By Wilson Fernández
Introduction
Across industries, I have observed a recurring issue in businesses of all sizes: a fundamental lack of understanding regarding the Statutory and Regulatory (S&R) requirements applicable to their operations. This isn’t just an oversight—it’s a serious governance risk that exposes organisations to non-compliance, legal penalties, and reputational damage.
This article is a reflection of my experience helping small to large global organisations integrate compliance obligations into their core management systems. My goal is to help organisations close this critical knowledge and accountability gap.
1. The Compliance Blind Spot
Many organisations operate with a false sense of security, believing that:
- “We are too small to be impacted by regulations.”
- “Our consultant or legal advisor will handle it.”
- “We’ve been operating this way for years without issues.”
These assumptions create blind spots that often result in avoidable incidents, fines, or systemic process failures. In some cases, organisations do not even know what statutory requirements apply to them, let alone how to ensure ongoing conformance.
2. Real-World Challenges I Have Observed
Despite the availability of frameworks, systems, and tools, many organisations struggle with fundamental implementation and oversight challenges. Based on my experience across industries, the following issues are most common and often go unaddressed:
- Lack of a centralised or decentralised legal register
- Business & process owners not aware of their legal or regulatory responsibilities
- Confusion or gaps in accountability between landlords and tenants (especially regarding facility compliance)
- No structured review or handover of obligations during organisational change (e.g., mergers, acquisitions, project start-ups)
- Over-reliance on consultants or auditors without internal ownership or understanding
- Legal obligations not linked to risk assessments, audits, or operational planning
- Absence of training or awareness programs for applicable S&Rs
These challenges not only increase compliance risk but also affect the organisation’s ability to build a culture of accountability and proactive risk management.
Note to SMEs and Business Owners
Many small and medium-sized enterprises (SMEs) neglect, or are unaware of, their statutory and regulatory obligations. This article is written not only for certified organisations but also for SMEs and business owners who must realise that compliance is not optional; it is a legal and operational necessity. When something goes wrong at any stage, the cost of non-compliance is significantly higher than the cost of proactive governance. Even without certification to a Management System Standard, every business must treat S&R requirements as a critical pillar of responsible and sustainable operation.
3. Categories of Statutory and Regulatory Requirements
Every organisation, regardless of size or sector, must comply with generic as well as industry-specific S&R requirements. These can include:
a. Generic Requirements:
- Licensing & Business Operations (Business Names Registration Act 2011, Australian Securities and Investments Commission Act 2001 – ASIC, State-based licensing, e.g., trades, liquor, security, construction)
- Taxation & Finance (ATO, GST, PAYG, Fringe Benefits Tax Act 1986, Corporations Act 2001 – for companies, Superannuation Guarantee (Administration) Act 1992)
- Work Health & Safety (WHS Act & Regulation, OHS Act in VIC, Dangerous Goods Act 1985 – VIC, Return to Work Acts, e.g., WorkCover and WorkSafe VIC obligations)
- Employment Law (Fair Work Act, NES, Equal Opportunity Act 2010 VIC, Workplace Gender Equality Act 2012, Modern Awards and Enterprise Agreements, State specific Long Service leave Acts)
- Environment Protection (Environment Protection and Biodiversity Conservation Act 1999 – EPBC, Environment Protection Act 2017 – VIC, State-based – Waste management and recycling laws, Climate Change Acts – state and federal initiatives)
- Consumer Protection & Trade (Australian Consumer Law – ACL, under the Competition and Consumer Act 2010; Trade Practices Act – historical, now rolled into the ACL; Product safety standards and recalls – ACCC)
- Privacy and Data Protection (Privacy Act 1988, NDB scheme, State-based health privacy laws, e.g., Health Records Act 2001 VIC)
- Security, Anti-corruption & Governance (Australian Security Intelligence Organisation Act 1979, Public Interest Disclosure Act 2013, Whistleblower Protection laws, Foreign Influence Transparency Scheme Act 2018)
- Transport & Road Safety (if applicable) – (Heavy Vehicle National Law (HVNL) – NHVR obligations, Chain of Responsibility (CoR) legislation, Vehicle Standards and ADRs)
- Other Common Requirements (Records Retention & Archives Acts, Charitable organisations – ACNC compliance, Procurement & Contracting Laws – for government or public sector)
- Building and Facilities Compliance (e.g. NCC, fire systems, accessibility)
b. Industry-Specific Requirements:
- TGA regulations for pharmaceuticals and devices
- FSANZ for food safety
- NHVR for transport and logistics
- APRA for financial services
- ADRs for automotive, and more
c. Product and Service Requirements:
- Product safety, labelling, traceability
- Digital services and cyber security regulations
4. Universal Applicability of S&R Compliance
Statutory and regulatory requirements are not limited to private businesses or organisations certified to management system standards. All entities—regardless of size, sector, or purpose—must comply with applicable laws. This includes, but is not limited to:
- Educational institutions
- Non-profit organisations and charitable trusts
- Religious and faith-based institutions
- Local councils and government agencies
- Financial and banking organisations
- All forms of transport and logistics operations
- Healthcare, aged care, and community service providers
Every organisation has an obligation to identify, assess, apply, and maintain relevant statutory and regulatory requirements—including industry-specific mandates—throughout its operations.
