Using Risk Factors to Determine EHS Audit Frequency

Apr 23rd, 2011 | By | Category: Auditing

Establishing how often to carry out environmental, health, and safety (EHS) audits at sites and facilities considered to be part of the auditable universe can be a trying exercise.  Auditing high-risk operations too infrequently can lead to unwanted surprises because of the lack of oversight and governance.  On the other hand, auditing too frequently can be costly, can lead to a feeling of unbearable oversight by the audited community, and can eventually compromise the effectiveness of the program, to say nothing of how it affects the reception given to audit teams when they arrive at a site.

On one environmental audit some years ago at a large chemical plant in California, U.S.A., at the start of the opening meeting, the plant manager stated, “I can’t believe we’re being audited yet again.  Do you know that we’ve been audited or inspected over 75 times this quarter alone?”  The team leader (and the company) had failed to recognize that this site, a major military contractor for the U.S. government, was receiving regular “attention” from the corporate audit group, customers, and regulators on topics such as finance, security, environment, health and safety, process safety, transportation, and so forth.

So, what’s the right frequency, and where can one go for guidance?  This article attempts to help answer these questions.  Discussions include

  • Expectations of regulatory agencies and professional organizations
  • Assigning risk factors to auditable sites to establish frequency
  • Examples of how nine companies have addressed audit frequency

Although there is no perfect solution that applies to all cases, the general approach and following examples from nine companies can be used to develop a solution.


Audit Frequency Expectations

No agency or professional organization prescribes exact frequencies for EHS audits.  Some that do address the subject say that audit frequency should be based on risk (Auditing Roundtable, Board of Environmental, Health and Safety Auditor Certifications [BEAC], and The Institute of Internal Auditors [IIA]), whereas others say the frequency should be “periodic” (ANSI/AIHA Z10, ISO 14001, OHSAS 18001, U.S. Environmental Protection Agency [EPA], and U.S. Sentencing Commission) (see Figure 1).  Although most of the external guidelines are silent on specific quantitative expectations for audit frequency, the commonly held expectation is that major facilities will be audited no less frequently than once every two to three years.


Figure 1 – Audit Frequency Expectations of Regulatory Agencies and Professional Organizations

  Organization   Document   Frequency Expectation
  American National Standards Institute/American Industrial Hygiene Association   Occupational Health and Safety Management Systems Standard (ANSI/AIHA Z10-2005)
  ASTM International   Standard Practice for Environmental Regulatory Compliance Audits (E2107-06)   Silent on the subject
  Auditing Roundtable   Standard for the Design and Implementation of an EH&S Audit Program (1996)   Frequency “based on existing or potential EHS impacts, taking into account such factors as level of EHS risk …”
  Board of Environmental, Health and Safety Auditor Certifications   Performance and Program Standards for the Professional Practice of EH&S Auditing   “…facilities which pose the greatest risk to the company are audited earlier in the cycle, or at more frequent intervals, than other facilities which pose less
  Institute of Internal Auditors   Standards for the Professional Practice of Internal Auditing   Primarily risk based
  ISO 14001   Environmental Management Systems (ISO 14001:2004[E])
  ISO 19011   Guidelines for quality and/or environmental management systems auditing (ISO   Silent on the subject
  Occupational Health and Safety Assessment Series   Occupational Health and Safety Management Systems Standard (OHSAS 18001:2007)
  U.S. EPA   Environmental Auditing Policy Statement (1986)
  U.S. Sentencing Commission   Sentencing Guidelines Manual, Effective Compliance and Ethics Program (§8B2.1) (2010)


Risk Factors and Audit Frequency

There are, of course, many approaches to ranking facilities by risk and by other factors and subsequently setting frequencies based on these rankings. Generally, there are two types of site risk factors: inherent and external. The inherent risks of operation include the materials handled, the age of the facility, and the complexity of the process.  These risks are important but perhaps more controllable than the external risks, which may include the company’s compliance history, the community and environmental setting, and the state or local agency’s regulatory stringency.

If one views these two classes of risk in concert, as in Figure 2, a facility-by-facility risk evaluation can be conducted.  We can find fairly large facilities, such as facility A, that pose high risks, and efforts can be undertaken to reduce both inherent and external risks and move this facility into either a relatively safe or a controllable situation.  Such efforts might include increasing measures to reduce noncompliance (i.e., increased audit frequency) or investigating the possibility of materials substitution.  For another facility, such as facility B, which poses only a modest inherent risk but is in so unstable an external environment that it is vulnerable to unwanted surprises, a public relations or compliance improvement program can be developed that will move the facility to the “relatively safe” category.


Figure 2 – Assessing Risk in a Multi-Plant Environment



Figure 3 – Establishing Audit Frequencies

  Type of Operation   Risk Class*   Frequency   No. of
  Large chemical plant   Very high   Annual   5 days
  Metal-working and fabricating plant   High   Every 2 years   3.5 days
  Light assembly plant   Medium   Every 3 years   1.5 days
  Warehouse   Low   Every 4 years   1 day

* – Based on incident history, materials handled, complexity and environmental setting

Figure 3 can also be used as a resource planning tool. Once the company’s inventory of facilities to be audited is established and a frequency, audit duration, and team size are assigned to each facility, the manpower loading for field audits can be determined for any given year. Further, if the number of field hours is increased by 50 percent or so to account for audit preparation and report writing, the result should indicate full labor cost accounting for the program, except for management and administration time.  Compiling this information on a spreadsheet will allow the program manager to manipulate critical factors, such as audit frequency, to determine the financial or budgetary impacts of increasing or decreasing the frequency. 


Audit Frequency Case Studies

Provided below are specific examples of how nine companies establish audit frequencies.  This information is taken from actual corporate audit procedures.  It is clear that “no one size fits all.”  The idea is to present some options that allow an organization to design a tailored program, drawing from the most applicable attributes of each example.


A Large Pharmaceutical Company

No facility within the audit “pool” is to be evaluated at a frequency of longer than four years.  Schedules are set by using a “criticality matrix,” which evaluates the relative risk of facilities using criteria such as employee population, regulatory climate, complexity of operations, facility location, accident rates, site EHS resources, extent of facility self-assessments, and the like.  Nominally, audit frequency is established using the schedule presented in Figure 4.


Figure 4 – Audit Frequency Schedule Based on Risk

   Relative EHS Risk     Audit Frequency
  High   Every 18-24 months
  Medium high   Every 26-32 months
  Medium low   Every 34-40 months
  Low   Every 42-48 months

Each site within the auditable pool is assigned an initial audit frequency.  This frequency is adjusted annually and at the conclusion of each audit, depending on a reassessment using the criticality matrix.  Based on the established frequency and the number of sites in the pool, the program should be conducting about 27 evaluations annually.  This analysis is shown in Figure 5 below.


Figure 5 – Number of EHS Evaluations Required Each Year Using the Criticality Matrix


Criticality Risk Factors

  Factors   Low   Medium low   Medium high   High   Totals
     <1.5   1.5-1.9   2.0-2.5   >2.5
  Number of facilities with factor   11   31   35   3   80
  Maximum allowed frequency (months)   48   40   32   24   —
  Required facilities per year   2.8   9.3   13.1   1.5   ~26.7


A Medium-Sized Mining and Minerals Processing Company

The audit program director will develop the audit schedule for each year and assign audit team leaders from the staff of managers.  The frequency at which a site is audited, how long the audit will take, and how many auditors will participate are based on the perceived risks of the site.  An evaluation of these parameters is made by the end of each year by the audit program director in consultation with group EHS coordinators, based on the criteria presented in Figure 6.  The criteria are used as a guide, not as a quantitative scoring system.  Thus, a site does not necessarily have to have all of the characteristics associated with a category I site to be classified as category I.  The site may have only one characteristic, or it may have more characteristics to be classified as such.  Based on the coordinators’ evaluations, in December of each year the audit program director publishes an annual schedule and distributes it to corporate and group management. Site and group management may request to have any site audited more, but not less, frequently than as determined by the annual program schedule.


Figure 6 – Risk Factors Used in Assigning Site Audit Frequency

  Site Characteristics   Category I (Every 3 Years)   Category II (Every 4 Years)   Category III (Every 5 Years)
  Size and type   Major manufacturing, mining, or processing   Minor manufacturing, mining, or processing   Warehouses, real estate, administrative buildings
  Employee safety   Lost Workday Case Incident Rate worse than industry average   Lost Workday Case Incident Rate at industry average   Lost Workday Case Incident Rate better than industry average
  Process safety   Covered by the Process Safety Management   Covered by the Process Safety Management   Not covered by the Process Safety Management rule
  Chemical exposure   Covered under >10 chemicals listed in 29 CFR 1910.1001-50   Covered under 3-10 chemicals listed in 29 CFR 1910.1001-50   Covered under <3 chemicals listed in 29 CFR 1910.1001-50
  Air emissions   Major source of air toxics or significant emissions; multiple permits   Moderate emissions; some air permits   No sources require air permits
  Community relations   Major documented problems with the community   Periodic formal complaints   No or isolated
  Hazardous materials   Has 3 or more Toxic Release Inventory chemicals   Has 1 or 2 Toxic Release Inventory chemicals   Has no Toxic Release Inventory chemicals
  Hazardous waste   Large-quantity generator   Small-quantity generator   Conditionally exempt small-quantity generator
  Wastewater   Operates on-site treatment or pretreatment plant   Discharges process wastewater to publicly owned treatment works   Discharges sanitary wastewater only or has no discharges
  Spill potential   On-site bulk petroleum or hazardous substances storage of >50,000 gallons   On-site bulk petroleum or hazardous substances storage of 1000 to 50,000 gallons   On-site bulk petroleum or hazardous substances storage of <1000 gallons


A Large Construction Company

Audits are scheduled using a formal risk ranking tool, which is completed for each site every two years.  This aids substantially in prioritizing sites based on risk.  Facilities that fall in the high-risk category are audited once every five years.  Medium-risk sites are audited once every ten years.  Low-risk sites are audited if a request is made by the facility, business unit, or law department; if the site is near high- or medium-risk sites that are to be audited; or if all high- and medium-risk sites have been audited within the last five- to ten-year cycle.  Generally, the company relies on the site self-assessment process to address low-risk sites.

A Medium-Sized Chemical Company

The company has developed a site assessment frequency algorithm based on risk.  Classes of facilities are assigned frequencies ranging from once every two years to once every ten years, based on relative risk.  Major facilities are generally assigned a frequency of every two to three years.  The audit frequency for a particular facility type is defined based on several criteria, including

  • Relative issue impact or exposure in the operations
  • Hazard analysis or risk assessment results
  • Prior assessment results
  • Accident or incident experience
  • Compliance history
  • Corporate requirements 


A Large Chemical Company

EHS audits are to be conducted at least every three years unless the regional program manager extends audit frequency to four years for a particular site or process unit.  Audit frequency is based on the following factors:  

    • The existence of an effective first-party EHS audit program
    • Legal or regulatory requirements
    • Performance on EHS metrics and prior audits
    • Potential hazards
    • Type of site or process unit (e.g., office or warehouse)
    • Management-of-change considerations (e.g., turnover of EHS and management personnel and processes)


A Medium-Sized Agricultural Products Company

The frequency and scope of the periodic audits are defined by corporate EHS management and depend on facility size, complexity, performance information, regulatory compliance history, and other appropriate risk factors.  The frequency is documented in a rolling five-year audit plan, which is reviewed and revised annually by corporate EHS management.

A Public Power Authority

Audits of the authority’s operating projects are conducted according to the following schedule:


Figure 7 – Audit Frequency by Project Type

  Project Type
  Power generation   Once every 3 years
  Substations   Once every 4 years
  Ancillary operations   Once every 5 years


Audits of any authority facility can be conducted more or less frequently than shown in the above schedule, on the basis of certain risk factors. These risk factors include

  • Results of the previous audit
  • Results of environmental performance metrics
  • On-time closure of audit action items
  • Extent of change (e.g., people, equipment, regulatory requirements) at the operation

A Large Electric Utility

The audit program has established a ranking system to determine the required audit frequency.  This system is based on the size and complexity of the site, degree of EHS risk, history of compliance, financial liability, and results of prior audits.  The major sites are audited approximately once every two to three years, and low-priority sites are audited approximately every four or more years.  The frequency criteria are adequately defined and communicated, and stakeholders agree that the audits occur according to an appropriate schedule.

A Major Oil and Gas Company

Audits are to be conducted at the business unit level.  Audits must address compliance with the requirements of each process in each subsidiary organization, and they take place at the following frequencies:


Figure 8 – Audit Frequency by Process Risk

  Process Type   Audit Frequency
  High-risk processes   All organizations to be audited on a 3-year cycle
  Medium-risk processes   All organizations to be audited on a 5-year cycle
  Low-risk processes   Frequency to be designated by responsible organization


The business unit, including each subsidiary, may elect to increase audit frequency.

The design of an audit plan and audit frequencies may take into account any scheduled or completed external audits that adequately address process verification.  These external audits could come from regulatory agencies, joint ventures or other partners, or certification bodies. 


About the Author

Lawrence B. Cahill, CPEA, is a Technical Director at Environmental Resources Management in Exton, Pennsylvania, U.S.A.  He has over 30 years of professional EHS experience with industry and consulting.  He is the editor and principal author of the widely used text, Environmental, Health and Safety Audits, published by Government Institutes, Inc. and now in its 9th Edition.  He contributed four chapters in the 1995 book Auditing for Environmental Quality Leadership, published by John Wiley & Sons, Inc.  Mr. Cahill has published over 50 articles and has been quoted in numerous publications including the New York Times and the Wall Street Journal.


Photograph: Sunset in Paris by Vladimir Fofanov, Moscow, Russia.



7 Comments to “Using Risk Factors to Determine EHS Audit Frequency”


  6. FAGBE Tubosun says:

    Appreciate the author’s view on audit frequency prescription and confirmation of non-prescription of Agency and professional bodies on exact frequencies for EHS Audits, this I believe may be due to consideration given to other factors that may necessitate EHS Audit. Moreover, the article conclusion ‘business unit, including each subsidiary may elect to increase audit frequency’ is commendable as this addressed the situation where managers may hide under time specification in avoiding the process audit despite noted challenge accruable from other audit induced factors within a short period after the author’s suggested frequencies and far off from next audit prescription.
    To be candid, the Article is quite inspiring and resourceful for Audit planning and management.
