09 Aug
Audit Program Best Practices: Part 1

Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. An audit is typically part of a broader compliance assurance program and can cover some or all of the company’s legal obligations, policies, programs, and objectives.

Companies come in a variety of sizes with a range of different needs, so auditing standards remain fairly flexible. There are, however, a number of audit program elements and best practices that can help ensure a comprehensive audit program:

  1. Goals. Establishing goals enables recognition of broader issues and can lead to long-term preventive programs. This process allows the organization to get at the causes and focus on important systemic issues. It pushes and guides toward continuous improvement. Goal-setting further addresses the responsibilities and obligations of the Board of Directors for audit and oversight and elicits support from stakeholders.
  2. Scope. The scope of the audit should be limited initially (e.g., compliance and risk) to what is manageable and to what can be done very well, thereby producing performance improvement and a wider understanding and acceptance of objectives. As the program is developed and matures (e.g., Management Systems, company policy, operational integration), it can be expanded and, eventually, shift over time toward systems in place, prevention, efficiency, and best practices.
  3. Committed resources. Sufficient resources must be provided for staffing and training and then applied, as needed, to encourage a robust auditing program. Resources also should be applied to EHSMS design and continuous improvement. It is important to track the costs/benefits to compare the impacts and results of program improvements.
  4. Operational focus. All facilities need to be covered at the appropriate level, with emphasis based on potential EHS and business risks. The operational units/practices with the greatest risk should receive the greatest attention (e.g., the 80/20 Rule). Vendors/contractors and related operations that pose risks must be included as part of the program. For smaller, less complex and/or lower risk facilities, lower intensity focus can be justified. For example, relying more heavily on self-assessment and reporting of compliance and less on independent audits may provide better return on investment of assessment resources.
  5. Audit team. A significant portion of the audit program should be conducted by knowledgeable auditors (independent insiders, third parties, or a combination thereof) with clear independence from the operations being audited and from the direct chain of command. For organizational learning and to leverage compliance standards across facilities, it is good practice to vary at least one audit team member for each audit. Companies often enlist personnel from different facilities and with different expertise to audit other facilities. Periodic third-party audits further bring outside perspective and reduce tendencies toward “home-blindness”.
  6. Audit frequency. There are several levels of audit frequency, depending on the type of audit:
    • Frequent: Operational (e.g., inspections, housekeeping, maintenance) – done as part of routine EHSMS day-to-day operational responsibilities
    • Periodic: Compliance, systems, actions/projects – conducted annually/semi-annually
    • As needed: For issue follow-up
    • Infrequent: Comprehensive, independent – conducted every three to four years
  7. Differentiation methods. Differentiating identifies and distinguishes issues of greatest importance in terms of risk reduction and business performance improvement. The process for differentiating should be as clear and simple as possible; a system of priority rating and ranking is widely understood and agreed. The rating system can address severity levels, as well as probability levels, in addition to complexity/difficulty and length of time required for corrective actions.
  8. Legal protection. Attorney privilege for audit processes and reports is advisable where risk/liability are deemed significant, especially for third-party independent audits. To the extent possible, make the audit process and reports become management tools that guide continuous improvement. Organizations should follow due diligence elements of the USEPA audit policy.
  9. Procedures. Describe and document the audit process for consistent, efficient, effective, and reliable application. The best way to do this is to involve both auditors and those being audited in the procedure design. Audit procedures should be tailored to the specific facility/operation being audited. Documented procedures should be used to train both auditors and those accountable for operations being audited. Procedures can be launched using a pilot facility approach to allow for initial testing and fine-tuning. Keep procedures current and continually improve them based on practical application. Audits include document and record review (corporate and facility), interviews, and observations.
  10. Protocols & tools. Develop specific and targeted protocols that are tailored to operational characteristics and based on applicable regulations and requirements for the facility. Use “widely accepted or standard practice” as go-by tools to aid in developing protocols (e.g., ASTM site assessment standards; ISO 14010 audit guidance; audit protocols based on EPA, OSHA, MSHA, Canadian regulatory requirements; GEMI self-assessment tools; proprietary audit protocol/tools). As protocols are updated, the ability to evaluate continuous improvement trends must be maintained (i.e., trend analysis).
  11. Information management & analysis. Procedures should be well-defined, clear, and consistent to enable the organization to analyze trends, identify systemic causes, and pinpoint recurring problem areas. Analysis should prompt communication of issues and differentiation among findings based on significance. Audit reports should be issued in a predictable and timely manner. It is desirable to orient the audit program toward organizational learning and continual improvement, rather than a “gotcha” philosophy. “Open book” approaches help learning by letting facility managers know in advance what the audit protocols are and how the audits will be conducted.
  12. Verification & corrective action. Corrective actions require corporate review, top management-level attention and management accountability for timely completion. A robust root cause analysis helps to ensure not just correction/containment of the existing issue, but also preventive action to assure controls are in place to prevent the event from recurring. For example, if a drum is labeled incorrectly, the corrective action is to relabel that drum. A robust plan should also look for other drums that might be labeled incorrectly and add and communicate an effective preventive action (e.g., training or posting signs showing a correctly labeled drum).
26 Jul
10 Reasons to Implement a Management System

