FREE WEBINAR

Top 5 risks of non-compliance in building maintenance

Led by David Hemming, a compliance and FM expert, this 60-minute session explores the five primary risks associated with non-compliance, ranging from health and safety violations to financial penalties. 

Jump to a topic

  • 00:00 Introduction: The Importance of Compliance
  • 00:34 Meet the Expert: David Hemming's Background
  • 01:49 What Does Being Compliant Mean?
  • 04:20 Biggest Challenges Facing FMs and Building Owners
  • 06:52 Demonstrating Compliance Through Documentation
  • 08:32 Where Organisations Fall Down with Compliance
  • 10:16 Main Risks of Non-Compliance
  • 13:45 Real-World Examples and Consequences
  • 16:18 Poll: How Pressured Do You Feel About Risk?
  • 17:55 Tips for Achieving Compliance
  • 22:45 Poll: Learn More About SFG 20 and Facilities IQ
  • 25:38 Making Compliance a Priority in Your Organization
  • 29:41 Closing: Subscribe for More Tips

Speakers

David Hemming
NHS Service Delivery Lead
Lisa Hamilton
Marketing Director

Transcript

Jennifer Williams: Nobody is safe from non-compliance. Ask yourself, are you confident that you know what you need to do to achieve compliance and what the risks of non-compliance are? Some of the risks may surprise you. In this webinar, we're joined by David Hemming, a highly experienced chartered civil engineer, portfolio, programme, project, and estates manager who has over 30 years of experience in the industry.

We discuss what being compliant means, the biggest compliance challenges faced by FMs and building owners, the main risks that come with non-compliance, as well as how to mitigate them and more.

David Hemming: Hi there. So I'm David Hemming. I've been in the property and construction sector for over 30 years now. I'm a chartered civil engineer by background. I'm also a fellow of the Institute of Workplace and Facilities Management, so I have a broad-based understanding. The first 20 years of my career I spent in defence, both being on the contractor side, constructing elements. I also then helped look after large swathes of defence locations, both in the UK and internationally. On retiring from defence, I have then been a Director of Estates and Facilities Management for two large universities. And I've also been the Managing Director of the Parliamentary Estate down in London. So large complex estates with many different issues, a lot of which are in regulated environments, and obviously it's within the regulations that you get an excessive amount of compliance, but there are general compliance issues that apply to all estates and buildings.

Lisa Hamilton: So perhaps before we start talking about risk, David, and the risks of non-compliance, can we perhaps start by thinking about what does being compliant mean in relation to building maintenance?

David Hemming: Absolutely. In simple terms, compliance means adhering to a set of requirements or principles that will really keep people safe, and that's the predominant area, but it's also about protection of the property and in real terms, the mitigation of risk for an organisation. At the top end of compliance there is the term statutory compliance. And what that means is what is written into law and a number of the professional bodies – BESA, CIBSE, IWFM – got together and provided a clear definition of what statutory compliance was, so please go and refer to those professional bodies. You can see it, but in broad order, it means what is in both primary legislation and secondary legislation.

However, you need to be aware that sometimes that legislation only gives generic guidance into what it means to be compliant. It may require you to then look at specialist publications such as approved codes of practice or industry standards where you get prescription of exactly what it means. Now, in some cases, you won't actually get any prescription at that point in time. What you are expected to do is use industry best practice to mitigate the risks that are involved with it. So, you know, part of this is how do you keep up to date and ensure that you know what is the right side of the law and what is potentially the wrong side of the law.

On top of that, I talked about being in regulated environments. So on top of legal aspects, certain organisations talk about mandatory requirements. These are guidelines and principles that are set out by those institutions, and you see them in the aviation industry, in defence, in health, in the food industry, and it's a separate guidance that is specific to that industry that also needs to be adhered to, and it's another layer down underneath statutory compliance.

Lisa Hamilton: That's brilliant, David. It's a difficult topic to express in simple terms. So what I basically understand from it is you need to do the right work. You need to do it at the right time with the right people. I.e. they need to be skilled and competent to do the job.

David Hemming: It's very much that. Yeah.

Lisa Hamilton: So moving on. In your experience, what are the biggest challenges facing FMs and building owners when trying to achieve compliance?

David Hemming: Well, first and foremost, it's about whether the resources that you have at your disposal are competent to understand the requirement. When we talk about competence, I talk about the skills, knowledge, attitude, training, and experience that you need to actually comply with that.

The other big challenge is, and you talked about knowing what you need to do, that is just the first part. And sadly, in the event of something going wrong, it's actually then having the records to demonstrate that you were adhering to the law or the mandatory requirements. And therefore, you know, a key part is the retaining and maintaining of records, and a lot of organisations fall down because they can't demonstrate how they're being compliant. They might well have done all of the checks and balances, done all of the inspections and testing, but they don't have the body of records to actually prove it. And sometimes if you unfortunately are in a situation post-incident where you have to demonstrate that you have a culture of compliance, not having sufficient records means that, you know, you haven't got the overwhelming evidence to demonstrate that you are by culture a compliant organisation, and therefore you run significant risks.

And the, you know, the evidence needs to be what was done and when it was done because there is prescription in certain elements of compliance, saying that you have to do it within a fixed period of time. So being able to demonstrate that you always were systematic in doing that activity is also a key thing. So the records, I would say is definitely a real issue. And the challenge also with the records bit is the continuation of error. If you don't have details of what you have, you don't know whether you are maintaining it. So, you know, part of this is, you know, that full evidence base that you need.

Lisa Hamilton: Absolutely. I think there was a question that just came through that I saw pop up from the audience. So how can you best demonstrate compliance through documentation, practice and processes?

David Hemming: Well, first and foremost, what I would say is have you got a well-articulated maintenance strategy and plan that talks about how you achieve compliance? Because part of this is demonstrating there is a methodology to it all. So ensuring you have a written document that talks about compliance, talks about the tools for compliance, talks about how you identify competency. And competency is a much bigger issue now, post the Building Safety Act, because there is a strong requirement to demonstrate that. So it's having that evidence base in all that you do that you can fall back on.

Then it's also about having a systematic approach. Small organisations, it may be that you are using a spreadsheet to say what you need to service, but in doing that it needs to be kept up to date and managed well. You know, bigger organisations, you will move to CAFM systems, IWMS systems and the like, but it's actually using the tools appropriately and making sure that evidence is recorded accurately. It is nothing worse than, you know, knowing that you have a system, investing in the system, but it not being used.

Lisa Hamilton: Absolutely. Yeah. It's something that we hear time and time again. Actually this loss of building information and accurately recording what's being done and that it's being done by a competent person and when, and documenting when changes have been done and why.

Okay. So in your experience, where do organisations tend to fall down with compliance? And does that in fact differ by sector?

David Hemming: So, you know, the main issue that I find is, you know, first and foremost, do you have a clear understanding of the assets that you have within your estate? Have you got a clear record? It is not unusual, especially when you are using outsourced providers and it's, you know, then there is an issue of who has responsibility for providing a clear asset list of what you have. So, you know, understanding what you have is the first point. Making sure then that you have a system to actually understand when you need to do it. And you can do work order processing, whether it's, as I said, a manual spreadsheet and it rotates or it's a more automated system. So, you know, having the documentation there and then also once you have done it, unfortunately human nature is of a type where you'll get some people that will, you know, say they have done activities but not necessarily completed it. So you need to be able to close the loop and be able to audit the activity to ensure that your trade staff have actually been completing the work and doing the, you know, the activities that they're being directed to. So making sure there is an audit trail and you can actually show that you are ensuring things are being done the way they should be.

Lisa Hamilton: So David, I'd like to now turn the conversation to talking about risk, which you've already started touching on. So what are the main risks of non-compliance?

