World-Class Compliance Assurance Program Part 5: Maintaining a Compliance Assurance Program

June 22, 2017 - Kestrel Management

This is the fifth in a series of five articles on developing and maintaining a world-class compliance assurance program.

A well-designed and well-executed compliance assurance program provides an essential tool for improving and verifying business performance and limiting compliance risks. Ultimately, however, a compliance program’s effectiveness comes down to whether it is merely a “paper program” or whether it is being integrated into the organization and used in practice on a daily basis. 

The following can show evidence of a living, breathing program:

  • Comprehensiveness of the program
  • Dedicated staff and resources
  • Employee knowledge and engagement
  • Management commitment and employee perception
  • Internal operational inspections, “walk-abouts” by management
  • Independent insider, plus third-party audits
  • Program tailoring to greatest risks
  • Consistency and timeliness of exception (noncompliance/nonconformance) disclosures
  • Tracking of timely and adequate corrective/preventive action completion
  • Progress and performance monitoring

Best Practices

To achieve a compliance assurance program on par with world-class organizations, there are a number of best practices that companies should employ:

Know the requirements. This means maintaining an inventory of regulatory compliance requirements for each compliance program, as well as of state/local/contractual binding agreements applying to operations. It is vital that the organization keep abreast of current/upcoming requirements (federal, state, local).

Plan and develop the processes to comply. Identify and assess compliance risks, and then set objectives and targets for performance improvement based on top priorities. From here, it becomes possible to then define program improvement initiatives, assign and document responsibilities for compliance (who must do what and when), develop procedures and tools, and then allocate resources to get it done.

Assure compliance in operations. The organization needs to establish routine checks and inspections within departments to evaluate conformance with sub-process procedures. Process audits should be designed and implemented to cut across operations and sub-processes in order to evaluate conformance with company policies and procedures. Regulatory compliance audits should further be conducted to address program requirements (e.g., environmental, safety, mine safety, security). Audit performance must be measured and reported, and then expectations set for operating managers to take responsibility for compliance.

Take action on issues and problems. Capture, log, and categorize noncompliance issues, process nonconformances, and near misses. Implement a corrective/preventive action process based on importance of issues. Be disciplined in timely completion, close-out, and documentation of all corrective/preventive actions.

Employ a management of change (MOC) process. Robust MOC processes help ensure that changes affecting compliance (to facility, operations, personnel, infrastructure, materials, etc.) are reviewed for their impacts on compliance. Compliance should be assured before the changes are made. Failure to do so is one of the most common root causes of noncompliance.

Ensure management involvement and leadership. Set the tone at the top. The Board of Directors and senior executives must set policy, culture, values, expectations, and goals. It is just as important that these individuals are the ones to communicate across the organization, to demonstrate their commitment and leadership, to define an appropriate incentive/disincentive system, and to provide ongoing organizational feedback.

Maintaining an Ongoing World-Class Compliance Assurance Program

The compliance assurance program must be a living, breathing program. As risks change, the program must be refreshed, refined, and redeployed. A Management System framework can help ensure operational sustainability. A Management System drives the auditing process and helps companies say what they will do, do what they say and, importantly, verify it.

Together, there is real value at the intersection of a compliance assurance program and Management Systems. Management Systems define the internal controls that are in place to reduce risks, prevent losses, and sustain and improve performance over time through the Plan-Do-Check-Act (PDCA) cycle of continual improvement.

Testing and Monitoring

Testing, monitoring, and measuring are crucial elements of this cycle. Without them, it is difficult to understand what is working and what needs improvement. Robust testing and monitoring programs can serve as early warning systems for identifying potential compliance risks before they become enforcement issues.

Compliance should be tested and monitored throughout each level of the organization. A strong testing program will evaluate the results of the compliance risk assessment and assign compliance risks to the business units and processes where they are most likely to occur, creating clear lines of responsibility and accountability. Key risks and the related controls should be tested periodically using statistically valid sampling methodologies, and monitoring activities should be performed on an ongoing basis. Doing so produces trend data that provides the rationale needed for making changes to underlying business processes, as well as for addressing emerging risks.

Ongoing compliance excellence relies on top management, operations managers, EHS personnel, and individual employees throughout the organization working together to build and sustain an organizational culture that places compliance on par with business performance. Senior management must focus on the overall culture of the company in terms of taking the necessary steps to reduce risk and make prevention part of daily operations. While it may be impossible to eliminate all risk exposure, a solid risk framework, assessment methodology, and compliance assurance program can help to prioritize risks for active management, sustained compliance, and positive business impacts.

Submitted by: Tom Kunes

 

Don’t Miss Kestrel at the EHS Seminar in Galveston 6/5-6/8

June 1, 2017 - Kestrel Management

Join Kestrel at the 30th annual EHS Seminar next week to hear A.W. Armstrong present on Using a Data-Driven Method of Accident Analysis: A Case Study of the Human Performance Reliability (HPR) Process.


EHS Seminar
June 5-8, 2017
Moody Gardens Convention Center
Galveston, Texas
Kestrel Presentation: Thursday June 8 at 8:30 a.m.
Kestrel Booth: #611


The Role of Human Error in Occupational Incidents

The concept of human error and its contribution to accidents and incidents has received considerable research attention in recent years. When an accident/incident occurs, investigation and analysis of the human error that led to the incident often reveals vulnerabilities in an organization’s management system.