A management system is the framework that enables companies to achieve their operational and business objectives through a process of continuous improvement. In its simplest form, a management system implements the Plan, Do, Check, Act/Adjust cycle. Several choices are available for management systems (ISO is commonly applied), whether they are certified by third-party registrars and auditors, self-certified, or used as internal guidance and for potential certification readiness.

Business Benefits of a Well-Documented Management System

The connection between management systems and compliance is vital in avoiding recurring compliance issues and in reducing variation in compliance performance. In fact, reliable and effective regulatory compliance is commonly an outcome of consistent and reliable implementation of a management system.

Beyond that, there are a number of business reasons for implementing a well-documented management system (environmental, safety, quality, food safety, other) and associated support methods and tools:

  1. Establishes a common documented framework to achieve more consistent implementation of compliance policies and processes—addressing the eight core functions of compliance:
    • Inventories
    • Permits and authorizations
    • Plans
    • Training
    • Practices in place
    • Monitoring and inspection
    • Records
    • Reporting
  2. Provides clear methods and processes to identify and prioritize risks, set and monitor goals, communicate those risks to employees and management, and allocate the resources to mitigate them.
  3. Shifts from a command-and-control, centrally driven function to one that depends heavily on teamwork and implementation of a common system, taking into consideration the necessary local differences and building better know-how at the facility level.
  4. Establishes a common language for periodic calls and meetings among managers, facility managers, and executives, which yields better goal-setting, priority ranking, and allocation of resources to the areas with greatest risk or the greatest opportunity to add business value.
  5. Empowers facilities to take responsibility for processes and compliance performance without waiting to be told “what” and “how”.
  6. Enables better collaboration and communication across a distributed company with many locations.
  7. Enables the selection and implementation of a robust information system capable of tracking and reporting on common activities and performance metrics across the company.
  8. Employs a design and implementation process that builds company know-how, captures/retains institutional knowledge, and enables ongoing improvement without having to continually reinvent the wheel.
  9. Creates consistent processes and procedures that support personnel changes (e.g., transfers, promotions, retirements) and training of new personnel without causing disruption or gaps.
  10. Allows for more consistent oversight and governance, yielding higher predictability and reliability.

 

19 Jul
Six Best Practices for Compliance Assurance

A well-designed and well-executed compliance assurance program provides an essential tool for improving and verifying business performance and limiting compliance risks. Ultimately, however, a compliance program’s effectiveness comes down to whether it is merely a “paper program” or whether it is being integrated into the organization and used in practice daily.

The following can show evidence of a living, breathing program:

  • Comprehensiveness of the program
  • Dedicated staff and resources
  • Employee knowledge and engagement
  • Management commitment and employee perception
  • Internal operational inspections, “walk-abouts” by management
  • Independent insider, plus third-party audits
  • Program tailoring to greatest risks
  • Consistency and timeliness of exception (noncompliance/nonconformance) disclosures
  • Tracking of timely and adequate corrective/preventive action completion
  • Progress and performance monitoring

Best Practices

To achieve a compliance assurance program on par with world-class organizations, there are a number of best practices that companies should employ:

  1. Know the requirements. This means maintaining an inventory of regulatory compliance requirements for each compliance program, as well as of state/local/contractual binding agreements applying to operations. It is vital that the organization keep abreast of current/upcoming requirements (federal, state, local).
  2. Plan and develop the processes to comply. Identify and assess compliance risks, and then set objectives and targets for performance improvement based on top priorities. From here, it becomes possible to then define program improvement initiatives, assign and document responsibilities for compliance (who must do what and when), develop procedures and tools, and then allocate resources to get it done.
  3. Assure compliance in operations. The organization needs to establish routine checks and inspections within departments to evaluate conformance with sub-process procedures. Process audits should be designed and implemented to cut across operations and sub-processes in order to evaluate conformance with company policies and procedures. Regulatory compliance audits should further be conducted to address program requirements (e.g., environmental, safety, mine safety, security). Audit performance must be measured and reported, and then expectations set for operating managers to take responsibility for compliance.
  4. Take action on issues and problems. Capture, log, and categorize noncompliance issues, process non-conformances, and near misses. Implement a corrective/preventive action process based on importance of issues. Be disciplined in timely completion, close-out, and documentation of all corrective/preventive actions.
  5. Employ management of change (MOC) process. Robust MOC processes help ensure that changes affecting compliance (to facility, operations, personnel, infrastructure, materials, etc.) are reviewed for their impacts on compliance. Compliance should be assured before the changes are made. Failure to do so is one of the most common root causes of noncompliance.
  6. Ensure management involvement and leadership. Set the tone at the top. The Board of Directors and senior executives must set policy, culture, values, expectations, and goals. It is just as important that these individuals are the ones to communicate across the organization, to demonstrate their commitment and leadership, to define an appropriate incentive/disincentive system, and to provide ongoing organizational feedback.
15 Jun
Now Hiring: EHS Director

Kestrel Management is seeking a senior market-facing EHS professional with an emphasis on environmental services to join our team. The EHS Director has responsibility for leading the development of new clients, including engaging with trade associations; meeting with clients; and managing the proposal development, contracts, and invoicing process. This individual will monitor and understand Kestrel’s current target markets (i.e., chemicals, utilities, manufacturing), including market drivers and industry leaders; promote and position Kestrel within the industry; target appropriate clients; develop needed services; and lead the growth of sales, particularly in the environmental arena. There is opportunity for expansion outside of Kestrel’s target markets depending on the candidate’s depth of experience in other markets.

In addition, the EHS Director will work closely with Kestrel Client Service Managers, Project Managers, and Consultants in making service improvement recommendations to meet changing market and client needs. S/he will assist in understanding clients’ ongoing needs, guiding the development and provision of Kestrel services to meet those needs, and periodically assessing client satisfaction.

This position offers an ownership opportunity for the appropriate candidate.

Responsibilities:

  • Identify and recommend services, strategies, and actions to improve Kestrel’s services, productivity, and profitability, particularly in the environmental arena
  • Provide market feedback on industry needs, monitor competitor products/services, and offer insight for service/product research
  • Identify new business and/or market opportunities
  • Establish and maintain relationships with industry influencers and key strategic partners
  • Effectively develop, build, and expand client relationships leading to repeat business
  • Meet with select key clients, assisting in sales, maintaining relationships, negotiating and closing sales
  • Review client satisfaction and track issues resolution through corrective/preventive action
  • Review and analyze sales performance
  • Represent Kestrel at select trade association meetings/conferences
  • Work with Kestrel’s Marketing Director to promote and position Kestrel within the industry

Requirements:

  • Relevant bachelor’s degree or commensurate experience
  • Minimum of ten years of consulting experience with a focus on environmental services; industry experience a plus
  • Demonstrated ability to grow and develop business
  • Knowledge of client service principles and practices
  • Problem analysis and problem-solving skills
  • Planning and organizational abilities
  • Ability and willingness to travel up to 50%

Location: Upper Midwest (Wisconsin, Illinois, Minnesota, Michigan)

How to Apply: Forward a resume to recruiting@kestrelmanagement.com.

13 Jun
RMP Reconsideration Proposed Rule

Chemicals are an important part of many aspects of our lives; however, improper handling and management of chemicals can result in catastrophic releases that have severe and lasting impacts—loss of life, injury, property damage, community disruption.

The USEPA’s Risk Management Plan (RMP) Rule (Section 112(r) of the Clean Air Act Amendments) is aimed at reducing the frequency and severity of accidental chemical releases. While the intent of the RMP Rule is positive, there has been much controversy over what the rule requires. This has resulted most recently in the RMP Reconsideration Proposed Rule, which was published on May 30, 2018.

The History of Modernizing RMP

RMP regulations were first created in 1996 to protect first responders and communities adjacent to facilities with chemical substances. Changes to the original RMP Rule have been in progress since former President Obama issued Executive Order (EO) 1365, Improving Chemical Safety and Security, in August 2013. Modernizing policies and regulations—including the RMP Rule—falls under this umbrella.

A July 2014 Request for Information (RFI) sought initial comment on potential revisions to RMP under the EO. This was followed by a Small Business Advocacy Review (SBAR) Panel discussion in November 2015. On March 14, 2016, the USEPA published Proposed Rule: Accidental Release Prevention Requirements: Risk Management Programs Under the Clean Air Act, Section 112(r)(7), outlining proposed amendments to the RMP Rule.

