ISO 19600 Section 4.5 - Know your Obligations

Raimund Laqua, PMP, P.Eng
ray.laqua@leancompliance.ca
Know Your
Obligations
Hi, I’m an
obligation Wsup A BEST PRACTICE COMPLIANCE
MANAGEMENT FRAMEWORK:
ISO 19600

KNOW YOUR OBLIGATIONS
1. Customer Identification Program
2. Customer Due Diligence
3. On-going Monitoring
Requirements
KYC, KYP, KYB, Etc.
The better you know your customer
the better you can evaluate the risk.

ABC Pipeline Company Environmental Manager
Carl the Environmental Manager

Obligations
managed
Obligations
at Risk
Unknown and Unmanaged Obligations

Carl’s Questions
1. How should we identify our environmental
obligations?
2. What information about these obligations will
help us effectively contend with compliance
risk?
3. How do we improve the use of our legal
register to better manage our obligations?
What do I need to Know

ISO 19600 Guidelines

Obligation Types
Obligation
Requirement
Mandatory Voluntary
Commitment
An obligation is defined as
being a requirement or a
commitment.
Something a company
must do or chooses to do.

4.5 / 4.6 Compliance Obligations
Identification of compliance
obligations and evaluation
compliance risk (4.5./4.6)
Leadership commitment,
Independent compliance
function (5.1), Responsibilities
at all levels (5.3), Support
functions (7)
Planning to address
compliance risks and to
achieve objectives (6)
Operational
planning and
control of
compliance
risks (8)
Performance
evaluation and
compliance
reporting (9)
Managing
compliances and
continual
improvement (10)
Maintain Develop
ImplementEvaluate
Improve

1. Identification of Compliance
Obligations (4.5.1)
2. Identification, analysis and
evaluation of compliance risk (4.6)
3. Maintenance of Compliance
Obligations (4.5.2)
KYO Requirements
Know Your
Obligations
Hi, I’m an
obligation Wsup
The better you know your obligation

▷ The organization should systematically identify its compliance
obligations and their implications for its activities, products and
services.
▷ The organization should take these obligations into account in
establishing, developing, implementing, evaluating, maintaining and
improving its compliance management system.
▷ The organization should document its compliance obligations in a
manner that is appropriate to its size, complexity, structure and
operations.
▷ Sources of compliance obligations should include compliance
requirements and can include compliance commitments.
4.5.1 Identification of Compliance Obligations

Obligation Landscape
Mission
Quality
Health & Safety
Security
Environmental
Process Safety
Social License
Conformance
to Industry Standards
Conformance
to Legal Requirements
Accept Stakeholder
Responsibilities
Accept Public
Responsibilities
Legal
Regulatory
Ethics
Code of Conduct
Contracts
Permits
Certifications
Public Safety
Regulatory License• Voluntary
• Focused on Performance
• Risk-based
• Learn / Improve Cycle
• Proactive
• Mandatory
• Focused on Conformance
• Prescriptive
• Audit / Fix Cycle
• Reactive
ORGANIZATIONAL CORPORATE
OVERLAP

▷ The process to identify obligations.
▷ The obligation requirements or commitments.
▷ Their implications with respect to activities,
products and services.
▷ How obligations should be taken into
account.
▷ How obligations should be documented.
What Do We Need to Know
Are these identified for your organization?

Obligation Sources
Source

Government Obligations
Source
Pan-Canadian Framework on Clean Growth and
Climate Change
Canadian Environmental Protection Act, 1999 (CEPA)
SOR/2018-66 - Regulations Respecting Reduction in
the Release of Methane and Certain Volatile Organic
Compounds (Upstream Oil and Gas Sector)
SOR/2020-60 - Order Declaring that the Provisions of
the Regulations Respecting Reduction in the Release
of Methane and Certain Volatile Organic Compounds
(Upstream Oil and Gas Sector)
Canadian Energy Regulator Onshore Pipeline
Regulations (SOR/99-294)

Industry Specific Obligations
Source
CSA-Z662:19 Oil & Gas Pipeline Systems
CEPA Integrity First Program
API RP 1173 – Pipeline Safety

International Obligations
Source
ISO 14000: 2015 Environmental Management System
ISO 19600: 2014 Compliance Management System

Interna Obligationsl
Source
Corporate EHS Policy

All Sources
Source
Climate Change
Canadian Environmental Protection Act, 1999 (CEPA)
CSA-Z662:19 Oil & Gas Pipeline Systems
CEPA Integrity First Program
ISO 14000: 2015 Environmental Management System
ISO 19600: 2014 Compliance Management System
Corporate EHS Policy
API RP 1173 – Pipeline Safety

Categories
Source Category
Climate Change
Framework
Canadian Environmental Protection Act, 1999 (CEPA) Act
Regulation
Order
CSA-Z662:19 Oil & Gas Pipeline Systems Standard, Regulation
Regulation
CEPA Integrity First Program Association
ISO 14000: 2015 Environmental Management System Standard
ISO 19600: 2014 Compliance Management System Guideline
Corporate EHS Policy Policy
API RP 1173 – Pipeline Safety Guideline

Example Categories
INTERNAL
EXTERNAL
What does
CATEGORY
tell us about how obligations
should be managed?

Topic
Source Category Topic
Climate Change
Framework Environment, Climate
Canadian Environmental Protection Act, 1999 (CEPA) Act Environment
Regulation Environment
Order Environment
Pipeline Safety, Safety,
Environment
Regulation Environment, Safety
CEPA Integrity First Program Association Environment, Safety
ISO 14000: 2015 Environmental Management System Standard Environment
ISO 19600: 2014 Compliance Management System Guideline Compliance
Environmental, Health,
Safety
Environment, Pipeline
Safety

Example Topics
What does
TOPIC
should be managed?

Compliance Design
Source Category Topic Design
Climate Change
Framework Environment, Climate Performance-based
Canadian Environmental Protection Act, 1999 (CEPA) Act Environment Prescriptive-based
Regulation Environment Performance-based
Order Environment Performance-based
Pipeline Safety, Safety,
Environment
Management-based, Prescriptive-
based, Performance-based
Regulation Environment, Safety Prescriptive-based
CEPA Integrity First Program Association Environment, Safety Performance-based
ISO 14000: 2015 Environmental Management System Standard Environment Management-based
ISO 19600: 2014 Compliance Management System Guideline Compliance Management-based
Environmental, Health,
Safety
Outcome-based, Performance-based
Environment, Pipeline
Safety
Management-based, Performance-
based

Compliance Designs
MICRO MACRO
MEANS
1. Prescriptive-based
Prescriptive regulation
Design standards
Technology-based regulation
Specification standards
Codes
2. Management-based
International Standards
Industry Standards
Goal-based regulation
Safety case regulation
Enforced self-regulation
ENDS
3. Performance-based
Performance Agreements
Output-based regulation
Market-based regulation
4. Outcome-based
Duty and Liability provisions
Outcome-based regulation

Non-Persistent
(event driven)
KNOWING YOUR OBLIGATIONS
Obligation Objectives
Persistent
Maintenance
Persistent
Achievement

Obligation Taxonomy
OBJECTIVE Rank
Agreed Criteria
a. attribute
b. attribute
c. attribute
Scorecard
a. attribute
b. attribute
c. attribute
9
7
4
OUTCOME
Rules
a. rule
b. rule

Obligation Taxonomy
OBJECTIVE Rank
Agreed Criteria
a. attribute
b. attribute
c. attribute
Scorecard
a. attribute
b. attribute
c. attribute
9
7
4
OUTCOME
Outcome-based
Rules
a. rule
b. rule

Obligation Taxonomy
OBJECTIVE Rank
Agreed Criteria
a. attribute
b. attribute
c. attribute
Scorecard
a. attribute
b. attribute
c. attribute
9
7
4
OUTCOME
Outcome-based
Rules
a. rule
b. rule
Performance-based

Obligation Taxonomy
OBJECTIVE Rank
Agreed Criteria
a. attribute
b. attribute
c. attribute
Scorecard
a. attribute
b. attribute
c. attribute
9
7
4
OUTCOME
Outcome-based
Rules
a. rule
b. rule
Performance-based
Prescriptive-based

Obligation Taxonomy
OBJECTIVE Rank
Agreed Criteria
a. attribute
b. attribute
c. attribute
Scorecard
a. attribute
b. attribute
c. attribute
9
7
4
OUTCOME
Validate and
Assure
Verify and
Ensure
Satisfy and
Sustain
Continually
Improve
Outcome-based
Performance-based
Management-based
Prescriptive-based
Rules
a. rule
b. rule
Standard Procedures

Compliance Measures
MoE
MoP
MoC
Measures of Effectiveness
progress against compliance
outcomes towards zero: non-
conformance, injuries,
violations, emissions, etc.
Measures of Performance
capabilities, capacity,
competency to meet
compliance objectives
Measures of Conformance
evidentiary artifacts that
demonstrate conformance to
standard.
MoI
Measures of Integrity
values, beliefs, behavior,
honesty, promise keeping,
disciplined, respect for
people, etc.

Example Compliance Designs
What does
COMPLIANCE DESIGN
should be managed?

▷The organization should identify and evaluate its compliance risks.
This evaluation can be based on a formal compliance risk
assessment or conducted via alternative approaches. Compliance
risk assessment constitutes the basis for the implementation of the
compliance management system and the planned allocation of
appropriate and adequate resources and processes to manage
identified compliance risks.
▷The organization should identify compliance risks by relating its
compliance obligations to its activities, products, services and
relevant aspects of its operations in order to identify situations
where noncompliance can occur. The organization should identify the
causes for and consequences of noncompliance.
4.6 Identification, Analysis and Evaluation of Compliance Risk

▷ The organization should analyse compliance risks by
considering causes and sources of noncompliance and the
severity of their consequences, as well as the likelihood that
noncompliance and associated consequences can occur.
Consequences can include, for example, personal and
environmental harm, economic loss, reputational harm and
administrative liability.
▷ Risk evaluation involves comparing the level of compliance
risk found during the analysis process with the level of
compliance risk the organization is able and willing to accept.
Based on this comparison, priorities can be set as a basis for
determining the need for implementing controls and the
extent of these controls (see 6.1).
Risk Evaluation

“The effects of uncertainty
on compliance objectives.”
Risk Definition
THREATS
OPPORTUNITIES
CAUSES
CONSEQUENCES
Preventive
Controls
Mitigative
Controls
Bow-Tie Analysis

▷ Organizations should have processes in place to
identify new and changed laws, regulations, codes
and other compliance obligations to ensure on-
going compliance.
▷ Organizations should have processes to evaluate
the impact of the identified changes and
implement any changes in the management of the
compliance obligations.
4.5.2 Maintenance of Compliance Obligations

Obligation Change Process
INITIATION
• Change description
• Type of change
• Reason for change
• Time limitations
IMPACT ANALYSIS
• Identify implications of change
• Conduct risk assessment
• Identify affected parties
APPROVAL
• Approve implementation of
requested change
PLANNING
• Develop implementation plan
• Develop communication plan
INITIATION
IMPLEMEN-
TATION
IMPACT
ANALYSIS
PLANNING APPROVAL
IMPLEMENTATION
• Execute implementation plan
• Notify affected parties
• Conduct necessary training
and qualification

What Do We Need To Know?

OBLIGATION
Obligation Source
Obligation Category
Obligation Topic
Obligation Design
Obligation Reference
Obligation Requirement
/ Commitment
Obligation Outcome
Obligation Objectives
Obligation Criteria
Obligation
Dependencies
What do we need to know?

OBLIGATION IMPACT
Obligation Source Products
Obligation Category Services
Obligation Topic Activities
Obligation Design Systems
Obligation Reference Processes
/ Commitment
Organization
Obligation Outcome Governance
Obligation Objectives Culture
Obligation Criteria Stakeholders
Obligation
Dependencies

OBLIGATION IMPACT RISK
Obligation Source Products Risk Threshold
Obligation Category Services Inherit Risk
Obligation Topic Activities Treated Risk
Obligation Design Systems Causes
Obligation Reference Processes Effects
/ Commitment
Organization Likelihood
Obligation Outcome Governance Severity
Obligation
Dependencies

OBLIGATION IMPACT RISK CHANGE
Change
Description
Obligation Category Services Inherit Risk Change Impact
Obligation Topic Activities Treated Risk Change Risk
Change
Implementation
/ Commitment
Obligation
Dependencies

OBLIGATION IMPACT RISK CHANGE MEASURES
Change
Description
Measures of
Integrity
Measures of
Effectiveness
Measures of
Performance
Change
Implementation
Measure of
Conformance
/ Commitment
Obligation
Dependencies

OBLIGATION IMPACT RISK CHANGE MEASURES CONTROLS
Change
Description
Measures of
Integrity
Administrative
Controls
Measures of
Effectiveness
Risk Controls
Measures of
Performance
Preventative
Controls
Change
Implementation
Measure of
Conformance
Detection
Controls
Mitigative
Controls
/ Commitment
Obligation
Dependencies

How did we do?
If you were Carl would this information
help you better manage your
environmental obligations?

How did we do?
Would it help you
better manage your
obligations?

What steps can you take to know your obligations better?
1. Which attributes or sets of attributes tend to
be missing from your obligation register?
2. What 3 attributes would significantly improve
your ability to manage your obligations?
3. What steps could you take to start including
those attributes in your obligation registers?
4. Will you be acting on those steps in the
upcoming weeks?

The better you know your obligations
A BEST PRACTICE COMPLIANCE
MANAGEMENT FRAMEWORK:
ISO 19600
Know Your
Obligations
Hi, I’m an
obligation Wsup

Know Your
Obligations
Hi, I’m an
obligation Wsup

ISO 19600 Section 4.5 - Know your Obligations

More Related Content

What's hot

Similar to ISO 19600 Section 4.5 - Know your Obligations

More from Nimonik

Recently uploaded

ISO 19600 Section 4.5 - Know your Obligations