This recent emphasis on human error has resulted in an expansion of knowledge related to human error and the most common factors contributing to incidents. Kestrel’s Human Performance Reliability (HPR) process helps to classify human error—with the additional step of associating the control(s) that failed to prevent the incident from occurring. This process allows organizations to identify how and where to focus resources to drive safety performance improvements.

In this presentation, A.W. describes Kestrel’s method for identifying the most frequent human errors and most problematic controls, and presents a case study wherein HPR was applied to a large petroleum refining company.

Catch Up with Kestrel

In addition to the presentation on June 8, Kestrel’s experts will also be available in the exhibit hall (booth #611) to discuss HPR, as well as our holistic approach to the management of process safety.

We welcome the opportunity to meet with you, learn more about your needs, and discuss how Kestrel helps our clients:

  • Improve occupational and process safety performance
  • Manage EHS and quality risks
  • Achieve regulatory compliance assurance

See you at booth #611 in Galveston!

Submitted by: A.W. Armstrong

World-Class Compliance Assurance Program Part 4: Audit Program Best Practices

April 18, 2017 - Kestrel Management

This is the fourth in a series of five articles on developing and maintaining a world-class compliance assurance program.

Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. An audit is typically part of a broader compliance assurance program and can cover some or all of the company’s legal obligations, policies, programs, and objectives.

There are a number of third-party auditing standards that offer guidelines for ensuring accurate, complete, and reliable EHS audits, including:

  • The Board of Environmental, Health, and Safety Auditing Certifications (BEAC) Standards, 2008
  • ISO 19011 Auditing Guidelines, 2002
  • Auditing Roundtable Standards, 1993
  • USEPA Auditing Policy, 1986, 2000
  • Institute of Internal Auditors Standards, 1997

Best Practices

Companies come in a variety of sizes with a range of different needs, so auditing standards remain fairly flexible. There are, however, a number of audit program elements and best practices that can help ensure a comprehensive audit program:

Goals. Establishing goals enables recognition of broader issues and can lead to long-term preventive programs. This process allows the organization to get at the causes and focus on important systemic issues. It pushes and guides toward continuous improvement. Goal-setting further addresses the responsibilities and obligations of the Board of Directors for audit and oversight and elicits support from stakeholders.

Scope. The scope of the audit should be limited initially (e.g., compliance and risk) to what is manageable and to what can be done very well, thereby producing performance improvement and a wider understanding and acceptance of objectives. As the program is developed and matures (e.g., management systems, company policy, operational integration), it can be expanded and, eventually, shift over time toward systems in place, prevention, efficiency, and best practices.

Committed resources. Sufficient resources must be provided for staffing and training and then applied, as needed, to encourage a robust auditing program. Resources also should be applied to EHSMS design and continuous improvement. It is important to track the costs/benefits to compare the impacts and results of program improvements.

Operational focus. All facilities need to be covered at the appropriate level, with emphasis based on potential EHS and business risks. The operational units/practices with the greatest risk should receive the greatest attention (e.g., the 80/20 Rule). Vendors/contractors and related operations that pose risks must be included as part of the program. For smaller, less complex and/or lower risk facilities, lower intensity focus can be justified. For example, relying more heavily on self-assessment and reporting of compliance and less on independent audits may provide better return on investment of assessment resources.

Audit team. A significant portion of the audit program should be conducted by knowledgeable auditors (independent insiders, third parties, or a combination thereof) with clear independence from the operations being audited and from the direct chain of command. For organizational learning and to leverage compliance standards across facilities, it is good practice to vary at least one audit team member for each audit. Companies often enlist personnel from different facilities and with different expertise to audit other facilities. Periodic third-party audits further bring outside perspective and reduce tendencies toward “home-blindness”.

Most common options for compliance audit team design include the following:

  • Facility-based EHS Team
    • Advantages – awareness of operations and specific facility EHS regulated activities
    • Disadvantages – lack independence and objective outside perspective; may have some responsibilities for activities audited; likely to have limited regulatory expertise needed; likelihood of significant inconsistencies and variability from facility to facility
    • Best use – routine and frequent inspections and monitoring, including progress checks on completion of corrective actions arising from other audits; desirable to have staff from other facilities participate on audit team; auditors should not audit their own departments or operations; may conduct and submit to corporate annual facility compliance self-assessments and assurance statements by facility management
  • Independent Inside EHS Team
    • Typically, from corporate headquarters (may include facility EHS representatives from other facilities)
    • Advantages – improved independence from operations; likely to provide regulatory know-how and multi-facility perspective; consistency in audit methods and content likely across facilities
    • Disadvantages – can be subject to limited independence and internal business pressures; may have limited perspective on best industry practices from outside organization; may not have up-to-date regulatory requirements awareness
    • Best use – dedicated corporate EHS lead auditor(s) supported by subject matter experts on audit team; EHS personnel from other facility(s) participate on team for cross-facility learning; audit protocols maintained to be current; audits conducted annually at higher risk facilities; team review of facility self-assessments at lower risk facilities
  • Third-Party Independent Audit Team
    • Advantages – organizational independence; outside perspective and experience with compliance practices of other companies; auditor credentials and up-to-date awareness of audit methods and regulatory requirements; ability to bring specialized know-how, as needed; must meet client expectations for deliverable quality and timeliness
    • Disadvantages – may not have organizational standing to ensure necessary cooperation and openness of auditees
    • Best use – periodic audit of the company’s audit program and process (5-year cycle); periodic compliance audits of selected facilities (3-year cycle), including auditing the completion of corrective actions initiated as a result of internal audits by corporate team; audits of company’s management system as part of compliance audits; done under attorney-client privilege

