
Danielle Tan
Chief Operating Officer
Outdated registers, missed renewals and spreadsheet tracking may expose companies to audit findings, authority inspection concerns and operational risk. Here are the 10 HSE compliance mistakes Malaysian companies should avoid.
Quick Summary: The ten most common HSE legal compliance mistakes Malaysian companies make are an outdated legal register, tracking compliance in spreadsheets, not monitoring regulatory changes, unclear ownership of tasks, poor documentation of evidence, treating compliance as an annual exercise, failing to evaluate compliance status, weak cross-department communication, missed renewal deadlines, and viewing compliance as a cost rather than a business strategy. Each one can increase exposure to fines and audit findings, and each is fixable with a structured, continuously maintained compliance system.
Many Malaysian companies unintentionally fall into the same HSE (Health, Safety and Environment) legal compliance traps that lead to regulatory non-compliance, audit findings, fines, operational disruptions, and even workplace incidents. The most common mistakes include relying on outdated legal registers, tracking compliance manually in spreadsheets, missing regulatory updates, failing to assign clear responsibilities, and lacking evidence that legal requirements have been implemented. Understanding these mistakes is the first step toward building a proactive compliance management system that protects both the business and its employees.
As Malaysia’s regulatory landscape continues to evolve, organizations are expected to comply with numerous requirements under agencies such as the Department of Occupational Safety and Health (DOSH), Department of Environment (DOE), Fire and Rescue Department (Bomba), local authorities, and other applicable regulators. For companies certified to ISO 45001 or ISO 14001, effective legal compliance management is also a key audit requirement.
Here are the ten mistakes: why each is risky, who usually owns it, and how to fix it.
The 10 Mistakes at a Glance
| # | Mistake | Why it’s risky | Best-practice fix | Typical owner |
|---|---|---|---|---|
| 1 | Outdated legal register | Blind spots to amended laws | Review quarterly; track changes digitally | HSE Manager |
| 2 | Tracking compliance in Excel | Version errors, missed reminders | Centralised, reminder-driven system | HSE / IT |
| 3 | Not monitoring regulatory changes | New duties found only at enforcement | Structured legislative-watch process | HSE / Legal |
| 4 | Unclear ownership | Tasks fall through the cracks | Accountability and due dates per task | Dept. Heads |
| 5 | Poor evidence documentation | Findings even when work was done | Central evidence repository | HSE / QA |
| 6 | Compliance as an annual ritual | Reactive and error-prone | Continuous year-round monitoring | HSE Manager |
| 7 | No compliance evaluation | Knowing the law is not complying | Scheduled compliance evaluations | Management Rep |
| 8 | Poor cross-department communication | Duplicated or orphaned tasks | Shared task visibility | All departments |
| 9 | Missed renewal deadlines | Expired permits equal non-compliance | Automated reminders before expiry | Facilities / HSE |
| 10 | Compliance seen as cost | Under-investment, weaker resilience | Position compliance as strategy and ESG | Senior Leadership |
1. Maintaining an Outdated Legal Register
Many organisations build a legal register once during ISO certification and never revisit it. But Malaysian HSE law keeps changing. The 2024 OSHA reforms alone introduced new subsidiary legislation, such as the Occupational Safety and Health (Plant Requiring Certificate of Fitness) Regulations 2024, replacing older provisions that many registers still cite. An outdated register creates blind spots that surface during inspections or surveillance audits, often as an audit finding or nonconformity.
Best practice: Review the legal register at least quarterly, map every entry to the operations it governs, and update it when a relevant legal or regulatory change is identified. If your register still references the repealed Factories and Machinery Act 1967, it needs updating now.
2. Tracking Compliance in Excel Spreadsheets
Excel is familiar and cheap, but it was never built for compliance management. Manual updates, broken formulas, version-control confusion, and forgotten reminders all increase the chance of a gap. The problem only compounds as a company adds sites, permits, and people.
Best practice: Move to a centralised system with automated reminders, document control, and audit-ready reporting. This is the kind of shift Nexus supports through its Business Digitalization service.
