The two factors need to continually challenge each other and be involved in both aspects of the process. Finding things wrong is easy, ask any consultant! Fixing things that are wrong so they can’t go wrong ever again (fool proofing) is the opportunity that needs to be embraced by all parties. Management teams should never accept a weak audit (except maybe by a regulator!) just as they won’t accept substandard work from a supplier. Audits if used properly should be able to add value to a business, if they are not then the audits are either weak or the managmeent team is keeping their head in the sand.

When I hear people say things like “We need to eliminate all risks” I like asking them how they plan on stopping people from sneezing while they drive to work. We need to assess risks and manage them accordingly based on the businesses we are in and the level of risk that is acceptable to the management team.

So on your next audit – do as Emerald Lagasse does “kick it up a notch”, put a little “bam” into it, dig a couple steps deeper, challenge the management team to identify and prevent the root cause from happenening again. Facilitate the entire audit process, not just the audit itself. Show your company the value of your audits.

The role of the auditor should be to understand the audit criteria, collect and review audit evidence against those criteria, make findings regarding conformity with the criteria based on the review of the evidence, and then draw audit conclusions about the effectiveness of the organizations management system to control the risks to a tolerable level.

This is becoming increasingly important in my opinion as I am frequently asked to help clients adapt their own internal RM methods/frameworks to be used by internal EHS staff. This also includes adapting risk assessment methods that are somewhat standardized for traditional risk management, such as Failure Mode Effect Analysis (FMEA) – a state of the art risk assessment process widely used in property risk assessment/insurance applications (and to a lesser extent in casualty risk).

Two fundamental aspects of EHS risk assessments that need to be addressed before launching such approaches are:
– defining the parameters/benchmarks for “severity” and “frequency” – what does “high” and “low” mean? What dollar values should be used? What other indicators might also apply?
– “gross risk” versus “net risk” – should the process quantify the risk profile assuming controls do not exist or will fail, thus indicating the worst case scenario? Or should the output reflect the existence and effectiveness of controls that are in place?

Of course, risk maps are extremely helpful and intuitive graphical devices to show the results of the assessment, as the article clearly shows. Typically, the first question posed is “How do we move the risks from the outer edges to the lower left hand corner of the map?” Again, using a frequency/severity structure can be instructive in answering the question. Consider a risk point that is high severity but low frequency (a Black Swan event like Fukushima). There may be no practical way to reduce the frequency, therefore a solution aimed at frequency reduction will provide little value. A more appropriate response is to reduce the severity of the event when (or if) it occurs. In this context, the more appropriate control may be a financial solution such as insurance. Conversely, low severity events that happen frequently (like first aid cases) would be better addressed through a management system solution (such as training or making additional PPE available) rather than a financial solution.

The integration of “risk” into EHS and sustainability is still a work in progress in our field. As I have espoused for a number of years, EHS staff not define risk on their own – but do so using existing benchmarks, standards and definitions that have been validated many times over within internal RM departments. EHS professionals should try to work with their company’s RM staff to achieve this, or engage external support with significant first hand experience in EHS and traditional risk management.

Great articles! Thanks for publishing.