1 INTRODUCTION
1.1 This document is intended to provide
useful information on the relationship between an
organisation's accredited Environmental
Management System (EMS) certification and that organisation's degree of
compliance with applicable environmental requirements.
The intended audience for this document includes organisations that have or are
implementing an EMS, government authorities and environmental regulators,
accreditation bodies, accredited certification bodies (or CABs – Conformity
Assessment Bodies) and other stakeholders.
1.2 With ten years of experience gained since
the publication of the earlier International Standard ISO 14001:1996 and its
replacement by ISO 14001:2004 [i], the main objective of an EMS remains to improve the organisation’s
environmental performance with respect to its management of direct and indirect
environmental aspects and associated impacts, whether or not they are linked to
legal requirements.
As part of this improved environmental performance, there have been many examples
of organisations that have reached and maintained their legal compliance as a
result of implementing and maintaining an EMS that conforms to the standard.
1.3 National and regional
Governments and environmental regulators have also recognized the potential
contribution of the implementation and maintenance of an EMS to enhanced environmental
performance.
There are examples of the use of an EMS in relation to specific environmental
legislation or as a condition made by an environmental regulator. In cases of
the implementation and maintenance of an EMS, there is a growing interest in
the relaxation of regulatory oversight.
1.4 Legal compliance has been defined as:
“Full implementation of applicable environmental legislation. Compliance occurs
when requirements are met and desired changes are achieved.” [ii]
The various stages of the environmental
regulatory cycle include, at least:
- Development of the legislation,
- Issue of an environmental permit (e.g. licence and authorizations etc.),
- Implementation,
- Compliance checking (e.g. inspection),
- Enforcement actions, in non-compliance situations.
The understanding and implementation of each of these stages may vary from country
to country.
Legal compliance with respect to the
interface between the organization and the environmental regulators can be
understood as the situation when no reactive enforcement actions are made or can
be expected by the organisation. These enforcement actions may include:
warnings, compliance and prohibition notices and administrative, criminal or
civil actions.
1.5 However, the wider concerns of interested
parties will expect that there is absolute legal compliance with the applicable
legal requirements irrespective of the view of the environmental regulator.
1.6 While certification of an EMS against the
requirements of ISO 14001:2004 is not a guarantee of legal compliance (neither
is any other means of control, including government or other type of control
and/or legal compliance inspections), it is a proven and efficient tool to
achieve and maintain such legal compliance.
Accredited ISO 14001:2004 certification
should demonstrate that an independent third-party (certification body) has
evaluated and confirmed that the organisation has a demonstrably effective EMS
to ensure the fulfillment of its policy commitments including legal compliance.
Ongoing or potential non-compliances with the
applicable legal requirements will show a lack of management control within the
organisation and its EMS and the conformity with the standard should be
carefully reviewed.
1.7 It is recognised that legal compliance is
not the sole determinant of whether an EMS is effective. An EMS is an important
tool to control environmental risks, where legal consequences/impacts from
non-compliance performance are only one of at least four potential
consequences/impacts.
The other consequences/impacts are:
1. Environmental consequences (e.g. ecological damage),
2. Stakeholder consequences (e.g. corporate reputation); and,
3. Business consequences (e.g. financial, competitive position).
1.8 This document is published as an EA
document and is written to reflect the common understanding of EMS
certification of the EA MLA Accreditation Body Members. It is recognised that
in other regions there might be an alternative understanding to the views described
in this document.
1.9 It does not seek to develop
interpretations of the requirements of ISO 14001:2004 but identifies the
requirements of the International Standard, which directly relate to legal compliance
and explores what the accredited certification process should cover in order to
support a set of reasonable expectations by stakeholders and interested
parties.
2 THE REQUIREMENTS OF ISO 14001:2004 WITH RESPECT TO LEGAL COMPLIANCE
2.1 ISO 14001:2004 requires an organization
to make a “commitment” in its environmental policy to comply with applicable
legal requirements that relate to its environmental aspects.