The much anticipated final RMP Amendments were published in the Federal Register on January 13, 2017. According to the USEPA, these amendments were intended to:

  • Prevent catastrophic accidents by improving accident prevention program requirements
  • Enhance emergency preparedness to ensure coordination between facilities and local communities
  • Improve information access to help the public understand the risks at RMP facilities
  • Improve third-party audits at RMP facilities

After the USEPA published the final rule, many industry groups and several states filed challenges and petitions, arguing that the rule was overly burdensome, created potential security risks, and did not properly coordinate with OSHA’s Process Safety Management (PSM) standard. Under the Trump administration, the USEPA delayed the effective date of the rule until February 2019 and announced its plan to reconsider the rule’s provisions.

Reconsideration

That brings us full circle to the RMP Reconsideration Proposed Rule that was published at the end of May. According to the USEPA, this reconsideration proposes to:

  • Maintain consistency of RMP accident prevention requirements with the OSHA PSM standard.
  • Address security concerns.
  • Reduce unnecessary regulations and regulatory costs.
  • Revise compliance dates to provide necessary time for program changes.

What’s Going?

USEPA Administrator Scott Pruitt said in a press release, “The rule proposes to reduce unnecessary regulatory burdens, address the concerns of stakeholders and emergency responders on the ground, and save Americans roughly $88 million a year.”

To accomplish this, the reconsideration proposes making the following changes:

  • All accident prevention program provisions have been rescinded in the reconsideration so the USEPA can coordinate revisions with OSHA and keep regulatory costs in check. This includes repealing the requirements for conducting:
    • Third-party audits
    • Safer Technology and Alternatives Analysis (STAAs) as part of the process hazard analyses
    • Root cause analyses as part of an accident investigation of a catastrophic release or near-miss
  • Most of the public information availability provisions have been rescinded due to their redundancy and security concerns, particularly regarding specific chemical hazard information. The USEPA is proposing to retain the requirement for facilities to hold a public meeting within 90 days of a reportable incident.

What’s Staying?

Many of the emergency coordination and exercise provisions of the Amendments rule are staying–but are being modified to address security concerns and provide more flexibility. The Reconsideration Proposed Rule still requires facilities to:

  • Coordinate response needs at least annually with local emergency planning councils (LEPCs) and response organizations, and to document these activities
  • Provide emergency action plans, response plans, updated emergency contact information, and other information necessary for developing and implementing the local emergency response plan to LEPCs
  • Perform annual exercises to test emergency response notification mechanisms (Program 2 and 3 facilities)

Looking Ahead

The proposed rule is available for public comment for 60 days after its publication date (May 30, 2018). In addition, a public hearing is scheduled for June 14, 2018. If the Reconsideration Proposed Rule is published, compliance dates will be as follows based on the effective date of the final rule.

[Figure: RMP Reconsideration Rule Compliance Timeline]

For more information, visit the USEPA website on the RMP Reconsideration Proposed Rule.

 

28 Jun
EPA Announces Chemical Safety Milestones

To celebrate the one-year anniversary of the Frank R. Lautenberg Chemical Safety for the 21st Century Act, EPA Administrator Scott Pruitt announced on June 22, 2017, that the Agency has met its first-year statutory responsibilities under the law. This includes the following actions:

Read the EPA press release: https://www.epa.gov/newsreleases/epa-marks-chemical-safety-milestone-1st-anniversary-lautenberg-chemical-safety-act

22 Jun
World-Class Compliance Pt 5: Compliance Assurance Program

This is the fifth in a series of five articles on developing and maintaining a world-class compliance assurance program.

A well-designed and well-executed compliance assurance program provides an essential tool for improving and verifying business performance and limiting compliance risks. Ultimately, however, a compliance program’s effectiveness comes down to whether it is merely a “paper program” or whether it is being integrated into the organization and used in practice on a daily basis.

The following can show evidence of a living, breathing program:

  • Comprehensiveness of the program
  • Dedicated staff and resources
  • Employee knowledge and engagement
  • Management commitment and employee perception
  • Internal operational inspections, “walkabouts” by management
  • Independent insider, plus third-party audits
  • Program tailoring to greatest risks
  • Consistency and timeliness of exception (noncompliance/nonconformance) disclosures
  • Tracking of timely and adequate corrective/preventive action completion
  • Progress and performance monitoring

Best Practices

To achieve a compliance assurance program on par with world-class organizations, there are a number of best practices that companies should employ:

Know the requirements. This means maintaining an inventory of regulatory compliance requirements for each compliance program, as well as of state/local/contractual binding agreements applying to operations. It is vital that the organization keep abreast of current/upcoming requirements (federal, state, local).

