Auditing is a management tool that can be used to evaluate and monitor the internal performance and compliance of your company with regulations and standards. An audit can also be used to determine the overall effectiveness of an existing system within your company.
How do you incorporate compliance auditing best practices to help maximize compliance, efficiency, and value of your audit? Here are five critical factors for value-added audits.
1. Goal Aligned with Business Strategy
There are many reasons why companies conduct audits:
- Support commitment to compliance
- Avoid penalties
- Meet management system requirements
- Meet corporate or customer mandates
- Support acquisition or divestiture
- Assess organizational structure and competency
- Identify cost saving and pollution prevention opportunities
- Determine alignment with strategic direction
It is vital to define and understand the goal of your compliance audit program before beginning the audit process. Establishing goals enables recognition of broader issues and can lead to long-term preventive programs. Not establishing a clear, concise goal can lead to a waste of resources.
Audit goals and objectives should be nested within the company business goals, key performance objectives, and values. An example of a goal might be to effectively measure environmental compliance while maintaining a reasonable return on investment.
Once the goal is established, it is important to communicate it across all functions of the organization to get company-wide support. Performance measurements should also be communicated and widely understood.
2. Management Buy-in
The audit program must have upper management support to be successful. Management must exhibit top-down expectations for program excellence, view audits as a tool to drive continuous improvement, and work to imbed audits within other improvement processes. Equally important, management must not use audit results to take punitive action against any person or department.
3. Documented Audit Program Systematically Applied
Describe and document the audit process for consistent, efficient, effective, and reliable application. Audit procedures should be tailored to the specific facility/operation being audited. A documented program will include the following:
- Scope. The scope discusses what areas/media/timeframe will be audited. The scope of the audit may be limited initially to what is manageable and can be done very well, thereby producing performance improvement and a wider understanding and acceptance of objectives. It may also be limited by identifying certain procedural or regulatory shifts and changes. As the program is developed and matures (e.g., management systems, company policy, operational integration), it can be expanded and, eventually, shift over time toward systems in place, prevention, efficiency, and best practices. It is important at the scoping stage to address your timeline. Audits should be scoped to make sure you get them done but also to make sure you have audited all compliance areas in an identified timeframe.
- Criteria. Compliance with requirements will clearly be covered in an audit, but what about other opportunities for improvement (e.g., pollution prevention, energy savings, carbon reduction)? All facilities need to be covered at the appropriate level, with emphasis based on potential compliance and business risks. Assess the program strengths, redundancy, integration within the organization, and alignment with the program goal. Develop specific and targeted protocols that are tailored to operational characteristics and based on applicable regulations and requirements for the facility. As protocols are updated, the ability to evaluate continuous improvement trends must be maintained.
- Auditor training (i.e., competency, bias). A significant portion of the audit program should be conducted by knowledgeable auditors (e.g., independent insiders, third parties, or a combination thereof) with clear independence from the operations being audited and from the direct chain of command. For organizational learning and to leverage compliance standards across facilities, it is good practice to vary at least one audit team member for each audit. Companies often enlist personnel from different facilities and with different expertise to audit other facilities. Periodic third-party audits further bring outside perspective and reduce tendencies toward “home-blindness”.
Training should be done throughout the entire organization, across all levels:
+ Auditors are trained on both technical matters and program procedures.
+ Management is trained on the overall program design, purpose, business impacts of findings, responsibilities, corrections, and improvements.
+ Line operations are trained on compliance procedures and company policy/systems.
Consider having auditor training conducted by an outside source to teach people how to decide what to audit and follow a trail. It can also work well to train internal auditors by having them audit alongside an experienced 3rd party.
- Audit conduct (i.e., positive approach). A positive approach and rationale for the audit must be embraced. Management establishes this tone and sets the expectation for cooperation among all employees. Communication before, during, and after the audit is vital in keeping things positive. It is important to stress the following:
- Auditor interviews are evaluating systems, not personal behaviors.
- The audit is an effective tool to improve performances.
- Results will not be used punitively.
- Audit reporting. Information from auditing (e.g., findings, patterns, trends, comparisons) and the status of corrective actions often are reported on compliance dashboards for management review. Audit reports should be issued in a predictable and timely manner. It is desirable to orient the audit program toward organizational learning and continual improvement, rather than a “gotcha” philosophy. “Open book” approaches help learning by letting facility managers know in advance what the audit protocols are and how the audits will be conducted. Documentation is essential, and reporting should always align with program goals and follow legal guidance. There is variability in what gets reported and how based on the company’s objects. For example:
- Findings only vs. opportunities for improvement and best management practices?
- Spreadsheet vs. long format report?
- Scoring vs. prioritization of findings (beware of the unintended consequences of scores!)?
- Recommendations for corrective actions included or left for separate discussion?
- Corrective and preventive action. Corrective actions require corporate review, top management-level attention, and management accountability for timely completion. A robust root cause analysis helps ensure not just correction/containment of the existing issue, but also preventive action to assure controls are in place to prevent the event from recurring. For example, if a drum is labeled incorrectly, the corrective action is to relabel that drum. A robust plan should be to also look for other drums that might be labeled incorrectly and to add and communicate an effective preventive action (e.g., training or posting signs showing a correctly labeled drum).
