Value Added Approach in Determining ‘Statutory and Regulatory Requirements in ISO 9001:2008 QMS’

One of the magazines published an article on ‘Statutory and regulatory requirements in ISO 9001:2008 QMS’ in its March 2012 issue (this article can also be seen at this blog post dated 23 Feb 2012 at http://iso9001-2008awareness.blogspot.in/2012/02/statutory-and-regulatory-requirements.html) and one of the readers of this article has made comments stating, “I was reading the Mar 12 issue and article on statutory requirements under ISO 9001. On p.10, self regulation has been stated to be regulatory requirement which is not correct.” Since the above comments have made by a top management executive working in an accreditation board, and such comments cannot be ignored, so as a co-author of the earlier published article, I decided to clarify authors’ point of view. I request my readers to please consider with the following:
i. Both statutory and regulatory requirements are those requirements that are required by law.
ii. Statutory refers to laws passed by a state and/or central government, while regulatory refers to a rule issued by a regulatory body appointed by a state and/or central government.
iii. A regulatory requirement can be termed as administrative legislation that constitutes or constraints rights and allocates responsibilities. It is somewhat different from the statutory legislation enacted by passing the law in the legislative assembly or parliament.
iv. There can be following types of regulations applicable on an organization – (i) Legal restrictions or responsibilities promulgated by a government authority, (ii) Self regulation by an industry through trade associations.

I wish to clarify that regulations on an organization can be of two types. We look at "regulatory" as something that is limited by an authoritative group, and that authoritative group may include (i) group appointed by state/central government, (ii) group formed by an industry through trade associations. In this competitive world, we see many codes, regulations and rules (formed by trade associations) takes the status of necessary regulations (as equivalent to law) required to be followed. I would like to clarify our point of view with examples given here in below.

Examples of group appointed by state/central government

First example, Securities and Exchange Board of India (SEBI) is a body appointed by central government through an ordinance. Its regulations are necessary to be followed by organizations dealing in securities.

Second example, Insurance Regulatory and Development Authority (IRDA) is a body appointed by central government. Its regulations are necessary to be followed by organizations dealing with insurance.

A list of a few regulatory bodies appointed by government may be seen at http://india.gov.in/govt/studies/annex/8.1.1.pdf.

Examples of group formed by an industry through trade association

First example, in banking, certain regulations and rules are issued by Indian Banks Association that is required to be followed by bank branches in India. ‘Indian Banks Association’ (IBA) can be termed as a trade association of banking industry comprising of public sector banks, private sector banks, foreign banks having offices in India and urban cooperative banks. Indian Banks’ Association (IBA) is not appointed by any state or central government. ‘Fair Practice Code’ or many other rules and guidelines framed by the Indian Banks Association can be termed as those necessary requirements, as equivalent to regulatory requirements, for the banking industry.


Second Example – Foreign Exchange Dealers’ Association of India (FEDAI) is a group of banks that deals in foreign exchange in India as a self regulatory body. FEDAI is not appointed by state or central government and it can be termed as a trade association of foreign exchange dealers. The role and responsibilities of FEDAI includes – (i) Formulation of FEDAI guidelines and FEDAI rules for Forex (foreign exchange) business, (ii) Rules of FEDAI also include announcement of daily and periodical rates to its member banks. Please note that FEDAI guidelines play an important role in the functioning of the foreign exchange dealers (banks) and its guidelines can be termed as those necessary requirements as equivalent to regulatory requirements.

There are so many self-regulatory bodies in India that are not appointed by any government. Please note that the self-Regulatory authority of a business or profession is a select Body of its members, which is responsible for growth and development of the profession in the background of its responsibility towards customers, society and State. A few more examples of self-regulatory bodies in India are Bar Council of India, Medical Council of India, Institute of Chartered Accountants of India, Institute of Cost and Works Accountants of India, Institute of Company Secretaries of India, Council of Architecture.