David Hemming: So if we talk about statutory compliance, you know, there is a law in place, so a breach of the law can lead to a prison sentence. Now, technically the law that the majority of prosecutions are made under is the Health and Safety at Work Act. However, you know, in the event of a fatality, there is now a new law, an amended law that talks about gross negligence manslaughter, and that's really the worst charge that any FM or a property owner can face. And currently, that carries a maximum sentence of 18 years, or it could possibly be more because that's predicated on a single loss. If there are multiple losses, you know, it can be much higher. So, you know, 18 years in prison should be enough to focus most people's minds, you know, on the seriousness of staying in compliance and obviously understanding whether an individual is in, you know, a position of responsibility or accountability is a key thing. Just because you have manager in the title and not director, it doesn't mean that you will not be deemed to have responsibility. You may not have final accountability, but you may be responsible.

Next issue, obviously is financial penalties. Now, depending on the severity of the issue will depend on, you know, the court that it goes to. So lower courts, magistrates courts now have a £20,000 fine. But if it's significant enough and it goes into a Crown court, it is an unlimited fine. You know, so that is significant, you know, exposure, you know, for an organisation to have.

Next element is where you have an outsourced provision, you have an issue. Then depending on which party is in, you know, in breach, is a contractual breach. So you have a legal issue between parties, which is under civil law, and that can create all sorts of issues and really sour a relationship.

Next one I would say is reputational. You know, you don't want to be an organisation that is renowned for not looking after its people and putting them at risk because it is a significant negative when you are trying to recruit or build an organisation if you have that reputation. Also, for those of you, people with large enough organisations that have shareholders, shareholders have a tendency not to like that level of exposure, and potentially it can impact significantly on share price.

And last but not least, there is psychological damage. You know, for those people who work in organisations, if they don't believe that somebody has their back or actually experience, you know, a significant issue and, you know, an accident, it can stay with them and cause, you know, harm. We know for a fact that mental health is one of the biggest issues that we face in the modern working environment, and this is just part of it. So it's ensuring that we are looking after all of our people.

Lisa Hamilton: Okay, thank you. And maybe some of you're sitting there and thinking, well, you know, what are the chances of this really happening? What's the level of risk here? Well, you may have seen last week there was a logistics company that was fined £1 million by the HSE, and it was held accountable for failures because an employee fell whilst performing routine maintenance work and there was no risk assessment in place.

So actually the risk that David's talking about, it really could happen to you if you are not taking the appropriate actions. There was a good question I just saw that came in at this point. So when a client has set a low budget for FM, how to, I guess this is a contractor asking this question, how to handle this situation when we can't maintain the high quality FM delivery?

David Hemming: So the bottom line is, you know, in any tender response, it's up to the supply chain to identify what is the bare minimum that needs to be done to achieve statutory compliance. You know, and if the financial envelope from the supply chain or from the client doesn't allow you to do that, then it should tell you something about the value of that contract to you as an organisation. And unfortunately, you have to take a conscious decision whether your reputation, your liberty and potentially a fine is something that you are willing to take for that business, you know? But again, some of this may be a lack of understanding as to what is actually required to achieve compliance.

And part of this is how do you educate the client and a good, you know, contractor will help a client understand that. So you know, working with them, you know, to say, well actually this is the bare minimum. However, you know, there are still risks because you know you will end up with greater wear and tear on your assets. You will have less understanding of when they could fail. So what will a failure of your assets mean to you from a business continuity, EPRR if you use that terminology, and try and explain it to them in a way that they will understand from an operational point of view for their business, and that's all you really can do. But it's a professional choice whether you wish to enter into a contract where, you know, there isn't sufficient money to achieve statutory compliance.

Lisa Hamilton: Yeah. Trying to cut corners. Absolutely. I'm going to ask my colleague Alex, who's working away in the background to launch a poll question. So question number one, please, Alex. So, quite often we ask you about facts, you know, what are the main challenges that you are experiencing. For example, today we'd like to ask you a question, which is more feelings-based. So talking about risk. So thinking about your own organisation, does your organisation's current level of risk make you feel pressured?