Plan and develop the processes to comply. Identify and assess compliance risks, and then set objectives and targets for performance improvement based on top priorities. From here, it becomes possible to then define program improvement initiatives, assign and document responsibilities for compliance (who must do what and when), develop procedures and tools, and then allocate resources to get it done.

Assure compliance in operations. The organization needs to establish routine checks and inspections within departments to evaluate conformance with sub-process procedures. Process audits should be designed and implemented to cut across operations and sub-processes in order to evaluate conformance with company policies and procedures. Regulatory compliance audits should further be conducted to address program requirements (e.g., environmental, safety, mine safety, security). Audit performance must be measured and reported, and then expectations set for operating managers to take responsibility for compliance.

Take action on issues and problems. Capture, log and categorize noncompliance issues, process nonconformances, and near misses. Implement a corrective/preventive action process based on the importance of issues. Be disciplined in timely completion, close-out, and documentation of all corrective/preventive actions.

Employ management of change (MOC) process. Robust MOC processes help ensure that changes affecting compliance (to the facility, operations, personnel, infrastructure, materials, etc.) are reviewed for their impacts on compliance. Compliance should be assured before the changes are made. Failure to do so is one of the most common root causes of noncompliance.

Ensure management involvement and leadership. Set the tone at the top. The Board of Directors and senior executives must set policy, culture, values, expectations, and goals. It is just as important that these individuals are the ones to communicate across the organization, to demonstrate their commitment and leadership, to define an appropriate incentive/disincentive system, and to provide ongoing organizational feedback.

Maintaining Ongoing World-Class Compliance Assurance Program

The compliance assurance program must be a living, breathing program. As risks change, the program must be refreshed, refined, and redeployed. A Management System framework can help ensure operational sustainability. A Management System drives the auditing process and helps companies say what they will do, do what they say and, importantly, verify it.

Together, there is a real value at the intersection of a compliance assurance program and Management Systems. Management Systems define the internal controls that are in place to reduce risks, prevent losses, and sustain and improve performance over time through the Plan-Do-Check-Act (PDCA) cycle of continual improvement.

Testing and Monitoring

Testing, monitoring, and measuring are crucial elements of this cycle. Without them, it is difficult to understand what is working and what needs improvement. Robust testing and monitoring programs can serve as early warning systems for identifying potential compliance risks before they become enforcement issues.

Compliance should be tested and monitored throughout each level of the organization. A strong testing program will evaluate the results of the compliance risk assessment and assign compliance risks to the business units and processes where they are most likely to occur, creating clear lines of responsibility and accountability. Key risks and the related controls should be tested periodically using statistically valid sampling methodologies, and monitoring activities should be performed on an ongoing basis. Doing so produces trend data that provides the rationale needed for making changes to underlying business processes, as well as emerging risks.

Ongoing compliance excellence relies on top management, operations managers, EHS personnel, and individual employees throughout the organization working together to build and sustain an organizational culture that places compliance on par with business performance. Senior management must focus on the overall culture of the company in terms of taking the necessary steps to reduce risk and make prevention part of daily operations. While it may be impossible to eliminate all risk exposure, a solid risk framework, assessment methodology, and compliance assurance program can help to prioritize risks for active management, sustained compliance, and positive business impacts.

Read the other articles in this series:

18 Apr
World-Class Compliance Pt 4: Audit Best Practices

This is the fourth in a series of five articles on developing and maintaining a world-class compliance assurance program.

Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. An audit is typically part of a broader compliance assurance program and can cover some or all of the company’s legal obligations, policies, programs, and objectives.

There are a number of third-party auditing standards that offer guidelines for ensuring accurate, complete, and reliable EHS audits, including:

  • The Board of Environmental, Health, and Safety Auditing Certifications (BEAC) Standards, 2008
  • ISO 19011 Auditing Guidelines, 2002
  • Auditing Roundtable Standards, 1993
  • USEPA Auditing Policy, 1986, 2000
  • Institute of Internal Auditors Standards, 1997

Best Practices

Companies come in a variety of sizes with a range of different needs, so auditing standards remain fairly flexible. There are, however, a number of audit program elements and best practices that can help ensure a comprehensive audit program:

Goals. Establishing goals enables recognition of broader issues and can lead to long-term preventive programs. This process allows the organization to get at the causes and focus on important systemic issues. It pushes and guides toward continuous improvement. Goal-setting further addresses the responsibilities and obligations of the Board of Directors for audit and oversight and elicits support from stakeholders.