- Follow-up and frequency. Address repeat findings. Identify patterns and seek root cause analysis and sustainable corrections. Communications with management should be done routinely to discuss status, needs, performance, program improvements, and business impacts. Those accountable for performance need to be provided information as close to “real time” as possible. There are several levels of audit frequency, depending on the type of audit:
- Frequent: Operational (e.g., inspections, housekeeping, maintenance) – done as part of routine day-to-day operational responsibilities
- Periodic: Compliance, systems, actions/projects – conducted annually/semi-annually
- As needed: For issue follow-up
- Infrequent: Comprehensive, independent – conducted every three to four years
4. Robust Corrective Action Program
As mentioned above, corrective actions are a must. If there is no commitment to correction, there is no reason to audit. A robust root cause analysis is essential. This should be a formal, yet flexible, approach. There should be no band-aids. Mistake-proof corrections and include metrics where possible. In the drum example given above, a more robust corrective action program would look at the root cause: Why was the drum mislabeled? Did the person know to label it? If so, why didn’t they do it?
The correction itself is key to the success of the audit program. Establish the expected timeframe for correction (including addressing preventive action). Establish an escalation process for delayed corrections. Corrective actions should be reviewed regularly by upper management using the existing operations review process. There must also be a process for verification that the correction has been made; the next audit cycle may not be sufficient.
Note also that addressing opportunities for improvement, not just non-compliance findings, may increase the return on investment associated with conducting an audit.
5. Sharing of Findings and Best Practices
Audit results should be communicated to increase awareness and minimize repeat findings. Even if conducted under privilege, best practices and corrections can and should still be shared. Celebrate the positives and creative solutions. Stress the value of the audit program, always providing metrics and cost avoidance examples when possible. Inventory best practices and share/transfer them as part of audit program results. Use best-in-class facilities as models and “problem sites” for improvement planning and training.
An audit can provide much additional value and return on organization if it is planned and managed effectively. This includes doing the following:
- Align program goal with business strategy to secure top-down buy-in
- Expand criteria beyond compliance
- Gain goodwill through positive approach
- Document program and results
- Monitor for timely, effective corrective action
- Share opportunities for improvement
Waste regulations can be difficult to understand, and it can be challenging to comply. Regulatory citations often seem like they are in a different language and the terminology used by inspectors can be confusing and difficult to decipher. Compliance often requires speaking not only the lab/industry language, but also the regulator’s language.
To get a true understanding of what regulations apply, it is important to start by asking two fundamental questions:
- What wastes does my company generate?
- What activities does my company carry out that are covered by waste requirements?
Through an evaluation of chemicals onsite, development of an inventory of both chemicals used and waste generated, and identification of processes to efficiently and effectively manage waste, businesses/labs can ensure they understand and meet their EHS regulatory obligations in the most efficient ways possible.
Environmental Protection Agency (EPA): Where Do You Start?
EPA regulates much of the waste generated by industry. Over the past ten years, the Agency has demonstrated an even stronger focus on labs. The most commonly cited EPA penalties under the Resource Conservation and Recovery Act (RCRA), which governs the disposal of solid and hazardous waste, have resulted from the items listed below:
- Dumping hazardous wastes down the drain
- Not having or having inadequate hazardous waste manifests
- Failing to properly train employees in hazardous waste management, handling, and emergency preparedness
- Lack of or improper labeling
- Open containers of hazardous waste onsite
- Failing to comply with hazardous waste generator regulations
- Improperly managing expired paints or spray paints
- Failing to have hazardous waste determinations on file
- Improper consolidation of waste from other nearby facilities
- Noncompliance with underground storage tank regulations
In order to avoid these citations, it is important to first understand your wastes. This is done through an EPA-required waste determination. In addition to reviewing chemicals that are used in processes and the different types of risk they present, a waste determination should evaluate all waste being generated by processes throughout the facility. The following waste streams are of particular regulatory concern, as they have strict regulatory requirements for their management and disposal.
Hazardous wastes are found in a variety of processes in labs and in industry. Solvents used to operate equipment, chemicals to conduct reactions and create products, maintenance chemicals, and new innovations are all potential sources of hazardous waste and should be included in a comprehensive waste determination.
The most frequently generated hazardous waste type in labs and in industry is flammable liquids. Chemicals such as acetone, toluene, xylenes, and methanol are commonly used flammable liquids that must be managed as hazardous waste. These wastes cannot be dumped down the drain without significant risk of fire, danger to personnel, and regulatory penalty. One of the first questions a regulator will ask in a lab or industrial process setting is to see waste containers. If a facility has chemicals but no waste containers, the regulators immediately jump to the conclusion that waste is not being managed correctly.
Other common hazardous waste streams found in labs and industry include toxic chemicals; corrosive acids and caustic bases; reactive chemicals, such as oxidizers and polymerizing chemicals; and chemicals that are radioactive. All of these are regulated by compliance agencies and require special management.
Examples of EPA regulations applying to labs include such things as identification of the amount of hazardous waste generated in a calendar month by a lab or in industry. The more hazardous waste generated, the more rigorous the EPA regulations.
