Compliance rules: Tips on where to find them.


I’ve had a few people contact me about my articles
I’m responsible for reporting on compliance and I’m not comfortable we are tracking everything we should be. What should we be tracking as the Control or mandatory required documents?

The short answer is

  • ask around: your suppliers and fellow professionals are a great source of information
  • go through your policies and procedures: they define 60% of your compliance requirements
  • go through your maintenance records.

You are not alone

Before we start, the first thing to say is: STAY CALM, YOU ARE NOT ALONE! Our research showed that over 60% of managers were wholly or partially unsure of their compliance obligations.

Compliance is a vast subject. We cannot be experts in everything, but what we can do is provide you with some tools to help.

Control (or mandatory required) Documents

So how do you define your list of control documents? First, you need to find the rules. The rules define the required documents.

  • Compliance is “the adherence to a set of rules”, and
  • Compliance Administration is “managing the documentary evidence that the rules are being followed”

Depending on your job title, “compliance” means completely different things. You could be responsible for workplace health and safety, facility compliance, supplier compliance, food safety, a combination of these or something else entirely.

Depending on your role, compliance administration means you now have hundreds, if not thousands, of mandatory and optional documents that need to be tracked and renewed. Some documents need to be renewed daily (daily cleaning of kitchens), yet some only need to be renewed every 30 years (30-year maintenance for sprinkler systems). So how do you tame this beast?

Back to Basics

In “Two easy steps to begin to take control of your red tape” we split compliance into Internal Compliance, External Compliance and Class. Now we look at

  • Regulations (a rule or directive made and maintained by an authority), and
  • Policies (rules made by your organisation to achieve its aims and goals)

Updated in Feb 2022 to take account of ISO37301 and the Obligation Hierarchy:

  • Mandatory (a regulation made and maintained by an Act, regulation or statutory body)
  • Voluntary (rules self-inflicted by the organisation)

Both regulatory-driven compliance and your own policies define control documents. Your organisation will happily define control documents in its policies and procedures. For example, there is no regulatory requirement for public liability insurance, but every buyer demands it as part of their internal policies, so every reputable supplier gets public liability insurance in order to do business.

Table of compliance versus control documents (table updated Feb 2022)

Step 1 – Mandatory compliance. It’s only 40% of the picture

These are enshrined in law and defined by

  • National Government, Federal Government or Common Market
  • State Government, if you are part of a federation
  • Local Government
  • Statutory bodies

OK, so the good news is that, according to Deloitte, only 40% of your compliance rules are defined by external regulatory authorities. The bad news is that if these rules are breached, there can be serious personal consequences, fines and even jail terms.

The fun part is that, according to Deloitte, some governments don’t even know how many rules there are out there! So how are you supposed to find out about rules that even the government has forgotten about?

Tip 1 – Where to ask for help with regulatory compliance obligations

  • Ask your suppliers. They have to comply across all their customers and are a good source of information.
  • Contact your suppliers’ trade associations. For example, if you use locksmiths, your national security or locksmith association is a good source of information. They want to remove any dodgy suppliers from the industry.
  • Contact your relevant trade association. For example, if you manufacture food products, your national association should be able to help. They may ask you to join, but it can be a worthwhile investment.
  • Contact your relevant professional association. Are you a Facility Manager or Workplace Health and Safety professional? Ask your local association for help. Heck, join and ask other professionals in your field.
  • Ask your Procurement department. When you onboard a new supplier, what does procurement demand? A note of warning: Procurement demands both regulatory- and policy-driven compliance documents. For example, demanding insurance certificates is a policy-driven requirement, not a regulatory-driven requirement.
  • and of course Google.

Step 2 – Voluntary compliance, the other 60%.

OK, so you are now well on the way to capturing 40% of your compliance obligations. The other 60% are all in your organisation’s policies, procedures and forms.

These voluntary obligations include best practice, industry standards, manufacturers’ recommendations and risk mitigation, but they are all self-inflicted.

So where do you start? Consider where compliance fits into the grander scheme of things in your organisation, no matter how large or how small it is.

Every organisation has a Mission and a Vision, even if it’s not written down somewhere and displayed on a wall. From these, your organisation will (hopefully) have developed Policies, Procedures, Processes and Forms. Your organisation’s policies, procedures, processes and forms probably have a larger impact on your compliance role than anything else.

Governance flow chart

I’m afraid that now you simply have to go out, collect them all and go through them. Unfortunately, you may need to update them, as 90% of the policies and procedures we come across are out of date. We recommend they get reviewed every 5 years.

As you go through them, make a note of every time a policy, procedure, process or form looks for documentary evidence of something and why. This is how you build up your list of control documents.

Tip 2 – Split policies, procedures, processes and forms into the six classes of compliance

To make it easier, split them by class, i.e.

  • Company policies, procedures, processes and forms
  • Staff policies, procedures, processes and forms
  • Product policies, procedures, processes and forms
  • Asset policies, procedures, processes and forms
  • Property policies, procedures, processes and forms
  • Project policies, procedures, processes and forms

Points to note

  • At this stage, it is irrelevant whether the service is provided by internal staff or external contractors; the requirements should be the same, i.e. are insurances in place, are people qualified, etc.
  • Policies, procedures and processes should have review dates to make sure they reflect the current vision, mission and relevant legislation.

Step 3 – Maintenance Records

The last place to look is your maintenance records. These often expose control documents. For example, you must have a maintenance record for your fire alarm systems. This exposes that (at least in Australia) you need documentary evidence that they are serviced every 6 months, every year and every 5 years.

Finally, if you need some help or pointers, drop us a line, we would love to hear from you.

Nigel Dalton-Brown, GAICD, AMIIA, MBA

Managing Director, Chair, Speaker, Lecturer, Author

Nigel is the Founder of Strytex and has been presenting and writing on Governance, Obligational Awareness, Risk Management and Compliance administration (GORC) since 2010.