Audit frequency. There are several levels of audit frequency, depending on the type of audit:

  • Frequent: Operational (e.g., inspections, housekeeping, maintenance) – done as part of routine EHSMS day-to-day operational responsibilities
  • Periodic: Compliance, systems, actions/projects – conducted annually/semi-annually
  • As needed: For issue follow-up
  • Infrequent: Comprehensive, independent – conducted every three to four years

Differentiation methods. Differentiating identifies and distinguishes issues of greatest importance in terms of risk reduction and business performance improvement. The process for differentiating should be as clear and simple as possible; a system of priority rating and ranking is widely understood and agreed. The rating system can address severity levels, as well as probability levels, in addition to complexity/difficulty and length of time required for corrective actions.

Legal protection. Attorney privilege for audit processes and reports is advisable where risk/liability are deemed significant, especially for third-party independent audits. To the extent possible, make the audit process and reports management tools that guide continuous improvement. Organizations should follow due diligence elements of the USEPA audit policy.

Procedures. Describe and document the audit process for consistent, efficient, effective, and reliable application. The best way to do this is to involve both auditors and those being audited in the procedure design. Audit procedures should be tailored to the specific facility/operation being audited. Documented procedures should be used to train both auditors and those accountable for operations being audited. Procedures can be launched using a pilot facility approach to allow for initial testing and fine-tuning. Keep procedures current and continually improve them based on practical application. Audits include document and record review (corporate and facility), interviews, and observations. 

Protocols & tools. Develop specific and targeted protocols that are tailored to operational characteristics and based on applicable regulations and requirements for the facility. Use “widely accepted or standard practice” as go-by tools to aid in developing protocols (e.g., ASTM site assessment standards; ISO 14010 audit guidance; audit protocols based on EPA, OSHA, MSHA, Canadian regulatory requirements; GEMI self-assessment tools; proprietary audit protocol/tools). As protocols are updated, the ability to evaluate continuous improvement trends must be maintained (i.e., trend analysis).

Information management & analysis. Procedures should be well-defined, clear, and consistent to enable the organization to analyze trends, identify systemic causes, and pinpoint recurring problem areas. Analysis should prompt communication of issues and differentiation among findings based on significance. Audit reports should be issued in a predictable and timely manner. It is desirable to orient the audit program toward organizational learning and continual improvement, rather than a “gotcha” philosophy. “Open book” approaches help learning by letting facility managers know in advance what the audit protocols are and how the audits will be conducted.

Verification & corrective action. Corrective actions require corporate review, top management-level attention, and management accountability for timely completion. A robust root cause analysis helps to ensure not just correction/containment of the existing issue, but also preventive action to assure controls are in place to prevent the event from recurring. For example, if a drum is labeled incorrectly, the corrective action is to relabel that drum. A robust plan should also look for other drums that might be labeled incorrectly and add and communicate an effective preventive action (e.g., training or posting signs showing a correctly labeled drum).

Action item closure. Address repeat findings. Identify patterns and seek root cause analysis and sustainable corrections.

Training. Training should be done throughout the entire organization, across all levels:

  • Auditors are trained on both technical matters and program procedures.
  • Management is trained on the overall program design, purpose, business impacts of findings, responsibilities, corrections, and improvements.
  • Line operations are trained on compliance procedures and company policy/systems.

Communications. Communications with management should be done routinely to discuss status, needs, performance, program improvements, and business impacts. Communications should be done in business language—with business impacts defined in terms of risks, costs, savings, avoided costs/capital expenditures, benefits. Those accountable for performance need to be provided information as close to “real time” as possible, and the Board of Directors should be informed routinely.

Leadership philosophy. Senior management should exhibit top-down expectations for program excellence. EHSMS quality excellence goes hand-in-hand with operational and service quality excellence. Learning and continual improvement should be emphasized.

Roles & responsibilities. Clear roles, responsibilities, and accountabilities need to be established. This includes top management understanding and embracing their roles/responsibilities. Owners of findings/fixes also must be clearly identified.

Funding for corrective actions. Funding should be allocated to projects based on significance of risk exposure (i.e., systemic/preventive actions receive high priority). The process should incentivize proactive planning and expeditious resolution of significant problem areas and penalize recurrence or back-sliding on performance and lack of timely fixes.