EPA also regulates a class of waste referred to as universal waste. Universal wastes are hazardous in their composition but can be recycled (e.g., fluorescent lightbulbs or lamps, CRTs and electronic waste, rechargeable batteries, and mercury-containing items). Failure to collect, label, store, and recycle these types of waste properly can also result in substantial threat of compliance penalty.
EPA regulators have focused on these waste streams as a source of penalty for the past decade. This is one of the most frequent citations issued to businesses. Although not as complex as the requirements for proper hazardous waste management, universal waste has nuances that a generator must be aware of to properly meet the regulatory requirements.
Biohazardous, Sharps, Pharmaceuticals, Unwanted Equipment, and Other Waste Types
Labs and industry have many additional sources of waste that are confusing and present head-scratching challenges as a waste determination is conducted. For example:
- If a facility wants to remove an outdated x-ray machine or electron microscope from service, what are the compliance requirements and is there a way to recycle it?
- If a lab process results in debris that is contaminated with bodily fluids, can they just be thrown in the trash? At what point are they considered “biohazardous?”
Additional regulatory agencies that oversee lab and industry operations include the Occupational Safety & Health Administration (OSHA), Department of Transportation (DOT), Department of Homeland Security (DHS), fire department, and others depending upon the type of work being done, chemicals being used, and resulting end products. As with EPA, identifying the other regulations that apply can be quite challenging and overwhelming. For example:
- Under OSHA, evaluation of worker personal protective equipment (PPE), respiratory protection, safety equipment, including safety showers and eye wash stations, and fire extinguishers requires plans, inspections, and training of workers. These programs should be set up as best practice to protect employees.
- As discussed in our previous article, DOT is often forgotten about in labs; however, there are general DOT requirements for any entity receiving or shipping hazardous materials. Failure to have proper DOT training or to know how to properly ship can result in significant financial penalty.
The waste scenarios seen in labs and industry are countless, and each may hold associated regulatory compliance requirements. While this clearly presents business risks, it also provides a unique opportunity to create strategies to manage wastes more effectively and efficiently, improve safety, and reduce the potential costs of regulatory compliance.
Preparing products for shipment out and receiving raw materials in are both critical parts of the biotech lab/industry supply chain. In fact, managing transportation of these materials is an essential component of achieving operational success. Shipping hazardous waste that has resulted from product manufacturing or industrial processes is also vital to operations, as doing so helps to ensure compliance with regulations and minimize risks onsite.
Yet as important as hazardous waste transportation is in the biotech industry, some of the most overlooked regulations in industry are those requirements the Department of Transportation (DOT) has in place for “offering” (i.e., shipping or receiving) hazardous materials into commerce. Regardless of whether a company is shipping hazardous materials, receiving hazardous materials, or shipping hazardous waste, there are regulatory requirements that must be met to avoid substantial penalty and to maintain safe and compliant operations.
Training Requirements and Common Violations
The most significant DOT requirement related to waste relates to the DOT’s regulations for training, as enforced by the Pipeline and Hazardous Materials Safety Administration (PHMSA) division. PHMSA’s Hazmat Transportation Training requirements identify five areas that anyone offering (i.e., shipping or receiving) hazardous materials into commerce must be trained in to meet the General Awareness Hazardous Materials Regulatory (HMR) requirements (49 CFR 172.704).
One of the most common violations identified by both DOT and the Environmental Protection Agency (EPA) is failure of personnel signing hazardous waste manifests to have appropriate DOT training. A manifest tracks hazardous waste movement from your site to the proper destination (i.e., from “cradle to grave”). Each party that handles the waste signs the manifest and retains a copy for themselves. This ensures critical accountability in the transportation and disposal processes. If you are required to use a manifest for off-site shipments of hazardous waste, it is likely that you are required to have some form of hazardous waste training.
Training must be completed within 90 days of employment and must be refreshed at a minimum of every three years. Failure to meet this training requirement can result in substantial financial penalty. Perhaps even more important, lack of training may also impact the understanding of employees in how to correctly—and safely—perform their duties.
The 2019 DOT HMR penalty amounts are as follows:
- The maximum civil penalty for a violation of hazardous materials transportation law (49 U.S.C. 5123(a)(1)) is $79,976 per day, per violation.
- For a violation that results in death, serious illness, severe injury, or substantial property damage, the fine is $186,610.
- The minimum penalty for a violation related to hazmat training (required once every three years for all hazmat employees per 49 CFR 172.704) is $481 per day, per violation.
Training and Resources
Training is key to compliance when it comes to shipping and receiving hazardous materials. Kestrel offers training with competency demonstration that meets the DOT Hazardous Materials General Awareness Training requirements. In a one-day seminar, participants:
- Learn all five required areas of compliance
- Develop understanding of various hazard classes and appropriate shipping requirements
- Practice identification of shipping names and use of the DOT Hazardous Materials Table in 49 CFR 172.101 as a reference for information
- Demonstrate competency and understanding through a written exercise at the completion of the class
Kestrel’s next offering of the 8-hour DOT Triennial General Awareness Training is being offered specifically for the biotech industry on Thursday, October 23 in Madison, Wisconsin. Register online.