The organization shall establish, implement
and maintain a procedure(s) for periodically evaluating compliance with
applicable legal requirements that is consistent with realizing this
commitment.
2.2 The specific clauses of ISO 14001:2004,
which are most important with respect to legal compliance are the following EMS
elements:
1) public environmental policy commitment to
legal compliance (sub-clause 4.2);
2) identification and having access to
applicable legal requirements and other requirements related to its
environmental aspects (sub-clause 4.3.2 a));
3) how those legal requirements apply to the
organisation's environmental aspects (sub-clause 4.3.2 b));
4) objectives/targets/programs (sub-clause 4.3.3);
5) how legal obligations are routinely
managed and monitored (sub-clauses 4.4.6 and
4.5.1);
6) evaluation of legal compliance (sub-clause
4.5.2);
7) corrective and preventive actions where
necessary (sub-clause 4.5.3);
8) internal audit (sub-clause 4.5.5); and
9) management review (sub-clause 4.6).
3 HOW SHOULD A CERTIFICATION BODY AUDIT AN EMS WITH RESPECT TO LEGAL COMPLIANCE
3.0.1 Through the certification assessment
process, a certification body shall evaluate an
organisation’s conformity with the
requirements of ISO 14001:2004 as they relate to legal compliance and should
not grant certification until conformity can be determined.
After certification, the subsequent
surveillance and reassessment audits conducted by the certification body shall
be consistent with the above audit methodology.
3.0.2. With respect to the balance between
office-based review of documents and records and the evaluation of the EMS
implementation during normal activities, the certification body shall ensure that an adequate
audit of the effectiveness of the EMS is undertaken.
3.0.3. There is no formula to define what the
relative proportions should be, as the situation is different in every
organisation. However, there are some indications that dedicating too much of the audit time to
an office-based review is a problem that occurs with some frequency. This could
lead to an inadequate assessment of the effectiveness of the EMS with respect
to legal compliance issues, and potentially to poor performance being overlooked,
leading to a loss of stakeholder confidence in the certification process.
The certification body shall, through an
appropriate surveillance program, assure that conformity is being maintained
during the certification cycle, normally three-years. The certification body
auditors shall verify the management of legal compliance based on demonstrated
implementation of the system and not rely only on planned or expected results.
3.0.4. Any organization failing to
demonstrate their initial or ongoing commitment to legal compliance through the
key elements discussed below, shall not be certified or continue to be
certified as meeting the requirements of ISO 14001:2004 by the certification
body.
3.0.5. Deliberate or consistent
non-compliance shall be considered a serious failure to support the policy
commitment to achieving legal compliance and should preclude certification or
cause an existing ISO 14001 certificate to be suspended, or withdrawn.
The following sections of this document identify what should reasonably be expected
on the part of the certification body in evaluating the EMS with respect to
legal compliance.
3.1 A public environmental policy commitment to legal compliance (sub-clause 4.2)
3.1.1. The certification body shall determine
if the following specific points are demonstrated with regard to the
organization’s environmental policy statement, that:
1) there is a policy;
2) it meets the requirements of sub-clause
4.2 of ISO 14001:2004 and specifically:
3) a commitment to comply with applicable
legal requirements and other requirements;
4) it is communicated to employees and other
persons working for or on behalf of the organisation; and
5) it is publicly available;
6) it is approved and supported by top
management; and,
7) that it is subject to periodic management
review of its suitability, adequacy and effectiveness.
3.2 Identification of, and access to, legal requirements (sub-clause 4.3.2 a))
3.2.1. The certification body shall determine
whether the organisation has identified and provides access to all the specific
applicable legal requirements in relation to its environmental aspects to
establish objective evidence of the development and control of the management system
and to enable a complete evaluation of compliance (see sub-clause 4.5.2).
3.2.2. Additionally, the certification body
shall verify that identification of these legal requirements is maintained by
periodical review in order to identify new or changed requirements and to implement
any changes to the EMS.
