Auditing is a management tool that can be used to evaluate and monitor the internal performance and compliance of your company with regulations and standards. An audit can also be used to determine the overall effectiveness of an existing system within your company.
How do you incorporate compliance auditing best practices to help maximize compliance, efficiency, and value of your audit? Here are five critical factors for value-added audits.
1. Goal Aligned with Business Strategy
There are many reasons why companies conduct audits:
- Support commitment to compliance
- Avoid penalties
- Meet management system requirements
- Meet corporate or customer mandates
- Support acquisition or divestiture
- Assess organizational structure and competency
- Identify cost saving and pollution prevention opportunities
- Determine alignment with strategic direction
It is vital to define and understand the goal of your compliance audit program before beginning the audit process. Establishing goals enables recognition of broader issues and can lead to long-term preventive programs. Not establishing a clear, concise goal can lead to a waste of resources.
Audit goals and objectives should be nested within the company business goals, key performance objectives, and values. An example of a goal might be to effectively measure environmental compliance while maintaining a reasonable return on investment.
Once the goal is established, it is important to communicate it across all functions of the organization to get company-wide support. Performance measurements should also be communicated and widely understood.
2. Management Buy-in
The audit program must have upper management support to be successful. Management must exhibit top-down expectations for program excellence, view audits as a tool to drive continuous improvement, and work to embed audits within other improvement processes. Equally important, management must not use audit results to take punitive action against any person or department.
3. Documented Audit Program Systematically Applied
Describe and document the audit process for consistent, efficient, effective, and reliable application. Audit procedures should be tailored to the specific facility/operation being audited. A documented program will include the following:
- Scope. The scope defines what areas, media, and timeframe will be audited. The scope may initially be limited to what is manageable and can be done very well, producing performance improvement and a wider understanding and acceptance of objectives. It may also be narrowed to specific procedural or regulatory changes. As the program develops and matures (e.g., management systems, company policy, operational integration), it can be expanded and, over time, shift toward systems in place, prevention, efficiency, and best practices. Address your timeline at the scoping stage: audits should be scoped so that they actually get done, but also so that every compliance area is audited within an identified timeframe.
- Criteria. Compliance with requirements will clearly be covered in an audit, but what about other opportunities for improvement (e.g., pollution prevention, energy savings, carbon reduction)? All facilities need to be covered at the appropriate level, with emphasis based on potential compliance and business risks. Assess the program strengths, redundancy, integration within the organization, and alignment with the program goal. Develop specific and targeted protocols that are tailored to operational characteristics and based on applicable regulations and requirements for the facility. As protocols are updated, the ability to evaluate continuous improvement trends must be maintained.
- Auditor training (i.e., competency, bias). A significant portion of the audit program should be conducted by knowledgeable auditors (e.g., independent insiders, third parties, or a combination thereof) with clear independence from the operations being audited and from the direct chain of command. For organizational learning and to leverage compliance standards across facilities, it is good practice to vary at least one audit team member for each audit. Companies often enlist personnel from different facilities and with different expertise to audit other facilities. Periodic third-party audits further bring outside perspective and reduce tendencies toward “home-blindness”.
Training should be done throughout the entire organization, across all levels:
+ Auditors are trained on both technical matters and program procedures.
+ Management is trained on the overall program design, purpose, business impacts of findings, responsibilities, corrections, and improvements.
+ Line operations are trained on compliance procedures and company policy/systems.
Consider having auditor training conducted by an outside source to teach people how to decide what to audit and how to follow a trail. It can also work well to train internal auditors by having them audit alongside an experienced third party.
- Audit conduct (i.e., positive approach). A positive approach and rationale for the audit must be embraced. Management establishes this tone and sets the expectation for cooperation among all employees. Communication before, during, and after the audit is vital in keeping things positive. It is important to stress the following:
+ Auditor interviews are evaluating systems, not personal behaviors.
+ The audit is an effective tool to improve performance.
+ Results will not be used punitively.
- Audit reporting. Information from auditing (e.g., findings, patterns, trends, comparisons) and the status of corrective actions often are reported on compliance dashboards for management review. Audit reports should be issued in a predictable and timely manner. It is desirable to orient the audit program toward organizational learning and continual improvement, rather than a “gotcha” philosophy. “Open book” approaches help learning by letting facility managers know in advance what the audit protocols are and how the audits will be conducted. Documentation is essential, and reporting should always align with program goals and follow legal guidance. What gets reported, and how, varies with the company’s objectives. For example:
+ Findings only vs. opportunities for improvement and best management practices?
+ Spreadsheet vs. long format report?
+ Scoring vs. prioritization of findings (beware of the unintended consequences of scores!)?
+ Recommendations for corrective actions included or left for separate discussion?
- Corrective and preventive action. Corrective actions require corporate review, top management-level attention, and management accountability for timely completion. A robust root cause analysis helps ensure not just correction/containment of the existing issue, but also preventive action to assure controls are in place to prevent the event from recurring. For example, if a drum is labeled incorrectly, the corrective action is to relabel that drum. A robust plan should be to also look for other drums that might be labeled incorrectly and to add and communicate an effective preventive action (e.g., training or posting signs showing a correctly labeled drum).
- Follow-up and frequency. Address repeat findings. Identify patterns and seek root cause analysis and sustainable corrections. Communications with management should be done routinely to discuss status, needs, performance, program improvements, and business impacts. Those accountable for performance need to be provided information as close to “real time” as possible. There are several levels of audit frequency, depending on the type of audit:
+ Frequent: Operational (e.g., inspections, housekeeping, maintenance) – done as part of routine day-to-day operational responsibilities
+ Periodic: Compliance, systems, actions/projects – conducted annually/semi-annually
+ As needed: For issue follow-up
+ Infrequent: Comprehensive, independent – conducted every three to four years
4. Robust Corrective Action Program
As mentioned above, corrective actions are a must. If there is no commitment to correction, there is no reason to audit. A robust root cause analysis is essential. This should be a formal, yet flexible, approach. There should be no band-aids. Mistake-proof corrections and include metrics where possible. In the drum example given above, a more robust corrective action program would look at the root cause: Why was the drum mislabeled? Did the person know to label it? If so, why didn’t they do it?
The correction itself is key to the success of the audit program. Establish the expected timeframe for correction (including addressing preventive action). Establish an escalation process for delayed corrections. Corrective actions should be reviewed regularly by upper management using the existing operations review process. There must also be a process for verification that the correction has been made; the next audit cycle may not be sufficient.
Note also that addressing opportunities for improvement, not just non-compliance findings, may increase the return on investment associated with conducting an audit.
5. Sharing of Findings and Best Practices
Audit results should be communicated to increase awareness and minimize repeat findings. Even if conducted under privilege, best practices and corrections can and should still be shared. Celebrate the positives and creative solutions. Stress the value of the audit program, always providing metrics and cost avoidance examples when possible. Inventory best practices and share/transfer them as part of audit program results. Use best-in-class facilities as models and “problem sites” for improvement planning and training.
An audit can provide much additional value and return on investment if it is planned and managed effectively. This includes doing the following:
- Align program goal with business strategy to secure top-down buy-in
- Expand criteria beyond compliance
- Gain goodwill through positive approach
- Document program and results
- Monitor for timely, effective corrective action
- Share opportunities for improvement
BY: Stacey Pisani
Compliance risk assessment helps to identify and assess risks related to applicable regulatory requirements. Internal and external events or conditions affecting the entity’s ability to achieve objectives must be identified, distinguishing between risks and opportunities. These risks are analyzed, considering the following:
- Size of the risk – where, how big, how often/many?
- Severity of the outcome – to what extent can it impact safety, environmental, operational, financial, customer relations, regulatory compliance?
- Likelihood/probability of each risk – how likely is the occurrence of a negative outcome, considering the maturity of existing controls?
Based on this assessment, management can prioritize risks, select appropriate risk responses (avoiding, accepting, reducing, sharing), and develop a set of actions to align with the entity’s risk tolerance/appetite. An acceptable level of residual risk is considered after selected improvements and controls are applied. From there, policies and procedures can be established and implemented to help ensure the risk responses are effectively communicated so operating managers and individuals can carry out their responsibilities.
A deeper dive compliance program assessment may be performed for those risks that are identified as the company’s most significant.
Compliance Program Assessment
A compliance program assessment looks beyond “point-in-time” compliance to critically evaluate how the company manages compliance programs, processes, and activities, with compliance assurance as the ultimate goal. Capability, capacity, programs, and processes to comply are examined as part of this review. Routine process and compliance audits are also key components of a compliance assurance program.
Compliance program assessment should follow a disciplined and consistent process, resulting in an effective program that guides alignment of activities to an integrated management system for sustained compliance and continuous improvement. An essential part of the assessment, audits capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices.
Compliance program assessment enables a company to define and understand:
- Compliance requirements and where regulated activities occur throughout the organization
- Current company programs and processes used to manage those activities and the associated level of program/process maturity
- Deficiencies in compliance program management and opportunities for improvement
- How to feed review recommendations back into elements of the management system to create a roadmap for sustaining and continually improving compliance
There are six phases associated with a compliance program assessment:
Phase 1 – Regulations, Requirements, and Applicability Analysis: Phase 1 focuses on identifying, organizing, validating, and understanding all of the requirements (legal or other) with which the company must comply. It provides an applicability analysis of the requirements to company operations by functional area and evaluates the associated risks. This stage engages representatives across the company who are responsible for activities subject to the requirements.
Phase 2 – Activities Analysis: This phase involves developing an inventory/profile of all company activities that may trigger the requirements identified in Phase 1. It asks the question, “What activities does the company carry out that are covered by the requirements?”
Phase 3 – Desired Compliance Program Standard: Establishing the company’s expectations for compliance program processes and controls—the desired condition—is essential. This “to-be” standard integrates management system principles into compliance program management. Programs should examine relative risks and ensure that risk-based priorities are being set.
Phase 4 – Actual Compliance Program Condition: In contrast to the desired standard identified in Phase 3, Phase 4 is about describing the company’s current compliance program. It defines how the company actually performs the processes and controls outlined in Phase 3 (along with who, when, and where)—the “as-is” condition. This is done in the same framework as the desired standard in order to compare them in the next phase.
Phase 5 – Gap Analysis: The gap analysis compares actual compliance program management against the desired standard. It evaluates compliance program management processes, controls, and maturity to determine if they are good as is, need improvement, or are missing. These gaps and opportunities provide the basis for the improvement actions developed in Phase 6.
Phase 6 – Improvement Actions: Phase 6 moves the process along to developing action plans and an approach for ongoing management review that will guide the compliance program development and improvement activities. Compliance program management review is established at the end of this last phase. If there is a management system in place, program review information and action plan tracking can be integrated into that management system.
As a whole, this process will help companies evaluate the degree to which:
- Compliance goals and objectives are set and communicated by management.
- Hazards and risks are identified, sized, and assessed, including an inventory of activities subject to the compliance requirements and the relative risks.
- Existing controls are adequate and effective, recognizing and addressing changed conditions.
- Plans are in place to address risks not adequately covered by existing controls.
- Plans and controls are resourced and implemented.
- Controls are documented and operationalized across functions and work units.
- Personnel know and understand the controls and expectations, and are engaged in their design and improvement.
- Controls are being monitored with appropriate metrics and compliance auditing and assurance.
- The information system is sufficient to support management system-required functions (e.g., document management and control, action tracking, notifications, training tracking, task calendaring, metrics reporting). Information dashboards can be used for reports to management.
- Deficiencies are being addressed by corrective/preventive action and are being tracked to completion.
- Processes, controls, and performance are being reviewed by management for ongoing improvement, including the maintenance and continual improvement of the integrated management system.
A well-designed and well-executed compliance assurance program provides an essential tool for improving and verifying business performance and limiting compliance risks. Ultimately, however, a compliance program’s effectiveness comes down to whether it is merely a “paper program” or whether it is being integrated into the organization and used in practice on a daily basis.
The following can show evidence of a living, breathing program:
- Comprehensiveness of the program
- Dedicated staff and resources
- Employee knowledge and engagement
- Management commitment and employee perception
- Internal operational inspections, “walkabouts” by management
- Independent insider, plus third-party audits
- Program tailoring to greatest risks
- Consistency and timeliness of exception (noncompliance/nonconformance) disclosures
- Tracking of timely and adequate corrective/preventive action completion
- Progress and performance monitoring
To achieve a compliance assurance program on par with world-class organizations, there are a number of best practices that companies should employ:
Know the requirements. This means maintaining an inventory of regulatory compliance requirements for each compliance program, as well as of state/local/contractual binding agreements applying to operations. It is vital that the organization keep abreast of current/upcoming requirements (federal, state, local).
Plan and develop the processes to comply. Identify and assess compliance risks, and then set objectives and targets for performance improvement based on top priorities. From here, it becomes possible to then define program improvement initiatives, assign and document responsibilities for compliance (who must do what and when), develop procedures and tools, and then allocate resources to get it done.
Assure compliance in operations. The organization needs to establish routine checks and inspections within departments to evaluate conformance with sub-process procedures. Process audits should be designed and implemented to cut across operations and sub-processes in order to evaluate conformance with company policies and procedures. Regulatory compliance audits should further be conducted to address program requirements (e.g., environmental, safety, mine safety, security). Audit performance must be measured and reported, and the expectations set for operating managers to take responsibility for compliance.
Take action on issues and problems. Capture, log and categorize noncompliance issues, process nonconformances, and near misses. Implement a corrective/preventive action process based on the importance of issues. Be disciplined in timely completion, close-out, and documentation of all corrective/preventive actions.
Employ management of change (MOC) process. Robust MOC processes help ensure that changes affecting compliance (to the facility, operations, personnel, infrastructure, materials, etc.) are reviewed for their impacts on compliance. Compliance should be assured before the changes are made. Failure to do so is one of the most common root causes of noncompliance.
Ensure management involvement and leadership. Set the tone at the top. The Board of Directors and senior executives must set policy, culture, values, expectations, and goals. It is just as important that these individuals are the ones to communicate across the organization, to demonstrate their commitment and leadership, to define an appropriate incentive/disincentive system, and to provide ongoing organizational feedback.
Maintaining Ongoing Compliance
The compliance assurance program must be a living, breathing program. As risks change, the program must be refreshed, refined, and redeployed. A management system framework can help ensure operational sustainability. A management system drives the auditing process and helps companies say what they will do, do what they say and, importantly, verify it.
Together, there is a real value at the intersection of a compliance assurance program and management systems. Management systems define the internal controls that are in place to reduce risks, prevent losses, and sustain and improve performance over time through the Plan-Do-Check-Act (PDCA) cycle of continual improvement.
Testing and Monitoring
Testing, monitoring, and measuring are crucial elements of this cycle. Without them, it is difficult to understand what is working and what needs improvement. Robust testing and monitoring programs can serve as early warning systems for identifying potential compliance risks before they become enforcement issues.
Compliance should be tested and monitored throughout each level of the organization. A strong testing program will evaluate the results of the compliance risk assessment and assign compliance risks to the business units and processes where they are most likely to occur, creating clear lines of responsibility and accountability. Key risks and the related controls should be tested periodically using statistically valid sampling methodologies, and monitoring activities should be performed on an ongoing basis. Doing so produces trend data that provides the rationale for changing underlying business processes and that helps surface emerging risks.
Ongoing compliance excellence relies on top management, operations managers, EHS personnel, and individual employees throughout the organization working together to build and sustain an organizational culture that places compliance on par with business performance. Senior management must focus on the overall culture of the company in terms of taking the necessary steps to reduce risk and make prevention part of daily operations. While it may be impossible to eliminate all risk exposure, a solid risk framework, assessment methodology, and compliance assurance program can help to prioritize risks for active management, sustained compliance, and positive business impacts.
BY: Stacey Pisani
Virtually every regulatory program—environmental, health & safety, security, food safety—has compliance requirements that call for companies to fulfill a number of common compliance activities. While they do not necessarily need to be addressed all at once or from the start, considering the eight functions of compliance (as outlined below) when designing a compliance Information Management System (IMS) helps define the starting point and build a vision for the “end point” when planning IMS improvements. These compliance functions translate into modules—facility profiles, employee counts, training tracking, corrective action tracking, auditing tasks, compliance calendars, documents and records management, permit tracking, etc.—that are instrumental in establishing or improving a company’s capability to comply.
8 Functions of Compliance
- Inventory means taking stock of what exists. The outcome of a compliance inventory is an operational and EHS profile of the company’s operations and sites. In essence, the inventory is the top filter that determines the applicability of regulatory requirements and guides compliance plans, programs, and activities. For compliance purposes, the inventory is quite extensive, including (but not limited to) the following:
+ Activities and operations (i.e., what is done – raw material handling, storage, production processes, fueling, transportation, maintenance, facilities and equipment, etc.)
+ Functional/operational roles and responsibilities (i.e., who does what, where, when)
+ Hazardous materials
+ Discharges (operational and stormwater-related)
+ Safety practices
+ Food safety practices
- Authorizations, permits & certifications provide a “license to construct, install, or operate.” Most companies are subject to authorizations/permits at the federal, state, and local levels. Common examples include air permits, operating permits, Title V permits, safe work permits, tank certifications, discharge permits, construction authorization. In addition, there may be required fire and building codes and operator certifications. Once the required authorizations, permits, and/or certifications are in place, some regulatory requirements lead companies to the preparation and updating of plans as associated steps.
- Plans are required by a number of regulations. These plans typically outline compliance tasks, responsibilities, reporting requirements, schedule, and best management practices to comply with the related permits. Common compliance-related plans may include SPCC, SWPPP, SWMP, contingency, food safety management, and security plans.
- Training supports the permits and plans that are in place. It is crucial to train employees to follow the requirements so they can effectively execute their responsibilities and protect themselves, company assets and communities. Training should cover operations, safety, security, environment, and food safety aimed at compliance with regulatory requirements and company standards and procedures.
- Practices in place involve doing what is required to follow the terms of the permits, related plans and regulations. These are the day-to-day actions (regulatory, best management practices, planned procedures, SOPs, and work instructions) that are essential for following the required processes.
- Monitoring & inspections provide compliance checks to ensure locations and operations are functioning within the required limits/parameters and the company is achieving operational effectiveness and performance expectations. This step may include some physical monitoring, sampling, and testing (e.g., emissions, wastewater). There are also certain regulatory compliance requirements for the frequency and types of inspections that must be conducted (e.g., forklift, tanks, secondary containment, outfalls). Beyond regulatory requirements, many companies have internal monitoring/inspection requirements for things like housekeeping, sanitation, and process efficiency.
- Records provide documentation of what has been done related to compliance—current inventories, plans, training, inspections, and monitoring required for a given compliance program. Each program typically has recordkeeping, records maintenance, and retention requirements specified by type. Having a good records management system is essential for maintaining the vast number of documents required by regulations, particularly since some, like OSHA, have retention cycles for as long as 30
- Reports are a product of the above compliance functions. Reports from ongoing implementation of compliance activities often are required to be filed with regulatory agencies on a regular basis (e.g., monthly, quarterly, semi-annually, annually), depending on the regulation. Reports also may be required when there is an incident, emergency, recall,
Reliable Compliance Performance
Documenting procedures on how to execute these eight functions, along with management oversight and continual review and improvement, are what eventually get integrated into an overarching management system (e.g., environmental, health & safety, food safety, security, quality). The compliance IMS helps create process standardization and, subsequently, consistent and reliable compliance performance.
In addition, completing and organizing/documenting these eight functions of compliance provides the following benefits:
- Helps improve the company’s capability to comply on an ongoing basis
- Establishes compliance practices for when an
- Creates a strong foundation for internal and third-party compliance audits and for answering outside auditors’ questions (agencies, customers, certifying bodies)
- Helps companies know where to look for
- Reduces surprises and unnecessary spending on reactive compliance-related activities
- Informs management’s need to know
- Enhances confidence of others (e.g., regulators, shareholders/investors, insurers, customers), providing evidence of commitment, capability, reliability and consistency in the company’s compliance program
A management system is the organizing framework that enables companies to achieve and sustain their operational and business objectives through a process of continuous improvement. A management system is designed to identify and manage risks—safety, environmental, quality, business continuity, food safety (and many others)—through an organized set of policies, procedures, practices, and resources that guide the enterprise and its activities to maximize business value.
The management system addresses:
- What is done and why
- How it is done and by whom
- How well it is being done
- How it is maintained and reviewed
- How it can be improved
Creating an Effective and Valuable Management System
Each company’s management system reflects its unique culture, vision, and values. To be effective and valuable, the management system must be tailored and focused on how it can enhance the business performance of the organization. It must also be:
- Useful to people in the operations
- Intuitive—organized the way operations people think
- Flexible—making use of methods and tools as they are developed and documented
- Valuable from the outset—addressing the most critical risks and processes
- Linked to the business of the business (not “pasted on”), with ownership at the operational level
- A means to better align operational quality, safety, and environment with the business
Attributes of an effective management system are senior management expectations and guidance coupled with employee engagement. Importantly, a management system involves a continual cycle of planning, implementing, reviewing, and improving the way in which safety, quality, and environmental obligations and objectives are met. In its simplest form, this involves implementing the Plan, Do, Check, Act/Adjust (P-D-C-A) cycle for continuous improvement.
Auditing for Ongoing Compliance
The connection between management systems and compliance is vital in avoiding recurring compliance issues and in reducing variation in compliance performance. In fact, reliable and effective regulatory compliance is commonly an outcome of consistent and reliable implementation of a management system.
Conducting periodic audits is a practical way to test a management system’s implementation maturity and effectiveness. One of the many advantages of audits is that they help identify gaps so that corrective/preventive actions can be put into place and then sustained and improved through the management system.
Audits also help companies with continuous improvement initiatives; properly developed audit programs help measure results over time. To achieve best value, audits should emphasize finding patterns that can yield opportunities for learning and continual improvement, rather than “gotchas” for exceptions that are discovered.
Management System Standards
Several options are available for structuring management systems, whether they are certified by third-party registrars and auditors, self-certified, or used as internal guidance and for potential certification readiness.
The International Organization for Standardization (ISO) standards are some of the most commonly applied. The ISO standards for quality (ISO 9001), environment (ISO 14001), health & safety (OHSAS 18001), business continuity (ISO 22301), and food safety (FSSC 22000) have consistent elements, allowing organizations to more easily align their various management systems. Aligned management systems help companies to achieve improved and more reliable quality, environmental, and health & safety performance, while adding measurable business value.
Companies can become certified to each of the standards discussed above. Certification has a number of benefits, including the following:
- Meet customer or supply chain requirements
- Use outside drivers to maintain management system process discipline (e.g., periodic risk assessment, document management, compliance evaluation, internal audits, management review)
- Take advantage of third-party assessment and recommendations
- Improve standing with regulatory agencies (e.g., USEPA, OSHA, FDA, and state programs)
- Demonstrate the application of industry best practice in the event of incidents/accidents requiring defense of practices
However, if there is no market or other business driver, certification can lead to unnecessary additional cost and effort regarding management system development. Certification in itself does not mean improved performance—management system structure, operation, and management commitment determine that.
There are a number of reasons to implement a management system. A properly designed and implemented management system brings value to organizations in a number of ways:
- Risk management
  - Identify risks
  - Set priorities for improvement, measurement, and reporting
  - Provide great opportunity to identify, share, and learn best practices, while recognizing operational differences
- Protection of people
  - Send people home the way they arrived at work
  - Protect the public and the environment
- Compliance assurance
  - Improve and sustain regulatory compliance
- Business value
  - Continually improve quality, environmental, and safety performance across the organization (employee, public, equipment, infrastructure)
  - Reduce incident costs and accrued liabilities
  - Protect assets
  - Assure processes, methods, and practices are in place, documented, and consistently applied
  - Reduce variability in processes and performance
- Employee engagement
  - Help employees to find and use current versions of all procedures and documents
  - Provide a ready reference for field management to structure location-specific procedures
  - Enable the effective transfer of standards, methods, and know-how in employee training, new job assignments, and promotions
When business is disrupted, the costs can be substantial. Unfortunately, every organization is at risk from potential operational disruptions: natural disasters, fire, sabotage, malware and other information technology (IT) attacks, data loss, and acts of violence. Recent world events have further challenged organizations to prepare to manage previously unthinkable situations that may threaten the future of the business.
Securing Company Assets
This goes beyond the mere Emergency Response Plan or disaster recovery activities that have been previously implemented. Organizations must now engage in a more comprehensive process to secure their companies’ assets (e.g., people, technology, products, and services). Today’s threats require implementation of an ongoing, interactive process that assures the continuation of the organization’s core business activities and data center(s) before, during, and, most importantly, after a major crisis event.
Creating a Resilient Organization
Business continuity planning helps ensure that companies have the resources and information needed to maintain service, reliability, and resiliency under adverse conditions. While companies can’t plan for everything, they can take steps to understand and effectively manage events that might compromise their products/services, supply chain, quality, security, and future as an organization.
A Business Continuity Plan ensures that all involved parties understand who makes decisions, how the decisions are implemented, and what the roles and responsibilities of participants are when an incident occurs. Through business continuity planning, companies are able to:
- IDENTIFY the human, property, and operational impacts of potential business threats
- EVALUATE the potential severity of associated risks
- ESTIMATE the likelihood of business threats occurring
- CREATE timelines for restoration and strategies that proactively mitigate the most pressing business threats, take advantage of opportunities that lie ahead, and provide for a more resilient and sustainable future
A sound Business Continuity Program relies on a systematic approach to identify and critically evaluate risks/opportunities, as outlined below. This approach broadens the scope of issues beyond mere emergency response and allows companies to budget for and secure the necessary resources to support critical business activities before, during, and after a major crisis event. Ultimately, following this process helps companies to stay in business through a time of crisis.
Sustaining Business for the Long Term
Sustainability is about staying in business for the long term, and today, business continuity is key to sustaining business over time. That is because a well-developed and implemented Business Continuity Plan:
- Keeps employees and the community safe when an incident occurs
- Protects the organization’s important assets (e.g., people, technology, products, services)
- Reduces disruption to critical functions in order to limit financial impacts due to loss of product/service
- Reduces adverse publicity, loss of credibility, and loss of customers
- Reduces legal liability and regulatory exposure
- Reduces the risk of losing critical business data (e.g., historical, operational, customer, regulatory compliance)
- Provides for an orderly and timely recovery by allowing critical decisions to be made in a non-crisis mode
- Helps companies mitigate risks and focus on the future
ISO 22301: Societal Security – Business Continuity Management Systems is specifically designed to help organizations protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise. Like other ISO standards, ISO 22301 applies the Plan-Do-Check-Act/Adjust model to developing, implementing, and continually improving a Business Continuity Management System. Following this internationally recognized standard allows organizations to leverage their existing management systems and ensure consistency with any other ISO management system standards that may already be in place (e.g., ISO 14001 – environment, ISO 9001 – quality, ISO 45001 – safety, ISO 22000 – food safety).
The American Society for Industrial Security (ASIS) Business Continuity Management System Standard, National Fire Protection Association (NFPA) 1600: Standard on Disaster/Emergency Management and Business Continuity Programs, and Office of the Comptroller of the Currency (OCC) federal banking requirements for business continuity provide further industry-specific guidance on business continuity management.
Today’s business managers face greater complexities than ever when it comes to making business decisions. For every business decision, there are a number of factors that impact the associated risks. Fortunately, the use of statistics, predictive analytics, and data mining has become increasingly useful in taking the “gut feel” out of making important and often complex business decisions.
Most people are familiar with common descriptive statistical techniques, like measures of central tendency (e.g., mean, median, mode) or variability (e.g., interquartile range, standard deviation). More advanced data mining and predictive analytical techniques are increasingly being used to explore and investigate past performance to gain insight for future business decision making.
Data mining draws on large amounts of data to identify patterns, which are often classified as opportunities or risks. Predictive analytics encompasses a variety of statistical techniques that are used to analyze historical data to predict the most probable future events. A few examples of these include the following:
- Discriminant Analysis – a machine learning model where a computer program “learns” a pre-existing data set that includes attributes and outcomes for each individual, and then predicts probable outcomes for individuals in the new data set based on attributes.
- Linear Regression – creates an equation so that one variable can be predicted based on the known values of other variables.
- Logistic Regression – a machine learning model where a computer program “learns” a pre-existing data set that includes attributes and a binary (“yes/no”) outcome for each individual, then predicts “yes/no” outcome for each individual in a new data set, along with a probability associated with the decision.
- Decision trees – machine learning model where a computer program “learns” a pre-existing data set that includes attributes and outcomes (not necessarily binary) for each individual, then predicts outcomes for each individual in a new data set, along with confidence in the decision; also identifies the attributes that are most helpful for making predictions (i.e., those that are best able to discriminate between outcomes).
- Neural networks – used for the same kinds of prediction as decision trees, but better suited when the outcome depends on interactions among attributes rather than on any single attribute alone.
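The logistic regression item above describes the whole workflow in one sentence: learn from a data set of attributes with a yes/no outcome, then assign each new individual a yes/no decision with a probability. The block below is an added example that implements that workflow from scratch (batch gradient descent on log-loss, no external libraries); it is not Kestrel code or the HFIT software, and the training rows are constructed for the illustration, with attribute names (open audit findings, days since inspection, night shift) chosen only to make the example concrete.

```python
"""Logistic regression from scratch: learn a yes/no outcome from attributes,
then return a decision and a probability for new individuals."""
import math

# Constructed training set (not from the article). Attributes are scaled to
# roughly [0, 1] so one learning rate works for all of them:
#   open_findings  - open audit findings at the site, divided by 10
#   days_since     - days since the last inspection, divided by 60
#   night_shift    - 1.0 if the work was on a night shift, else 0.0
# Outcome: 1 = a recordable incident occurred, 0 = it did not.
TRAINING_ROWS = [
    ((0.1, 0.1, 0.0), 0), ((0.2, 0.2, 0.0), 0), ((0.1, 0.3, 1.0), 0),
    ((0.3, 0.1, 0.0), 0), ((0.2, 0.4, 0.0), 0), ((0.0, 0.5, 1.0), 0),
    ((0.8, 0.7, 1.0), 1), ((0.9, 0.5, 0.0), 1), ((0.7, 0.9, 1.0), 1),
    ((0.6, 0.8, 0.0), 1), ((0.9, 0.9, 1.0), 1), ((0.8, 0.6, 0.0), 1),
]


def sigmoid(z):
    """Map a real score to a probability; branch to avoid exp() overflow."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def predict_proba(weights, bias, x):
    """Probability that the outcome is 'yes' for attribute vector x."""
    return sigmoid(sum(w * xi for w, xi in zip(weights, x)) + bias)


def train(rows, learning_rate=0.5, epochs=10000):
    """Fit weights and bias by minimizing mean log-loss with batch gradient descent."""
    n_features = len(rows[0][0])
    weights = [0.0] * n_features
    bias = 0.0
    n = len(rows)
    for _ in range(epochs):
        grad_w = [0.0] * n_features
        grad_b = 0.0
        for x, y in rows:
            err = predict_proba(weights, bias, x) - y  # d(log-loss)/d(score)
            for j in range(n_features):
                grad_w[j] += err * x[j]
            grad_b += err
        weights = [w - learning_rate * g / n for w, g in zip(weights, grad_w)]
        bias -= learning_rate * grad_b / n
    return weights, bias


def accuracy(weights, bias, rows, threshold=0.5):
    """Fraction of rows whose predicted yes/no matches the recorded outcome."""
    hits = sum((predict_proba(weights, bias, x) >= threshold) == (y == 1)
               for x, y in rows)
    return hits / len(rows)


def classify(weights, bias, x, threshold=0.5):
    """Return ('yes' or 'no', probability) for a new individual."""
    p = predict_proba(weights, bias, x)
    return ("yes" if p >= threshold else "no", p)


if __name__ == "__main__":
    w, b = train(TRAINING_ROWS)
    print("training accuracy:", accuracy(w, b, TRAINING_ROWS))
    for new_x in [(0.9, 0.8, 1.0), (0.1, 0.2, 0.0)]:
        print(new_x, "->", classify(w, b, new_x))
```

The probability, not just the yes/no label, is what makes the output useful for prioritizing: two sites both predicted "yes" can still be ranked by how confident the model is, and the weights show which attribute moves the score most. On real incident data the attributes would need scaling and the model should be validated on rows held out from training, which this small constructed set does not do.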
Together, this information can help decision makers to predict the outcome(s) of a decision before it is made—and make smarter decisions based on data instead of gut feelings. The following case studies demonstrate the value that statistics provide when it comes to making important business decisions.
Case Study: Wildfire Risk Index
For a large transportation organization, wildfires have historically presented a unique challenge. The company has worked diligently over the past several years to control its fire risk through research and a number of assessments. To help further minimize the wildfire risk, the company turned to past data and is working with Kestrel to develop a comprehensive Wildfire Risk Index to:
- Quantify the operational risks of wildfires (i.e., identify environmental conditions, determine areas of concern)
- Make informed business decisions to help minimize identified risks
Creating the Index requires a significant amount of data from both internal and external resources, including traffic, weather, geography, internal fire incidents, and others. This information is used in several components contained within two main models that create the Wildfire Risk Index. These model components are relatively simple when used on their own. The complexity arises when combining the various models and their components into a single Wildfire Risk Index that reasonably reflects relative risks, while considering all variables.
The ultimate output of the Wildfire Risk Index is a single number that quantifies the relative risk of wildfire by location and by month. This information will help the company to:
- Identify the areas of greatest risk.
- Focus resources on those areas.
- Make more informed decisions regarding operations—like when to plan hot work and when and where to perform vegetation control—to help prevent future incidents.
Case Study: Incident Data
For a large petroleum refining organization, safety and environmental incidents present a significant risk to operations. In order to reduce incident frequency, the company has implemented a robust safety management system, which includes frequent audits and inspections. Despite the company’s best efforts, however, incidents have continued to occur.
To further improve safety and environmental performance, Kestrel is working with the company to conduct detailed reviews of previous incidents using Kestrel’s proprietary Human Performance Reliability (HPR) approach. This approach identifies and classifies the human factors contributing to incidents, as well as the controls associated with those human factors (engineered, administrative, and/or PPE). Once the reviews are finished, the results are statistically analyzed to generate a prioritized list of human factors to be addressed. Kestrel’s Human Factors Integration Tool (HFIT™) software then generates a list of existing controls associated with the top human factors, as well as a list of missing controls that could be created and implemented.
The ultimate output of the incident review process is to help the company identify the human factors contributing to incidents, create or improve associated controls, manage operational risks, and protect the health and safety of workers and the surrounding environment.
These examples demonstrate how predictive analytics can be used to support decision making. The versatility of predictive analytics, combined with the variety of statistical techniques available, can be applied to help companies analyze a wide variety of problems and gain insight for future business decision making.
BY: Stacey Pisani
This is the fifth article in Kestrel’s Drones 101 series.
As we’ve discussed in our Drones 101 series, both large and small companies can establish safe and reliable drone programs; however, lack of planning will (at best) add up to a short-lived drone program or (at worst) cause your company undue risk or injury.
In short, buying and operating UAS equipment without a plan in place can lead to:
- Sunk costs
- Delayed success
- Safety incidents
- Service delays
- Employee injury
- Loss of financial backing
- Legal and regulatory issues
On the flip side, when implemented appropriately, using drones often results in a solution that is:
- Faster – Significantly reduce manhours to complete work (e.g., inspections, audits, monitoring) without requiring plant shutdown.
- Safer — Eliminate the need for humans to complete high-risk activities (e.g., climbing towers, entering confined spaces, inspecting disaster zones).
- More accurate — Gather comprehensive and reliable data with less room for human error and less variability.
Here are Kestrel’s top six tips for managing a successful drone program:
- Establish a plan and budget to accurately track and communicate costs and determine your return on investment.
- Establish standard processes, procedures, and communication protocols to ensure end users, company, and management teams understand expectations and obligations.
- Engage a cross-functional team, which may include program management, field operations, engineering and maintenance, human resources, legal, information technology, etc. to effectively manage all aspects of your UAS program.
- Create a UAS program operations manual that lays out expectations and company-approved applications of UAS technology.
- Set metrics and evaluation methods for the UAS program overall and its impacts on the core business. This will help show the value of your UAS program.
- Follow the classic management system plan-do-check-act cycle to drive continual improvement in not only the drone program, but in the core business, as well.
Learn more about Kestrel’s UAS Program Management services. Be sure to check out the entire Drones 101 series:
BY: Stacey Pisani
This is the fourth article in Kestrel’s Drones 101 series.
Drones can reduce risk in commercial operations, but it is important to acknowledge that they can also introduce risk through damage to property, safety incidents, loss of UAS assets, and legal and regulatory issues. And without a planned, organized UAS program, your risks increase significantly.
Why UAS Programs Fail
Why do some drone programs fail? Both large and small companies can establish safe and reliable drone programs, but a solid foundation early in the process is essential for success. Lack of planning will (at best) add up to a short-lived drone program or (at worst) cause your company undue risk or injury.
In short, buying and operating UAS equipment without a plan in place can lead to:
- Sunk costs
- Delayed success
- Safety incidents
- Service delays
- Employee injury
- Loss of financial backing
- Legal and regulatory issues
Foundations of a Drone Program
A solid, sustainable UAS program starts with consideration of a handful of essential elements, as discussed below.
Financial Resources. Your program needs to consider cost. Not only will you need to create a budget for approval, but you will want to be aware of and able to accurately communicate costs and have a basis for arriving at a return on your investment. A good approach is to categorize your costs into one-time capital costs; recurring costs related to equipment, software and pilots; and costs for expansion.
Incidentally, the cost to take the Part 107 Airmen Knowledge Test is $150 per attempt. A prep course online will run about $200-$300. To stay current, pilots are required to retake a test every two years, which also costs $150 per attempt.
The key point is to understand your costs, budget for them, and put the drone program in the best position to be funded as needed.
Cross-Functional Team. Ideally, you want a team of people with different functional expertise working toward the common goal of helping the company achieve the benefits associated with a drone program. Consider involving individuals in program management, operations management, legal/compliance, human resources, information technology, and others.
Depending on how large your organization is, the team may be one or two individuals who wear many hats and juggle responsibilities. Larger organizations may expand the size and functions beyond this example. Think about how your organization might function:
- Is your program manager and operations manager the same person?
- Which of the following is the highest priority for your legal team: data security, regulatory compliance, or employee safety?
- Do you have the in-house IT resources to support the technical needs of a UAS program?
You don’t necessarily have to have a large team, but you do need to consider how you’ll cover all the related functions and responsibilities.
UAS Program Operations Manual
A UAS program operations manual – whether it is a paper binder or an online resource – is a must. It’s important that you have well thought-out policies and procedures, standard practices, and emergency plans. It is just as important that all your pilots and team members are familiar with them, so everyone is operating from the same playbook.
Your operations manual should lay out expectations and company-approved applications of UAS technology. In general, it should include the following:
- Policies, procedures, standard operating practices, safety programs
- Identified risks, hazards, and emergency situations; mitigation measures
- Data management and documentation requirements
- How/when to verify federal and state regulations for UAS technology
- Employment terms/contracts (employee, contractor, vendor)
Business Systems. Much like the cross-functional team we just covered, your internal business systems should include drone program-related tasks and subsystems. These should be integrated into the normal flow of business in your organization.
If your company operates under an ISO-style management system (e.g., ISO 9001, ISO 14001, or ISO 45001), you have the opportunity to align and integrate systems with your existing program and take advantage of the plan-do-check-act cycle associated with ISO management systems. Consider systems for communication, inventory management, data management, employee management, and technical support, among others.
Metrics and Evaluation. It’s a standard exercise in any management system to set measurable goals and track progress against them. The same standard should be upheld for drone program management. Setting metrics and evaluation methods will allow you to show the value of your UAS program.
- First, set goals for the drone program overall. This may include:
  - UAS pilot effectiveness (e.g., safety, training status, reportables, compliance)
  - Effectiveness of policies and procedures
  - ROI of the UAS program (e.g., money saved, time saved, fewer injuries, lower workers compensation rates)
- Second, set goals to measure the impact of the drone program on your core business.
  - How will UAS enhancements change/improve existing company performance metrics?
  - For example, can you move from biannual inventory of resources to quarterly due to ease of inspections? Or monitor high-risk bridges, wind turbines, etc. every 3 months?
  - Set or adjust thresholds based on the knowledge you gain from UAS enhancements.
Plan for Continuous Improvement
Finally, you should have a plan for continuous improvement. An effective plan will follow the classic management system plan-do-check-act cycle to drive improvement in not only the drone program, but in the core business as well.
In the diagram below, drone program goals related to improved policies and procedures lead to standard operations practices. The effectiveness of these actions is evaluated, gaps are identified, and additional goals are set. As an example, let’s say one of those policies and procedures is to address how we manage flight data. A goal is set, the procedure is examined, previously unidentified risks are discovered, and mitigation measures are put in place in the policies, procedures and SOPs.
Drones can enhance your current business operations by reducing the time and safety risks involved with routine tasks, but they bring with them their own operational and regulatory considerations. To help ensure your drone program’s success:
- Establish a solid foundation early.
- Establish policies and procedures to reduce inefficiencies and ensure compliance.
- Create systems to reliably track the location, status, and condition of your drone fleet – regardless of size.
- Establish systems to track and manage the training and certification status of all employees or contractors in the UAS program.
- Monitor and manage maintenance and repairs/replacements of the drone fleet to reduce operational risks of drone failure during flight and to ensure that employees are operating their drones safely and efficiently.
- Develop systems to manage and organize huge quantities of data from drone flights so you can easily find footage/stills and leverage the data gathered.
- Design and implement integrated software systems to prevent liabilities, loss of ROI, and safety risks.
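The data-management items above (and the record-retention point made later in the series) call for a system that can find a given flight's footage, prove it has not been altered since it was captured, and say how long it must be kept. The block below is an added example of the minimum such a system needs: a per-flight manifest with SHA-256 digests and a retention date, plus a verifier that reports files that went missing or changed. It is not Kestrel's system; the folder layout, field names, the 3-year retention period and the files themselves are constructed for the illustration.

```python
"""Index a flight's data files into a manifest with SHA-256 digests and a
retention date, then re-verify them later to detect missing or altered files."""
import hashlib
import json
import os
import tempfile
from datetime import date, timedelta

RETENTION_DAYS = 3 * 365  # assumed retention period; confirm the applicable state rule


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large video files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(flight_dir, flight_id, pilot_cert, flown_on):
    """Record every file in the flight folder with its size and digest."""
    files = []
    for name in sorted(os.listdir(flight_dir)):
        path = os.path.join(flight_dir, name)
        if os.path.isfile(path):
            files.append({"file": name, "bytes": os.path.getsize(path),
                          "sha256": sha256_file(path)})
    return {
        "flight_id": flight_id,
        "pilot_cert": pilot_cert,
        "flown_on": flown_on.isoformat(),
        "retain_until": (flown_on + timedelta(days=RETENTION_DAYS)).isoformat(),
        "files": files,
    }


def verify_manifest(flight_dir, manifest):
    """Names of indexed files that are missing or whose content no longer matches."""
    bad = []
    for entry in manifest["files"]:
        path = os.path.join(flight_dir, entry["file"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            bad.append(entry["file"])
    return bad


def demo():
    """Build a constructed flight folder, index it, alter one file, re-verify.
    Returns (manifest, problems_before_edit, problems_after_edit)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "DJI_0001.MP4"), "wb") as f:
            f.write(b"\x00\x00\x00\x18ftypmp42" + bytes(64))  # stand-in bytes, not real video
        with open(os.path.join(d, "flight.log"), "w") as f:
            f.write("2019-03-01T09:12:00Z takeoff alt=0ft batt=98%\n")  # constructed log line
        manifest = build_manifest(d, "FLT-2019-0042", "REMOTE-PILOT-CERT-0000", date(2019, 3, 1))
        before = verify_manifest(d, manifest)
        with open(os.path.join(d, "flight.log"), "a") as f:
            f.write("edited after the fact\n")
        after = verify_manifest(d, manifest)
        return manifest, before, after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("before edit:", before or "all files intact")
    print("after edit:", after)
```

The manifest itself must be stored somewhere the pilots and field staff cannot rewrite (a separate system or a write-once store), otherwise an edit to a file can be covered by re-running the indexer. The retention date is computed at indexing time so the purge job never has to re-derive it from file timestamps that may have been touched by copying.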
Learn more about Kestrel’s UAS Program Management services. Be sure to check out the entire Drones 101 series:
- Terminology & Technology
- Drone Program Management
- Top 6 Tips for Managing Your Drone Program
BY: Stacey Pisani
This is the third article in Kestrel’s Drones 101 series.
Drone usage is regulated by the Federal Aviation Administration (FAA). In 2016, FAA issued new rules for non-hobbyist (i.e., commercial) small Unmanned Aircraft System (sUAS) operations in 14 CFR Part 107. Part 107 covers a broad spectrum of commercial uses for drones weighing less than 55 pounds at time of takeoff and landing.
Commercial vs. Hobby
For the purposes of Part 107, commercial is considered as anything except recreational or hobby use. Whether you are making money directly with your drone or just using it as a tool within your company, Part 107 applies to drone pilots and drones used for business purposes.
Many of the rules in Part 107 are common sense; others are not. This list provides an overview of the operating requirements for complying with Part 107:
- The remote pilot must keep the drone within visual line of sight (VLOS) at all times.
- The remote pilot must yield the right of way to manned aircraft and must not create a collision hazard.
- Neither the pilot nor a visual observer can be responsible for more than one sUAS at a time.
- You are only allowed to fly during daylight hours. If you attach the proper anti-collision lighting, you may conduct operations during twilight hours. Night operations are prohibited without proper authorization from the FAA.
- Minimum weather visibility is three miles from your control station.
- Maximum allowable altitude is 400 feet above the ground (higher if your drone remains within 400 feet of a structure, such as when you inspect a tower or tall building).
- Maximum speed is 100 mph (87 knots).
- You cannot fly directly over any people unless they are directly and knowingly involved in the operation.
- You can carry an external load if it is securely attached, does not adversely affect the flight characteristics or controllability of the aircraft, and maintains the weight limit of 55 lbs. at time of takeoff and landing.
- The National Airspace System is divided into several categorizations and it is imperative that all UAS operators know and understand the various airspace designations.
- Operations in Class A are prohibited unless authorization from the FAA is secured and the operator coordinates the operation through air traffic control. sUAS operations in Class A airspace are extremely unlikely, because Class A begins at 18,000 feet MSL.
- Class B, Class C, and Class D airspace surround airports with operating control towers (Class B around the busiest airports, Class D around smaller towered fields). Operations in these classes require prior airspace authorization from the FAA, which can take time to obtain through the manual process. When operations are approved, coordination with air traffic control and/or the airport operator may be required.
- Class E is controlled airspace that is not designated A, B, C, or D. It generally begins at 700 or 1,200 feet AGL, but around some non-towered airports with instrument approaches it extends down to the surface. Part 107 requires authorization only within a Class E surface area designated for an airport; this varies by location, so operators should refer to their sectional charts and flight planning tools before every flight to verify the current requirements.
- Class G (uncontrolled) airspace does not require any additional approvals for Part 107 operations; a majority of commercial UAS operations occur in these areas.
- Airspace designations can change, and temporary flight restrictions are frequently established for various reasons. Operators should always refer to their sectional maps and flight planning tools before, during, and after all UAS operations.
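The operating limits listed above are easy to violate unknowingly, so a pre-flight screen that checks a planned operation against them is a practical control. The block below is an added example of such a screen; it is not FAA, LAANC or Kestrel software, the FlightPlan fields and their names are assumptions made for the illustration, and it complements rather than replaces checking current sectional charts, temporary flight restrictions, and the regulation itself. It encodes the two exceptions the list mentions: the higher ceiling near a structure and twilight operation with anti-collision lighting.

```python
"""Pre-flight screen of a planned small UAS operation against the Part 107
operating limits listed above."""
from dataclasses import dataclass

MAX_ALTITUDE_FT_AGL = 400   # 400 ft above ground, or above a nearby structure
MAX_SPEED_MPH = 100         # 100 mph (87 knots) groundspeed
MIN_VISIBILITY_SM = 3       # statute miles of visibility from the control station
MAX_WEIGHT_LB = 55          # sUAS must weigh under 55 lb at takeoff and landing
# Controlled airspace needing prior ATC authorization; Class E only within a
# surface area designated for an airport.
AUTHORIZATION_CLASSES = {"B", "C", "D"}


@dataclass
class FlightPlan:
    """Assumed description of a planned operation (field names are illustrative)."""
    max_altitude_ft_agl: float
    max_speed_mph: float
    visibility_sm: float
    takeoff_weight_lb: float
    light: str                        # "day", "civil_twilight" or "night"
    airspace_class: str               # "A", "B", "C", "D", "E" or "G"
    anti_collision_lights: bool = False
    class_e_surface_area: bool = False
    atc_authorization: bool = False   # FAA/LAANC airspace authorization in hand
    night_waiver: bool = False        # Part 107 waiver covering night operation
    within_400ft_of_structure: bool = False
    structure_height_ft: float = 0.0  # height of that structure above the ground
    over_nonparticipants: bool = False
    visual_line_of_sight: bool = True


def check_part107(plan):
    """Return the operating limits the plan would break; empty list means it passes this screen."""
    problems = []
    if not plan.visual_line_of_sight:
        problems.append("aircraft must stay within visual line of sight")

    # Ceiling is 400 ft AGL, or 400 ft above a structure's top while the
    # aircraft stays within a 400 ft radius of that structure.
    ceiling = MAX_ALTITUDE_FT_AGL
    if plan.within_400ft_of_structure:
        ceiling = plan.structure_height_ft + MAX_ALTITUDE_FT_AGL
    if plan.max_altitude_ft_agl > ceiling:
        problems.append(f"altitude {plan.max_altitude_ft_agl:g} ft AGL exceeds {ceiling:g} ft ceiling")

    if plan.max_speed_mph > MAX_SPEED_MPH:
        problems.append(f"groundspeed {plan.max_speed_mph:g} mph exceeds {MAX_SPEED_MPH} mph")
    if plan.visibility_sm < MIN_VISIBILITY_SM:
        problems.append(f"visibility {plan.visibility_sm:g} sm is below {MIN_VISIBILITY_SM} sm")
    if plan.takeoff_weight_lb >= MAX_WEIGHT_LB:
        problems.append(f"takeoff weight {plan.takeoff_weight_lb:g} lb is not under {MAX_WEIGHT_LB} lb")

    if plan.light == "night" and not plan.night_waiver:
        problems.append("night operation requires an FAA waiver")
    elif plan.light == "civil_twilight" and not plan.anti_collision_lights:
        problems.append("civil twilight operation requires anti-collision lighting")

    if plan.over_nonparticipants:
        problems.append("flight over people not participating in the operation")

    if plan.airspace_class == "A":
        problems.append("Class A operation needs FAA authorization and ATC coordination")
    needs_auth = plan.airspace_class in AUTHORIZATION_CLASSES or (
        plan.airspace_class == "E" and plan.class_e_surface_area)
    if needs_auth and not plan.atc_authorization:
        problems.append(f"Class {plan.airspace_class} airspace requires prior ATC authorization")
    return problems


# Constructed scenarios, not real flights.
OPEN_FIELD_DAY = FlightPlan(350, 40, 6, 12, "day", "G")
TOWER_INSPECTION = FlightPlan(650, 25, 6, 12, "day", "G",
                              within_400ft_of_structure=True, structure_height_ft=300)
TWILIGHT_NEAR_AIRPORT = FlightPlan(650, 25, 6, 12, "civil_twilight", "C")

if __name__ == "__main__":
    for name, plan in [("open field, daytime", OPEN_FIELD_DAY),
                       ("300 ft tower inspection", TOWER_INSPECTION),
                       ("twilight near a Class C airport", TWILIGHT_NEAR_AIRPORT)]:
        print(name, "->", check_part107(plan) or "OK")
```

The tower scenario passes at 650 ft because the ceiling moves up with the structure; the same altitude in an open field fails. A screen like this belongs in the operations manual's pre-flight procedure, with its constants reviewed whenever the rules change (the night and over-people rules were already in rulemaking when this series was written).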
You can request a Certificate of Waiver from certain Part 107 regulations, and/or authorization to operate in controlled airspace, by submitting a request directly to the FAA. There are tools that can help with this process, but waiver requests can be complicated, and most are not approved by the FAA. Kestrel can help you write effective waivers.
Low Altitude and Notification Capability (LAANC)
For access to controlled airspace at low altitudes (under 400 feet, and no higher than the ceiling the FAA publishes for that location on its UAS Facility Maps), operators can use a tool recently released by the FAA referred to as LAANC (Low Altitude Authorization and Notification Capability). LAANC aims to provide near real-time airspace authorizations for UAS operations under Part 107.
LAANC automates the application and approval process for airspace authorizations at nearly 300 air traffic facilities covering approximately 500 airports. It dramatically decreases the wait time experienced with the manual authorization process, provides greater flexibility in operational planning, and directly supports UAS integration into the airspace.
To operate a sUAS under Part 107, pilots need a remote pilot airman certificate with a small UAS rating or must be under the direct supervision of a person who holds such a certificate. This certification entails passing a two-hour Airmen Knowledge Test to become certified, and then applying for your certificate online, which includes passing a TSA background check. Operators must retake the Airmen Knowledge Test every two years to stay current.
If you already have a Part 61 pilot certificate, other than a student pilot certificate, you must have completed a flight review in the previous 24 months and you must take a sUAS online training course provided by the FAA. Pilots receive a certificate of completion, which must be renewed every 24 months.
If you are acting as pilot in command, you must:
- Make your drone available to the FAA for inspection or testing on request, and provide any associated records required to be kept under the rule.
- Report to the FAA within 10 days any operation that results in serious injury, loss of consciousness, or property damage (to property other than the UAS) of at least $500.
Drone laws and regulations are constantly evolving as the industry evolves. As an example, effective February 25, 2019, the FAA requires that all sUAS display their aircraft registration number on an external surface of the aircraft; this rule was established under 14 CFR Part 48. Additional rules regarding night operations and flights over people are in the proposed rule phase and, at the time of writing, are expected to become effective by the end of April. In addition, record retention requirements for drone footage are forthcoming and may vary by state.
Not surprisingly, pilots can unknowingly (and easily) violate FAA regulations. One very important task as part of your overall UAS program management strategy should be to keep current on pilot certifications, drone registrations, and regulatory changes to remain compliant.
Learn more about Kestrel’s UAS Program Management services. Be sure to check out the entire Drones 101 series: