Compliance Services

5 Stage Process to Compliance

We know that it is sometimes difficult to stay one step ahead of the regulatory control bodies that exist in each industry, but we encourage all businesses to be proactive on this front. When determining what level of compliance should exist in your business we ask ourselves ‘what should good look like?’, and we use the following 5 stage process, firstly to determine your status against a ‘mandatory’ level of compliance.

We would conduct a gap analysis of your status against the following 5 stages and provide an action plan to assist you, firstly in achieving that level of compliance, and then with recommendations on how to achieve higher levels of compliance and ultimately excellence.

1. Understanding Risks & Threats

If you do not have it already we will help you create a ‘Risk Register’ that will identify a complete range of risks appropriate to your business and provide a risk mitigation/treatment plan to manage those risks and threats to your success.

Similarly, if you do have an existing ‘Risk Register’ we will review it and assist with improvements (if required). We can also assist you in developing a risk management methodology suitable to your business and work with you to get it integrated at a level you are comfortable with.

2. Understanding Obligations & Expectations

If you do not have it already we will help you create an ‘Obligations Register’ that will identify the complete range of obligations (regulatory and legal) that govern your business operations. We will conduct a gap analysis to determine the level of compliance in each relevant business area. It will also link to a strategy for mitigation and the actions required to achieve the preferred outcome.

We can also assist you to engage with regulators to instil confidence in your capabilities. This would be done in a structured way and would detail your compliance strategy and progress on your journey to achieving not just mandatory levels but excellence in this field. Again, if you have an existing methodology we would assist with a review and improvement project should you feel it is required.

3. Mapping Critical Processes

We work with you to either improve existing process documentation or to create new process documents relating to business critical processes. It is important that these are current and at point of use with an appropriate control process to ensure that this is done in a considered and practical way.

Before critical processes can be introduced to your business it is important to understand what you are trying to achieve and why. This will be part of our early engagement and gap analysis, to determine the areas that will give you the highest reward (e.g. financial, systems or human resources) or to link this strategy to objectives identified in stages 1 & 2.

4. Identifying Appropriate Resources

Every business needs capable people and suitable systems to deliver the controls required for any compliance strategy. We will assist you to determine the right level for your business. It will likely be a blend of procuring outsourcing services or bringing the right people to your business to fill any identified gaps in resource requirements.

We work with systems consultants that will also provide an analysis of your needs now and for the future. We understand that it is not cost beneficial to ‘gold plate’ your business for every eventuality; that is why we will match our recommendations to any needs identified in stages 1, 2 or 3. This will be risk and reward based, always with the best intentions and with the prioritised needs of your business at the core.

5. Monitoring & Testing

You always need to know how well you are performing against your requirements and processes; therefore we will help you establish suitable monitoring and testing processes. This will likely be a blend of quality test methods and auditing across the business to gauge the level of compliance at any given time.

We will help you establish an internal auditing strategy suitable to your needs and in particular the objectives identified in all the previous stages. Ultimately, it should give you a recurring ‘health check’ against compliance. We will also help you to prepare for external audits and can facilitate them on your behalf as an outsourced service.

Management Systems

We recommend that any business has a structured way of working and the best way of doing that in the early stages is to establish control over your processes and systems to mitigate any identified risks. We will assist you in developing documented management systems following our 5 stage Project Management process to deliver the following:

- A complete management system of processes to any requirements (e.g. ISO or Industry standards) that will consist of policies, procedures, work instructions, forms and records.
- Integrate the documents with your business through a familiarisation and targeted training programme.
- Audit and test the newly established processes to identify areas for improvement.
- If required, facilitate an external audit (e.g. by a UKAS accredited body) to achieve certification against relevant standards (e.g. ISO or Industry specific).

Management systems can be self-certified and your ISO status referred to as ‘compliant’; this is something we can provide for you. However, to become externally certified, a certification body appointed by UKAS will need to independently assess and verify your system. We can also prepare you for this process and facilitate the audit itself.

Although it is not our recommended approach (albeit necessary whilst working in the COVID climate), engagements can be completed remotely.

We have specific experience delivering both compliance projects and certified ISO Standards to a range of business quality, environmental, safety, risk, information security, cyber security and data protection standards detailed on our home page.

ISO Certification

ISO Certification has become one of the most widely recognised and understood assurance marks across the UK and the world. If you haven’t noticed the certification logos on vehicles, websites or letterheads yet – you will from now on.

Many of the management system standards we work with can be certified by impartial UKAS accredited bodies, after a series of audits.

One of the main attractions of ISO Certification is the certification mark that you can use to demonstrate having achieved a particular standard; however, this is not the only benefit.

ISO Certification audits often provide useful feedback from an external party who may help you to identify improvements and efficiencies by testing your existing processes and looking for objective evidence.

Additionally, ISO Certification can provide a competitive advantage during the tender process, with many procurement departments taking ISO certification into consideration at the early stages of a tender. In some cases, certification can exempt organisations from answering entire parts of a pre-qualification questionnaire, which speeds up the response process.

Certification is achieved after the stage 2 visit and your certificate will be available a short time after the audit. For the stage 2 visit there needs to be at least three months of records to show that the management system has been successfully operating in the organisation.

Q. Risk Control can provide support through the whole ISO certification process. We see ISO consultancy as a partnership between consultant and client, with the mutual objective of improving your organisation.

ISO Compliance or Certification Projects

Short Engagements

Short consultancy engagements are often needed to resolve a particular problem such as:

- Resolving a non-conformance from an ISO audit.
- Providing knowledge transfer to a new staff member.
- Responding to a tender document.
- Providing short-term cover for a member of staff.
- Or other.

Large Engagements

Some engagements are more complex than others and can involve a team of our consultants over a number of days and months, for example:

- Bringing a new branch/location in to the scope of your management system.
- Implementing a risk management framework.
- Cultural or systems change management driven by regulatory requirements.
- Evaluating your supply chain and supplier audits.
- Other due diligence.
- Or other.

ISO Auditing

Our ISO Auditing services offer you an impartial evaluation of your ISO Management System, identifying weaknesses and driving improvement.

Internal audits are required as part of most management system standards, but our auditors can also support your supplier due diligence and other internal or external verification activities.

Many organisations find it more cost effective and efficient to outsource their internal audit activity to an ISO Consultant like Q. Risk Control.

Our auditors bring a wealth of experience to support your management system, taking a pragmatic approach that’s bespoke to your organisation. It also avoids the conflict of interest that comes with auditing your own work.

There are many benefits to engaging with Q. Risk Control for your auditing needs:

- Meet requirements of management system standards.
- Impartial audit of your management system.
- Managed audit programme and schedule.
- Clear Reporting.
- Non-Conformance trend analysis.

Scoping Internal Audits

Our team will work with you to define the scope of an effective audit programme to meet your requirements. This usually encompasses the whole management system and all activities of the organisation; however, we can also limit the scope of our audits to provide a part of your internal audit programme.

We can also work as part of your Audit Team providing expertise that you don’t have in-house, or covering a location where you don’t have an auditor.

Managed Audit Programmes to ISO 19011

We conduct our internal audits to ISO 19011, the standard for auditing management systems, so you can be assured that our work is thorough and to industry standards.

With the benefit of our office team to manage the programme and our experienced auditors, you are in good hands.

Non-Conformity Management

Any weaknesses our auditors find in your management system will be raised within the report as a non-conformance, which you can address through your non-conformance process.

There are several levels of internal audit findings depending on the severity and impact of the issue.

There will be enough information within the report for your team to understand the problem and find an effective corrective action; however, Q. Risk Control can also provide a consultant to advise on any of these.

Audit Reporting

We’ll provide a clear report detailing the audit activity and any findings, positive or negative.

Our auditors will discuss everything with you throughout the audit, so there should be no surprises in the report, and you can use the documented report during supplier or certification audits.

We also conduct a robust Report Review Process against a set of criteria including Coherence, Clarity and Confidentiality.

Audit Data Analysis

Q. Risk Control provides added value to your Internal Audits through our analysis of your non-conformance data, so you can identify and address trends.

We present data within the ‘Audit Analysis’ section of the report to show:

- Clauses where Non-Conformances occur most often.
- Locations which have the most non-conformance.
- A Breakdown of Non-Conformance by Severity.
- A Breakdown of Non-Conformance by Standard (if multiple standards or an integrated system).

Audit Principles

- Integrity – Ethical conduct.
- Fair Presentation – Report truthfully and accurately.
- Due Professional Care – Application of diligence and judgement.
- Confidentiality – Security of knowledge acquisition.
- Approach – Rational method for reaching reliable and reproducible conclusions.