The key to compliance | CQI | IRCA
Lead Auditor Ravindiran Gurusamy

The key to compliance

Published: 23 Nov 2023

IRCA Principal Auditor Ravindiran Gurusamy examines the compliance obligations that are required in an environmental management system.

In the present context of increasingly stringent legislation, growing pressures on the environment from pollution, and improper waste management, every organisation should adopt sustainable development into their business processes. This article describes how the compliance obligations should be mandated in an organisation’s environmental management system (EMS).

Plan, do, check, act

The clauses of ISO 14001:2015 Environmental Management Systems – Requirements with guidance for use follow a high-level structure (HLS) and are framed in line with Deming’s plan, do, check, act (PDCA) approach. All the clauses are interlinked and should be understood as a whole.

The clauses Compliance Obligations (6.1.3), Monitoring & Measurement (9.1.1) and Evaluation of Compliance (9.1.2) are particularly closely interlinked. Fulfilling them also requires a complete understanding of the organisation’s legal requirements.

ISO 14001 defines compliance obligations as "legal requirements that an organisation has to comply with and other requirements that an organisation has to, or chooses to, comply with". While determining the legal requirements, the organisation shall take inputs from the external issues and the needs and expectations of external interested parties.

In evaluating environmental aspects, the organisation shall take into account the legal requirements. Many organisations perceive that identifying more applicable legal requirements poses a risk to maintaining their EMS, since it warrants more monitoring and invites unnecessary observations during the audit.

However, it is actually an opportunity for the organisation to demonstrate its commitment to meeting not only the EMS requirements, but also to addressing external issues and meeting the needs and expectations of external interested parties.

Compliance Obligations (clause 6.1.3)

The organisation shall maintain documented information in the form of a legal register that includes all the applicable legal requirements. The legal register should be adequate and up to date. The organisation may establish a legal cell using a cross-functional approach, comprising all the organisation’s stakeholders who are directly or indirectly involved in compliance obligations.

An organisation’s size and complexity, and the criticality of the processes, may be considered in establishing the legal cell.

"Systematic identification, periodical review and suitable actions on shortfalls are required to prevent any noncompliances."

Ravindiran Gurusamy, IRCA Principal Auditor

The legal register should be in two sections. One section should include applicable international, national, regional and local rules and regulations, requirements specified in permits, licences, authorisations, orders or guidelines from regulatory bodies, and judgments of courts or tribunals.

The other section should contain organisational requirements, voluntary principles, relevant organisational standards and industry standards. The team should meet at the defined frequency to review and update the legal register with the latest revisions. The outcome should also be discussed in the management review meeting, to obtain direction from top management.

Monitoring, measurement, analysis and evaluation (Clause 9.1.1)

The organisation’s legal cell should take inputs from the legal register and define the process of what, when, where, who and how to measure and monitor.

For effective implementation, the legal cell should treat the requirements mandated by the statutory and regulatory bodies as questions, and establish the answers in the form of monitoring and measurement. The legal cell should also assign responsibility within the organisation for monitoring, measuring, analysing and evaluating each applicable legal requirement.

The responsible person shall review the measurement results to ensure the values are meeting the requirements. They should also analyse the results and take appropriate action for shortfalls. The same person should then submit results to the legal cell as part of the agenda in the management review meeting.

Evaluation of Compliance (Clause 9.1.2)

The individual process owners who have been assigned responsibility for evaluation of compliance should evaluate and submit the evidence for the applicable legal and other requirements assigned to them, ensuring compliance within the organisation’s processes. The legal cell shall review the evidence and submit it to leadership for any decision or direction.

The compliance obligations of the organisation in relation to an environmental management system depend on participation from all levels and functions of the organisation. Systematic identification, periodical review, and suitable actions on shortfalls are required to prevent any non-compliances. The organisation should review the legal register periodically, or whenever notifications arrive from the statutory/regulatory bodies, by adopting the PDCA approach.