Performance measurement system. Audit goals and objectives should be nested with the company business goals, key performance objectives, and values. A balanced scorecard can display leading and lagging indicators. Metrics should be quantitative, indicative (not all-inclusive), and tied to their ability to influence. Performance measurements should be communicated and widely understood. Information from auditing (e.g., findings, patterns, trends, comparisons) and the status of corrective actions often are reported on compliance dashboards for management review.

Degree of business integration. There should be a strong link between programs, procedures, and methods used in a quality management program—EHS activities should operate in patterns similar to core operations rather than as ancillary add-on duties. In addition, EHS should be involved in business planning and MOC. An EHSMS should be well-developed and designed for full business integration, and the audit program should feed critical information into the EHSMS.

Accountability. Accountability and compensation must be clearly linked at a meaningful level. Use various award/recognition programs to offer incentives to line operations personnel for excellent EHS performance. Make disincentives and disciplinary consequences clear to discourage non-compliant activities.

Deployment plan & schedule. Best practice combines the use of pilot facility audits, baseline audits (to design programs), tiered audits, and a continuous improvement model. Facility profiles are developed for all top priority facilities, including operational and EHS characteristics and regulatory and other requirements.

Relation to best practices. Inventory best practices and share/transfer them as part of audit program results. Use best-in-class facilities as models and “problem sites” for improvement planning and training. The figure illustrates an audit program that goes beyond the traditional “find it, fix it, find it, fix it” repetitive cycle to one that yields real understanding of root causes and patterns. In this model, if the issues can be categorized and are of wide scale, the design of solutions can lead to company-wide corrective and preventive measures. This same method can be used to capture and transfer best practices across the organization. They are sustained through the continual review and improvement cycle of an EHSMS and are verified by future audits.

In our fifth and final article in this series, we talk about compliance program best practices and what it takes to maintain an ongoing world-class compliance assurance program.

Submitted by: Tom Kunes

EPA Proposes to Delay RMP Rule Effective Date to 2019

April 5, 2017 - Kestrel Management

On Friday, March 31, U.S. Environmental Protection Agency (EPA) Administrator Scott Pruitt announced a proposed rule to further delay the effective date of the Obama Administration’s Risk Management Program (RMP) final rule until February 19, 2019. This will give the agency time to reconsider the final RMP rule published on January 13, 2017.

Industry organizations have raised serious concerns about the final rule. The proposal to further delay the effective date of the amendments will allow the Agency time to evaluate these objections and consider other issues that may benefit from additional public input.

Read the entire EPA press release.

Submitted by: Sarah Burton

EPA Puts Risk Management Program Rule on Hold

March 15, 2017 - Kestrel Management

This January, the much anticipated final RMP amendments were published in the Federal Register. According to the EPA, these amendments are intended to:

  • Prevent catastrophic accidents by improving accident prevention program requirements
  • Enhance emergency preparedness to ensure coordination between facilities and local communities
  • Improve information access to help the public understand the risks at RMP facilities
  • Improve third-party audits at RMP facilities

As Kestrel indicated in a recent article when the final RMP amendments were published, RMP faces an uncertain future under the Trump Administration. It is not clear at this point whether the final RMP rule will actually be implemented as published—or at all.

We are seeing the first wave of that uncertainty demonstrated. EPA received a petition dated February 28, 2017, from the RMP Coalition requesting reconsideration and a stay of the RMP rule amendments. After a proceeding for reconsideration on March 13, 2017, EPA’s Administrator signed a final rule that provides a three-month (90-day) administrative stay of the effective date of the RMP rule amendments, delaying the effective date of the final rule to June 19, 2017. This stay is intended to allow the EPA to revisit these important issues and consider alternative approaches.

Submitted by: Sarah Burton

World-Class Compliance Assurance Program Part 3: Compliance Risks and Compliance Program Assessment

February 15, 2017 - Kestrel Management

This is the third in a series of five articles on developing and maintaining a world-class compliance assurance program.

Compliance risk assessment helps to identify and assess risks related to applicable regulatory requirements. Internal and external events or conditions affecting the entity’s ability to achieve objectives must be identified, distinguishing between risks and opportunities. These risks are analyzed, considering the following:

  • Size of the risk – where, how big, how often/many?
  • Severity of the outcome – to what extent can it impact safety, environmental, operational, financial, customer relations, regulatory compliance?
  • Likelihood/probability of each risk – how likely is the occurrence of a negative outcome, considering the maturity of existing controls?

Based on this assessment, management can prioritize risks, select appropriate risk responses (avoiding, accepting, reducing, sharing), and develop a set of actions to align with the entity’s risk tolerance/appetite. An acceptable level of residual risk is considered after selected improvements and controls are applied. From there, policies and procedures can be established and implemented to help ensure the risk responses are effectively communicated so operating managers and individuals can carry out their responsibilities.

A deeper-dive compliance program assessment may be performed for those risks that are identified as the company’s most significant.

Compliance Program Assessment

A compliance program assessment looks beyond “point-in-time” compliance to critically evaluate how the company manages compliance programs, processes, and activities, with compliance assurance as the ultimate goal. Capability, capacity, programs, and processes to comply are examined as part of this review. Routine process and compliance audits are also key components of a compliance assurance program.

