EHS Audits – Have We Lost Our Way?
Jul 11th, 2010 | By Lawrence B. Cahill | Category: AuditingThe year 2010 has reminded us once again that management of environmental, health and safety (EHS) responsibilities can have a substantial impact on people, the environment, and a company’s bottom line. On April 5th of this year Massey Energy experienced an explosion in its West Virginia coal mine that killed 29 miners. That tragedy has been compounded by a drop in the company’s stock price of more than 40 percent over the subsequent two months. (See chart) Similarly, on April 20th BP experienced an explosion and oil spill at its Deepwater Horizon oil platform in the Gulf of Mexico that killed 11 workers. Since that event, BP’s stock price has dropped about 50 percent. (See chart) Also, the financial impacts (e.g., no quarterly BP stockholder dividend, the setting up of a USD 20 billion victims’ fund) go well beyond the drop in stock price and loss in market capitalization.
What impact might these catastrophic events have on EHS compliance and audit programs? A substantial impact, one would hope. Audit programs for decades have focused on achieving compliance with detailed administrative requirements. Particularly in the United States, this is not surprising. Currently, there are more than 25,000 pages of EHS regulations at the federal level (Titles 29 and 40 of the Code of Federal Regulations [CFR]) to say nothing of state and local requirements; the number of CFR pages has grown by 3,000 in the past 5 years alone. So the requirements are not only substantial but changing and becoming more stringent all the time. It is no wonder that audit programs focus on these regulatory requirements, with penalties as high as USD 25,000 per day or more per violation per occurrence.
Although assessing compliance with detailed regulatory requirements such as inspections, permits, plans, manifests, MSDSs, reports, written procedures and the like is important for achieving and maintaining compliance, recent events suggest that ignoring real EHS risks can truly affect a company’s bottom line. One would think that these potential impacts and outcomes should impact how audits are conducted now and in the future. In practice this would beg the question, should one be more concerned about
- A wastewater discharge that has had periodic, minor exceedances of pH or the fact that the underground sewers are 50 years old and have never been surveyed with a camera to determine their integrity.
- The exact height of the containment wall of an above ground storage tank that is two inches too short or the fact that the tank has not been tested for integrity in the last 40 years.
- The lack of an expiration date for a single confined space entry permit or the fact that attendants at an entry are not always focused on the entry itself.
- Failure to set the guarding on a seldom-used grinder in the maintenance shop to the precise gap defined by the regulations or the fact that operators on the production line are routinely clearing debris from working equipment without first shutting down the equipment.
In each of the cases posed above, most traditional compliance audits would focus on the former issue, not the latter, even though the latter in each case poses a higher risk. This is mostly because clear and precise requirements are associated with the first, but not so much with the second, scenario.
A New Approach to Auditing?
It might be time to take a hard look at the objectives and philosophies of our audit programs. Achieving compliance with regulations is quite important, especially in the United States, but identifying, assessing, and managing EHS risks should also be at the core of any audit program. Maybe one way to do this is not to rely so much on detailed compliance audit protocols containing thousands of questions but to identify potential high risk activities in each compliance area (e.g., air, water, confined space, lockout/tagout, etc.) that should be reviewed in detail on each and every audit, and to provide guidance on how that review should be conducted. For example, for a given audit one would identify up front any high risk activities (e.g., ammonia refrigeration, hazardous materials storage tanks and transfer systems, work areas where respirators are required, flammable storage buildings, high production areas requiring significant operator oversight, etc.) in need of special attention and then develop a specific audit plan on how to review that activity. This does not mean that the more mundane activities and operations are ignored. It simply means that there is a defined approach on how to audit individual high risk operations within the context of the larger audit.
After reviewing hundreds of audit reports over the years, I am personally dismayed that we might have lost our way. When I review a finding that tells me that “one weekly inspection of a hazardous waste accumulation point was missed in the past six months” or that “two of two hundred fire extinguishers did not have updated monthly inspections,” I truly wonder whether our audits are helping to protect people and the environment. This is not to say that a more risk-based audit approach would have prevented the Massey Energy or BP tragedies, but maybe it’s worth a try.
About the Author
Lawrence B. Cahill, CPEA, is a Technical Director at Environmental Resources Management in Exton, Pennsylvania, U.S.A.
