Updated: Mar 8
With the most recent revision of ISO 9001:2015, there has been a shift toward companies having to understand their position within their respective markets. This comes through understanding the organization and its context. To truly understand the organization as a whole, management must do some self-reflection to ensure that the needs and expectations of all interested parties are being met. Considering the government, at all levels, as an interested party, there is an urgent need to ensure that all statutory and regulatory requirements are accounted for and that appropriate controls are put into place.
At MSI, we are seeing an emerging pattern in External Registrar Audits. Auditors are now examining for conformance to any and all applicable statutory and regulatory requirements, so much so that we believe it necessary to communicate to our clients the importance of complying with these requirements.
Throughout each of the ISO and sector-specific management system Standards, the terms “statutory and regulatory requirements” appear numerous times. These requirements cover a broad spectrum of items including, but not limited to, the health and safety of employees (OSHA), environmental protection (EPA) and other legal requirements.
Examples of common statutory and regulatory requirements that would apply to all companies:
Community Right-to-Know (RTK)
Fork Truck Operation
Local Building Codes
Waste Disposal Reports
Identifying an organization's specific requirements stems from thoroughly understanding and developing the "Context of the Organization" (CoTO). Two questions we hear from clients are:
"How do I know what requirements apply to my organization?"
"How do I demonstrate that compliance to these requirements has been integrated into my management system?"
We use the “Context of the Organization” (CoTO) as the means to gather all of these requirements into one document. The CoTO is also used to demonstrate the connection from each requirement to the related Management System “control” (i.e., procedure, record, filing). This helps to demonstrate that the management system has been constructed in response to the needs and expectations of all interested parties.
A simple yet effective way of ensuring that all interested parties' needs and expectations are being met is to keep a living document (log) which breaks down all of the company's departments/areas, their factors/issues, their interested parties (both internal and external), any statutory and/or regulatory requirements involved, and the controls which need to be, or already are, in place. Once this is done completely and effectively, the organization will have a better understanding of what is required of it and by whom, and of how to ensure that those needs and expectations, including the statutory and regulatory requirements, are controlled and maintained.
Following is a partial example of a typical CoTO Log showing how to reflect the interested parties, the relevant requirements and the related management system control:
Even though the management system of your organization may not include compliance to ISO 14001 and/or ISO 45001 requirements (Environmental Health and Safety), there are still environmental, health and safety requirements that must be complied with.
Following are some relevant requirements from ISO 9001:2015 and AS9100D (in bold) which reflect the “statutory and regulatory” requirements:
It is emphasized that the requirements specified in this standard are complementary (not alternative) to customer and applicable statutory and regulatory requirements.
This International Standard specifies requirements for a quality management system when an organization:
a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and
b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.
All the requirements of this International Standard are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides.
NOTE 2: Statutory and regulatory requirements can be expressed as legal requirements.
4.1 Understanding the Organization and its Context
The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system.
The organization shall monitor and review information about these external and internal issues.
NOTE 2: Understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local.
4.2 Understanding the Needs and Expectations of Interested Parties
Due to their effect or potential effect on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, the organization shall determine:
a) the interested parties that are relevant to the quality management system;
b) the requirements of these interested parties that are relevant to the quality management system.
The organization shall monitor and review information about these interested parties and their relevant requirements.
8.2.2 Determining the Requirements for Products and Services
When determining the requirements for the products and services to be offered to customers, the organization shall ensure that:
a) the requirements for the products and services are defined, including:
1) any applicable statutory and regulatory requirements;
As can be seen, the term “statutory and regulatory requirements” can be found throughout the Standards. When completing the Context of the Organization Log it is important to keep all of these requirements in mind, as not being compliant with some, if not all, can have major ramifications for the company. Keeping all of this information in one place is a unique way of ensuring that the entirety of the organization has been considered and that all of the needs and expectations of interested parties are being met as well as all of the applicable statutory and regulatory requirements.