Compliance program assessment should follow a disciplined and consistent process, resulting in an effective program that guides alignment of activities to an EHSMS for sustained compliance and continuous improvement. An essential part of the assessment, audits capture regulatory compliance status, EHSMS conformance, adequacy of internal controls, potential risks, and best practices.

Compliance program assessment enables a company to define and understand:

  • Compliance requirements and where regulated activities occur throughout the organization
  • Current company programs and processes used to manage those activities and the associated level of program/process maturity
  • Deficiencies in compliance program management and opportunities for improvement
  • How to feed review recommendations back into elements of the EHSMS to create a roadmap for sustaining and continually improving compliance

There are six phases associated with a compliance program assessment:

Phase 1 – Regulations, Requirements, and Applicability Analysis: Phase 1 focuses on identifying, organizing, validating, and understanding all of the requirements (legal or other) with which the company must comply. It provides an applicability analysis of the requirements to company operations by functional area and evaluates the associated risks. This stage engages representatives across the company who are responsible for activities subject to the requirements.

Phase 2 – Activities Analysis: This phase involves developing an inventory/profile of all company activities that may trigger the requirements identified in Phase 1. It asks the question, “What activities does the company carry out that are covered by the requirements?”

Phase 3 – Desired Compliance Program Standard: Establishing the company’s expectations for compliance program processes and controls—the desired condition—is essential. This “to-be” standard integrates Management System principles into compliance program management. Programs should examine relative risks and ensure that risk-based priorities are being set.

Phase 4 – Actual Compliance Program Condition: In contrast to the desired standard identified in Phase 3, Phase 4 is about describing the company’s current compliance program. It defines how the company performs the activities outlined in Phase 3 (along with who, when, and where)—the “as-is” condition. This is done in the same framework as the desired standard in order to compare them in the next phase.

Phase 5 – Gap Analysis: The gap analysis compares actual compliance program management against the desired standard. It evaluates compliance program management processes, controls, and maturity to determine if they are good as is, need improvement, or are missing. These gaps and opportunities provide the basis for the improvement actions developed in Phase 6.

Phase 6 – Improvement Actions: Phase 6 moves the process along to developing action plans and an approach for ongoing management review that will guide the compliance program development and improvement activities. Compliance program management review is established at the end of this last phase. If there is an EHSMS in place, program review information and action plan tracking can be integrated into that Management System.

As a whole, this process will help companies evaluate the degree to which:

  • EHS compliance goals and objectives are set and communicated by management.
  • Hazards and risks are identified, sized, and assessed, including an inventory of activities subject to the compliance requirements and the relative risks.
  • Existing controls are adequate and effective, recognizing and addressing changed conditions.
  • Plans are in place to address risks not adequately covered by existing controls.
  • Plans and controls are resourced and implemented.
  • Controls are documented and operationalized across functions and work units.
  • Personnel know and understand the controls and expectations, and are engaged in their design and improvement.
  • Controls are being monitored with appropriate metrics and compliance auditing and assurance.
  • The information system is sufficient to support EHSMS-required functions (e.g., document management and control, action tracking, notifications, training tracking, task calendaring, metrics reporting). Information dashboards can be used for reports to management.
  • Deficiencies are being addressed by corrective/preventive action and are being tracked to completion.
  • Processes, controls, and performance are being reviewed by management for ongoing improvement, including the maintenance and continual improvement of the ISO 14001 and OHSAS 18001-certified EHSMS.

With this foundation, the next article in this series discusses audit program best practices.


Submitted by: Tom Kunes

Risk Management Plan (RMP) Final Amendments

February 15, 2017 - Kestrel Management

Chemicals are an important part of many aspects of our lives; however, improper handling and management of chemicals can result in catastrophic releases that have severe and lasting impacts—loss of life, injury, property damage, community disruption. USEPA’s Risk Management Plan (RMP) data shows that in the last 10 years, there have been more than 1,517 reportable incidents of accidental chemical releases. Those incidents were responsible for 58 deaths, 17,099 injuries, the evacuation or shelter-in-place of almost 500,000 people, and over $2 billion in property damage.

Charting the Changes to RMP

The USEPA’s RMP Rule (Section 112(r) of the Clean Air Act Amendments) is aimed at reducing the frequency and severity of accidental chemical releases. Changes to the RMP Rule have been in progress since former President Obama issued Executive Order (EO) 1365, Improving Chemical Safety and Security, in August 2013. The focus of the EO is to reduce risks associated with hazardous chemicals to owners and operators, workers, and communities by enhancing the safety and security of chemical facilities. Modernizing policies and regulations—including the RMP Rule—falls under this umbrella.

A July 2014 Request for Information (RFI) sought initial comment on potential revisions to RMP under the EO. This was followed by a Small Business Advocacy Review (SBAR) Panel discussion in November 2015. On March 14, 2016, the USEPA published Proposed Rule: Accidental Release Prevention Requirements: Risk Management Programs Under the Clean Air Act, Section 112(r)(7), outlining proposed amendments to the RMP Rule.

Since the initial action to revise the RMP Rule commenced two and a half years ago, the USEPA has received over 60,000 public comments and has had extensive engagement with nearly 1,800 people.