And we've just given you three possible answers here: very, somewhat, and not very. So obviously nothing's going to be analysed on an individual level. We're just trying to get a straw poll of what the sentiment is. How are you all feeling about risk? And I think just about everybody has cast a vote. I can see one or two still coming through. Let's just give you five more seconds. Votes are still coming in. Cast your vote now. Otherwise you'll miss out on the opportunity. Oh, we've still got votes coming in. Okay. 5, 4, 3, 2, 1. And can I ask Alex to share the results of the poll so we can see that for 23% of you, you are feeling very pressured about the level of risk within your organisation. The majority of you at 54%, feeling somewhat pressured, and 23% of you not very. Okay. If you wouldn't mind just unsharing that please, Alex. Thank you for taking part in that, everyone.

Okay. So moving on. So David, let's try and give the people some advice and some potential solutions, some tips if you like, on how to achieve compliance.

David Hemming: So I think, you know, as I stated earlier, you know, the first and foremost thing you need to do is have up-to-date data on your assets and the level of intervention that you've undertaken on them or for other organisations. If you are a contractor and you are bidding on outsourced work, you know what is the level of confidence that you have in that data? Is part of your approach to do 100% asset capture? So you can do that. Obviously. Then there is risk about the price, but you should then look at negotiating a mechanism by which you can then say, above this level of assets, you know, there is an adds and omits process. But having accurate data and information is really key to this.

As I've said, having articulated maintenance plans and strategies and clear processes because part of this is whilst the high level management may have a clear understanding of what they're trying to achieve, but it's how you articulate that down to the lowest level to the trade staff. You know, do they understand where they fit into that process and what aspects they need to do in terms of the activities and recording those activities and making sure they're correctly attributed to the activity? So, you know, being able to, you know, demonstrate practice and procedures is there.

And I suppose, you know, the next piece really is having a greater awareness as to what is required to maintain your assets. If you are busy, the law has a tendency to change and we've seen a massive raft of changes in primary and secondary legislation in the last 24 months. You know, Fire Safety Act, Building Safety Act, and all of that. So unless you are able to keep on top of, you know, all those changes, unless you are, you know, members of professional bodies where you regularly attend, you know, webinars and CPD on it, you really need to think about having a tool where you can actually let other people provide that level of research and that data.

BESA, back 20 plus years ago, recognised the challenge from, you know, their members of how to stay compliant because of this changing environment. And it was because of that, that, you know, SFG20 was created to create, you know, a standard set of lists where people could automatically refer to this as an industry standard. And SFG20 has absolutely become an industry standard. However, the challenge then is the timeliness. Back in the dim distant past, you know, it was all spreadsheets and people would use historic spreadsheets and SFG20 schedules to plan things. However, you know, they're only as accurate as the day that they were printed. So when the law changes, you know, if you've got an out-of-date SFG20 schedule, it doesn't provide you any defence to say why you are not being compliant.

So in this day and age, it's about ensuring that you have an up-to-date licence that you are using. SFG20 is that tool to help, you know, examine all of the changing environments and provide advice and guidance. And, you know, my experience, and I've used SFG20 in nearly every organisation I've been in the last 20 years, is, you know, to make sure that you are using the updates and then looking at how that impacts you, whether it's an in-house staff, whether it's an outsourced staff, and there needs to be, you know, open and honest conversation, especially when you've got a contracted staff of what those changes, you know, are, you know.

In real terms risk should sit where it's best managed. So, you know, don't, you know from a client's point of view, you can't just throw it over the fence to a contractor and say, well, you know, you should have known that the law could have changed. You should have priced for this. If it wasn't clearly articulated in that, you know, then there is a conversation where there's an alteration to contract. And you know, and being open and honest between client and supply chain is the only way to really keep on top of this, because you need a good, strong working relationship. It's about people and property. It's not just about the contract. You know, be aware of what it actually, you know, entails at the end of the day.

Lisa Hamilton: Yeah. Wise words. So everybody's responsible, aren't they, in their own different ways. What I'm going to do is ask Alex again, please to put up poll question number two because David's talking about the SFG20 standard. So if you would like to see, to understand a little bit more about the standard and what is contained within it, we can arrange to have an expert contact you. We can show you the kind of content that is going to be relevant to your facilities, your estates. I think this question you can answer one or the other, so don't worry if you want to talk about both the software and the standard, that's absolutely fine. Just register for one.