3. Not Monitoring Regulatory Changes
Many companies only discover a new legal requirement after an enforcement visit. Yet environmental permits, occupational-safety regulations, and sector rules all change throughout the year. The DOE updates scheduled-waste expectations under the Environmental Quality (Scheduled Wastes) Regulations 2005, DOSH issues new guidelines, and Bomba revises designated-premises requirements.
Best practice: Set up a structured legislative-watch process. Assign someone to monitor DOSH, DOE, and Bomba updates, then formally assess how each change affects your operations and your register.
4. Unclear Ownership of Compliance Responsibilities
When everyone assumes someone else owns a task, the task does not get done. Common casualties include fire certificate renewals, machinery certificates of fitness, scheduled-waste reporting, chemical health risk assessments (CHRA), employee medical surveillance, and scheduled environmental monitoring.
Best practice: Assign responsibility, accountability, and a due date to every legal obligation. The new Section 29A duty to appoint an OSH Coordinator, for workplaces with five or more employees that do not require a Safety and Health Officer, makes clear ownership a legal expectation rather than just good practice.
5. Poor Documentation of Compliance Evidence
Doing the work is only half the requirement. You also have to demonstrate that you complied. In any DOSH or DOE inspection, a missing inspection report, training record, calibration certificate, or eSWIS consignment note can trigger a non-conformity even when the underlying work was done correctly.
Best practice: Store all compliance records (certificates, monitoring results, training logs, consignment notes) in a centralised, searchable repository, so evidence can be retrieved quickly during an audit instead of after a lengthy search.
6. Treating Compliance as an Annual Audit Exercise
Reviewing legal requirements only a few weeks before a surveillance or certification audit is a recipe for avoidable corrective actions. This reactive sprint raises stress and increases the odds of an overlooked obligation slipping through.
Best practice: Monitor compliance continuously across the year. A live view of obligations, statuses, and upcoming deadlines makes audit preparation more manageable and evidence-based, instead of a last-minute scramble.
7. Failing to Evaluate Compliance Status
Knowing which regulations apply is not the same as verifying that you actually comply, and that distinction is a frequent source of findings. Both ISO 45001:2018 and ISO 14001:2026 require organisations to periodically evaluate compliance with their legal and other requirements (clause 9.1.2) and to keep documented evidence of the results. ISO 14001:2026 is the latest edition, published in April 2026 and replacing ISO 14001:2015; certified organisations transition to it on a timeline set by their certification body.
Best practice: Schedule formal compliance evaluations, for example half-yearly, record the outcome against each obligation, and track every identified gap to closure.
8. Poor Communication Across Departments
HSE compliance is not the HSE department’s job alone. Engineering, Maintenance, Production, HR, Procurement, and Facilities each hold pieces of the legal puzzle: machinery inspections, contractor management, medical surveillance, chemical purchasing, and building systems. Without shared visibility, duties get duplicated or, worse, orphaned.
Best practice: Build cross-functional ownership and give every relevant department visibility of the compliance tasks assigned to it, from a single source of truth.
9. Missing Critical Renewal Deadlines
Expired licences, permits, certificates, and registrations are among the most common and most avoidable causes of regulatory non-compliance in Malaysia. High-risk examples include:
• Fire Certificate (Perakuan Bomba): required for designated premises under Section 28 of the Fire Services Act 1988 (Act 341) and renewable annually. The renewal (Form III) must reach Bomba at least 30 days before expiry, and renewals may be subject to Bomba review or inspection.
• Machinery Certificate of Fitness: for plant such as pressure vessels and hoisting equipment, under the OSHA Certificate of Fitness regime.
• Scheduled-waste reporting: generators must notify the DOE within 30 days of generating new scheduled waste and report movements through the eSWIS portal. Scheduled waste may generally be stored on-site for no longer than 180 days, and up to 20 metric tonnes, before treatment or disposal, unless the DOE approves otherwise.
• Competency certificates: for SHOs, scaffolders, gas testers, and other competent persons.
Best practice: Set automated reminders well before each expiry date (for example at 90, 60, and 30 days) so there is always enough runway to inspect, rectify, and renew.
10. Viewing Compliance as a Cost Instead of a Business Strategy
When compliance is treated purely as a regulatory burden, it gets under-resourced, and under-resourced compliance can contribute to audit findings, incidents or enforcement exposure. With Malaysia recording 38,950 occupational injury cases in 2023, up from 34,216 in 2022 (Department of Statistics Malaysia), the cost of non-compliance is rarely abstract.
