categories: broad principles or detailed and explicit rules.

According to the HSE, the enduring principle of health and safety law is that those who create risks are best placed to control them and that this approach is primarily goal-setting, not prescriptive.

The Robens Report, and subsequent introduction of the Health and Safety at Work, etc Act 1974, marked a shift from a regime heavily reliant upon an application of rigid rules and criminal sanctioning to one where detailed standards were replaced by broad duties, supplemented by Codes of Practice and/or supplementary guidance.

The regulatory regime continues to become more goal-setting due to influences such as the Löfstedt review.

In summary, modern regulations are outcome-based and set out the objectives to be achieved, giving dutyholders flexibility when deciding what measures are needed to meet these objectives.

However, the HSE research referred to above notes that where requirements are relatively precise (eg Regulation 11 of the Provision and Use of Work Equipment Regulations 1998), enforcement and compliance might be less problematic. It states that “the relative visibility of any infraction makes non-compliance easier to enforce and in turn may lessen evidential burdens”.

Where legal requirements are framed in very broad terms, uncertainty can arise as to whether, and to what degree, the regulations have been complied with.

The HSE research found that terms such as “suitable and sufficient”, “give rise to danger” and “so far as is reasonably practicable” may be subject to different interpretations, which in turn gives leeway for different levels of compliance.

As noted above, official guidance notes that health and safety inspectors seek to secure compliance with the law.

The HSE and the local authorities that enforce legislation have to judge whether the measures put in place, or proposed, by those under a duty to control and reduce risks to as low as reasonably practicable are acceptable.

In other words, has the dutyholder complied?

The HSE website states that “in securing compliance with the law in accordance with the Enforcement Policy… the HSE inspectors take account of the legal interpretations given in statute, relevant case law and the guidance in Principles and Guidelines to assist the HSE in its judgments that dutyholders have reduced risk as low as reasonably practicable, which contains specific advice on the application of good practice”.

How to ensure compliance

Achieving compliance can be challenging, and health and safety practitioners need to consider carefully how exactly to achieve it.

A formal approach using a management framework will definitely help.

BS ISO 19600

BS ISO 19600:2014 Compliance Management Systems recommends that the organisation should “systematically identify its compliance obligations and their implications for its activities, products and services” and “have processes in place to identify new and changed laws, regulations, codes and other compliance obligations to ensure ongoing compliance”. Our form Register of Regulations can help with this.

BS ISO 45001

This approach is reflected in ISO 45001:2018 Occupational Health and Safety Management Systems, which recommends that the organisation should establish, implement and maintain processes to determine and have access to up-to-date legal requirements and other requirements that are applicable to its hazards, occupational health and safety risks and management system. See the ISO 45001 topic.

The first step

From a health and safety perspective, the first stage will be to determine the scope of the compliance requirements. For example, will this be property specific or will it apply to people issues as well? From this the practitioner can then determine:

  • the compliance requirements in terms of legislation, regulations, licences, etc

  • where requirements are goal-setting, which standards, Codes of Practice and/or guidance can help

  • whether the organisation wishes to set objectives that go beyond compliance and how these will be met

  • how the compliance commitments affect or are affected by in-house policies.

The risk of non-compliance

As part of the process of determining compliance requirements and measuring to what degree the organisation is compliant, the practitioner may undertake an assessment of the risk of non-compliance. This will typically include all the well-known negative impacts of failing to manage health and safety, such as injury or harm to persons, economic impacts, reputation, enforcement action, etc.

By linking these to the various compliance requirements, it is possible to rank the various risk areas so that a more informed risk management approach can be taken.

This should be kept under review to take account of changes such as new compliance obligations, incidents of non-compliance, organisational change, new work activities and so on.

Compliance register

For practitioners in larger organisations in particular, maintaining compliance across a broad range of requirements can be challenging.

The development of a “compliance register” that lists the compliance obligations (requirements and commitments) monitored may assist in managing compliance, looking at:

  • what the compliance requirements are

  • how they are to be met (including what guidance to follow)

  • who is responsible for meeting compliance

  • how this is to be done.

Such a compliance register can go beyond health and safety obligations and may include environmental, security, business continuity and disability compliance obligations, thereby giving a holistic approach to managing various but interconnected operational risk/resilience functions. You may find this form useful: Managing Organisational Risks and Opportunities: Example.

In addition, where compliance is related to property health and safety obligations, the development of a comprehensive asset register will be useful. This can then be linked to the compliance register to ensure that all assets are captured and aligned with the relevant compliance obligations.

Further information

The following are available from the HSE website.

  • RR638 The Determinants of Compliance with Laws and Regulations with Special Reference to Health and Safety

  • RR334a An Evidence Based Evaluation of How Best to Secure Compliance with Health and Safety Law

  • HSE: Innovation in Regulation.

The following are available from the British Standards Institution website.

  • BS ISO 19600:2014 Compliance Management Systems. Guidelines

  • ISO 45001:2018 Occupational Health and Safety Management Systems. Requirements with Guidance for Use

Croner-i Health and Safety subscribers have access to our Legal Register tool, which helps you compile a list of the legislation affecting your organisation and track compliance.

Last reviewed 6 September 2018