So yeah, the standard is incredibly important and as David said, it's constantly changing. So, for example, there were over 700 updates in the last 12 months alone to incorporate all of the new legislation, supporting regulations. And of course, codes of practice are changing all the time and best practice is changing. So that standard is the best way of keeping on top of all of your statutory requirements that you need to complete to stay compliant.

And then SFG20 Mobiliser. So maybe this is a new name for you. So, as David referenced, we knew, you know, this is 2024, time's moving on, we shouldn't be relying on outdated paper printouts of a standard that's dynamic and always changing. So this is the new software that we just launched earlier this year. So if you haven't seen SFG20 Mobiliser in action, I really do recommend that you click that button and make sure that you see it. It's a significant step forward. For those of you who are familiar with SFG20 content, this allows you to work with the standard, get a lot more value from the standard and save a heap of your time. Because when updates are created, there are now features, like you can compare side by side the comparison of what's changed in a schedule, and then it puts users in control of when they can accept updates. So for example, if you've got a new contract starting, you might decide to implement changes at that point.

The other big step forward is that we knew that getting the standard from SFG20 into all of your operational systems was a headache for you all. So now what we've done is created a new API, which is free for everyone to use, and that means that once your updates have been accepted in SFG20 Mobiliser, it just flows through into your CAFM or your other operational system. And we've also structured all of our guidance to be more CAFM friendly, as we like to say. So all of that information flows through really seamlessly. So, uh, enough said, you know, the offer's there. And we look forward to speaking to those of you who've raised your hand on that.

Okay. So we can get rid of that poll please, Alex. So I want to ask another question to David, which is, how can FMs make building maintenance compliance a priority in their organisations?

David Hemming: Again, the majority of organisations and especially the ones I've been in, when, when you, you know, you talk to board or sit on the board, there isn't a great deal of understanding of what the building does for them and what it involves. However, you know, what a board or senior, you know, managers understand to a certain level is risk. And you know that in the basic terms, risk is bad and therefore we don't want to deal with risk. And whilst they'll talk about being risk averse, and we have an example, you know, with a client, you know, potentially setting a low, you know, financial envelope, they may say they're averse to risk, but then they need to actually be clear on what they mean, what is their actual appetite to it and how does it manifest itself?

And there's a difference between, you know, their appetite. They may say that they are risk averse, but then that means that they will need to spend, you know, unlimited amounts of money to mitigate that risk, and invariably, most organisations aren't. So it's having a clear conversation about risk appetite, also about what level the organisation can tolerate because you will get a difference between what an organisation can tolerate and what individuals are happy to tolerate.

Once they have a clear understanding that actually their risk appetite and their risk exposure are different, they need to bring those together and they need to then understand what the implications are and whether it's a legal implication or a moral implication, and what the sanctions are for that, for failure. So, you know, the next thing is talking about safety management and actually because this, most of compliance is all about safety. It's about keeping people safe. And the second order effects is keeping the property safe. So having a formal management within that risk management of saying what it actually means.

And unfortunately, you regularly see a little bit over-exaggeration sometimes on health and safety. So it, it can be felt sometimes a little bit like crying wolf when it comes to some, you know, risk assessments. So it's being pragmatic, but being open and honest about it. And, you know, the issue with safety management and any sort of quality management system is that plan, do, check, act is making sure that you, you know, once you say that there is a risk, you look at what the mitigation is and putting that mitigation and it may be the level of maintenance and everything else. You then come back and look at what that impact is. Is productivity impacted? Is the operational activity impacted? If it is and it's, you know, outside of a risk appetite, then you change what you do and you impact more. If it's within it, you are happy and it's making sure that there's that circular motion, but it's bringing that to the attention of senior management.

Because if they don't know, they cannot make informed decisions. You know, if you talk about widgets, boilers, pipework, you know, electronics, they're unlikely to understand it. If you talk about things that they are likely to understand, which is money, productivity, operational outputs, and the risks involved in that, you are likely to have a much better conversation with them about what it actually really means.