Scope. The scope of the audit should be limited initially (e.g., compliance and risk) to what is manageable and to what can be done very well, thereby producing performance improvement and a wider understanding and acceptance of objectives. As the program is developed and matures (e.g., management systems, company policy, operational integration), it can be expanded and, eventually, shift over time toward systems in place, prevention, efficiency, and best practices.

Committed resources. Sufficient resources must be provided for staffing and training and then applied, as needed, to encourage a robust auditing program. Resources also should be applied to EHSMS design and continuous improvement. It is important to track the costs/benefits to compare the impacts and results of program improvements.

Operational focus. All facilities need to be covered at the appropriate level, with emphasis based on potential EHS and business risks. The operational units/practices with the greatest risk should receive the greatest attention (e.g., the 80/20 Rule). Vendors/contractors and related operations that pose risks must be included as part of the program. For smaller, less complex and/or lower risk facilities, lower intensity focus can be justified. For example, relying more heavily on self-assessment and reporting of compliance and less on independent audits may provide a better return on investment of assessment resources.

Audit team. A significant portion of the audit program should be conducted by knowledgeable auditors (independent insiders, third parties, or a combination thereof) with clear independence from the operations being audited and from the direct chain of command. For organizational learning and to leverage compliance standards across facilities, it is good practice to vary at least one audit team member for each audit. Companies often enlist personnel from different facilities and with different expertise to audit other facilities. Periodic third-party audits further bring outside perspective and reduce tendencies toward “home-blindness”.

The most common options for compliance audit team design include the following:

  • Facility-based EHS Team
    • Advantages – awareness of operations and specific facility EHS regulated activities
    • Disadvantages – lack independence and objective outside perspective; may have some responsibilities for activities audited; likely to have limited regulatory expertise needed; likelihood of significant inconsistencies and variability from facility to facility
    • Best use – routine and frequent inspections and monitoring, including progress checks on completion of corrective actions arising from other audits; desirable to have staff from other facilities participate on audit team; auditors should not audit their own departments or operations; may conduct and submit to corporate annual facility compliance self-assessments and assurance statements by facility management
  • Independent Inside EHS Team
    • Typically, from corporate headquarters (may include facility EHS representatives from other facilities)
    • Advantages – improved independence from operations; likely to provide regulatory know-how and multi-facility perspective; consistency in audit methods and content likely across facilities
    • Disadvantages – can be subject to limited independence and internal business pressures; may have limited perspective on best industry practices from outside organization; may not have up-to-date regulatory requirements awareness
    • Best use – dedicated corporate EHS lead auditor(s) supported by subject matter experts on audit team; EHS personnel from other facility(s) participate on team for cross-facility learning; audit protocols maintained to be current; audits conducted annually at higher risk facilities; team review of facility self-assessments at lower risk facilities
  • Third-Party Independent Audit Team
    • Advantages – organizational independence; outside perspective and experience with compliance practices of other companies; auditor credentials and up-to-date awareness of audit methods and regulatory requirements; ability to bring specialized know-how, as needed; must meet client expectations for deliverable quality and timeliness
    • Disadvantages – may not have organizational standing to ensure necessary cooperation and openness of auditees
    • Best use – periodic audit of the company’s audit program and process (5-year cycle); periodic compliance audits of selected facilities (3-year cycle), including auditing the completion of corrective actions initiated as a result of internal audits by corporate team; audits of company’s management system as part of compliance audits; done under attorney-client privilege

Audit frequency. There are several levels of audit frequency, depending on the type of audit:

  • Frequent: Operational (e.g., inspections, housekeeping, maintenance) – done as part of routine EHSMS day-to-day operational responsibilities
  • Periodic: Compliance, systems, actions/projects – conducted annually/semi-annually
  • As needed: For issue follow-up
  • Infrequent: Comprehensive, independent – conducted every three to four years

Differentiation methods. Differentiating identifies and distinguishes issues of greatest importance in terms of risk reduction and business performance improvement. The process for differentiating should be as clear and simple as possible; a priority rating and ranking system is widely understood and agreed upon. The rating system can address severity levels, as well as probability levels, in addition to complexity/difficulty and length of time required for corrective actions.

Legal protection. Attorney privilege for audit processes and reports is advisable where risk/liability are deemed significant, especially for third-party independent audits. To the extent possible, make the audit process and reports into management tools that guide continuous improvement. Organizations should follow due diligence elements of the USEPA audit policy.