The following resources may also be helpful in understanding your hazardous waste transportation requirements:
Biotech labs and industrial processes traditionally produce many different types of waste that can present significant waste management challenges. Identifying all the different waste sources in operations is not as easy as it sounds. For example, labs and industry may not fully take the time to evaluate the chemicals in reagents, and as a result, they can make errors in managing the associated waste—errors that present significant risk of regulatory penalty, unnecessary expenditures, or exposure to personnel.
However, as the following case study shows, appropriately identifying and managing wastes also presents opportunities for reduced risk, cost savings, and improved compliance.
Case Study in Waste
Recently, Kestrel assisted an industrial lab located in a large production facility with waste management concerns. An EPA inspection identified several negative findings with an estimated potential fine of $350,000. Kestrel assisted with penalty negotiations and development of waste management strategies.
Inventory and Risk Identification
As Kestrel worked to get the facility in compliance, the inventory and risk identification process uncovered one waste stream that contained small amounts of mercury in test vials. The lab had been comingling this waste stream with their vials of flammable solvent waste, resulting in large lab packs of waste that were expensive to dispose. A five-gallon bucket of vials cost them approximately $250 for disposal, and they were generating up to six buckets per month. While the process of comingling is not a compliance issue when handled as a hazardous waste, it is often an unnecessarily expensive way to manage non-hazardous waste.
A thorough evaluation of the reagent used indicated that there were alternative test methods that could be used to test for the same analyte. The lab was able to switch the mercury-containing reagent with a non-mercury-containing alternative. The cost for disposal of the five-gallon buckets dropped from $250 to $85 per bucket. Importantly, the testing methods were just as accurate and met the lab’s needs. This change minimized the risk of mercury exposure or a costly mercury cleanup event and resulted in a cost savings of approximately $1,000 per month.
Removal of the mercury-containing reagent was just one of many strategic improvements implemented at the lab based on the initial waste evaluation. Kestrel was able to develop strategies to resolve the remainder of the EPA findings. Based on the comprehensive compliance improvements, the EPA penalty was negotiated to a no-penalty ruling and the company did not have to pay any amount in fines. They have now operated for an additional two years with no EPA penalty, continued reduction in waste management costs, minimized risk to employees, and operated a more efficient and streamlined lab.
How About You?
Have you considered your operations and your waste streams? Ask yourself:
- Are there waste streams that you are paying too much to manage?
- Are there alternatives to the reagents or kits you are using that may minimize your risk and improve safety in your lab?
- Are there strategies that can make waste management simpler, more cost-effective, and more compliant that you could implement in your lab?
- Are you managing your waste correctly?
- Are you disposing of your waste efficiently and cost-effectively?
- Do you have a system to track your waste and sustain its management?
Waste is one of those risks that is often overlooked at companies because it isn’t something core to operations. Unfortunately, if waste is incorrectly managed, there are regulatory compliance risks, exposure risks, and potential financial penalties that can impact your business.
The following represent just some of the challenging waste situations facing biotech companies that must be addressed:
- Chemical liquid waste going down the drain
- Chemicals being evaporated up the hood
- Biohazardous materials being thrown in the trash
- Chemical spill cleanup materials that are being thrown in the trash
Waste products such as these do not belong in standard trash and may hold either more value or more risk to the organization. For example, some wastes have continued value through recycling or repurposing. Conversely, other wastes may be regulated, requiring special disposal processes. Improperly disposing these regulated wastes (i.e., through standard trash) can create safety or environmental risks that may cost big dollars.
How do you avoid making pricey mistakes?
A methodical, analytical approach to characterizing and evaluating waste can substantially improve efficiencies when it comes to handling waste, and minimize the risks of improper waste management. Evaluation of waste streams (i.e., the type of waste generated and how/where it is generated) can help to identify:
- Areas to improve efficiencies in waste management processes
- Wastes that can be minimized and/or prevented to reduce disposal costs
- Alternative strategies for disposal and waste management that may result in minimized inputs and lower cost of initial supplies
- Regulatory requirements to avoid any potential penalties for non-compliance
Let’s take the evaluation of waste solvent as one example. Companies frequently purchase large quantities of solvent and then end up paying for its disposal. Reviewing the type of solvent and how it is being used may reveal an alternative with the potential for significant savings, such as a bench–top distillation unit, which would provide for:
- Lower upfront costs in the purchase of solvent
- Lower costs in the disposal of hazardous waste solvent
- Fewer risks and regulatory requirements associated with stocking less solvent
Strategic evaluation of one type of generated waste may also lead to significant business benefits beyond the waste itself. A thorough review of business and operational processes and the waste being generated creates the opportunity for a “bottom–to–top” evaluation of all regulatory compliance. And that can lead to potential savings that a business may not have previously identified. Review and understanding of wastes being generated within a lab or business often leads to the following program area discussions:
- Review of EPA hazardous waste and opportunities to minimize or more cost-effectively manage this expensive waste stream.
- Evaluation of compliance with EPA waste requirements to make sure waste is labeled, stored, disposed, and reported correctly.
- Review of other waste streams, such as biohazardous, radiological, and universal waste streams, to assure they are being efficiently managed and in compliance with regulations.
- Evaluation of how chemicals are being managed in accordance with regulatory requirements (e.g., EPA, OSHA, DOT).
- Review of OSHA safety programs and discussions to ensure training, documentation, and procedures are in place to keep employees safe while meeting requirements for such programs as hazard communication, personal protective equipment (PPE), respiratory protection, safety showers, eye wash stations, fire extinguishers, confined space, energy control and emergency response planning.
- Exploration of options for recycling and best practices that have the potential to significantly improve financial bottom line management and increase sustainability of lab operation.
Strategy Going Forward
Effectively managing your waste really begins with a comprehensive review of operations. It is a process of understanding what you have, where it fits, and what you need to do with it to minimize risk, reduce costs, and ensure compliance. This process walks a company through the following basic questions:
- What are my business processes?
- What kind of waste does my company generate?
- What waste regulations apply to my business?
- How do I understand the potential impacts of my waste?
- How do I come up with a strategy to effectively minimize waste and reduce cost while keeping employees safe?
- How do I ensure that we efficiently and cost-effectively manage waste and compliance for the long run?
On August 14, 2019, the U.S. Department of Transportation’s (DOT) Pipeline and Hazardous Materials Safety Administration (PHMSA) released a proposed rule to make several miscellaneous amendments to the Hazardous Materials Regulations (HMR) to ensure the safe and secure movement of hazardous materials to industry and consumers by all modes of transportation.
This proposed rule is in response to numerous petitions submitted requesting PHMSA address a variety of provisions, including some on packaging, hazardous communication, and incorporation by reference documents.
According to PHMSA, the amendments are intended to update, clarify, improve the safety of, or provide relief from various regulatory requirements in the HMR. The proposed amendments include:
- Adopting a phase-out schedule for certain railroad tank cars used to transport poisonous-by-inhalation materials
- Clarifying the cleaning standard for metal drums, including removing residual adhesive from labels
- Allowing the continued use of certain portable and mobile refrigerator systems commonly used in the produce industry
- Allowing for all waste materials to be managed in accordance with the lab pack exception whether they meet the definition of a hazardous waste per the U.S. EPA
- Incorporating an industry standard that can help to enhance the production of oil and gas wells
- Several additional proposed amendments derived from PHMSA’s petition for rulemaking process
EPA’s Hazardous Waste Generator Improvements Rule became effective on May 30, 2017, federally and in those states and U.S. Territories not authorized for RCRA (i.e., Iowa, Alaska, tribal lands and most of the territories). In the remainder of the states, the rule becomes effective when the state adopts it and adds it to their regulations. States were required to adopt more stringent revisions by July 1, 2019, which means the impacts of this rule should start to be realized across the country. The states are in various stages of adopting the regulation; check the status for your state.
For all intents and purposes, this is a good
thing, as the Improvements Rule is designed to:
- Make the RCRA hazardous waste generator regulations
easier to understand;
- Provide greater flexibility in how hazardous waste is managed to
better fit today’s business operations; and
- Improve environmental protection.
Substantial Regulatory Revisions
The final rule includes over 60 revisions and new provisions to the hazardous waste generator program to make requirements more “user-friendly” in the end. Many of the revisions are technical corrections that address inadvertent errors in the regulations, remove obsolete programs, and clarify unclear citations. Some of the more substantial changes in the final rule, which states are required to adopt unless their requirements are more stringent, are outlined below.
Very Small Quantity Generators (VSQGs)
Conditionally exempt small quantity generators are now called very small quantity generators (VSQGs), and VSQG regulations are moved from 40 CFR 261.5 to 40 CFR 262. A VSQG generates less than 100 kg of hazardous waste in a month and may not accumulate more than 1,000 kg of hazardous waste.
Renotification for Small Quantity Generators (SQG)
The new rule now requires
periodic renotification for SQGs every four years; SQGs were previously only required
to notify once.
Any facility that generates waste needs to determine
whether that waste is hazardous. According to the Improvements Rule, his waste
determination must be made at the point of generation of the waste, prior to
any dilution, mixing, and/or alteration.
VSQGs are allowed to send hazardous waste to a large quantity
generator (LGQ) to consolidate it before sending it to a RCRA-designated
facility for management, under the condition that the facilities are under the
control of the same person. Waste containers must be appropriately labeled
(i.e., VSQG Hazardous Waste), and the LQG must notify the state of their
Episodic generation of hazardous waste occurs when
a non-routine event (planned or unplanned) results in a smaller generator
generating atypically larger amount of hazardous waste in a month, triggering
more stringent regulations. Under the Improvements Rule, VSQGs and small
quantity generators (SQGs) are allowed to maintain their existing generator
category in the event they experience an episodic generation event. The Rule
allows for one event per calendar year, with the potential to petition for a
second. Generators must notify EPA/state agency 30 days prior to initiating a
planned event or within 72 hours of an unplanned event.
Previous RCRA program labeling regulations did not require waste generators to identify the hazards of wastes, which resulted in failure to communicate risks of wastes being transported, accumulated, or stored in different locations. Under the Improvements Rule, labeling and marking of containers and tanks must clearly indicate the hazards of the hazardous waste contained inside and include the words “Hazardous Waste” .
