Boss your BOS!
… or how to improve regulatory compliance whilst integrating risk management
By Bertrand Kornfeld
A graduate of HEC Montréal with a Theseus-EDHEC MBA, Bertrand Kornfeld is program manager within Bull Management. Located in Strasbourg, he works closely with customers to implement Integrated Management of Regulatory Compliance.
Risk identification and analysis are among decision-makers’ key concerns and are closely intertwined with Corporate governance. Complexity in ecosystems and management cycles, as well as the increasing number of regulations and communication channels between stakeholders, are key parameters that every senior manager must master to achieve control and assure regulatory compliance.
But how do you integrate risk management and business processes? Which business issues should you focus on when it comes to detecting risks? How do you prevent accidents and comply with all regulatory texts?
In this ‘Expert voice’, we offer some answers based on the Bill of Substances (BOS) and how it can be managed using a software package.
From information systems’ alignment to programming regulatory compliance
Information systems contribute to an organization’s goals if they are aligned to strategy. Software packages and standardized environments are frequently used to implement information systems. Changes to standard software should be minimized and at least 80% of the stated requirements should be met by a transactional platform to achieve a satisfactory outcome. In order to manage relationships with traditional stakeholders effectively, cross-functional solutions such as CRM, PLM, SRM and even HRIS have emerged. Last but not least, to effectively implement these solutions and ensure that the needs of the organization are covered by proven business processes, in-depth experience drawn from numerous projects has been capitalized into best practices.
But today, this business ecosystem is characterized by profound and continuous change within organizations, whether publicly or privately-owned. The location where work is carried out, people involved in the work process, the nature of tasks involved, metrics to assess performance… even if goals sometimes remain the same, there have undeniably been fundamental changes over recent decades! And if using technology plays a big role, other factors increasingly influence business conduct, including:
- Stakeholders having interest in what the organization does
- Regulation, whether at an international or national level
- New business risks
- Managers who, rather than being focused on resources, are now focused on results in order to comply with certain regulations, including labor laws.
Many situations lead organizations to formalize the way they manage regulatory compliance, even if constant changes and day-to-day business imperatives make this a tough choice. This includes:
- Switching from dispersed individual efforts to comply with certain regulations, to a team effort to comply with all relevant regulatory texts
- Dropping discussions about the relative ease-of-use of various applications, to jump start the process using auditable applications capable of informing risk management
- Integrating compliance with site-specific regulation into centrally-led compliance initiatives (for instance REACh* compliance)
- Migrating to applications designed to exchange content electronically and infer certain data.
The chart below maps the elements needed for effective risk management (in a French regulatory context) and sketches the scope of programming regulatory compliance and managing risks. This more or less applies to other European States, as well as States governed by law outside Europe.
Design your BOS, and trust it to deliver
Let us take the example of a manufacturing business where a certain number of parts, in pre-determined quantities, are put into a process running on designated machines and equipment. Descriptions of spare parts, as well as the processes used for repair or maintenance (whether preventive or predictive), are kept in order to maintain the machines and equipment in operational condition. To ensure that everything moves smoothly around the shop floor, detailed information about storage areas and the routes taken by internal transit systems might be held in a Manufacturing Execution System, enabling it to plan and control all physical movements of raw materials and products around the manufacturing site.
A Bill of Substances (BOS) lists all the substances present at a given time in a given location
Regardless of whether it is a raw material, a sub-product, fuel for a machine, a product brought in by a worker employed by a sub-contractor or a measurement device brought in by a maintenance worker, chemical substances are emitted by or contained in all these products. These substances have properties (chemical-physical, toxicological, etc.) and potential interactions that can cause risks.
To create the BOS for a specific location, users of the manufacturing management systems will be given vital help from the nomenclature of discrete products and ‘recipes’ for products coming out of process manufacturing. Copying, cross-referencing and inheritance are common mechanisms used to manage the properties of substances, while interfacing with the inventory management system enables users to associate a particular part with one or more substances. An external firm providing workers on site has to be able to enter into the BOS the substances its workers are bringing in. This applies equally to workers from other internal departments who are likely to come into that particular area of the site.
Do you really need an IS for a BOS?