Final Amendments

The much anticipated final RMP amendments were published in the Federal Register on January 13, 2017. According to the USEPA, these amendments are intended to:

  • Prevent catastrophic accidents by improving accident prevention program requirements
  • Enhance emergency preparedness to ensure coordination between facilities and local communities
  • Improve information access to help the public understand the risks at RMP facilities
  • Improve third-party audits at RMP facilities

The final changes in the RMP Rule are outlined in the table below.

Compliance

The effective date for the final RMP amendments is March 14, 2017. Compliance dates are set according to this date, as follows:

The Future of RMP

The final RMP amendments have the potential to significantly affect the 12,500 facilities in the U.S. that are subject to the RMP program. However, like many environmental rules, RMP faces an uncertain future under the Trump Administration. It is not clear at this point whether the final RMP Rule will actually be implemented as published—or at all.

Among the possible outcomes, environmental law firm Beveridge & Diamond PC cites the following possibilities:

  • Congress may rescind the Rule using the Congressional Review Act.
  • The USEPA might stay the Rule and then unilaterally seek to repeal it through amendment.
  • The Rule might be challenged through a petition for reconsideration to the USEPA or a petition for review by the federal courts.

Kestrel will continue to track the RMP Rule and potential upcoming actions or compliance dates that may affect impacted facilities.

Submitted by: Sarah Burton

World-Class Compliance Assurance Program Part 2: Management Systems & their Importance to Compliance Assurance

December 16, 2016 - Kestrel Management

This is the second in a series of five articles on developing and maintaining a world-class compliance assurance program.

The connection between Management Systems and compliance assurance is vital in avoiding recurring compliance issues and in reducing variation in compliance performance. In fact, reliable and effective regulatory compliance is commonly an outcome of consistent and reliable implementation of a Management System.

Management System Document Hierarchy

A Management System is the organizing framework that enables companies to achieve and sustain their operational and business objectives through a process of continuous improvement. As shown, policy is the foundation of the Management System. It establishes the vision and overall corporate expectations. Processes and standards set corporate expectations for performance. They establish what must be done to meet the requirements of the policy—but they don’t define “how” it will be done. Procedures, then, define “how” the processes/standards will be met and, thereby, meet the requirements of the policy. Finally, proof/metrics provide the measurable “proof of performance”.

A Management System is designed to identify and manage risks—safety, environmental, quality, business continuity, security (and others)—through an organized set of policies, procedures, practices, and resources that guide the enterprise and its activities to maximize business value. In its simplest form, a Management System implements the Plan, Do, Check, Act/Adjust cycle of continual improvement and addresses the following:

  • What is done and why
  • How it is done and by whom
  • How well it is being done
  • How it is maintained and reviewed
  • How it can be improved

The following table compares the attributes of a program with a “Compliance Only” emphasis against those of a “Compliance within a Management System” program.


Management System Standards

Industry standards are available to guide the design and implementation of the EHSMS. The most widely recognized and applied are the harmonized ISO standards—ISO 14001 (Environmental), OHSAS 18001 and draft ISO 45001 (Safety), and ISO 9001 (Quality).

The figure below depicts the standard Management System cycle of control and improvement. Two key procedures within this cycle that guide auditing involve understanding legal, regulatory and other requirements (under “Planning and Management of Change”) and evaluating compliance (under “Checking & Corrective Action”).

Management System Cycle of Control & Improvement

Creating Value

Each company’s Management System reflects its unique culture, vision, and values. To be effective and valuable, the Management System must be tailored and focused on how it can enhance the business performance of the organization. It must also be:

  • Useful to people in the operations
  • Intuitive—organized the way operations people think
  • Flexible—making use of methods and tools as they are developed and documented
  • Valuable from the outset—addressing the most critical risks and processes
  • Linked to the business of the business (not “pasted on”), with ownership at the operational level
  • A means to better align operational quality, safety, and environment with the business

There are a number of business reasons for implementing a well-documented Management System and associated support methods and tools:

  • Establishes a common documented framework to achieve more consistent implementation of compliance policies and processes—addressing the eight core functions of compliance: inventories, permits and authorizations, plans, training, practices in place, monitoring and inspection, records, reporting.
  • Provides clear methods and processes to identify and prioritize risks, set and monitor goals, communicate those risks to employees and management, and allocate the resources to mitigate them.
  • Shifts from a command-and-control, centrally driven function (or, at the other extreme, totally decentralized and lacking adequate guidance and oversight) to one that depends heavily on teamwork and implementation of a common system, taking into consideration the necessary local differences and building better know-how at the facility level.
  • Establishes a common language for periodic calls and meetings among managers, facility managers, and executives, which yields better goal-setting, priority ranking, and allocation of resources to the areas with greatest risk or the greatest opportunity to add business value.
  • Empowers facilities to take responsibility for processes and compliance performance without waiting to be told “what” and “how”.
  • Enables better collaboration and communication across a distributed company with many locations.
  • Enables the selection and implementation of a robust information system capable of tracking and reporting on common activities and performance metrics across the company.
  • Employs a design and implementation process that builds company know-how, captures/retains institutional knowledge, and enables ongoing improvement without having to continually reinvent the wheel.
  • Creates consistent processes and procedures that support personnel changes (e.g., transfers, promotions, retirements) and training of new personnel without causing disruption or gaps.
  • Allows for more consistent oversight and governance, yielding higher predictability and reliability.
  • Better ensures that employees and contractors return home from work safely every day, and that the public and the environment are protected.
  • Reduces incident costs and accrued liabilities and protects assets.
  • Improves and sustains regulatory compliance and allows the organization to continually improve quality, environmental, and safety performance (employee, public, equipment, infrastructure).