3.2.3. The certification body shall check that the
organization’s identification of, and access to, applicable legal requirements is
complete. The certification body is not responsible for approving the identified
legal requirements as being final or definitive. This sole responsibility lies
with the organisation.
3.2.4. Certification body audit teams shall
be competent with relevant knowledge of the applicable legal requirements for
the location and environmental aspects of the organization to identify errors
or omissions and any deficiencies in the access to the organisation’s
identified legal requirements.
3.3 How legal requirements apply to the organisation's environmental aspects (sub-clause 4.3.2 b))
3.3.1. During the on-site audit, the
certification body shall verify that the organisation complies with applicable
legal requirements, by considering examples of significant environmental aspects
as well as regional, national and local legal requirements.
3.3.2. The certification body shall audit
whether:
1) the organisation has determined how legal
requirements apply to the environmental aspects; and,
2) those legal requirements have been taken
into account in the establishment, implementation and maintenance of the EMS
and subsequent control measures.
3.3.3. The audit should be undertaken by
examining activities controlled by environmental permits and other applicable
legislation through a risk-based assessment using sampling to confirm that
environmental compliance is realized.
3.3.4. The certification body audit shall
establish that the EMS is capable of achieving legal compliance. This may be
achieved by audit trails from a direct on-site assessment covering the
operational activities and surroundings using either an audit of examples of
significant environmental aspects and the audit trail through the EMS to the
specific legal requirements or, the reverse, the sampling of the legal
requirements and the audit trail through the EMS to the significant
environmental aspects.
3.4 Objectives, targets, programmes (sub-clause 4.3.3)
3.4.1. Objectives and targets and their
supporting programmes are established and implemented to improve the
environmental performance of the organisation beyond the issue of legal compliance
or in areas where no legal requirements exist (e.g. energy consumption in production
or product related aspects).
3.4.2. Objectives and targets can also be
an environmental policy tool for managing the environmental risk of
non-compliance with legal requirements. For instance, in planning for the implementation of
future legal requirements, or where an isolated or sporadic non-compliance
with legal requirements occurs, objectives, targets
and programmes may be an appropriate way to resolve the non-compliances in a
controlled and/or managed way.
Nevertheless, too much reliance on general
objectives to reach compliance with legal requirements is not likely to conform
to the standard.
3.4.3. The certification body shall determine
whether the objectives, targets and programmes established, implemented and
maintained within the EMS take into account the current legal requirements and any
changing circumstances identified in the management review (sub-clause 4.6).
3.5 Operational control (sub-clause 4.4.6)
3.5.1. Operational control is a fundamental
part of the management control of the organisation’s operational activities and
their emissions to the environment and has a direct impact upon the achievement
of legal compliance.
3.5.2. The certification body shall confirm
that the organization has identified and planned its operations that are
associated with the identified significant environmental aspects consistent with its
environmental policy and the commitment to legal compliance.
The documented procedures should control
situations where their absence could lead to a deviation from legal compliance
and define the operating criteria, which are consistent with legal compliance.
3.5.3. These procedures should take into
account the communication of applicable procedures and requirements to
suppliers, including contractors.
3.6 Monitoring and measurement (sub-clause 4.5.1)
3.6.1 Monitoring and measurement is an
important part of operational control and the audit of this area is, therefore,
important for legal compliance. The output from monitoring and measurement
provides data for the evaluation of compliance (sub-clause 4.5.2.) and corrective
and preventative action (sub-clause 4.5.3.).
3.6.2 Where a non-compliance with legal
requirements is discovered, the organisation is required to take immediate
corrective action (including root cause analysis, correction and measures to
prevent recurrence), which may include actions to immediately inform the
environmental regulator dependent on the specific legal requirements and
magnitude of the noncompliance.
3.6.3 The certification body shall audit
whether the corrective action and, if necessary, preventative action, taken is
effective and timely to the nature and magnitude of the environmental impact of
the non-compliance.
3.7 Evaluation of legal compliance (sub-clause 4.5.2)
3.7.1. Certification body auditors are
required to audit conformity of an EMS to the requirements of ISO 14001:2004.
They are not required to make a direct evaluation of legal compliance, since
this is the requirement for the organisation arising from this sub-clause, nor
is the certification body auditor required to conduct a compliance audit, which
would be the role of the environmental regulator or an auditor/inspector
contracted specifically for this purpose.
3.7.2. It is the organisation’s
responsibility, and a function of the EMS, to ensure that the organisation
periodically evaluates compliance with each and every applicable legal requirement and that it is
aware of its compliance status. An EMS certified as meeting the requirements of ISO
14001:2004 is expected to be able to identify the organisation’s compliance status.
3.7.3. The certification body should
determine whether the organisation has established the necessary procedures and
has fully evaluated its compliance with each of the applicable legal
requirements. A key element of this auditing should be the competence of the
persons performing the compliance evaluation with respect to the legal
requirements and their application (so indirectly sub-clause 4.4.2 ISO 14001:2004
is also relevant for legal compliance).
3.7.4. The certification body should audit
the effectiveness of the evaluation through:
1) sampling the organisation's determination
of compliance with examples of specific legal requirements;
2) looking for evidence of compliance or
non-compliance during other assessment activities (on-site assessments and
audit of operational controls, etc.);
3) checking that the organisation's
evaluation of compliance has covered all of the identified legal requirements;
4) verifying the capability of the evaluation
(competence of personnel involved, scope of evaluation in relation to
activities of the organisation, etc.)
3.7.5 The conformity of the organisation’s
evaluation and the status of compliance may be determined from a number of
sources, including on-site observations, reports of specific instances of
non-compliance, reports by the environmental regulator and the items provided in the Management Review
as described in Clause 4.6 of ISO 14001:2004.
3.7.6 The certification body may use risk
management techniques in order to sample parts of the EMS during certification
assessments and to target environmental aspects that have significant legal
compliance implications for the organisation (e.g. areas that would attract significant
fines, imprisonment of Directors and management, or that may result in stakeholder
and/or communications issues).
3.8 Corrective and preventive actions where necessary (sub-clause 4.5.3)
3.8.1. The organization should demonstrate
through its EMS that it has the ability to resolve noncompliances in a
controlled and managed way.
3.8.2. The certification body shall determine
that the organization has developed an appropriate corrective action
procedure(s) and that non-compliance(s) are managed through corrective and preventive actions within
the EMS. In the absence of such a connection, the certification body should be concerned
about the overall effectiveness of the EMS, and its ability to support the
organization's environmental policy and its objectives and targets.
3.8.3. Corrective actions taken by the
organization should be appropriate to the magnitude of the non-compliance.
Where the magnitude exceeds the organisation’s ability to correct the
noncompliance, there should be an immediate notification to the environmental
regulator of the non-compliance and agreement on the actions needed to return
to compliance (e.g. action plan) and mitigate any harm to the environment.
3.8.4. The certification body should audit
the above situation for conformity with at least clauses
4.3.2. a), b), and 4.5.2 of ISO 14001:2004.
The consequences for the integrity of the certification should be analysed with
regard to the level of environmental risk assumed by the certification body and
the certificate’s value for the interested parties.
3.8.5. The certification body should confirm
that the organisation has a documented consent from the environmental regulator
to implement an agreed corrective action plan to return to full compliance;
this can be considered as conforming with the commitment to comply with the applicable
legal requirements made in the organization’s environmental policy.
3.9 Internal audit (sub-clause 4.5.5)
3.9.1. The certification body shall determine
that the organisation’s internal audit assesses the
organisation’s commitment to comply with
legal requirements related to its environmental aspects.
3.9.2. In conducting the certification body’s
audit of the organisation’s internal audit, it is expected that it covers all
of the issues identified in this document.