Mr. Cahill has over 30 years of professional EH&S experience with industry and consulting. He is the principal author of the widely used text, Environmental, Health and Safety Audits, published by Government Institutes, Inc. and now in its 8th Edition. He contributed four chapters in the 1995 book Auditing for Environmental Quality Leadership, published by John Wiley & Sons, Inc. Mr. Cahill has published over 50 articles and has been quoted in numerous publications including the New York Times and the Wall Street Journal.
Images: Provided by Lawrence Cahill.
Return to the EHS Journal Home Page.
[…] July 11, 2010, an article was published in the EHS Journal titled “EHS Audits – Have We Lost Our Way?” That article was followed a year later by a sequel that explored the topic more fully. The […]
[…] EHS Audits – Have We Lost Our Way? (Cahill) […]
[…] EHS Audits – Have We Lost Our Way? (Cahill) […]
[…] EHS Audits – Have We Lost Our Way? […]
For a truly responsible auditor, it should be a professional practice to highlight any major concerns or potential disastrous risk that may occur for any of the site assessed. Regardless of what type of audit, compliance or any other specific evaluation, it should always be in the mind of a responsible good auditor to be on the look out, observe, or identify, events that may result in substantial impact to the company.
Even it is not in the auditing programs or scope, possible major catastrophical events like solvent or dust explosion, long term or immediate environmental pollution or contamination, delay or long term accumulative effect on human health etc., the auditor should at the first opportunity, bring it to the attention of the site owner for his/her consideration for any further actions, where appropriate.
[…] July 11, 2010, an article titled “EHS Audits—Have We Lost Our Way?” was published in EHS Journal.[1] It has since elicited a number of quite thoughtful and extensive […]
[…] EHS Audits – Have We Lost Our Way? […]
Great, thought-provoking article, Larry. Good comments, Lawrence.
A primary driver to do Auditing is to provide assurance - cover your……self, if you will. It stands to reason that Auditing would also be undertaken to provide cover. Contracts being what they are (and the risk/ consequence of dissatisfaction or litigation being what it is), they are also written to provide cover. In auditing, it’s all about the procedures, documentation, and reporting on everything that was done. I supported financial audit procedures for a Big 4 accounting firm for ~6 years. These folks know procedures! If the procedures call for looking through fire extinguisher and waste accumulation areas, then that’s’ what you’ll get. If you find two gaps out of two hundred, the auditor is duty-bound to report them.
I like Larry’s four examples, and would expand on his other two audit findings. Fire extinguishers are perhaps my favorite litmus test of a company’s EHS program. I’m always amazed at the inspection tags being up to date - but the fire extinguishers are obstructed, used as a coat hook, or placed directly over the stove so you would have to stick your arms through flames in order to retrieve it. Or that 80% of the people in the area don’t know where they are (ever notice those red arrows?) and nobody has the foggiest idea how to use one. The area coordinator has dutifully completed 25 of 26 inspections. Does s/he know what s/he is looking for? Could these inspections be combined with three other inspections done in this area to reduce costs?
If it’s not “compliance”, it doesn’t make the scope. If it’s not amenable to repeatable procedures, it doesn’t get audited. This is where we sell ourselves and our profession short. The examples show shortcomings, and the need to avoid the obsession on compliance. the examples illustrate how useful it would be to add elements of performance, operations, business continuity, efficiency/ effectiveness, and risk management. And good old-fashioned common sense (which isn’t all that common!). These business advisory perspectives are at least as valuable to clients as detailed compliance audits.
In the case of outsourced audits, the folly often begins with the RFP. Selection criteria is driven by detailed scopes of work, standardized/ detailed output, and unit costs per auditor or per audit. Cost-cutting reigns supreme - and not just in the EHS auditing world. Savvy auditors often make the kind of observations that are “missing in action” in the examples above - but the framework of the report can limit or prohibit the auditor from telling the client. I’ve been in meetings where Legal would advise “that observation is out of scope. if you tell the client ONE observation like this, they could make the case that you were looking for EVERYTHING with this type of risk….. and did you? were we paid to? what if something else happens that you DIDN’T tell them about - we’ll get sued. So stick to the audit finding about those two fire extinguishers”
The skill sets that are necessary to assess a broader array of risks and opportunities are a suite of business advisory techniques that cannot be fully conveyed in a proposal, and for which there is no standardized unit cost. The qualifications can’t be cut from one proposer, given to a lower-cost provider with the instruction to “do it like this person” - even with another $hundreds per audit.