Compliance is not optional, and no entity is above the law.
It is up to the organisation’s leadership to demonstrate accountability by implementing a robust S&R governance framework, regardless of sector or legal status.
5. Sector Spotlight: Medical, Pharmaceutical, and Medical Device Compliance
Organisations in the medical, pharmaceutical, and medical device sectors are subject to some of the most stringent regulatory requirements due to the potential impact on public health and safety. These sectors must adhere to both domestic and international compliance standards, including:
- Therapeutic Goods Administration (TGA) regulations
- Therapeutic Goods Act 1989 and associated regulations
- Good Manufacturing Practice (GMP) principles
- PIC/S guidelines and EU GMP Annexes
- ISO 13485 for medical devices
- ISO 14971 for risk management in medical devices
- Medical Device Regulations (MDR) and In Vitro Diagnostic Regulations (IVDR) for exports to Europe
- FDA 21 CFR Part 820 and Part 11 (for US exports and electronic records)
Key focus areas for compliance in these sectors include:
- Product registration, licensing, and listing with TGA
- Validation of manufacturing and laboratory processes
- Vigilance and post-market surveillance programs
- Adverse event reporting and corrective action processes
- Data integrity, traceability, and document control
- Clinical evaluation and evidence requirements
- Labelling, packaging, and storage compliance
Organisations must implement robust quality management systems that are aligned with regulatory expectations. Regular internal audits, mock inspections, and continuous training are essential to remain inspection-ready and ensure patient safety and regulatory conformance.
6. A Practical and Proven Approach to S&R Compliance
In my experience working across small to large global organisations, I have successfully integrated applicable Statutory and Regulatory (S&R) requirements into the core of our management systems. Rather than centralising this responsibility, I established a model where each Process Owner was accountable for identifying, implementing, and maintaining compliance with process-specific S&Rs.
This decentralised, ownership-based approach assured clear accountability, improved system effectiveness, and ensured that legal obligations were embedded and sustained within daily operations. It also promoted a proactive culture where compliance was not just a function but a shared responsibility across the business.
To ensure transparency and consistent deployment of Statutory & Regulatory (S&R) compliance across the organisation, I developed and implemented a dedicated S&R Requirements Procedure.
This procedure outlined the process for identifying, evaluating, and maintaining applicable requirements at all organisational levels. A RASIC (Responsible, Approver, Support, Informed, Consulted) chart was integrated into the procedure to clearly assign roles and foster accountability across functions.
The procedure enabled:
- Transparency and traceability of compliance obligations
- Clear ownership and process-specific accountability
- Consistent legal register development and review
- Ease of integration with ISO 9001, 14001, 45001, and industry-specific standards
- Streamlined audit readiness and evidence of control implementation
Another key step I embedded into the S&R Procedure was the assessment of technical and commercial impacts related to products, services, safety, security, IT, process hazards, and compliance risks. This pre-quotation assessment enabled the business to:
- Evaluate potential statutory or regulatory risks before commitment
- Ensure customer quotations were technically and legally viable
- Review findings with relevant internal and external (customers, suppliers, contractors) stakeholders for alignment
- Secure support from top management or business owners
Furthermore, any changes such as new or updated S&R requirements were processed through a formal Change Management Process (CMP). This ensured that:
- All changes were reviewed for impact
- Process owners were engaged early
- Implementation was coordinated across functions
- Compliance remained consistent with new obligations
This structured approach has proven essential for minimising risk, ensuring informed decisions, and maintaining full lifecycle compliance. This initiative not only enhanced risk management but also empowered each process owner to take charge of their legal responsibilities while being supported by central Quality, Legal, and Risk functions as appropriate.