The next article in this series will move on to identifying and assessing risks and the subsequent compliance program assessment.


Submitted by: Tom Kunes

World-Class Compliance Assurance Program Part 1: Enterprise and Compliance Risk Management

October 11, 2016 - Kestrel Management

This is the first in a series of five articles on developing and maintaining a world-class compliance assurance program.

Global organizations face increasing pressure to operate in a manner that is safe, sustainable, and in compliance with an ever-growing array of regulations and other requirements regarding material use, supply chain, byproducts, and Environmental, Health & Safety (EHS) practices, among many others.

In order to achieve these objectives, developing and maintaining key internal controls that ensure reliability of compliance programs/systems that adhere to current and pending regulations, industry standards, and other requirements is critically important. Further, the connection between EHS management and compliance assurance needs to be harmonized. Reliable and effective regulatory compliance commonly is an outcome of consistent and reliable EHS Management System (EHSMS) design and implementation. This connection is especially important to avoid recurring compliance issues.

This article is the first in a series written to provide a description of world-class compliance assurance and how it is integrated into an overarching EHSMS starting with a review of Enterprise and Compliance Risk Management.

Enterprise Risk Management (ERM)

Enterprise Risk Management (ERM) is the process of identifying and analyzing risk from an integrated, company-wide perspective. The framework focuses on the necessity of a consistent “risk and control consciousness” throughout the enterprise; importance of considering risk during the formulation of strategy; interrelationships of risks across business and functional units and at every level of the organization; and allocation of resources to risks within the company’s risk appetite and tolerances.

There are natural linkages between ERM, improved financial reporting and transparency, and regulatory compliance assurance. In fact, ERM is geared toward achieving objectives in one or more separate but overlapping categories:

  • Strategic – high-level goals, aligned with and supporting its mission
  • Operations – effective and efficient use of its resources
  • Compliance – compliance with applicable laws and regulations
  • Metrics – for measuring risk management performance and progress
  • Reporting – reliability of reporting

Compliance Risk

One significant form of enterprise risk—compliance risk—is present to varying degrees in virtually all of a company’s business systems, operations, infrastructure, and other assets.

Compliance risk is essentially the threat posed to an entity’s financial, organizational, or reputational standing, which may result from violating laws, regulations, codes of conduct, or organizational standards of practice. It applies to both operating and support functions.  

Compliance requirements are set by various levels of government (e.g., federal, state, local), many domestic agencies (e.g., EPA, OSHA, MSHA, COE, DOT, FDA), non-governmental organizations (NGOs), and agencies specific to other countries in which the organization operates or does business. Requirements are typically published in associated law, rule, and regulatory documents; industry standards; or the organization’s own policies. Environmental and occupational safety compliance are significant types of compliance risks facing an enterprise.


A compliance risk assessment requires a focused approach to help the organization understand the full range of its compliance risk exposure, including the likelihood that a risk event may occur, the reasons it may occur, and the potential severity of its impact. It also helps the organization prioritize risks, identify applicable owners, and allocate appropriate resources for risk mitigation.

U.S. Federal Sentencing Guidelines for Organizations and Corporate Compliance Programs

Beyond the organizational impacts stated above, a strong compliance assurance program may result in the reduction of fines and penalties under the U.S. Federal Sentencing Guidelines for Organizations and Corporate Compliance Programs in the event of a compliance failure.

The U.S. Federal Sentencing Guidelines were promulgated in 1991 to ensure that organizations cannot profit from wrongdoing. The purpose of these Guidelines is to promote good corporate citizenship by encouraging implementation of compliance programs that prevent criminal conduct. The Guidelines provide organizations with a tangible incentive to implement effective programs that encourage positive organizational behavior.

The Sarbanes-Oxley Act—and renewed focus on corporate ethics—prompted certain clarifying revisions to the Guidelines in 2004, requiring more high-level oversight of the compliance program, along with more training, monitoring, and emphasis on creating an ethical work environment. The Sentencing Guidelines’ minimum requirements include the following seven compliance program elements:

  • Organizational infrastructure—Ensure that the Board has knowledge of content and operation of compliance program and exercises reasonable oversight; high-level individuals have direct, overall responsibility; specific individuals have day-to-day operational responsibility, adequate resources and appropriate authority, and direct access to Board or Audit Committee.
  • Risk assessment—Periodically assess risk of non-compliant activities; implement or modify programs to reduce risk.
  • Standards and procedures—Develop and implement to prevent, detect, and respond to noncompliance.
  • Due care in delegation—Exclude from compliance authority those who have engaged in illegal activities or act inconsistently with the program.
  • Training/communication—Conduct effective training and disseminate information regarding responsibilities.
  • Monitoring and auditing—Take steps to ensure compliance program is followed, including auditing and monitoring, with a system for reporting noncompliant conduct without fear of retaliation.
  • Incentives and discipline—Promote and enforce program consistently through incentives supporting compliance and discipline for engaging in or failing to take steps to prevent or detect noncompliance.