Waste generators may use one of several established methods to indicate the waste hazards, including:
- DOT hazard communication consistent with 49
CFR part 172 subpart E (labeling) or subpart F (placarding)
- OSHA hazard statement or pictogram, as
described in the OSHA Hazard Communication Standard in 29 CFR section 1910.1200
- NFPA code 704 chemical hazard label
- RCRA hazardous waste characteristic (i.e.,
ignitable, corrosive, reactive, toxic)
The labeling requirements for containers in
the satellite accumulation areas and for containers in the central accumulation
area are identical, with the additional requirement that containers in the
generator’s central accumulation area are marked with the date that the
satellite container was moved to the storage area or the date that waste was
initially added to the container in the central accumulation area.
Note that marking containers with RCRA codes is required for SQGs and LQGs prior to sending hazardous waste off-site, per 40 CFR 262.32.
Previous regulations required generators to make arrangements with Local Emergency Planning Commissions (LEPCs) for potential emergency situations. The Improvements Rule expands this to require documentation of these arrangements/efforts with the LEPCs. In addition, LQGs must prepare an executive summary of their contingency plans containing the information most critical for immediate response to an emergency situation. This Quick Reference Guide must contain the following eight elements:
- Types/names of hazardous waste and associated
- Estimated maximum amounts of hazardous waste
- Hazardous wastes requiring special treatment
- Map highlighting where hazardous wastes are
generated, accumulated, and treated
- Map of facility and surroundings that
identifies routes of access and evacuation
- Location of water supply
- Identification of onsite notification systems
- Name of emergency coordinator and contact
Again, the final rule includes over 60 revisions and new provisions, and authorized states are required to adopt the more stringent portions of the rule and may choose to adopt the less stringent portions. It is important for facilities to:
- Get a solid understanding of the rule for the states in which it operates. Regulations may vary from state to state.
- Determine waste generator status to understand which requirements are applicable. VSQGs, SQGs, and LQGs have some different requirements due to their potential impacts on the environment.
- Assess compliance with the new and revised provisions. Each facility should be assessed to compare existing efforts with updated regulatory requirements.
- Create a plan to close any compliance gaps. In many cases, the rule offers flexibility to help facilities in their efforts to comply. There are alternatives facilities can and should explore to find solutions that offer the greatest economic and environmental benefits.
BY: Stacey Pisani
Comments: No Comments
Compliance risk assessment helps to identify and assess risks related to applicable regulatory requirements. Internal and external events or conditions affecting the entity’s ability to achieve objectives must be identified, distinguishing between risks and opportunities. These risks are analyzed, considering the following:
- Size of the risk – where, how big, how often/many?
- Severity of the outcome – to what extent can it impact safety, environmental, operational, financial, customer relations, regulatory compliance?
- Likelihood/probability of each risk – how likely is the occurrence of a negative outcome, considering the maturity of existing controls?
Based on this assessment, management can prioritize risks, select appropriate risk responses (avoiding, accepting, reducing, sharing), and develop a set of actions to align with the entity’s risk tolerance/appetite. An acceptable level of residual risk is considered after selected improvements and controls are applied. From there, policies and procedures can be established and implemented to help ensure the risk responses are effectively communicated so operating managers and individuals can carry out their responsibilities.
A deeper dive compliance program assessment may be performed for those risks that are identified as the company’s most significant.
Compliance Program Assessment
A compliance program assessment looks beyond “point-in-time” compliance to critically evaluate how the company manages compliance programs, processes, and activities, with compliance assurance as the ultimate goal. Capability, capacity, programs, and processes to comply are examined as part of this review. Conducting routine process and compliance audits are also key components of a compliance assurance program.
Compliance program assessment should follow a disciplined and consistent process, resulting in an effective program that guides alignment of activities to an integrated management system for sustained compliance and continuous improvement. An essential part of the assessment, audits capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices.
Compliance program assessment enables a company to define and understand:
- Compliance requirements and where regulated activities occur throughout the organization
- Current company programs and processes used to manage those activities and the associated level of program/process maturity
- Deficiencies in compliance program management and opportunities for improvement
- How to feed review recommendations back into elements of the management system to create a roadmap for sustaining and continually improving compliance
There are six phases associated with a compliance program assessment:
Phase 1 – Regulations, Requirements, and Applicability Analysis: Phase 1 focuses on identifying, organizing, validating, and understanding all of the requirements (legal or other) with which the company must comply. It provides an applicability analysis of the requirements to company operations by functional area and evaluates the associated risks. This stage engages representatives across the company who are responsible for activities subject to the requirements.
Phase 2 – Activities Analysis: This phase involves developing an inventory/profile of all company activities that may trigger the requirements identified in Phase 1. It asks the question, “What activities does the company carry out that are covered by the requirements?”
Phase 3 – Desired Compliance Program Standard: Establishing the company’s expectations for compliance program processes and controls—the desired condition—is essential. This “to-be” standard integrates management system principles into compliance program management. Programs should examine relative risks and ensure that risk-based priorities are being set.
Phase 4 – Actual Compliance Program Condition: In contrast to the desired standard identified in Phase 3, Phase 4 is about describing the company’s current compliance program. It defines how the company performs the activities outlined in Phase 3 (along with who, when, and where)—the “as-is” condition. This is done in the same framework as the desired standard in order to compare them in the next phase.
