If you work in manufacturing, you know the importance of compliance, but you might not be as well-versed in it if you’re not personally enforcing it or involved in each aspect of it. You have a lot to familiarize yourself with, but we should never scorn an opportunity to learn something new.
There are actually eight main areas of compliance you need to be familiar with, as we will see in a minute. Why do you need to bother with all this? Well, for one thing, compliance is not optional. It’s like death and taxes—the two things Benjamin Franklin famously called the only certain things in this world. Compliance might be a close third place. As you’re about to see, there are laws and regulations for just about everything in manufacturing.
Luckily, companies that stay compliant actually reap a lot of benefits. So do their employees, their customers, and the general public.
What is compliance in manufacturing?
Before diving into manufacturing, we first need to understand what compliance is in the first place. It’s a word that gets floated around in many jobs, and with good reason. It is an essential part of your business operations, no matter what industry you are in. As the term suggests, compliance is the act of adhering to a command—laws, regulations, standards, policies, and ethical practices, specifically. It can also be used to refer to the state of meeting those commands, also known as being compliant.
For manufacturing companies, compliance comes in two forms: regulatory compliance and corporate compliance.
For regulatory compliance, businesses need to follow state, federal, and international laws and regulations relevant to their operations. Governments and industry groups establish and enforce these laws.
For corporate compliance, businesses are responsible for ensuring they are operating lawfully while also following their own internal policies and regulations.
Businesses and organizations need to be aware of what’s expected of them. They also need to be in control of what’s happening inside their own company in terms of satisfying those expectations (and expectations they create themselves). Protecting the company is the number one goal of compliance—protecting it from risks like fraud, abuse, discrimination, waste, lawsuits, financial problems, and more.
What are the main areas of compliance in manufacturing?
The main categories your manufacturing business needs to be concerned with are as follows:
- Anti-corruption
- Data protection
- Employment law
- Export controls
- Fair competition
- Environment, health, and safety
- IT safety and security
- Product safety
All of these are important, so let’s break them down one by one.
Anti-corruption
No business wants to believe that its workers are inclined to commit, or even capable of committing, corrupt acts, but wishful thinking does little to discourage those who would try. That’s why companies need to establish programs for preventing the most common forms of corruption, including bribery, fraud, embezzlement, extortion, kickbacks, facilitation payments (“grease payments”), money laundering, and illegal payments to public officials.
The United States has signed onto a number of international conventions against corruption. It has also created anti-corruption laws of its own, such as the Foreign Corrupt Practices Act (FCPA). This legislation prohibits U.S. citizens and entities from bribing foreign officials to benefit their business interests. Likewise, foreign firms and persons cannot carry out corrupt payments in the U.S. The FCPA’s accounting provisions also require corporations with securities listed in the U.S. to keep accurate books and records in line with generally accepted accounting principles (GAAP) and to maintain a system of internal accounting controls.
Howard Weissman writing Global Compliance News has an excellent article on creating an anti-corruption “culture of compliance” that is worth a read. He contends that stopping corruption in your company begins with top-level leadership being openly “committed to doing business in an honest, ethical and legally compliant manner.”
Data protection
Today, companies collect, handle, process, store, and dispose of copious amounts of personal data. Personal data is any data that can be used to identify a living person; even a simple email address qualifies. When you handle that data, you are trusted with safeguarding it against breaches, meeting the data privacy laws and regulations that apply to it, and generally acting ethically with it.
In 2016, the European Union adopted the General Data Protection Regulation (GDPR), and it went into effect in May 2018. It broadly governs the processing of personal data of individuals in the EU, including their right to request a copy of the data a company holds about them and to request that the data be deleted or de-identified.
Similar protections exist in the United States. The California Consumer Privacy Act (CCPA) strengthens data privacy regulation at the state level, as does the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy, security, and integrity of U.S. patients’ health information.
Businesses need to develop and implement strong data security policies and practices as part of an effort to prevent data breaches and other serious incidents that affect customers and employees. Non-compliance can come in the form of unlawful processing and disclosure of personal information, resulting in hefty fines, regulatory investigations into data security, and even lawsuits.
John P. Mello Jr. writing for TechBeacon has a good article covering the five keys to data protection compliance based on a Micro Focus whitepaper, and it’s worth reading. Perhaps the biggest takeaway is that companies should have automated systems to respond to data requests. Performing these tasks manually can eat up huge amounts of time, inflating the cost of compliance.
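To make the “automated systems to respond to data requests” concrete, here is an added example (it is not code from the original article or from Micro Focus). It models the three things a GDPR-style request typically triggers on a record set: export a copy of one person’s records, erase them, or de-identify them with a keyed pseudonym so the rows stay usable for reporting without naming anyone. The dataset, the email addresses, and the secret key are all constructed for the example.

```python
"""Minimal data-subject request handler (added example, not from the article).

Works on a small constructed in-memory dataset and shows the three operations a
data-protection request usually requires: export, erase, de-identify.
"""
import hashlib
import hmac
from copy import deepcopy

# Constructed sample records; a real system would read these from a database.
SAMPLE_RECORDS = [
    {"id": 1, "email": "ana@example.com", "name": "Ana Ruiz", "order_total": 120.0, "region": "EU"},
    {"id": 2, "email": "bo@example.com", "name": "Bo Lind", "order_total": 75.5, "region": "EU"},
    {"id": 3, "email": "Ana@Example.com", "name": "Ana Ruiz", "order_total": 30.0, "region": "EU"},
]

# Fields that identify a living person and must be handled by the request.
IDENTIFYING_FIELDS = ("email", "name")

# Secret used for keyed pseudonymization. Constructed for this example; in
# production it lives in a secrets manager, never in source control.
PSEUDONYM_KEY = b"example-only-rotate-me"


def _normalize_email(email: str) -> str:
    """Requests arrive with arbitrary casing; match on a normalized form."""
    return email.strip().lower()


def export_subject_data(records, email):
    """Return copies of every record belonging to the requester (access request)."""
    target = _normalize_email(email)
    return [deepcopy(r) for r in records if _normalize_email(r["email"]) == target]


def erase_subject_data(records, email):
    """Return (remaining records, number erased). The input list is left intact
    so the caller can log before and after the change."""
    target = _normalize_email(email)
    kept = [deepcopy(r) for r in records if _normalize_email(r["email"]) != target]
    return kept, len(records) - len(kept)


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of an identifier. A plain SHA-256 of an email can be reversed
    by hashing a list of known addresses; HMAC with a secret key cannot, while
    still mapping the same person to the same token so records can be joined."""
    digest = hmac.new(key, _normalize_email(value).encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def deidentify_subject_data(records, email):
    """Return a new list in which the requester's identifying fields are replaced
    by a stable pseudonym; non-identifying analytics fields are kept."""
    target = _normalize_email(email)
    out = []
    for r in records:
        r = deepcopy(r)
        if _normalize_email(r["email"]) == target:
            token = pseudonymize(r["email"])
            for field in IDENTIFYING_FIELDS:
                r[field] = f"pseudonym:{token}"
        out.append(r)
    return out


if __name__ == "__main__":
    print("export:", export_subject_data(SAMPLE_RECORDS, "ana@example.com"))
    print("erase:", erase_subject_data(SAMPLE_RECORDS, "ana@example.com"))
    print("de-identify:", deidentify_subject_data(SAMPLE_RECORDS, "ana@example.com"))
```

The design choice worth noting is the keyed hash: hashing an email with a bare SHA-256 is not de-identification, because anyone with a list of candidate addresses can recompute and match the hashes. Keying the hash with a secret, and keeping that secret out of the dataset, is what makes the pseudonym non-reversible for anyone who only holds the records.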
Employment law
These laws establish the legal framework that dictates how organizations must treat their employees. For the most part, adhering to them is the same for everybody. However, some aspects of employment compliance, health and safety in particular, are more complex for manufacturing companies than for other firms.
The laws covering employment fall into four main categories: anti-discrimination, compensation, labor relations, and health and safety.
- Anti-discrimination laws are plentiful, but the most important is Title VII of the Civil Rights Act of 1964 which prohibits employment discrimination based on race, color, religion, national origin, and sex.
- Compensation laws center around the Fair Labor Standards Act of 1938 (FLSA), which, among other things, established the federal minimum wage and mandated overtime pay for non-exempt employees who work more than 40 hours in a week.
- Labor relations regulations concern the interactions of unions and management, with the National Labor Relations Act of 1935 (the Wagner Act) guaranteeing workers’ basic right to organize.
- Finally, and perhaps most importantly for manufacturing companies, there are health and safety laws. The primary law in the U.S. is the Occupational Safety and Health Act (OSHA), passed in 1970. A body known by the same acronym (“Administration” rather than “Act”) enforces the complex and detailed safety standards for businesses. Here are 2018’s top ten OSHA violations in the manufacturing industry; they include violations related to proper machine guarding, control of hazardous energy (lockout/tagout), and chemical hazard communication (HAZCOM).
Export controls
These laws regulate and restrict the release of sensitive technology, information, and services to foreign persons and nations for reasons of U.S. national security and foreign policy. Both physical shipments and electronic transmissions of information are covered by U.S. export controls.
The Export Administration Regulations (EAR) regulate the export and movement of less sensitive military items, commercial items that also have a military application, and purely commercial items. When shipping certain items to certain individuals, entities, or geographic locations, sellers must obtain special licenses through the Bureau of Industry and Security (BIS).
Fair competition
Many countries have established laws that protect consumers from predatory business practices, and the U.S. is no exception. Fair competition laws, also known as antitrust laws, prohibit a wide range of anticompetitive conduct, including market allocation, bid rigging, price fixing, and monopolization. It is in the public interest to have competition in an open-market economy. On a level playing field, businesses have to compete with each other for market share, leading them to drop prices, innovate, and focus on customer service, and consumers see the benefits. With reduced competition, however, consumers have less choice when buying goods and services, and the businesses selling to them have little incentive to improve their service or lower their prices. In fact, they often raise prices.
The Federal Trade Commission (FTC), together with the Antitrust Division of the Department of Justice, is responsible for enforcing antitrust laws. The three core federal antitrust laws today are the Sherman Act (1890), the Clayton Act (1914), and the Federal Trade Commission Act (1914), which created the FTC.
Businesses can comply with these laws by establishing codes of conduct that all employees must understand and follow. These codes should instruct employees to object immediately if inappropriate topics are brought up between competitors, to report incidents of such discussions, and to refuse to discuss, agree, or exchange information with competitors about prices, terms, quotes, sales, or market allocation.
Environment, health, and safety (EHS)
We’ve already seen how manufacturing companies have a responsibility to provide a safe work environment free of hazards, which they achieve by complying with OSHA. However, the EHS category extends beyond OSHA; it encompasses the protection of workers, the public, and the planet.
Efforts need to be taken to develop safe, high-quality, and eco-friendly processes that reduce the risk of harm to people in general, be they operators, customers, passersby, or the general public. EHS also involves creating systematic approaches to complying with laws and regulations enforced by the Environmental Protection Agency (EPA). These include managing the company’s carbon footprint and managing emissions. Regarding air pollution, for example, the EPA mandates compliance with the Clean Air Act.
IT safety and security
We’ve already seen how data protection covers the collection, handling, processing, storage, and disposal of personal information. That’s pretty broad, but cybersecurity goes even further, with a number of sources offering and sometimes mandating specific practices and technologies to keep data safe.
The National Institute of Standards and Technology (NIST), for example, publishes the Cybersecurity Framework, which is widely treated as a best practice. The five core functions the framework describes are identify, protect, detect, respond, and recover (version 2.0, released in 2024, adds a sixth, govern). ISO/IEC 27001 is a separate international standard, published jointly by ISO and IEC rather than by NIST; it establishes requirements for an information security management system (ISMS) that governs the security of intellectual property, employee records, financial information, and third-party data.
There are also steps you must take when cyberattacks occur. For example, every state in the U.S. has a law requiring companies to notify consumers if their personal data has been involved in a data breach, often within a fixed number of days. You need to meet these deadlines quickly, so it is advisable to have an incident response plan, alongside your business continuity plan, that is written and rehearsed before a breach occurs.
Manufacturing companies should conduct risk assessments as they establish their plans for cybersecurity. This begins with an analysis of what needs to be protected and how, as well as where any flaws or vulnerabilities currently exist. You need to ask tough questions about what controls are in place and how effective they are. Depending on your tolerance for risk and the specific regulations you need to comply with, you then establish new technical controls. These include:
- Data encryption
- Endpoint protection
- Anti-virus software
- Automated updates
- Network and log monitoring
- Data backups to the cloud
Once those are in place, companies should move on to non-technical controls. This begins with developing and communicating written policies that follow best practices for manufacturing. Training comes next, as employees need to understand security policies and procedures in order to follow them. Security audits and testing then check how well everything works together to protect personal information from attack.
Companies will need to routinely reassess their cybersecurity controls. For one thing, new regulations in the future may make what you’re doing now obsolete and non-compliant. Furthermore, cyberattacks are constantly evolving and adapting. Being at the cutting edge of cybersecurity will allow you to adapt in response.
Product safety
As mentioned in our article covering the top risks to manufacturing in 2021, product liability is an umbrella term for the legal responsibility a manufacturer bears when a person is harmed by its product. If a plaintiff can show that the product had a defect or deviation that made it dangerous, or that the manufacturer failed to warn the user of inherent risks associated with the product, he or she might have a case.
That can mean loss of revenue, legal fees, regulatory fines, reputation damage, and lasting mistrust of a product.
The Consumer Product Safety Commission (CPSC) is the relevant government agency for product safety. It develops safety standards and pursues recalls for dangerous products. In some cases, it even has the authority to outright ban products. The CPSC advises manufacturing companies to have a recall plan in place so that it can be executed as soon as possible if the need arises.