Procedures. Describe and document the audit process for consistent, efficient, effective, and reliable application. The best way to do this is to involve both auditors and those being audited in the procedure design. Audit procedures should be tailored to the specific facility/operation being audited. Documented procedures should be used to train both auditors and those accountable for operations being audited. Procedures can be launched using a pilot facility approach to allow for initial testing and fine-tuning. Keep procedures current and continually improve them based on practical application. Audits include document and record review (corporate and facility), interviews, and observations.

Protocols & tools. Develop specific and targeted protocols that are tailored to operational characteristics and based on applicable regulations and requirements for the facility. Use “widely accepted or standard practice” as go-by tools to aid in developing protocols (e.g., ASTM site assessment standards; ISO 14010 audit guidance; audit protocols based on EPA, OSHA, MSHA, Canadian regulatory requirements; GEMI self-assessment tools; proprietary audit protocol/tools). As protocols are updated, the ability to evaluate continuous improvement trends must be maintained (i.e., trend analysis).

Information management & analysis. Procedures should be well-defined, clear, and consistent to enable the organization to analyze trends, identify systemic causes, and pinpoint recurring problem areas. An analysis should prompt communication of issues and differentiation among findings based on significance. Audit reports should be issued in a predictable and timely manner. It is desirable to orient the audit program toward organizational learning and continual improvement, rather than a “gotcha” philosophy. “Open book” approaches help learning by letting facility managers know in advance what the audit protocols are and how the audits will be conducted.

Verification & corrective action. Corrective actions require corporate review, top management-level attention and management accountability for timely completion. A robust root cause analysis helps to ensure not just correction/containment of the existing issue, but also preventive action to assure controls are in place to prevent the event from recurring. For example, if a drum is labeled incorrectly, the corrective action is to relabel that drum. A robust plan should also look for other drums that might be labeled incorrectly and add and communicate an effective preventive action (e.g., training or posting signs showing a correctly labeled drum).

Action item closure. Address repeat findings. Identify patterns and seek root cause analysis and sustainable corrections.

Training. Training should be done throughout the entire organization, across all levels:

  • Auditors are trained on both technical matters and program procedures.
  • Management is trained on the overall program design, purpose, business impacts of findings, responsibilities, corrections, and improvements.
  • Line operations are trained on compliance procedures and company policy/systems.

Communications. Communications with management should be done routinely to discuss status, needs, performance, program improvements, and business impacts. Communications should be done in business language—with business impacts defined in terms of risks, costs, savings, avoided costs/capital expenditures, benefits. Those accountable for performance need to be provided information as close to “real time” as possible, and the Board of Directors should be informed routinely.

Leadership philosophy. Senior management should exhibit top-down expectations for program excellence. EHSMS quality excellence goes hand-in-hand with operational and service quality excellence. Learning and continuous improvement should be emphasized.

Roles & responsibilities. Clear roles, responsibilities, and accountabilities need to be established. This includes top management understanding and embracing their roles/responsibilities. Owners of findings/fixes also must be clearly identified.

Funding for corrective actions. Funding should be allocated to projects based on the significance of risk exposure (i.e., systemic/preventive actions receive high priority). The process should incentivize proactive planning and expeditious resolution of significant problem areas and penalize recurrence or back-sliding on performance and lack of timely fixes.

Performance measurement system. Audit goals and objectives should be nested with the company business goals, key performance objectives, and values. A balanced scorecard can display leading and lagging indicators. Metrics should be quantitative, indicative (not all-inclusive), and tied to their ability to influence. Performance measurements should be communicated and widely understood. Information from auditing (e.g., findings, patterns, trends, comparisons) and the status of corrective actions often are reported on compliance dashboards for management review.

Degree of business integration. There should be a strong link between programs, procedures, and methods used in a quality management program—EHS activities should operate in patterns similar to core operations rather than as ancillary add-on duties. In addition, EHS should be involved in business planning and MOC. An EHSMS should be well-developed and designed for full business integration, and the audit program should feed critical information into the EHSMS.

Accountability. Accountability and compensation must be clearly linked at a meaningful level. Use various award/recognition programs to offer incentives to line operations personnel for excellent EHS performance. Make disincentives and disciplinary consequences clear to discourage non-compliant activities.

Deployment plan & schedule. The best practice combines the use of pilot facility audits, baseline audits (to design programs), tiered audits, and a continuous improvement model. Facility profiles are developed for all top priority facilities, including operational and EHS characteristics and regulatory and other requirements.