Phase 5 – Gap Analysis: The gap analysis compares actual compliance program management against the desired standard. It evaluates compliance program management processes, controls, and maturity to determine if they are good as is, need improvement, or are missing. These gaps and opportunities provide the basis for the improvement actions developed in Phase 6.
Phase 6 – Improvement Actions: Phase 6 moves the process along to developing action plans and an approach for ongoing management review that will guide the compliance program development and improvement activities. Compliance program management review is established at the end of this last phase. If there is a management system in place, program review information and action plan tracking can be integrated into that management system.
As a whole, this process will help companies evaluate the degree to which:
- Compliance goals and objectives are set and communicated by management.
- Hazards and risks are identified, sized, and assessed, including an inventory of activities subject to the compliance requirements and the relative risks.
- Existing controls are adequate and effective, recognizing, and addressing changed conditions.
- Plans are in place to address risks not adequately covered by existing controls.
- Plans and controls are resourced and implemented.
- Controls are documented and operationalized across functions and work units.
- Personnel know and understand the controls and expectations, and are engaged in their design and improvement.
- Controls are being monitored with appropriate metrics and compliance auditing and assurance.
- Information system is sufficient to support management system-required functions (e.g., document management and control, action tracking, notifications, training tracking, task calendaring, metrics reporting). Information dashboards can be used for reports to management.
- Deficiencies are being addressed by corrective/preventive action and are being tracked to completion.
- Processes, controls, and performance are being reviewed by management for ongoing improvement, including the maintenance and continual improvement of the integrated management system.
A well-designed and well-executed compliance assurance program provides an essential tool for improving and verifying business performance and limiting compliance risks. Ultimately, however, a compliance program’s effectiveness comes down to whether it is merely a “paper program” or whether it is being integrated into the organization and used in practice on a daily basis.
The following can show evidence of a living, breathing program:
- Comprehensiveness of the program
- Dedicated staff and resources
- Employee knowledge and engagement
- Management commitment and employee perception
- Internal operational inspections, “walkabouts” by management
- Independent insider, plus third-party audits
- Program tailoring to greatest risks
- Consistency and timeliness of exception (noncompliance/nonconformance) disclosures
- Tracking of timely and adequate corrective/preventive action completion
- Progress and performance monitoring
To achieve a compliance assurance program on par with world-class organizations, there are a number of best practices that companies should employ:
Know the requirements. This means maintaining an inventory of regulatory compliance requirements for each compliance program, as well as of state/local/contractual binding agreements applying to operations. It is vital that the organization keep abreast of current/upcoming requirements (federal, state, local).
Plan and develop the processes to comply. Identify and assess compliance risks, and then set objectives and targets for performance improvement based on top priorities. From here, it becomes possible to then define program improvement initiatives, assign and document responsibilities for compliance (who must do what and when), develop procedures and tools, and then allocate resources to get it done.
Assure compliance in operations. The organization needs to establish routine checks and inspections within departments to evaluate conformance with sub-process procedures. Process audits should be designed and implemented to cut across operations and sub-processes in order to evaluate conformance with company policies and procedures. Regulatory compliance audits should further be conducted to address program requirements (e.g., environmental, safety, mine safety, security). Audit performance must be measured and reported, and the expectations set for operating managers to take responsibility for compliance.
Take action on issues and problems. Capture, log and categorize noncompliance issues, process nonconformances, and near misses. Implement a corrective/preventive action process based on the importance of issues. Be disciplined in timely completion, close-out, and documentation of all corrective/preventive actions.
Employ management of change (MOC) process. Robust MOC processes help ensure that changes affecting compliance (to the facility, operations, personnel, infrastructure, materials, etc.) are reviewed for their impacts on compliance. Compliance should be assured before the changes are made. Failure to do so is one of the most common root causes of noncompliance.
Ensure management involvement and leadership. Set the tone at the top. The Board of Directors and senior executives must set policy, culture, values, expectations, and goals. It is just as important that these individuals are the ones to communicate across the organization, to demonstrate their commitment and leadership, to define an appropriate incentive/disincentive system, and to provide ongoing organizational feedback.
Maintaining Ongoing Compliance
The compliance assurance program must be a living, breathing program. As risks change, the program must be refreshed, refined, and redeployed. A management system framework can help ensure operational sustainability. A management system drives the auditing process and helps companies say what they will do, do what they say and, importantly, verify it.
Together, there is a real value at the intersection of a compliance assurance program and management systems. Management systems define the internal controls that are in place to reduce risks, prevent losses, and sustain and improve performance over time through the Plan-Do-Check-Act (PDCA) cycle of continual improvement.
Testing and Monitoring
Testing, monitoring, and measuring are crucial elements of this cycle. Without them, it is difficult to understand what is working and what needs improvement. Robust testing and monitoring programs can serve as early warning systems for identifying potential compliance risks before they become enforcement issues.
Compliance should be tested and monitored throughout each level of the organization. A strong testing program will evaluate the results of the compliance risk assessment and assign compliance risks to the business units and processes where they are most likely to occur, creating clear lines of responsibility and accountability. Key risks and the related controls should be tested periodically using statistically valid sampling methodologies, and monitoring activities should be performed on an ongoing basis. Doing so produces trend data that provides the rationale needed for making changes to underlying business processes, as well as emerging risks.
