Blog

09 Aug
Audit Program Best Practices: Part 1

Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. An audit is typically part of a broader compliance assurance program and can cover some or all of the company’s legal obligations, policies, programs, and objectives.

Companies come in a variety of sizes with a range of different needs, so auditing standards remain fairly flexible. There are, however, a number of audit program elements and best practices that can help ensure a comprehensive audit program:

  1. Goals. Establishing goals enables recognition of broader issues and can lead to long-term preventive programs. This process allows the organization to get at the causes and focus on important systemic issues. It pushes and guides toward continuous improvement. Goal-setting further addresses the responsibilities and obligations of the Board of Directors for audit and oversight and elicits support from stakeholders.
  2. Scope. The scope of the audit should be limited initially (e.g., compliance and risk) to what is manageable and to what can be done very well, thereby producing performance improvement and a wider understanding and acceptance of objectives. As the program is developed and matures (e.g., Management Systems, company policy, operational integration), it can be expanded and, eventually, shift over time toward systems in place, prevention, efficiency, and best practices.
  3. Committed resources. Sufficient resources must be provided for staffing and training and then applied, as needed, to encourage a robust auditing program. Resources also should be applied to EHSMS design and continuous improvement. It is important to track the costs/benefits to compare the impacts and results of program improvements.
  4. Operational focus. All facilities need to be covered at the appropriate level, with emphasis based on potential EHS and business risks. The operational units/practices with the greatest risk should receive the greatest attention (e.g., the 80/20 Rule). Vendors/contractors and related operations that pose risks must be included as part of the program. For smaller, less complex and/or lower risk facilities, lower intensity focus can be justified. For example, relying more heavily on self-assessment and reporting of compliance and less on independent audits may provide better return on investment of assessment resources.
  5. Audit team. A significant portion of the audit program should be conducted by knowledgeable auditors (independent insiders, third parties, or a combination thereof) with clear independence from the operations being audited and from the direct chain of command. For organizational learning and to leverage compliance standards across facilities, it is good practice to vary at least one audit team member for each audit. Companies often enlist personnel from different facilities and with different expertise to audit other facilities. Periodic third-party audits further bring outside perspective and reduce tendencies toward “home-blindness”.
  6. Audit frequency. There are several levels of audit frequency, depending on the type of audit:
    • Frequent: Operational (e.g., inspections, housekeeping, maintenance) – done as part of routine EHSMS day-to-day operational responsibilities
    • Periodic: Compliance, systems, actions/projects – conducted annually/semi-annually
    • As needed: For issue follow-up
    • Infrequent: Comprehensive, independent – conducted every three to four years
  7. Differentiation methods. Differentiating identifies and distinguishes issues of greatest importance in terms of risk reduction and business performance improvement. The process for differentiating should be as clear and simple as possible; a system of priority rating and ranking is widely understood and agreed. The rating system can address severity levels, as well as probability levels, in addition to complexity/difficulty and length of time required for corrective actions.
  8. Legal protection. Attorney privilege for audit processes and reports is advisable where risk/liability are deemed significant, especially for third-party independent audits. To the extent possible, make the audit process and reports management tools that guide continuous improvement. Organizations should follow due diligence elements of the USEPA audit policy.
  9. Procedures. Describe and document the audit process for consistent, efficient, effective, and reliable application. The best way to do this is to involve both auditors and those being audited in the procedure design. Audit procedures should be tailored to the specific facility/operation being audited. Documented procedures should be used to train both auditors and those accountable for operations being audited. Procedures can be launched using a pilot facility approach to allow for initial testing and fine-tuning. Keep procedures current and continually improve them based on practical application. Audits include document and record review (corporate and facility), interviews, and observations.
  10. Protocols & tools. Develop specific and targeted protocols that are tailored to operational characteristics and based on applicable regulations and requirements for the facility. Use “widely accepted or standard practice” as go-by tools to aid in developing protocols (e.g., ASTM site assessment standards; ISO 14010 audit guidance; audit protocols based on EPA, OSHA, MSHA, Canadian regulatory requirements; GEMI self-assessment tools; proprietary audit protocol/tools). As protocols are updated, the ability to evaluate continuous improvement trends must be maintained (i.e., trend analysis).
  11. Information management & analysis. Procedures should be well-defined, clear, and consistent to enable the organization to analyze trends, identify systemic causes, and pinpoint recurring problem areas. Analysis should prompt communication of issues and differentiation among findings based on significance. Audit reports should be issued in a predictable and timely manner. It is desirable to orient the audit program toward organizational learning and continual improvement, rather than a “gotcha” philosophy. “Open book” approaches help learning by letting facility managers know in advance what the audit protocols are and how the audits will be conducted.
  12. Verification & corrective action. Corrective actions require corporate review, top management-level attention and management accountability for timely completion. A robust root cause analysis helps to ensure not just correction/containment of the existing issue, but also preventive action to assure controls are in place to prevent the event from recurring. For example, if a drum is labeled incorrectly, the corrective action is to relabel that drum. A robust plan should also look for other drums that might be labeled incorrectly and add and communicate an effective preventive action (e.g., training or posting signs showing a correctly labeled drum).
26 Jul
10 Reasons to Implement a Management System

A management system is the framework that enables companies to achieve their operational and business objectives through a process of continuous improvement. In its simplest form, a management system implements the Plan, Do, Check, Act/Adjust cycle. Several choices are available for management systems (ISO is commonly applied), whether they are certified by third-party registrars and auditors, self-certified, or used as internal guidance and for potential certification readiness.

Business Benefits of a Well-Documented Management System

The connection between management systems and compliance is vital in avoiding recurring compliance issues and in reducing variation in compliance performance. In fact, reliable and effective regulatory compliance is commonly an outcome of consistent and reliable implementation of a management system.

Beyond that, there are a number of business reasons for implementing a well-documented management system (environmental, safety, quality, food safety, other) and associated support methods and tools:

  1. Establishes a common documented framework to achieve more consistent implementation of compliance policies and processes—addressing the eight core functions of compliance:
    • Inventories
    • Permits and authorizations
    • Plans
    • Training
    • Practices in place
    • Monitoring and inspection
    • Records
    • Reporting
  2. Provides clear methods and processes to identify and prioritize risks, set and monitor goals, communicate those risks to employees and management, and allocate the resources to mitigate them.
  3. Shifts from a command-and-control, centrally driven function to one that depends heavily on teamwork and implementation of a common system, taking into consideration the necessary local differences and building better know-how at the facility level.
  4. Establishes a common language for periodic calls and meetings among managers, facility managers, and executives, which yields better goal-setting, priority ranking, and allocation of resources to the areas with greatest risk or the greatest opportunity to add business value.
  5. Empowers facilities to take responsibility for processes and compliance performance without waiting to be told “what” and “how”.
  6. Enables better collaboration and communication across a distributed company with many locations.
  7. Enables the selection and implementation of a robust information system capable of tracking and reporting on common activities and performance metrics across the company.
  8. Employs a design and implementation process that builds company know-how, captures/retains institutional knowledge, and enables ongoing improvement without having to continually reinvent the wheel.
  9. Creates consistent processes and procedures that support personnel changes (e.g., transfers, promotions, retirements) and training of new personnel without causing disruption or gaps.
  10. Allows for more consistent oversight and governance, yielding higher predictability and reliability.

 

24 Jul
Jake Taylor Joins ASSP Board of Directors

Kestrel Senior Consultant Jake Taylor recently joined the Board of Directors for the Badgerland Chapter of the American Society of Safety Professionals (ASSP). ASSP is a global association for occupational safety and health professionals. For more than 100 years, the Society has provided education, standards development, advocacy and a professional community to support the advancement of members and the safety profession.

Jake brings over 20 years of management experience, particularly in the areas of EHS and risk management, to his ASSP Board position. He has vast experience developing and implementing comprehensive, corporate-wide safety programs. Jake also serves as a Responsible Distribution Adviser for the National Association of Chemical Distributors (NACD), where he provides in-depth support and assistance with the design and implementation of members’ Responsible Distribution programs and verifications.

The Badgerland Chapter of ASSP was chartered in 1995 and has over 100 members. Its geographical boundaries are southern Wisconsin—from LaCrosse to Watertown. The Badgerland Chapter strives to give members an opportunity to learn from a technical presentation or a tour of a local business and their safety, environmental and health programs.

19 Jul
Six Best Practices for Compliance Assurance

A well-designed and well-executed compliance assurance program provides an essential tool for improving and verifying business performance and limiting compliance risks. Ultimately, however, a compliance program’s effectiveness comes down to whether it is merely a “paper program” or whether it is being integrated into the organization and used in practice daily.

The following can show evidence of a living, breathing program:

  • Comprehensiveness of the program
  • Dedicated staff and resources
  • Employee knowledge and engagement
  • Management commitment and employee perception
  • Internal operational inspections, “walk-abouts” by management
  • Independent insider, plus third-party audits
  • Program tailoring to greatest risks
  • Consistency and timeliness of exception (noncompliance/nonconformance) disclosures
  • Tracking of timely and adequate corrective/preventive action completion
  • Progress and performance monitoring

Best Practices

To achieve a compliance assurance program on par with world-class organizations, there are a number of best practices that companies should employ:

  1. Know the requirements. This means maintaining an inventory of regulatory compliance requirements for each compliance program, as well as of state/local/contractual binding agreements applying to operations. It is vital that the organization keep abreast of current/upcoming requirements (federal, state, local).
  2. Plan and develop the processes to comply. Identify and assess compliance risks, and then set objectives and targets for performance improvement based on top priorities. From here, it becomes possible to then define program improvement initiatives, assign and document responsibilities for compliance (who must do what and when), develop procedures and tools, and then allocate resources to get it done.
  3. Assure compliance in operations. The organization needs to establish routine checks and inspections within departments to evaluate conformance with sub-process procedures. Process audits should be designed and implemented to cut across operations and sub-processes in order to evaluate conformance with company policies and procedures. Regulatory compliance audits should further be conducted to address program requirements (e.g., environmental, safety, mine safety, security). Audit performance must be measured and reported, and then expectations set for operating managers to take responsibility for compliance.
  4. Take action on issues and problems. Capture, log, and categorize noncompliance issues, process non-conformances, and near misses. Implement a corrective/preventive action process based on importance of issues. Be disciplined in timely completion, close-out, and documentation of all corrective/preventive actions.
  5. Employ a management of change (MOC) process. Robust MOC processes help ensure that changes affecting compliance (to facility, operations, personnel, infrastructure, materials, etc.) are reviewed for their impacts on compliance. Compliance should be assured before the changes are made. Failure to do so is one of the most common root causes of noncompliance.
  6. Ensure management involvement and leadership. Set the tone at the top. The Board of Directors and senior executives must set policy, culture, values, expectations, and goals. It is just as important that these individuals are the ones to communicate across the organization, to demonstrate their commitment and leadership, to define an appropriate incentive/disincentive system, and to provide ongoing organizational feedback.
12 Jul
Predictive Analytics in Incident Prevention

Companies are generating ever increasing amounts of data associated with business operations, leading to renewed interest in predictive analytics, a field that analyzes large data sets to identify patterns, predict outcomes, and guide decision-making. Companies are also facing a complex and ever expanding array of operational risks to proactively identify and mitigate. While many companies have begun using predictive analytics to identify marketing/sales opportunities, similar strategies are less common in risk management, including safety.

Classification algorithms, one general class of predictive analytics, could be particularly beneficial to the refining and petrochemical industries by predicting the time frame and location of safety incidents based on safety related inspection and maintenance data, essentially leading indicators. There are two main challenges associated with this method: (1) ensuring that leading indicators being measured are actually predictive of incidents, and (2) measuring the leading indicators frequently enough to have predictive value.

Kestrel’s article in the Q3 2018 edition of Petroleum Technology Quarterly (PTQ) features a case study to illustrate this process. Using regularly updated inspection data, the author developed a model to predict where broken rails are likely to occur in the railroad industry. The model was created using a logistic regression modified by Firth’s penalized likelihood method, and predicts broken rail probabilities for each mile of track. Probabilities are updated as additional data are collected.

In addition to predicted broken rail probabilities, the model identifies the variables with the most predictive validity (those that significantly contribute to broken rails). Using the model results, the railroad was able to identify exactly where to focus maintenance, inspection, and capital improvement resources and what factors to address during these activities. Validation tests of the model revealed 70% of the actual broken rail incidents occurred on the 20% of segments at highest risk for broken rails.
The same methodology could be used in the refining and petrochemical industries to manage risks by predicting and preventing incidents, provided that organizations:

  • Identify leading indicators with predictive validity
  • Regularly measure leading indicators (inspection, maintenance, and equipment data)
  • Create a predictive model based on measured indicators
  • Update the model as data are gathered
  • Use the outputs to prioritize maintenance, inspections, and capital improvement projects and review operational processes/practices.

Read the complete article in PTQ.

09 May
Join Kestrel: AFPM Safety Conference

It’s time to “Discover the Possible” at the AFPM National Occupational & Process Safety Conference. Beyond the program of interesting industry presentations and learning opportunities, Kestrel Management is looking forward to connecting with many of you in San Antonio.


AFPM National Occupational & Process Safety Conference
May 15-16, 2018
Grand Hyatt San Antonio


We welcome the opportunity to learn more about your needs and discuss how Kestrel helps our clients improve occupational and process safety performance; manage EHS and quality risks; and achieve regulatory compliance assurance. See you in San Antonio!

28 Feb
Safety Consultant Job in Madison, WI
Now Hiring: Safety Consultant

Kestrel is seeking an experienced professional with a strong safety compliance background to join our team. The ideal candidate will possess a deep knowledge of industrial safety procedures and how safety relates to process improvement to help our clients proactively manage their operational safety-related risks. The Safety Consultant will possess a strong understanding of OSHA requirements, as well as experience assessing, developing, and implementing OSHA safety programs in an industrial setting.

Responsibilities:

  • Perform safety compliance program assessment, development and standardization
  • Conduct assessments, training, and coaching for safety performance improvement projects
  • Perform safety compliance assessments and implement follow-up corrective actions to ensure compliance with applicable regulations
  • Conduct incident investigation and root cause analysis
  • Work with a team to assess, design, implement and audit safety management systems and programs
  • Design safety performance metrics to drive continual improvement
  • Apply quality and process improvement methods and tools
  • Support other Kestrel professionals to effectively manage and deliver projects
  • Effectively steward and build client relationships leading to repeat business

Requirements:

  • Bachelor’s degree in Occupational Safety preferred
  • 3-5 years relevant experience working in safety for industry/manufacturing (chemical industry experience a plus)
  • Strong knowledge of OSHA safety standards and programs
  • Excellent communication, interpersonal, writing, and a variety of computer skills
  • Analytical and problem solving skills
  • Planning and organizational abilities
  • Willingness and ability to learn and use technology – hardware and software – to meet client’s needs
  • Willingness to travel, both within the U.S. and to international locations; must have or be able to obtain a valid passport after employment begins

Interested candidates should forward a resume and cover letter to recruiting@kestrelmanagement.com.

15 Aug
Applying Predictive Analytics in Safety

In recent years, companies have been generating vast and ever-increasing amounts of data associated with business operations. This trend has led to renewed interest in predictive analytics, a field which focuses on analyzing large data sets to identify patterns and predict outcomes to help guide decision-making. While many leading companies use predictive analytics to identify marketing and sales opportunities, similar data analysis strategies are less common in occupational and process safety. Even so, the potential benefits of analyzing safety data are considerable.

Just as companies are currently using customer data to predict customer behavior, safety and incident data can be used to predict when and where incidents are likely to occur. Appropriate data analysis strategies can also identify the key factors that contribute to incident risk, thereby allowing companies to proactively address those factors to avoid future incidents.

Predictive Analytics: In Theory

Let’s take a step back and look at what predictive analytics is and what it does. Predictive analytics is a broad field encompassing aspects of various disciplines, including machine learning, artificial intelligence, statistics, and data mining. Predictive analytics uncovers patterns and trends in large data sets for the purpose of predicting outcomes before they occur. One branch of predictive analytics, classification algorithms, could be particularly beneficial to industry, especially when it comes to avoiding incidents.

Classification algorithms can be categorized as supervised machine learning. With supervised learning, the user has a set of data that includes predictive variable measurements that can be tied to known outcomes. The algorithms identify the relationships between various factors and those outcomes to create predictive rules (i.e., a model). Once created, the model can be given a dataset with predictive variable measurements and unknown outcomes, and will then predict the outcome based on the model rules.

Predictive Analytics: In Practice

Like many in the transportation industry, the railroad in this case study had experienced a number of derailments caused by broken rails. Broken rail derailments can have particularly severe consequences, since they typically occur on mainline tracks, at full speed, and with no warning of the impending broken rail. Kestrel was asked to create a predictive model of track-caused derailments on a mile-by-mile basis to identify areas of high broken rail risk so the railroad could target those areas for maintenance, increased inspections, and capital improvement projects.

Penalized Likelihood Logistic Regression

As described above, classification models learn predictive rules in an original data set that includes known outcomes, then apply the learned rules to a new data set to predict outcomes and probabilities. In this case study, Kestrel used a logistic regression modified by Firth’s penalized likelihood method to:

  • Fit the model
  • Identify eleven significant predictive variables (based largely on past incidents)
  • Calculate broken rail probabilities for each mile of mainline track based on track characteristics

Final Model

The final model calculates a predicted probability of a broken rail occurring on each mile of track over a two-year period. The results suggest that the final model effectively predicted broken rail risk, with 33% of broken rails occurring on the riskiest 5% of track miles and 70% occurring in the riskiest 20%. Further, the model shows that the greatest risk reduction for the investment may be obtained by focusing on the 2.5% of track miles with the highest probability of a broken rail. This ability to predict where broken rails are likely to occur will allow the company to more effectively manage broken rail derailment risk through targeted track inspections, maintenance, and capital improvement programs.

Implications for Other Industries

The same general approach described in the above case study can also be applied to other industries—using KPIs to determine predictive variables and incidents as the outcome. The process is as follows:

  • Measurements for defined variables would be taken regularly at each facility or unit. Precision increases as the measurements become more frequent and the observed area (facility/unit) becomes smaller.
  • Once a sufficient number of measurements has been taken, they would then be combined with incident data to provide both the predictive variable measurements and the outcome data needed for training a model. This dataset would be fed into a logistic regression or other classification algorithms to create a model.
  • Once the model has been created, it can be applied to new measurements to predict the probability of an incident occurring at that location during the applicable timeframe.

Once predicted incident probabilities have been found, management would be able to focus improvement resources on those locations that have the highest probabilities of experiencing an incident. The classification algorithms also identify which factors have predictive validity, so management will know how improving those factors will affect the predicted probability of incidents occurring. In other words, they will know which factors have the strongest relationship with incidents and can focus on improving those first.
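The fit, score, and rank steps above can be illustrated with a short Python sketch. This is an added example, not Kestrel's model or code: it fits a logistic regression with Firth's penalized likelihood, predicts a probability per track mile, and reports the share of incidents that fall in the riskiest 20% of segments. The track-mile data, the single "defects" predictor, and all function names are constructed for illustration.

```python
import math

# Constructed sample (not data from the case study): one row per track mile,
# (rail defects found at last inspection, broken rail in the period: 0 or 1).
# Outcomes are perfectly separated by defect count, the case where ordinary
# maximum likelihood diverges and Firth's penalty keeps the estimates finite.
TRACK_MILES = [(1, 0), (2, 0), (3, 0), (4, 1), (5, 1), (6, 1)]


def _sigmoid(z):
    """Numerically stable logistic function."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def _solve(a, b):
    """Solve a*x = b for a small dense system (Gauss-Jordan, partial pivoting)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]


def predict(beta, row):
    """Predicted incident probability for one segment (row includes the 1.0 intercept term)."""
    return _sigmoid(sum(b * x for b, x in zip(beta, row)))


def firth_fit(X, y, max_iter=200, tol=1e-10, max_step=5.0):
    """Fisher scoring on Firth's modified score: sum_i (y_i - p_i + h_i*(0.5 - p_i)) * x_i."""
    k = len(X[0])
    beta = [0.0] * k
    for _ in range(max_iter):
        p = [predict(beta, row) for row in X]
        w = [pi * (1.0 - pi) for pi in p]
        # Fisher information X'WX
        info = [[sum(wi * r[a] * r[b] for wi, r in zip(w, X)) for b in range(k)]
                for a in range(k)]
        # Leverages: diagonal of the hat matrix W^(1/2) X (X'WX)^-1 X' W^(1/2)
        h = [wi * sum(x * s for x, s in zip(r, _solve(info, r))) for wi, r in zip(w, X)]
        score = [sum((yi - pi + hi * (0.5 - pi)) * r[a]
                     for yi, pi, hi, r in zip(y, p, h, X)) for a in range(k)]
        step = _solve(info, score)
        biggest = max(abs(s) for s in step)
        if biggest > max_step:  # cap the step so one iteration cannot overshoot
            step = [s * max_step / biggest for s in step]
        beta = [b + s for b, s in zip(beta, step)]
        if biggest < tol:
            break
    return beta


def capture_share(probs, outcomes, top_fraction=0.20):
    """Share of all incidents that occurred on the riskiest top_fraction of segments."""
    total = sum(outcomes)
    if total == 0:
        return 0.0
    n_top = max(1, math.ceil(top_fraction * len(probs) - 1e-9))
    ranked = sorted(range(len(probs)), key=lambda i: probs[i], reverse=True)
    return sum(outcomes[i] for i in ranked[:n_top]) / total


def score_track(miles=TRACK_MILES):
    """Fit on the constructed sample, then return coefficients, per-mile probabilities, capture share."""
    X = [[1.0, float(d)] for d, _ in miles]
    y = [broke for _, broke in miles]
    beta = firth_fit(X, y)
    probs = [predict(beta, row) for row in X]
    return beta, probs, capture_share(probs, y)


if __name__ == "__main__":
    beta, probs, share = score_track()
    print("coefficients (intercept, defects):", [round(b, 3) for b in beta])
    for (defects, broke), pr in zip(TRACK_MILES, probs):
        print(f"defects={defects} broke={broke} predicted={pr:.3f}")
    print(f"incidents on riskiest 20% of miles: {share:.0%}")
```

With an intercept-only model the Firth estimate has the closed form (incidents + 0.5) / (segments + 1), so a data set with no incidents at all still yields a finite, non-zero predicted probability.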

Data-Driven Decisions

Industrial companies are generating and recording unprecedented amounts of data associated with operations. Those that strive to be best-in-class need to use that data intelligently to guide future business decision-making.

The versatility of predictive analytics, including the method described in this case study, can be applied to help companies analyze a wide variety of problems. In this way, companies can:

  • Explore and investigate past performance
  • Gain the insights needed to turn vast amounts of data into relevant and actionable information
  • Create statistically valid models to facilitate data-driven decisions
22 Jun
Q&A: The New ISO 45001 Standard

What is ISO 45001?

ISO 45001 is a new international standard created by the International Organization for Standardization (ISO) that specifies requirements for an occupational health & safety management system (OHSMS). It provides a framework for managing the prevention of death, work-related injury, and work illnesses. The ultimate goal of the standard is to help organizations proactively improve OHS performance and create a safe and healthy workplace.

Note that ISO 45001 provides guidance. It does not state specific criteria for OHS performance, nor is it prescriptive about the OHSMS design. It is a management tool for voluntary use by organizations to minimize OHS risks.

Why is ISO 45001 necessary?

There are several reasons why the creation of an international standard to manage OHS performance is necessary:

  • First and foremost, organizations are responsible for minimizing the risk of harm to all individuals that may be impacted by their activities. The standard aims to protect human lives by encouraging organizations to create a safer, healthier workplace.
  • According to the International Labour Organization (ILO), there were 2.34 million deaths worldwide in 2013 as a result of worker activities. The vast majority (2 million) are associated with health issues, as opposed to injuries. The economic burden associated with this number of occupational injuries and illnesses is significant. Organizations must manage all their risks—including OHS—to survive. Poor OHS management can result in loss of key employees, business interruption, claims, higher insurance premiums, regulatory action, reputational damage, loss of investors, and loss of business.
  • Finally, increased globalization creates new OHS challenges. ISO 45001 is an international standard that promotes global conformity.

What are the key aspects of ISO 45001?

Many of the elements of ISO 45001 are the same or similar to those found in OHSAS 18001. However, there are additions and changes in ISO 45001 that differentiate the new standard.

[Figure: ISO 45001 Hierarchy of Controls]

ISO 45001 establishes new roles for the organization’s people. First, it emphasizes worker participation in the OHSMS. This includes ensuring that workers are competent and have the appropriate skills to safely perform their tasks. Second, the role of top management is different than in OHSAS 18001. Of note, a designated Management Representative is no longer required; however, those individuals in management roles are expected to take ownership and demonstrate a commitment to OHS through leadership. Top management must demonstrate direct involvement and engagement with the OHSMS by:

  • Ensuring the organization’s OHS policy and objectives are compatible with the overall strategic direction of the organization
  • Integrating OHSMS processes and requirements into business processes
  • Developing and promoting an OHS culture that supports the OHSMS
  • Being accountable for the OHSMS’s effectiveness

In addition to people, ISO 45001 follows a risk-based approach that advocates prevention. This requires identifying activities that could harm those working on behalf of the organization. A large part of this involves understanding the “context” of the organization, another new element of ISO 45001. Organizations must be able to identify all external and internal factors that have the potential to impact OHS management objectives and results.

To address risks and opportunities, there are new clauses related to hazard identification, as well. As with other sections of the standard, hazard identification becomes a process rather than a procedure and, importantly, considers all individuals near the workplace who may be impacted by the organization’s activities. ISO 45001 further outlines a more defined hierarchy for organizations to determine appropriate controls.

How does ISO 45001 fit in with other ISO standards and management system approaches?

ISO 45001 follows the same high-level management system approach being applied to other ISO management system standards (e.g., ISO 14001 and ISO 9001)—Annex SL. Because of this, the ISO 45001 requirements should be consistent with the other standards to allow for relatively easy alignment and integration into the organization’s overall management processes.

In addition, ISO 45001 takes into account other OHS standards, including OHSAS 18001, ILO-OSH Guidelines, various national standards, and the ILO’s international labor standards and conventions.

What is Annex SL?

As mentioned above, Annex SL is the structure for all new and revised ISO standards. It defines the framework for a generic management system—and is then customized for each discipline. This standard structure allows for easier integration between management systems and improved efficiencies. The major clauses for all ISO management system standards are identical under Annex SL and fall into the Plan-Do-Check-Act (PDCA) cycle. Organizations that have already implemented ISO 9001:2015 or ISO 14001:2015 will be familiar with the Annex SL structure.

The table below outlines the main clauses in Annex SL, as well as the OHSMS-specific clauses. Highlighted areas indicate those sections that are significant changes/additions to the existing OHSAS 18001 standard.

[Table: ISO 45001 Table]

What does this mean for OHSAS 18001?

As outlined in the table above, ISO 45001 does not conflict with OHSAS 18001. In fact, it expands and enhances the existing standard to improve integration of the OHSMS into the overall business. ISO 45001 is intended to replace OHSAS 18001. Much like other management system standards, current users of OHSAS 18001 will need to update their systems according to the requirements of the new standard within a three-year transition period.

Who should use ISO 45001?

The short answer is everyone. ISO 45001 is designed to be a flexible management system that can be implemented by any organization, no matter the size, type, or industry. As long as the organization has people who may be affected by its activities, an OHSMS has value in ensuring worker health and safety and fulfilling legal requirements.

Why should I do this? Why are management systems like ISO 45001 beneficial?

A management system is an organizing framework that enables companies to achieve and sustain their operational and business objectives through a process of continuous improvement. A management system is designed to identify and manage risks through an organized set of policies, procedures, practices, and resources that guide the enterprise and its activities to maximize business value.

What do I do next?

  • Get informed! Start reading up on ISO 45001 to get familiar with how the new standard is structured.
  • Identify gaps in your existing OHSMS that will need to be addressed to meet any new requirements. If you don’t have an existing OHSMS, review the requirements and determine what pieces you may already have in place.
  • Develop an implementation plan. There is a three-year transition period. Plan according to this timeline.
  • Provide training. It is vital to ensure that workers and management are engaged in the OHSMS and that they are competent in any new skills/responsibilities that may be required.
  • Put your plan into action. Update/develop your OHSMS to meet the ISO 45001 requirements and provide verification of its effectiveness to ensure certification.
22 Jun
World-Class Compliance Pt 5: Compliance Assurance Program

This is the fifth in a series of five articles on developing and maintaining a world-class compliance assurance program.

A well-designed and well-executed compliance assurance program provides an essential tool for improving and verifying business performance and limiting compliance risks. Ultimately, however, a compliance program’s effectiveness comes down to whether it is merely a “paper program” or whether it is being integrated into the organization and used in practice on a daily basis.

The following can show evidence of a living, breathing program:

  • Comprehensiveness of the program
  • Dedicated staff and resources
  • Employee knowledge and engagement
  • Management commitment and employee perception
  • Internal operational inspections, “walkabouts” by management
  • Independent insider, plus third-party audits
  • Program tailoring to greatest risks
  • Consistency and timeliness of exception (noncompliance/nonconformance) disclosures
  • Tracking of timely and adequate corrective/preventive action completion
  • Progress and performance monitoring

Best Practices

To achieve a compliance assurance program on par with world-class organizations, there are a number of best practices that companies should employ:

Know the requirements. This means maintaining an inventory of regulatory compliance requirements for each compliance program, as well as of state/local/contractual binding agreements applying to operations. It is vital that the organization keep abreast of current/upcoming requirements (federal, state, local).

Plan and develop the processes to comply. Identify and assess compliance risks, and then set objectives and targets for performance improvement based on top priorities. From here, it becomes possible to then define program improvement initiatives, assign and document responsibilities for compliance (who must do what and when), develop procedures and tools, and then allocate resources to get it done.

Assure compliance in operations. The organization needs to establish routine checks and inspections within departments to evaluate conformance with sub-process procedures. Process audits should be designed and implemented to cut across operations and sub-processes in order to evaluate conformance with company policies and procedures. Regulatory compliance audits should further be conducted to address program requirements (e.g., environmental, safety, mine safety, security). Audit performance must be measured and reported, and the expectations set for operating managers to take responsibility for compliance.

Take action on issues and problems. Capture, log and categorize noncompliance issues, process nonconformances, and near misses. Implement a corrective/preventive action process based on the importance of issues. Be disciplined in timely completion, close-out, and documentation of all corrective/preventive actions.

Employ management of change (MOC) process. Robust MOC processes help ensure that changes affecting compliance (to the facility, operations, personnel, infrastructure, materials, etc.) are reviewed for their impacts on compliance. Compliance should be assured before the changes are made. Failure to do so is one of the most common root causes of noncompliance.

Ensure management involvement and leadership. Set the tone at the top. The Board of Directors and senior executives must set policy, culture, values, expectations, and goals. It is just as important that these individuals are the ones to communicate across the organization, to demonstrate their commitment and leadership, to define an appropriate incentive/disincentive system, and to provide ongoing organizational feedback.

Maintaining Ongoing World-Class Compliance Assurance Program

The compliance assurance program must be a living, breathing program. As risks change, the program must be refreshed, refined, and redeployed. A Management System framework can help ensure operational sustainability. A Management System drives the auditing process and helps companies say what they will do, do what they say and, importantly, verify it.

Together, there is a real value at the intersection of a compliance assurance program and Management Systems. Management Systems define the internal controls that are in place to reduce risks, prevent losses, and sustain and improve performance over time through the Plan-Do-Check-Act (PDCA) cycle of continual improvement.

Testing and Monitoring

Testing, monitoring, and measuring are crucial elements of this cycle. Without them, it is difficult to understand what is working and what needs improvement. Robust testing and monitoring programs can serve as early warning systems for identifying potential compliance risks before they become enforcement issues.

Compliance should be tested and monitored throughout each level of the organization. A strong testing program will evaluate the results of the compliance risk assessment and assign compliance risks to the business units and processes where they are most likely to occur, creating clear lines of responsibility and accountability. Key risks and the related controls should be tested periodically using statistically valid sampling methodologies, and monitoring activities should be performed on an ongoing basis. Doing so produces trend data that provides the rationale needed for making changes to underlying business processes, as well as emerging risks.

Ongoing compliance excellence relies on top management, operations managers, EHS personnel, and individual employees throughout the organization working together to build and sustain an organizational culture that places compliance on par with business performance. Senior management must focus on the overall culture of the company in terms of taking the necessary steps to reduce risk and make prevention part of daily operations. While it may be impossible to eliminate all risk exposure, a solid risk framework, assessment methodology, and compliance assurance program can help to prioritize risks for active management, sustained compliance, and positive business impacts.