Importantly, these Guidelines have become a barometer for prosecutors in determining whether a company should be charged with a crime at the end of an investigation (and the severity of the action) or may be eligible for a reduced sentence/fine based on its compliance and ethics program. They are helpful in defining the attributes of world-class compliance assurance, in which EHS compliance would be structured.


Submitted by: Tom Kunes

Frank R. Lautenberg Chemical Safety for the 21st Century Act

August 15, 2016 - Kestrel Management

Last year, we came to you with breaking news about Toxic Substances Control Act (TSCA) reform taking hold, as the U.S. House of Representatives passed the TSCA Modernization Act of 2015 (H.R. 2576) on June 23, 2015.

Almost one year later—and approximately 40 years since the Act’s inception—President Obama signed the Frank R. Lautenberg Chemical Safety Act (FRL-21) into law on June 22, 2016, amending the nation’s primary chemical management law. An historic bipartisan achievement, this Act gives the USEPA immediate authority to begin evaluating the risk of any chemical it designates as “high priority”.

Background

TSCA was developed to ensure that products are safe for intended use by providing the USEPA authority to review and regulate chemicals in commerce. Despite its intention, TSCA has proven to be rather ineffective in providing adequate protection and in facilitating U.S. chemical manufacturing and use. More than 80,000 chemicals available in the U.S. have never been fully tested for their toxic effects on health and the environment. In fact, under TSCA, the USEPA has only banned five chemicals since 1976.

According to a blog by USEPA Administrator Gina McCarthy, “While the intent of the original TSCA law was spot-on, it fell far short of giving EPA the authority we needed to get the job done.”

And that is where FRL-21 takes over, strengthening the foundation built by TSCA to ensure that chemical safety remains paramount.

Key Changes

FRL-21 remains consistent with the 2009 Principles for TSCA Reform. The USEPA outlines the following key regulatory changes in its Q&A briefing on the Act.

Evaluates the safety of existing chemicals in commerce, starting with those most likely to cause risks. This is the first time that all chemicals in commerce will undergo risk-based review by the USEPA. The Agency is charged with creating a risk-based process to determine which chemicals should be prioritized for assessment. High-priority chemicals may present an unreasonable risk to health or the environment due to potential hazard and route of exposure. A high-priority designation, in turn, triggers a risk evaluation to determine the chemical’s safety. This prioritization ensures that those chemicals that present the greatest risk will be reviewed first.

Evaluates new and existing chemicals against a new risk-based safety standard. Under the law, the USEPA will evaluate chemicals based purely on the health and environmental risks they pose. The evaluation must also include considerations for vulnerable populations (e.g., children, elderly, immune-compromised). FRL-21 further repeals the requirement that the Agency apply the least burdensome means of adequately protecting against unreasonable risk from chemicals. Costs and benefits will not be factored into the evaluation. 

Empowers USEPA to require development of chemical information necessary to support these evaluations. In short, the Agency has expanded authority to demand additional health and safety or testing information from manufacturers and/or to conduct risk evaluations on a chemical. USEPA may also expedite the process through new order and consent agreement authorities.

Enforces clear and enforceable deadlines that ensure timely review of prioritized chemicals and timely action on identified risks. Strict deadlines are designed to keep the USEPA’s work on track and to ensure compliance by manufacturers. For example, the Agency must have 10 ongoing risk evaluations within the first 180 days and 20 ongoing risk evaluations within 3.5 years. When unreasonable risks are identified, USEPA must then take final risk management action within two years. Action, which may include labeling, bans, and phase outs, must begin no later than five years after the final regulation.

Increases public transparency of chemical information by limiting unwarranted claims of confidentiality. The USEPA must review and make determinations on all new confidentiality claims for chemical identity, as well as review past confidentiality claims to determine if they are still warranted. This will allow companies to preserve their intellectual property and competitive advantage, while still providing transparency to the public.

Provides a source of funding for the USEPA to carry out these changes. The USEPA can collect up to $25 million annually in user fees from chemical manufacturers and processors when they:

  • Submit test data for USEPA review
  • Submit a pre-manufacture notice for a new chemical
  • Manufacture or process a chemical that is the subject of a risk evaluation
  • Request that the USEPA conduct a chemical risk evaluation

Impacts

For companies, the most immediate impacts of FRL-21 will be on the new chemicals review process, as the USEPA has to approve any new chemical or significant new use of an existing chemical before manufacturing can commence and chemicals can enter the marketplace. This process will help provide regulatory certainty throughout the supply chain, from raw material producers to retailers. And, in the end, the risk evaluations will help ensure that manufacturers are able to bring new chemicals to the market in a safe and efficient way.

As for the general public, FRL-21 creates a new standard of safety to protect the public and the environment from unreasonable risks associated with chemical exposure. For the first time in 40 years, it provides assurance and greater confidence that chemicals are being used safely.

Submitted by: Liz Hillgren