Relation to best practices. Inventory best practices and share/transfer them as part of audit program results. Use best-in-class facilities as models and “problem sites” for improvement planning and training. The figure illustrates an audit program that goes beyond the traditional “find it, fix it, find it, fix it” repetitive cycle to one that yields a real understanding of root causes and patterns. In this model, if the issues can be categorized and are of wide scale, the design of solutions can lead to company-wide corrective and preventive measures. This same method can be used to capture and transfer best practices across the organization. They are sustained through the continual review and improvement cycle of an EHSMS and are verified by future audits.

[Figure: Audit Cycle Diagram]

In our fifth and final article in this series, we talk about compliance program best practices and what it takes to maintain an ongoing world-class compliance assurance program.

18 Apr
Technology Tip: Software and Audits Top 10

All types of business and operational processes demand a variety of audits and inspections to evaluate compliance with standards—ranging from government regulations to industry codes, to system standards (i.e., ISO), to internal corporate requirements.

Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices.

By combining effective auditing program design, standardized procedures, trained/knowledgeable auditors, and computerized systems and tools, companies are better able to capture and analyze audit data, and then use that information to improve business performance. Having auditing software of some sort can greatly streamline productivity and enhance quality, especially in industries with many compliance obligations.

The following tips can help ensure that companies are getting the most out of their auditing process:

  1. Have a computerized system. Any system is better than nothing; functional is more important than perfect. The key is to commit to a choice and move forward with it. Companies are beginning to recognize the pitfalls of “smart people” audits (i.e., an audit conducted by an expert + notebook with no protocols or systems). While expertise is valuable, this approach makes it difficult to compare facilities and results, is not replicable, and provides no assurance that everything has been reviewed. A defined system and protocol helps to avoid these pitfalls.
  2. Invest time before the audit. The most important time in the audit process is before the audit begins. Do not wait until the day before to prepare. There is value in knowing the scope of the audit, understanding expectations, and developing question sets/protocol. This is also the time to ensure that the system collects the data desired to produce the final report.
  3. Capture data. Data is tangible. You can count, sort, compare and organize data so it can be used on the back end. Data allows the company to produce reports, analytics, and standard metrics/key performance indicators.
  4. Don’t forget about information. Information is important, too. The information provides descriptions, directions, photos, etc. to support the data and paint a complete picture.
  5. Be timely. Reports must be timely to correct findings and demonstrate a sense of urgency. Reports serve as a permanent record and begin the process of remediation. The sooner they are produced, the sooner corrective actions begin.
  6. Note immediate fixes. During the audit, there may be small things uncovered that can be fixed immediately. These items need to be recorded even if they are fixed during the audit. Unrecorded items “never happened”. Correspondingly, it is important to build a culture where individuals are not punished for findings, as this can result in underreporting.
  7. Understand the audience. Who will be reading the final report? What do they need to know? What is their level of understanding? Not all data presentation is useful. In fact, poorly presented data can be confusing and cause inaction. It is important to identify key data, reports desired, and the ways in which outputs can be automated to generate meaningful information.
  8. Compare to previous audits. The only way to get an accurate comparison is if audits have a common scope and a common checklist/protocol. Using a computerized system can ensure that these factors remain consistent. Comparisons reinforce and support a company’s efforts to maintain and improve compliance over time.
  9. Manage regulatory updates. It is important to maintain a connection to past audits and the associated compliance requirements at the time of the audit. Regulations might change and that needs to be tracked. Checklists, however, may remain the same. Companies should have a process for tracking regulatory updates and making sure that the system is updated appropriately.
  10. Maintain data frequency. For data, the frequency is key. Consider what smaller scope, higher frequency audits look like. These can allow the company to gather more data, involve more people, and improve the overall quality and reliability of reports.

A well-designed and well-executed auditing program—with analysis of audit data—provides an essential tool for improving and verifying business performance. Audits capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. And using a technology tool or system to manage the audit makes that information even more useful.

05 Apr
EPA Proposes to Delay RMP Rule Effective Date to 2019

On Friday, March 31, 2017, U.S. Environmental Protection Agency (EPA) Administrator Scott Pruitt announced a proposed rule to further delay the effective date of the Obama Administration’s Risk Management Program (RMP) final rule until February 19, 2019. This will give the agency time to reconsider the final RMP rule published on January 13, 2017.

Industry organizations have raised serious concerns about the final rule. The proposal to further delay the effective date of the amendments will allow the Agency time to evaluate these objections and consider other issues that may benefit from the additional public input.

Sidebar: