EHS Audits – Have We Lost Our Way?
Jul 11th, 2010 | By Lawrence B. Cahill | Category: Featured Articles

The year 2010 has reminded us once again that management of environmental, health and safety (EHS) responsibilities can have a substantial impact on people, the environment, and a company’s bottom line. On April 5th of this year Massey Energy experienced an explosion in its West Virginia coal mine that killed 29 miners. That tragedy has been compounded by a drop in the company’s stock price of more than 40 percent over the subsequent two months. (See chart) Similarly, on April 20th BP experienced an explosion and oil spill at its Deepwater Horizon oil platform in the Gulf of Mexico that killed 11 workers. Since that event, BP’s stock price has dropped about 50 percent. (See chart) Also, the financial impacts (e.g., no quarterly BP stockholder dividend, the setting up of a USD 20 billion victims’ fund) go well beyond the drop in stock price and loss in market capitalization.
What impact might these catastrophic events have on EHS compliance and audit programs? A substantial impact, one would hope. Audit programs for decades have focused on achieving compliance with detailed administrative requirements. Particularly in the United States, this is not surprising. Currently, there are more than 25,000 pages of EHS regulations at the federal level (Titles 29 and 40 of the Code of Federal Regulations [CFR]) to say nothing of state and local requirements; the number of CFR pages has grown by 3,000 in the past 5 years alone. So the requirements are not only substantial but changing and becoming more stringent all the time. It is no wonder that audit programs focus on these regulatory requirements, with penalties as high as USD 25,000 per day or more per violation per occurrence.
Although assessing compliance with detailed regulatory requirements such as inspections, permits, plans, manifests, MSDSs, reports, written procedures and the like is important for achieving and maintaining compliance, recent events suggest that ignoring real EHS risks can truly affect a company’s bottom line. One would think that these potential impacts and outcomes should impact how audits are conducted now and in the future. In practice, this raises the question: should one be more concerned about
- A wastewater discharge that has had periodic, minor exceedances of pH or the fact that the underground sewers are 50 years old and have never been surveyed with a camera to determine their integrity.
- The exact height of the containment wall of an above ground storage tank that is two inches too short or the fact that the tank has not been tested for integrity in the last 40 years.
- The lack of an expiration date for a single confined space entry permit or the fact that attendants at an entry are not always focused on the entry itself.
- Failure to set the guarding on a seldom-used grinder in the maintenance shop to the precise gap defined by the regulations or the fact that operators on the production line are routinely clearing debris from working equipment without first shutting down the equipment.
In each of the cases posed above, most traditional compliance audits would focus on the former issue, not the latter, even though the latter in each case poses a higher risk. This is mostly because clear and precise requirements are associated with the first, but not so much with the second, scenario.
A New Approach to Auditing?
It might be time to take a hard look at the objectives and philosophies of our audit programs. Achieving compliance with regulations is quite important, especially in the United States, but identifying, assessing, and managing EHS risks should also be at the core of any audit program. Maybe one way to do this is not to rely so much on detailed compliance audit protocols containing thousands of questions but to identify potential high risk activities in each compliance area (e.g., air, water, confined space, lockout/tagout, etc.) that should be reviewed in detail on each and every audit, and to provide guidance on how that review should be conducted. For example, for a given audit one would identify up front any high risk activities (e.g., ammonia refrigeration, hazardous materials storage tanks and transfer systems, work areas where respirators are required, flammable storage buildings, high production areas requiring significant operator oversight, etc.) in need of special attention and then develop a specific audit plan on how to review that activity. This does not mean that the more mundane activities and operations are ignored. It simply means that there is a defined approach on how to audit individual high risk operations within the context of the larger audit.
After reviewing hundreds of audit reports over the years, I am personally dismayed that we might have lost our way. When I review a finding that tells me that “one weekly inspection of a hazardous waste accumulation point was missed in the past six months” or that “two of two hundred fire extinguishers did not have updated monthly inspections,” I truly wonder whether our audits are helping to protect people and the environment. This is not to say that a more risk-based audit approach would have prevented the Massey Energy or BP tragedies, but maybe it’s worth a try.
About the Author
Lawrence B. Cahill, CPEA, is a Technical Director at Environmental Resources Management in Exton, Pennsylvania, U.S.A.
Mr. Cahill has over 30 years of professional EH&S experience with industry and consulting. He is the principal author of the widely used text, Environmental, Health and Safety Audits, published by Government Institutes, Inc. and now in its 8th Edition. He contributed four chapters in the 1995 book Auditing for Environmental Quality Leadership, published by John Wiley & Sons, Inc. Mr. Cahill has published over 50 articles and has been quoted in numerous publications including the New York Times and the Wall Street Journal.
Images: Provided by Lawrence Cahill.


I fully agree that the context of need for EHS audits has evolved, while the actual practice has not. From my perspective, I began to get this sense close to 10 years ago. But in the US especially basic regulatory compliance audits/findings continue to be a necessity due to the regulatory agency enforcement actions (and their own performance metrics). In the past 5 years, we have seen “risk” become the newest EHS buzzword, which is a step in the right direction. What concerns me, however, is that EHS functions tend to define “risk” and related benchmarks/parameters in terms different from how the company defines that in other functions. This undermines the credibility of the EHS function within the organization, which ultimately paralyzes its ability to be effective. Therefore it is critical to ensure that EHS defines “risk” in the correct way for the organization overall.
As a corollary, EHS audit programs moving towards a risk-based framework should thoroughly assess exposures in light of control failures, or “gross risk”. The Massey mine disaster and the Gulf oil spill are the most recent events showing the impact of – and arguably, the failure to consider – failed controls. There tends to be a general sense of “that won’t happen” in many current EHS risk-based programs I am familiar with. This could be considered analogous to the “too big to fail” attitude that was pervasive on Wall Street, leading to the economic collapse of the past two years. EHS programs must realize that the events “that won’t happen” are likely to have major to catastrophic business impacts if they do happen. Critical evaluation and assessment of gross risk profiles will greatly assist management in contingency/disaster planning.
Both Lawrences are correct – the sooner auditing takes a truly risk-based approach the better. Like both, I am not saying that we should ignore compliance, just that there needs to be auditing programmes that create a balance between risk (and I mean business risk) and compliance. There is no unlimited audit resource to achieve this, far from it and getting more so every day, so we need to get much smarter and use different tools to help achieve this aim.
Also, we should not try to ‘take over’ the existing risk management structures in the organisation, i.e. the formal identification of key risk areas in the business and creation and implementation of risk strategies to address them. Auditing needs to supplement them with audit tools and approaches that provide greater intelligence of the risks that are still there despite such actions – or the lack of such actions where risks have not been identified. Most implementations of risk strategies are about putting in place equipment, policies, processes and procedures to address the risks identified, however, this still leaves one big variable – the behaviours happening within the organisation to use and apply these effectively. Quite often risk strategies have been ‘implemented’, but not really applied, whatever the documentation may indicate ……
This is where auditing needs to create a new dynamic, by auditing the behaviours happening within the organisation, as these are the really powerful lead indicators of risk and performance. We could be compliant and apparently safe today, but if the complex mix of behaviours are not appropriate, there is likely to be a time bomb ticking. Health & Safety has recognised that behaviours are critical, but this is true for all other areas of risk and performance. Tools to do this have been developed that do not add auditor time – they can even reduce it – so it’s high time we as auditors accepted the need to change and start behaving differently ourselves!
EHS auditing in the 21st Century needs to measure EHS management effectiveness through group, role and individual behaviours. Assessment techniques have already been developed to meet this realisation and demand using online behavioural based assessment methodologies. This is against the backdrop of the shortcomings of traditional audit methods that have been identified in the article, especially when put in the context of increased legislation and standards, requiring Directors and Managers to manage their risks effectively, not just their compliance. This is of course, equally as applicable in EHS as it is with other areas of organisational risk. Managers need to understand the impact of behaviours across their organisations as well as suppliers that may also be creating these risks.
Uniquely, online tools assess / test the behaviours which actually drive activity, and hence outcomes, and then report results as risk profiles against EHS values, objectives and the elements that drive performance, rather than just looking at compliance and actual events. The behaviours being demonstrated and experienced by a very broad section of those involved in an organisation are in turn related to the level of risk to the key things that drive the required performance.
The inescapable fact is that it is the behaviours that are exhibited within any organisation that drive the outcomes, including catastrophic events. Behaviours of leaders who create the culture, behaviour of the managers who look after the day-to-day implementation of objectives and behaviours of staff, who are the group who actually make things happen. Add to this the reliance on the supply chain (with their own sets of behaviours) and other stakeholders (yet another dynamic) and the way that these all interact have a profound effect on EHS management and business performance and social/environmental impacts.
These new tools, which assess and analyse these issues in a consistent manner are becoming essential differentiators for corporations to demonstrate that they are effectively managing stakeholder issues, including EHS issues. Applying the traditional auditing methods of the past, (with associated significant carbon footprint), will not be sufficient to demonstrate effective management of these risks.