Compliance Management


There is a common thread running through quality assurance, Privacy Act compliance, and company policy implementation. They all take their starting point as a document – internal or external – and use it to determine the actions of people within the organisation.

All of these are forms of ‘compliance management’: ensuring that the actions of a set of people comply with a set of rules.

There are two compliance management models that you can use to ensure this:

  • the ten commandments model: publish the set of rules, and punish people who transgress them

  • the quality management model: publish an intermediate set of policies and procedures which comply with the rules, and ensure that people follow the policies and procedures

The ‘ten commandments’ model works well where there is a simple set of rules that everyone can understand. It breaks down completely where there is a complex set of rules (such as ISO9001, or the Privacy Act) which need interpretation, or are just too large to memorise or access.

The quality management model is widely used, and is actually specified by regimes such as AQTF, ISO9001, and the Financial Services Reform Act. However, each of these regimes looks at the model in the context of the implementation of a single set of rules (AQTF, ISO9001, etc). The problem facing most organisations now is that they have to cope with more than one set of rules.

Many organisations have ISO9001 certification, and in fact we’ll assume for the rest of this article that the organisations we’re dealing with either have ISO9001 certification, or intend to get it, or have something equivalent.

On top of that, all organisations have to comply with the law. The Privacy Act is just the latest in a long line of legislation aimed at the actions of organisations. The Trade Practices Act has been around for a while, and is every bit as binding as the Privacy Act (and, if anything, more complex). There are numerous pieces of legislation covering the operation of companies.

Many industries have their own codes of practice or other sets of rules. Registered Training Organisations have to comply with AQTF standards. Companies that manufacture medical goods have to comply with TGA’s GMP code.

In short, every organisation in the country has to comply with multiple, overlapping, sets of codes, requirements and laws.

The purpose of this article is to ask the question: how do you extend an ISO9001 system so that it becomes a general-purpose compliance management system, which allows you to track and comply with any number of laws and codes?

An ISO9001 implementation works like this: The requirements of ISO9001 are translated into a set of policies and procedures, which are then implemented. A regular ‘desk audit’ checks the policies and procedures against ISO9001, and a series of ‘site audits’ checks the policies and procedures against what actually happens in the organisation.

An extension of this to accommodate other codes looks like this:

Standards and legislation register

ISO9001 is replaced with a register (really, just a list) of the various codes, legislation and standards that the organisation has to comply with.

Environmental scan

On a regular basis, the quality manager (or compliance manager, company secretary, etc) carries out a ‘scan’ of the current legislation, standards, etc. There are two things to look for during this scan:

  • additional codes, etc, that need to be added

  • new versions, changes and rulings for existing codes

The ‘various sources’ box in the diagram of this process represents things like the newspapers, trade press, legal firms, Government publications, trade shows, associations, suppliers, customers, etc.

Desk audit, structure of policies and procedures

One of the more major changes is the need to manage the cross-referencing between the Standards and legislation register and the policies and procedures.

In the early days of ISO 9001 implementation, there was a tradition of structuring a ‘quality manual’ with 20 sections, which related directly to the 20 sections of ISO 9001. The new version (ISO 9001:2000) put the cat among the pigeons by moving the elements of the standards around, and adding some new ones, so that the old ’20 sections’ quality manuals no longer seemed appropriate.

The need to match policies and procedures against multiple codes means that a simplistic ‘one for one’ approach is no longer valid.
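The cross-referencing described in this section is, in practice, a traceability matrix: every clause of every code in the register should be met by at least one procedure, and every clause a procedure cites should exist in the register. The following script is an added example (not part of the original article) of the "little automation" that keeps that matrix honest. It runs a desk audit that reports uncovered clauses and dangling references, and it shows what an environmental scan does to the register when a code is re-issued with new clauses. The code names, clause identifiers and procedure names are constructed placeholders, not the real numbering of ISO 9001, the Privacy Act or any other code.

```python
"""Clause-level traceability between a standards/legislation register and
the policies and procedures that implement it.

Added example; register entries, clause ids and procedure names below are
constructed placeholders, not real clause numbering of any code.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Code:
    """One entry in the standards and legislation register."""
    name: str
    version: str
    clauses: set[str]        # clause identifiers the organisation must meet


@dataclass
class Procedure:
    """A policy or procedure and the clauses it claims to satisfy."""
    name: str
    satisfies: set[str]      # references of the form "<code name>:<clause>"


def desk_audit(register: list[Code], procedures: list[Procedure]):
    """Return (uncovered, orphaned).

    uncovered: required clauses that no procedure addresses (a compliance gap)
    orphaned:  clause references in procedures that point at nothing in the
               register (stale after a code was re-issued or removed)
    """
    required = {f"{c.name}:{cl}" for c in register for cl in c.clauses}
    claimed = {ref for p in procedures for ref in p.satisfies}
    return sorted(required - claimed), sorted(claimed - required)


def coverage_matrix(register: list[Code], procedures: list[Procedure]):
    """Map each required clause to the procedures that cite it: the
    cross-reference that replaces the old 'one section per clause' manual."""
    matrix: dict[str, list[str]] = {}
    for code in register:
        for clause in code.clauses:
            ref = f"{code.name}:{clause}"
            matrix[ref] = sorted(p.name for p in procedures if ref in p.satisfies)
    return matrix


def apply_scan(register: list[Code], name: str, version: str, clauses: set[str]):
    """Record the outcome of an environmental scan without mutating the input.

    Replaces (or adds) the named code at the given version and returns the
    updated register together with the clauses that are newly required, so the
    next desk audit can be targeted at them.
    """
    old = next((c for c in register if c.name == name), None)
    added = sorted(clauses - (old.clauses if old else set()))
    updated = [c for c in register if c.name != name]
    updated.append(Code(name, version, set(clauses)))
    return updated, added


# Constructed sample register and procedures (placeholder names and clauses).
REGISTER = [
    Code("QMS", "2000", {"4.1", "7.5", "8.2"}),
    Code("PRIV", "1988", {"P1", "P2"}),
]
PROCEDURES = [
    Procedure("Document control", {"QMS:4.1", "QMS:7.5"}),
    # "QMS:9.9" is a deliberately stale reference to show the orphan check.
    Procedure("Complaints handling", {"QMS:8.2", "PRIV:P2", "QMS:9.9"}),
]

if __name__ == "__main__":
    uncovered, orphaned = desk_audit(REGISTER, PROCEDURES)
    print("uncovered clauses:", uncovered)
    print("orphaned references:", orphaned)
    for ref, procs in coverage_matrix(REGISTER, PROCEDURES).items():
        print(f"{ref:10} -> {procs or '(no procedure)'}")
    new_register, new_clauses = apply_scan(REGISTER, "PRIV", "amended", {"P1", "P2", "P3"})
    print("newly required after scan:", new_clauses)
    print("uncovered after scan:", desk_audit(new_register, PROCEDURES)[0])
```

Running the script lists `PRIV:P1` as uncovered and `QMS:9.9` as orphaned, then shows that re-issuing `PRIV` with clause `P3` adds a second gap until a procedure is written or amended to cite it. Because `apply_scan` returns a new register rather than editing in place, the before and after states can both be kept as audit evidence.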

Australia has over one million pages of legislation alone. But by simple organisation and a little automation, organisations can live with all of that and still get on with the job of serving customers.

Other reading: Australian Standard AS 3806-1998 Compliance programs