Keshav Ram Singhal

Various information, quotes, data, figures used in this blog are the result of collection from various sources, such as newspapers, books, magazines, websites, authors, speakers etc. Unfortunately, sources are not always noted. The editor of this blog thanks all such sources.

Thursday, February 23, 2012

Statutory and Regulatory Requirements in ISO 9001:2008 QMS

Dr. Divya Singhal
Keshav Ram Singhal

The term ‘statutory and regulatory requirements’ appears no fewer than nine times in the ISO 9001:2008 QMS Standard. This article attempts to explain what the term means, and what an organization needs to do to comply with it and how.
As clarified in Note 2 under clause 1.1 (General) of the ISO 9001:2008 QMS Standard, ‘statutory and regulatory requirements’ are legal requirements. The term covers two types of requirements:
(i) Statutory requirements
(ii) Regulatory requirements

Both statutory requirements and regulatory requirements are requirements imposed by law. They are non-negotiable and must be complied with. Failure to comply with a legal requirement may result in a fine or penalty, and possibly a custodial sentence for the person or persons responsible for the failure. Statutory refers to laws passed by a state and/or central government, while regulatory refers to a rule issued by a regulatory body appointed by a state and/or central government.

Statutory requirements are those that apply by virtue of a law enacted by the government. A regulatory requirement can be described as administrative legislation that constitutes or constrains rights and allocates responsibilities. It is somewhat different from statutory legislation, which is enacted by passing a law in the legislative assembly or parliament. The following types of regulation can apply to an organization:
- Legal restrictions or responsibilities promulgated by a government authority
- Self-regulation by an industry through a trade association

The ISO 9001:2008 QMS Standard requires an organization to determine and control the statutory and regulatory requirements applicable to the organization’s products (including services). It is up to the organization how it complies with this within its quality management system. The introduction to the standard indicates that ISO 9001:2008 QMS can be used by parties to assess the organization’s ability to meet:
- Customer requirements
- Statutory and regulatory requirements applicable to the product
- Organization’s own requirements

People involved in assessing the organization’s quality management system, such as third party auditors and internal auditors, therefore need to be aware of the general and specific statutory and regulatory requirements applicable to the product within the scope of the quality management system.

The term ‘statutory and regulatory requirements’ is used four times in clause 1 (Scope): twice in stating the general scope of the standard in clause 1.1, once in explaining the term in Note 2 under clause 1.1, and once in describing the application in clause 1.2 of the standard. Accordingly, an organization that wishes to implement the ISO 9001:2008 QMS Standard needs to (i) consistently provide product that meets applicable statutory and regulatory requirements, (ii) apply an effective management system that aims to comply with applicable statutory and regulatory requirements, and (iii) ensure that any exclusions within clause 7 of the Standard do not affect the organization’s ability or responsibility to provide product that meets requirements.

Even in the case of an outsourced process, it is the organization’s responsibility to comply with statutory and regulatory requirements. This is clarified in Note 3 under clause 4.1 (General requirements) of the Standard.
In clause 5.1 (Management commitment), the Standard places responsibility on top management to communicate the importance of meeting statutory and regulatory requirements, and in clause 7.2.1 (Determination of requirements related to the product) it requires the organization to determine the statutory and regulatory requirements applicable to the product. Clause 7.3.2 (Design and development inputs) requires that statutory and regulatory requirements be included in the design inputs and that these inputs be reviewed for adequacy.

Accordingly, the organization should have a methodology in place (i) for determining, maintaining and updating all applicable statutory and regulatory requirements, and (ii) for communicating all applicable statutory and regulatory requirements within the organization. The organization should ensure that the determined statutory and regulatory requirements are used as ‘process inputs’, and should monitor ‘process outputs’ for compliance with those requirements.

In this regard, one suggestion is to set up a task-force team comprising one In-charge and a few members who have legal knowledge or background. The task-force team should determine the statutory and regulatory requirements applicable to the product and to the organization, and also ascertain the responsibility of personnel/departments in meeting these determined requirements. Task-force members may also study national/international best practices to gain ideas about smooth implementation of such requirements. The In-charge should ensure that the determined statutory and regulatory requirements are communicated to the management representative and the personnel/departments concerned, with a copy to the top management.

It should be the responsibility of the personnel/departments concerned to meet these determined requirements. The top management should also review, at defined intervals, whether applicable statutory and regulatory requirements are being met.
The term ‘statutory and regulatory requirements’ does not appear in clause 8 (Measurement, analysis and improvement); however, internal auditors can play a significant role in meeting statutory and regulatory requirements. It is a good idea for the auditor, during the audit preparation phase, to obtain relevant information from internal as well as external sources on the statutory and regulatory requirements that may apply to the organization and its product, such as legal requirements related to health, safety and environment. An internal auditor can check compliance during the audit process by asking the following:
- Has the organization determined the applicable statutory and regulatory requirements related to the product?
- What are the determined applicable statutory and regulatory requirements?
- How is the importance of meeting statutory and regulatory requirements communicated to the organization’s people?
- Are the determined statutory and regulatory requirements used as process inputs in the determination of requirements related to the product, and also in reviewing design and development inputs?

If the auditor finds any noncompliance with any of the statutory and regulatory requirements, it should be reported as a CAR (corrective action request); such action will help the organization improve the effectiveness of its quality management system.

1 comment:

Nithya Srivatsan said...

Kindly provide some examples of Statutory and Regulatory requirements in a BPO.