I request, please don’t go alone by a dictionary meaning or a limited meaning of the ‘regulatory’. Please consider a broader meaning of the term ‘regulatory’ in the interest of implementing an effective quality management system in an organization. The purpose of the quality management system is to have an effective quality management system that provides product/service to customer. If you refer to ISO 9001:2008 QMS Standard and/or its normative reference document, ISO 9000:2005, you will notice that the term ‘statutory and regulatory requirements’ has not been clearly clarified in any of the standards, although it has been stated in note 2 of the clause 1.1 of ISO 9001:2008 QMS Standard that statutory and regulatory requirements may be termed as legal requirements. Simply stating the term ‘statutory and regulatory’ as ‘legal’ does not clarify the meaning of the term in a broader way and this may be the reason why people look to this term differently. Even the term ‘legal’ has different meaning to different people. In one opinion a contract entered between two private parties can be termed as a ‘legal’ contract as it is legally binding on both parties.

There may be two approaches in implementing ISO 9001:2008 QMS Standard, first, a bureaucratic approach, and second, a value-added approach. To me, the approach of the reader, who made the above comments, appears to be a bureaucratic approach. Our emphasis is on a value-added approach to implement an effective quality management system in an organization to gain maximum benefits from the quality management system. I would request my readers, please don’t keep a bureaucratic approach, instead keep a value-added approach. A certification body or an accreditation body may have a bureaucratic approach as they are purely related to ‘certification’ business. My concern is to apply a value added approach.

The reader of the article also stated, “The article also does not clarify what statutory/regulatory requirements are to be considered. An organization may be subject to many laws – Income Tax, Excise, product related, fire safety, occupational health and safety etc. It would have been useful to clarify what is to be considered under ISO 9000.”

In this connection, I thank the reader who has provided us an opportunity to clarify the issue in relation to above query. I would like to clarify the following:
(i) ISO 9001:2008 QMS Standard is a generic quality management system standard that can be implemented by all organizations, regardless of type, size and product provided. So it is very difficult to provide a common example of statutory/regulatory requirements. However, please see a few examples* pertaining to organization specific given here in below to understand the issue in a better way.
(ii) ISO 9001:2008 QMS Standard – clause 7.2.1 (d) – stipulates determination of the statutory and regulatory requirements applicable to the product. Clause 7.2.1 (d) comes under product realization and has a direct effect on the product realization process of the organization and also on the product provided to customer.

ISO 9001:2008 QMS Standard requires an organization to determine and control the statutory and regulatory requirements applicable to the products (including services). It is up to the organization how to do this within its quality management system. We believe that a methodology as suggested in the article is followed; then the organization will be on the right path in establishing, implementing and maintaining an effective quality management system. I hope that readers will agree to authors’ point of view.

For an organization, implementing ISO 9001:2008 QMS Standard, should demonstrate that the statutory and regulatory requirements applicable to its products/services have been properly determined, are available and easily retrievable. The term ‘statutory and regulatory requirements’ is invisible in clause 8 of ISO 9001:2008 QMS Standard, however, internal auditors need to be aware of the general and specific statutory and regulatory requirements applicable to the products/services included within the scope of the quality management system.

Examples*:
(i) For the purpose of quality management system of a consulting organization providing financial, income tax, excise consultancy services; determination of income tax rules and regulations, financial rules and regulations, excise rules and regulations may be relevant statutory and regulatory requirements applicable to the product. But for the purpose of quality management system of other organizations, these may not be relevant. (ii) For the purpose of quality management system of an organization manufacturing children toys, then legal requirements related to the health and safety of children from toys may be the relevant statutory and regulatory requirements applicable to the product. But for the purpose of quality management system of other organizations, these may not be relevant.

‘ISO 9001 Auditing Practice Group’ has issued a guidance paper on ‘Auditing statutory and regulatory requirements’ (can be seen at the websites of ‘International Organization for Standardization’ and ‘International Accreditation Forum’) that states that nonconformities should be issued only in situations where identification has been made of the system deficiencies or of direct violation in respect of statutory and regulatory requirements applicable to the products/services of the organization. However, if nonconformities with other kinds of statutory requirements (e.g. health and safety, environment, etc.) are co-incidentally, detected during the audit, this fact cannot be ignored by the audits. It should be reported without delay. Accordingly, I feel that if any internal auditor comes to know noncompliance of any of the legal requirements during internal audit, it must be reported as CAR (corrective action request) as a measure to add value in the internal audit and such action will help the organization in improving the effectiveness of the organization’s systems including the quality management system.

As a co-author of the earlier article published, I hope, I have clarified authors’ point of view in this write-up. However, if any readers still have any different opinion that may be brought out to our information.

- Keshav Ram Singhal