It is possible to carry out certain measures manually, but for larger volumes of data or in order to support decision-making, it makes much greater sense to choose an application architecture which includes:
- Materials management
- Substances management
- A portal
- An inference engine
- Roles for named users in a given workflow carrying out segregated duties of planning and authorizing movements of materials (performed by legally liable individuals or individuals to whom the responsibility has been formally delegated).
Similarly, when it comes to acting on a risk that has been detected, information systems could include features that block some courses of action. For example, one could envisage that access badges for workers from an external firm could be blocked if they have failed to enter substances into the BOS, alarms could be sent to the head of security or maintenance equipment could be quarantined in the supervisor’s office before maintenance can start in an ATEX (Explosive Atmosphere) zone.
Do not joke with the BOS!
Three very good reasons to invest in a BOS are supplied by labor laws, as well as by industrial risk analysis best practice and by REACh*.
- Complying with French labor law (Code du Travail article R4412-40) obliges employers to provide the occupational health doctor with an up-to-date list of workers exposed to hazardous substances. But a list of hazardous substances does not exist and life sciences research is gradually moving substances from one category to another in the CMR classification (carcinogenic, mutagenic, toxic for reproduction). As a result, complying with labor law really means registering exposure to all substances on every worker’s exposure file.
- An industrial risk actually only materializes in an accident if a danger, a means of transfer and a target exist. A typical safety program aims at eliminating transfers and minimizing targets, for every danger that it is not possible to eliminate completely. The BOS models danger flows. Putting substances together in a particular location and their interactions represent a means of transfer. Targets are typically workers in that location. Those who share the same air supply, as well as some equipment, are also exposed to some risks such as fire, ATEX and toxic gases.
- REACh* applies to firms in the European Union involved in producing, exporting, importing, selling or using chemical substances. Downstream product safety information (material safety data sheets (MSDS) and labeling of substances) needs to flow from the producer to the user. And it is a legal requirement for information about exposure to chemical substances to flow back up from the users to the producers. Paperless MSDS handling is a good approach. Organizations need to be prepared to put in place an information system that provides a single version of the truth when it comes to chemical substances in a shared database, or to wait until their last recourse is to capture this tabular data in a spreadsheet and live with the inherent dangers.
Regardless of your industry, a BOS is essential
Industries physically providing services to people are fundamentally different from manufacturing activities. But here too, risks incurred by workers exist and are furthermore shared with customers. They may be exposed to substances which are covered by regulations (such as chemical substances) or to emerging dangers for which no regulation (yet) exists (such as nano-particles). In these situations – over and above the requirements of labor laws and public liability laws relating to construction and the built environment – the offense of deliberately endangering another person is committed if it can be legally established that there was a duty of care or prudence under the law or regulations; if this measure has been deliberately ignored and someone has been directly exposed; and if an immediate risk of wounding or death exists.
A risk does not have to actually materialize into an accident for charges to be pressed and for liable executive managers – who have not directly caused damage but have created or contributed to the creation of the situation leading to damage, or have not taken measures to enable it to be avoided – to be prosecuted, if the four conditions listed above are met.
BOSs used by high street retailing, hospitals and retail banking industries are more limited in their scope and need to be updated less often than those used in manufacturing activities. But business logic and application architecture components are similar to those for manufacturing businesses.
Programming regulatory compliance, a vital first stepping stone
Company directors’ ability and willingness to comply with regulations, manage risks and communicate consistently with all stakeholders are increasingly important.
Practicing regulatory compliance in an integrated manner creates a consensus among stakeholders, effectiveness within the organization and serenity for company executives. Once this ‘hygiene factor’ is achieved, it is possible to extend risk management to business risks, such as the risk of damage to reputation (see http://gmfactsandfiction.com for an example of how this is being tackled). These foundations can be used to meet broader enterprise goals such as Corporate social responsibility.
The process of documenting chemical substances and their existing links with other objects of interest in information systems, such as parts, workers, equipment and customers, seems to be a background task. And because nature also abhors a vacuum in regulatory reporting, this process is underway in most organizations. The timing and relevance of interventions in this process determine the nature of the technologies involved – in a continuum that extends from a module within an integrated software package to a maze of spreadsheets – and, as a result, the stress levels of company directors.
Bull consultants, for their part, take a flexible and iterative approach to implementation. From programming regulatory compliance to managing change and implementing information systems, they catalyze improvements in regulatory compliance and risk management.
* REACh: Registration Evaluation and Authorization of Chemicals.