This question came up the other day; it is one I have answered on many occasions over the years. Admittedly, the differences between how the terms are used can be quite confusing. The question is usually asked by people who do not have a background in enterprise risk and compliance management software; they just know they need to follow the Clean Air Act and its associated EPA regulations, NERC, ISO 27K, the BPVC, etc., and they hear the terms used in a seemingly interchangeable way.
Speaking in terms of North America, the layman's explanation is fairly easy to grasp. Laws (or statutes) are the actual laws as passed by the legislative branch, be it the U.S. Congress or the various state legislatures. In general, these laws specify "what" the law is to achieve and "when" it is to go into effect. On the federal level, these laws/statutes compose the entirety of the U.S. Code.
The Executive Branch controls the various departments and agencies of government, from the EPA to Homeland Security, and those agencies are responsible for implementing the laws passed by Congress. These departments and agencies promulgate regulations, dictating "how" the law is to be implemented. On the federal level, these regulations compose the entirety of the CFR (Code of Federal Regulations).
If this all sounds familiar, it is no doubt because we learned about the separation of powers in grade school. The Legislative and Executive branches are two legs of the three-legged stool in our Constitution, the third being the Judicial branch, which determines the constitutionality of the laws passed by Congress. Laws and regulations are simply the vehicles through which the Legislative and Executive branches exercise their respective powers.
So how do standards fit into this mix, especially in the GRC space? Many departments and agencies rely on voluntary standards in lieu of prescriptive regulations, and many of these standards are maintained by private organizations (ISO, ASTM, NERC, etc.). An example of a widely adopted voluntary standard is the ASME BPVC (Boiler and Pressure Vessel Code), although even here the terminology can be confusing: many states have mandated the BPVC as law, and I have heard many people refer to the BPVC as a set of regulations. The confusion arises when a regulatory body makes a standard mandatory. At that point, the standard has the force of law and is treated like a regulation.
How can we help?
Predict360 is a fully configurable and automated enterprise risk management platform with over 40 modules for the financial sector, the energy sector, oil and gas, and other major sectors. Some of the popular modules include policies and procedures management, risks and controls, audit management software, and online training and qualifications, all in a single cloud-based platform.