Best practice: Position HSE compliance as part of business resilience and operational excellence. Strong compliance helps reduce operational risk, protect employees, strengthen customer and investor confidence, support better audit performance, and advance your ESG and corporate-governance objectives.
Common Questions Malaysian Companies Ask About HSE Legal Compliance
1. What is HSE legal compliance?
A: HSE legal compliance is the act of meeting all applicable health, safety, and environmental laws, regulations, permits, and obligations relevant to your operations. In Malaysia, that is principally OSHA 1994 (Act 514), the Environmental Quality Act 1974 (Act 127), and the Fire Services Act 1988 (Act 341), along with their subsidiary regulations.
2. Why is HSE legal compliance important in Malaysia?
A: Because non-compliance is costly. It exposes organisations to fines, enforcement action, operational shutdowns, workplace accidents, environmental incidents, and reputational damage. Following the 2024 OSHA amendments, the maximum fine for core employer-duty breaches rose to RM500,000.
3. Which Malaysian authorities regulate HSE compliance?
A: Mainly three: DOSH for workplace safety, the DOE for environmental matters, and Bomba (JBPM) for fire safety. Local authorities and sector-specific regulators may also apply, depending on your industry.
4. Does ISO 14001 or ISO 45001 require legal compliance management?
A: Yes. Both standards require organisations to identify applicable legal and other requirements, keep them current, and periodically evaluate compliance (clause 9.1.2), retaining documented evidence of the results.
5. Why are spreadsheets not ideal for managing HSE legal compliance?
A: Because they depend on manual updates, are prone to human error, lack automated reminders and audit trails, and become hard to maintain across multiple sites. That makes missed renewals and lost evidence far more likely.
6. How can a digital compliance system improve HSE management?
A: A centralised system helps you keep the legal register current, assign responsibilities, send renewal reminders, store evidence, and generate audit-ready reports. The result is an organisation that is better prepared for audits and misses fewer obligations.
7. What changed for OSHA compliance in Malaysia in 2024?
A: On 1 June 2024, the OSH (Amendment) Act 2022 (Act A1648) took effect and the Factories and Machinery Act 1967 was repealed. Key changes include coverage extended to almost all workplaces, a statutory duty to conduct risk assessment, a new OSH Coordinator role for workplaces with five or more employees (where an SHO is not required), and the maximum fine raised from RM50,000 to RM500,000.
8. How often should a legal register be reviewed?
A: At a minimum, quarterly, and immediately whenever a relevant law or guideline is amended (such as the 2024 OSHA and FMA changes), so the register never falls behind current obligations.
Moving From Reactive to Proactive Compliance
For most Malaysian companies, identifying applicable regulations is rarely the hard part. The real challenge is managing them efficiently across multiple sites, departments, and renewal cycles.
A structured, digital approach centralises your legal register, helps you monitor regulatory updates across DOSH, DOE, and Bomba, assigns responsibilities, automates renewal reminders, stores evidence, and produces audit-ready reports on demand. This cuts administrative load while raising compliance visibility across the organisation. Instead of maintaining spreadsheets and chasing documents, HSE teams can focus on what actually reduces risk: managing hazards, evaluating compliance, and improving performance.
Done well, a digital approach does more than save time. It strengthens compliance, reduces risk, and keeps you ready for an increasingly demanding regulatory environment.
How Nexus Consultancy Can Help
Nexus Consultancy helps organisations build HSE compliance into a managed, audit-ready system:
• ISO 45001 and ISO 14001 Consultancy: establish and maintain your legal register, your legal-and-other-requirements process, and your compliance evaluation as part of a certified management system.
• ISO 45001 Training and ISO 14001 Training: upskill your team on legal requirements, internal auditing, and compliance evaluation (HRD Corp claimable, subject to eligibility and approval).
• Business Digitalization: move compliance tracking off spreadsheets and into a centralised, reminder-driven system.
Book a consultation to review your legal register and identify your compliance gaps before your next audit.
👉 Book Your Professional 1-on-1 Consultation: https://nexustac.com/contact
👉 WhatsApp (Fast Response): https://wa.link/34icb2