7. Key Elements of the Statutory & Regulatory (S&R) Integration Process
a. Developed a Statutory & Regulatory (S&R) Requirements Procedure
- Documented how S&Rs are identified, assessed, owned, deployed, and maintained
- Integrated a RASIC Chart across processes and functions
b. Process Owner Accountability
- Each Process Owner took ownership of relevant S&Rs
- Avoided central bottlenecks and built process-level responsibility
c. Integrated into Management Systems
- Embedded compliance into ISO 9001, ISO 14001, ISO 45001, and industry-specific frameworks
- Linked legal obligations with objectives, risks, audits, and review mechanisms
d. Internal and External Communication
- Communicated requirements clearly across business units, including the supply chain
- Ensured external requirements (e.g., customer or regulatory expectations) were reviewed and acknowledged
e. Compliance Reviewed by Process Owners
- Regular self-assessment and review of compliance by Process Owners
f. Independent Audits by Management System Auditors
- Conducted objective verification of implementation and maintenance
- Identified gaps and ensured continual improvement
8. Using Subscription-Based Legal Update Services
For organisations committed to staying ahead, subscribing to legal update services is a valuable investment. Providers such as SAI Global (Intertek), LexisNexis, and Thomson Reuters offer subscription-based platforms that typically provide:
- Automated alerts on changes to laws, regulations, and standards
- Customisable legal registers tailored to your operations
- Audit-ready documentation and update logs
- Expert commentary and practical guidance on implementation
- Integration with existing management systems and document control platforms
These tools are particularly beneficial for organisations certified to ISO 9001, ISO 14001, ISO 45001, or operating in regulated sectors such as healthcare, food, energy, transport, or finance.
While subscription fees apply, the benefits in terms of compliance assurance, risk mitigation, audit readiness, and regulatory transparency far outweigh the cost—especially when compared to the financial and reputational risks of non-compliance. Regardless of whether an organisation subscribes to such services, it remains the responsibility of the assigned Process Owners to:
- Review and validate the applicability of identified requirements
- Implement appropriate controls and mitigation measures
- Communicate obligations to relevant internal and external stakeholders
- Monitor compliance status regularly
- Maintain up-to-date records and evidence
- Assure and sustain compliance throughout the entire lifecycle of the relevant product, service, process, or system
This disciplined ownership ensures that compliance is maintained proactively and sustainably across all levels of the organisation.
9. Digital Compliance Accountability: Integrating IT-Related Statutory and Regulatory Obligations into Business Governance
In today’s technology-driven environment, organisations can no longer afford to overlook their accountability for Statutory and Regulatory (S&R) requirements related to Information Technology and digital operations. With increasing reliance on IT systems, data management platforms, and cloud infrastructure, legal obligations around data privacy, cybersecurity, digital recordkeeping, and cross-border data flows have become critical.
Organisations must ensure that their IT governance frameworks integrate compliance with relevant S&R requirements, such as:
- Privacy Act 1988 (Cth) and Notifiable Data Breaches (NDB) scheme
- Australian Cyber Security Centre (ACSC) Essential Eight Maturity Model
- Digital evidence and audit trail obligations under the Corporations Act 2001
- ISO/IEC 27001 for information security management
- Industry-specific IT compliance requirements (e.g., APRA CPS 234, GDPR, TGA eCTD guidelines)
Accountability must not rest solely with the IT department. Leadership teams, system owners, and process owners must also understand and implement the applicable digital compliance controls relevant to their business processes. This integrated accountability ensures that organisations remain resilient, trusted, and legally compliant in the digital age.
10. Facility and Infrastructure Compliance: Legal Obligations Beyond Ownership
Organisations must recognise that Statutory and Regulatory (S&R) requirements relating to buildings and facilities are mandatory and non-negotiable. These requirements apply to all workplaces—regardless of whether the premises are owned, leased, or shared. They form part of an organisation’s baseline compliance obligations and directly impact the health, safety, and legal standing of the business.
These requirements include, but are not limited to:
- Building Code of Australia (BCA) / National Construction Code (NCC)
- Essential Safety Measures (ESM) compliance (e.g., fire systems, egress, signage)
- Disability Discrimination Act 1992 – accessibility compliance
- Work Health & Safety (WHS/OHS) Regulations – facilities, amenities, emergency access
- Asbestos registers and hazardous materials management
- Electrical, plumbing, gas, and HVAC compliance certifications
- Maintenance of plant, equipment, and building services
- Security, surveillance, and privacy regulations (e.g., Surveillance Devices Act)
To ensure clarity and transparency, organisations must:
- Assign clear ownership (e.g., Facility Manager, Safety Officer, Property Services)
- Maintain an S&R compliance register specific to facilities and infrastructure
- Conduct regular inspections and audits
- Retain up-to-date documentation and permits (occupancy certificates, maintenance records, etc.)
- Include responsibilities in job descriptions, contracts, and lease agreements
This approach ensures that workplace safety, legal compliance, and business continuity are not compromised and that obligations are fulfilled regardless of location type or arrangement.
11. Key Recommendations for Organisations
To close the compliance gap and build a resilient, transparent, and legally sound operation, organisations, regardless of size, sector, or certification status, should adopt the following practical steps I recommend:
- Ensure visible leadership commitment and ongoing support
- Start with a compliance gap analysis
- Establish and maintain a compliance obligations register or similar
- Develop a procedure for managing S&R requirements
- Allocate accountability to Process Owners and provide training
- Integrate applicable S&Rs with management systems and audit programs
- Conduct regular internal reviews (Process Owners) and independent compliance audits
- Develop and maintain a Records Management System (covering creation through to disposal)
Note on ISO 37301 Certification
For organisations that wish to demonstrate a higher level of commitment to statutory and regulatory compliance, ethical governance, and responsible business conduct, certification to ISO 37301:2021 – Compliance Management Systems is strongly recommended. This international standard provides a structured framework for establishing, implementing, and continually improving a compliance management system. While certification is not mandatory, aligning with ISO 37301 enables organisations to formalise their compliance efforts, foster trust among stakeholders, and support a culture of integrity, risk awareness, and proactive governance, regardless of industry or size.
Conclusion
Compliance with statutory and regulatory requirements is not optional; it is a critical part of sustainable business operations. Organisations that take a proactive, process-owner-led approach are far more likely to meet their obligations, avoid penalties, and build trust with regulators, customers, and stakeholders.
Compliance should never be a tick-box exercise. It should be embedded, understood, reviewed, and owned by those who influence the outcomes every day. Only then can it truly become a strategic enabler of organisational excellence.
Disclaimer
This article is intended for general guidance and educational purposes only. It reflects the author’s professional experience and interpretation of statutory and regulatory (S&R) obligations at the time of writing. While efforts have been made to ensure accuracy, the content may not reflect the most recent legal or regulatory developments. Readers are encouraged to consult official government sources or seek professional legal or compliance advice relevant to their specific jurisdiction and circumstances.
This article focuses on Australian requirements, with particular reference to the state of Victoria. The applicability of laws may vary across states and industries. Any references to standards, frameworks, or guidelines (e.g., ISO 9001, ISO 37301) are current as of the date of publication.
About the author
Wilson Fernandez is an experienced Management Systems Leader, Auditor, and Quality & Safety Professional with a global career spanning engineering, manufacturing, automotive, infrastructure, and service industries. With deep expertise in ISO-based and industry-specific standards, he has successfully led initiatives in Quality, Health & Safety, Environmental, and Risk Management systems. Wilson has conducted hundreds of audits worldwide, applying process-oriented approaches and driving continual improvement.
He is passionate about sharing practical insights, highlighting regulatory responsibilities, and simplifying complex systems for real-world application. Through his articles, Wilson aims to raise awareness, build robust systems, and foster a culture of responsibility, safety, and quality across businesses of all sizes.
This article first appeared on Wilson Fernández’s LinkedIn page and is published here with permission.