3.9.3. The certification body shall ensure
that the internal audits assess the extent to which the
organisation has evaluated its legal
compliance status against applicable legal requirements, and that the procedure
for identifying those requirements is effective and robust.
3.9.4. The result of the internal audit does
not alone provide information with regard to the evaluation of legal compliance
(sub-clause 4.5.2). The focus of the internal audit is on the conformity
of the EMS and its proper implementation and maintenance.
This should be distinguished from a legal
compliance audit or the evaluation of compliance that the organisation may
commission separately. The results of legal compliance audits may be an input
into the evaluation of legal compliance under clause 4.5.2 of ISO 14001:2004
and, in turn, to the management review.
3.10 Management review (sub-clause 4.6)
3.10.1. The certification body should
determine whether the organisation has included the results of the evaluations
of compliance (sub-clause 4.5.2) in its management reviews. This is to ensure
top management are aware of the risks of potential or actual non-compliance and
have taken appropriate steps to meet the organisation’s commitment to legal
compliance.
3.10.2. The certification body shall
determine that the organisation’s management review has reviewed any changing
circumstances, including developments in legal and other requirements related to
its environmental aspects.
4 COMPLIANCE CRITERIA FOR THE CERTIFICATION DECISION
4.1 Full legal compliance is expected by
stakeholders and interested parties of an organization claiming conformity with
an EMS standard. The perceived worth of accredited certification in this field
is closely related to the achieved satisfaction of the interested parties in
relation to legal compliance.
4.2 The organisation should be able to
demonstrate that it has achieved compliance with environmental legal
requirements through its own evaluation of compliance prior to the certification body
granting certification.
4.3 Where the organization may not be in
legal compliance, they should be able to demonstrate a documented agreement
with the environmental regulator on a plan to achieve full compliance. The
successful implementation of this plan should be considered as a priority within
the management system.
4.4 Exceptionally the certification body may
still grant certification but shall seek objective evidence to confirm that the
EMS is capable of achieving the required compliance through full
implementation of the above documented agreement.
5. SUMMARY
5.1 Accredited certification of an
organization's EMS indicates conformity with the requirements of ISO 14001:2004
and includes a demonstrated and effective commitment to compliance with applicable legal requirements.
5.2 The control of legal compliance by the
organisation is an important component of the EMS assessment and remains the
responsibility of the organization.
5.3 It should be stressed that certification
body auditors are not inspectors of the environmental regulator. They should
not provide “statements” or “declarations” of legal compliance.
Nevertheless they can “verify the evaluation
of legal compliance” in order to assess conformity with ISO 14001:2004.
5.4 Accredited certification of an EMS as
fulfilling the requirements in ISO 14001:2004 cannot be an absolute and
continuous guarantee of legal compliance but neither can any certification or
legal scheme guarantee ongoing legal compliance. However, an EMS is a proven
and efficient tool to achieve and maintain legal compliance and provides top management
with relevant and timely information on the organisation’s compliance status.
5.5 ISO 14001:2004 requires a public commitment to comply with legal requirements.
The organisation should be able to demonstrate that it can achieve compliance
with its applicable legal requirements through its own evaluation of compliance
prior to the certification body granting certification.
5.6 Certification of an EMS as fulfilling the
requirements in ISO 14001:2004 confirms that the environmental management
system has been shown to be effective in achieving its policy commitments including
legal compliance and provides the foundation and support for an organization's continued
legal compliance.
5.7 In order to maintain the confidence of
interested parties and stakeholders in the above attributes of the accredited
certification of an EMS, the certification body shall assure that the system demonstrates
effectiveness before granting or continuing certification.
5.8 The EMS can act as a tool for dialogue
between the organisation and its environmental regulators and form the basis
for a trusting partnership, replacing the historical adversarial “them and us”
relationship.
Environmental regulators and the public should
have confidence in organizations with an accredited ISO 14001:2004 certificate
and be able to perceive them as being able to constantly and consistently
manage their legal compliance.