Ongoing compliance excellence relies on top management, operations managers, EHS personnel, and individual employees throughout the organization working together to build and sustain an organizational culture that places compliance on par with business performance. Senior management must focus on the overall culture of the company in terms of taking the necessary steps to reduce risk and make prevention part of daily operations. While it may be impossible to eliminate all risk exposure, a solid risk framework, assessment methodology, and compliance assurance program can help to prioritize risks for active management, sustained compliance, and positive business impacts.
BY: Stacey Pisani
Comments: No Comments
Virtually every regulatory program—environmental, health & safety, security, food safety—has compliance requirements that call for companies to fulfill a number of common compliance activities. While they do not necessarily need to be addressed all at once or from the start, considering the eight functions of compliance (as outlined below) when designing a compliance Information Management System (IMS) helps define the starting point and build a vision for the “end point” when planning IMS improvements. These compliance functions translate into modules—facility profiles, employee counts, training tracking, corrective action tracking, auditing tasks, compliance calendars, documents and records management, permit tracking, etc.—that are instrumental in establishing or improving a company’s capability to comply.
8 Functions of Compliance
- Inventory means taking stock of what exists. The outcome of a compliance inventory is an operational and EHS profile of the company’s operations and sites. In essence, the inventory is the top filter that determines the applicability of regulatory requirements and guides compliance plans, programs, and activities. For compliance purposes, the inventory is quite extensive, including (but not limited to) the following:
- Activities and operations (i.e., what is done – raw material handling, storage, production processes, fueling, transportation, maintenance, facilities and equipment, etc.)
- Functional/operational roles and responsibilities (i.e., who does what, where, when)
- Hazardous materials
- Discharges (operational and stormwater-related)
- Safety practices
- Food safety practices
- Authorizations, permits & certifications provide a “license to construct, install, or operate.” Most companies are subject to authorizations/permits at the federal, state, and local levels. Common examples include air permits, operating permits, Title V permits, safe work permits, tank certifications, discharge permits, construction authorization. In addition, there may be required fire and building codes and operator certifications. Once the required authorizations, permits, and/or certifications are in place, some regulatory requirements lead companies to the preparation and updating of plans as associated steps.
- Plans are required by a number of regulations. These plans typically outline compliance tasks, responsibilities, reporting requirements, schedule, and best management practices to comply with the related permits. Common compliance-related plans may include SPCC, SWPPP, SWMP, contingency, food safety management, and security plans.
- Training supports the permits and plans that are in place. It is crucial to train employees to follow the requirements so they can effectively execute their responsibilities and protect themselves, company assets and communities. Training should cover operations, safety, security, environment, and food safety aimed at compliance with regulatory requirements and company standards and procedures.
- Practices in place involve doing what is
required to follow the terms of the permits, related plans and regulations.
These are the day-to-day actions (regulatory, best management practices,
planned procedures, SOPs, and work instructions) that are essential for
following the required processes.
- Monitoring & inspections provide
compliance checks to ensure locations and operations are functioning within the
required limits/parameters and the company is achieving operational
effectiveness and performance expectations. This step may include some physical
monitoring, sampling, and testing (e.g., emissions, wastewater). There are also
certain regulatory compliance requirements for the frequency and types of
inspections that must be conducted (e.g., forklift, tanks, secondary
containment, outfalls). Beyond regulatory requirements, many companies have
internal monitoring/inspection requirements for things like housekeeping,
sanitation, and process efficiency.
- Records provide documentation of what has
been done related to compliance—current inventories, plans, training,
inspections, and monitoring required for a given compliance program. Each
program typically has recordkeeping, records maintenance, and retention
requirements specified by type. Having a good records management system is
essential for maintaining the vast number of documents required by regulations,
particularly since some, like OSHA, have retention cycles for as long as 30
- Reports are a product of the above
compliance functions. Reports from ongoing implementation of compliance
activities often are required to be filed with regulatory agencies on a regular
basis (e.g., monthly, quarterly, semi-annually, annually), depending on the
regulation. Reports also may be required when there is an incident, emergency, recall,
Reliable Compliance Performance
Documenting procedures on how to execute these eight
functions, along with management oversight and continual review and
improvement, are what eventually get integrated into an overarching management
system (e.g., environmental, health & safety, food safety, security,
quality). The compliance IMS helps create process standardization and,
subsequently, consistent and reliable compliance performance.
In addition, completing and organizing/documenting these
eight functions of compliance provides the following benefits:
- Helps improve the company’s capability to comply
on an ongoing basis
- Establishes compliance practices for when an
- Creates a strong foundation for internal and 3rd-party
compliance audits and for answering outside auditors’ questions (agencies,
customers, certifying bodies)
- Helps companies know where to look for
- Reduces surprises and unnecessary spending on
reactive compliance-related activities
- Informs management’s need to know
- Enhances confidence of others (e.g. regulators,
shareholders/investors, insurers, customers), providing evidence of commitment, capability, reliability and
consistency in the company’s compliance program