The freedom to set sights higher can begin with the Auditing Program Manager. S/he may need support in conveying the value of this new approach to senior management - and the risks of taking the same old same old approach. In scoping audits (should we use another word?) and selecting resources, s/he should build in flexibility and contingent budget. RFPs should be issued, and contracts written to encourage this perspective, and the open, trusting relationship that fosters thoughtful procedures and communications. Furthermore, the Auditing Program Manager should be agile (see EHS Journal article on this - another good one) as to what elements of the report get communicated to whom, and how.
In sum, I agree with Larry Cahill’s premise that, in some ways, EHS auditors have lost our way. But we didn’t get their by ourselves. As any EMS or Enterprise Risk Management framework would say, it all begins with tone at the top. “The Top” may only know what we tell them. Let’s all work on it.
Early in my career as an engineering geologist I was asked to evaluate hazards and risks from natural and manmade hazards for Los Angeles County. Earthquake risk to buildings and structures, flood risk from everything from debris flows to failed dams, risks from wild land fire and even the petroleum processing facilities built adacent to active or potentially active faults. The objective was to evaluate planning controls, current building codes and disaster planning. Then, as now as an ES&H auditor, raising issues of deeper risks than compliance is easier than getting the audit client to accept conclusions of a study or a preliminary finding result. With no regulatory requirement, I pointed out 25 years ago that a fault under a populated area in San Fernando Valley posed a threat but could not prove the fault was active because development had removed the ability to test whether it had moved in 10,000 years. The “study” client assumed innocent until proven guilty. The Northridge fault turned out to be active in 1994. Now, as an auditor, I recenly noted that a 300,000 gallon tank filled with motor oil for experiments that involve explosive shocks had oil leaking on the floor. Turns out everybody’s known about the cause: a growing crack in the tank wall. Raised as an issue, the audit client explains away the problem: the costly solution seemed to bolster their belief that it was not a risk. My manager stated there is no requirement, so the issue became only an observation in the audit report. At about the same time, an accident occurred on an experimental sled track nearly severing the leg of an operator when a missle pre-ignited. A very heavily audited organization, turns out one of the causes of the accident was a short-circuit caused by excessive rust on the track. Had any auditor ever brought up the rust? I don’t know, but do know that the auditors frequently gave the operation best practices for work controls. Point number one: auditors may bring up fundamental risks, but if the culture of the audit client is innocent until proven guilty, the auditor (or investigator) will have no effect accept to raise the issue. Number two: As an auditor, I may not have even realized the risk posed by the rust on the tracks in forsight. Number three: the reality is that the organization’s culture is ultimately responsible for questioning and taking action on “soft” risks. Perhaps the auditor could be convincing with a cost-benefit argument but is that realistic given the audit scope and budget? In conclusion, the audit program must not abandon risk-based auditing during compliance or performance audits, but recognize the realitiy that until audit clients are convinced by intensive studies of what’s in it for them, we walk a lonely road.
Risk in hindsight is obvious, while looking forward and raising potential issues can cause an auditor to be labeled ‘Henny-Penny.’ This unfortunate reality can cause internal or consultant auditors to focus on black and white findings (e.g., administrivia) at the expense focusing on real issues - after all, that is what agency auditors tend to look for and issue penalties for. Compliance audits have tended to be administrative audits more than most professionals would like to admit, and the commoditization of audits has only reinforced the trend.
The major food label who proudly shaved the cost of audits of subcontract food processor to $1,500/ea realized that $1,500/ea was wasted when a salmonella outbreak (at a recently audit subcontractor) resulted in a national product recall and a PR disaster for the food label. Rat and pigeon droppings observed in the rafters didn’t register as a black and white risk to the peanut processing line below, so the auditor decided against raising such a Henny-Penny finding.
Company executives and board members should reconsider whether their compliance audit programs are capable of delivering information of suitable quality to assess whether risks (beyond the administrative) are managed within acceptable limits. What are the top 10 EHS risks to the corporate enterprise? Is the audit program designed to probe these issues? Are professionals capable of assessing those risks involved in the process and signatories to audit reports? If the answers to these questions aren’t known, the audit program may have lost its way.
[…] EHS Audits – Have We Lost Our Way? […]
By way of full disclosure I know both Lawrence Cahill and Lawrence Heim. I’ll say upfront that I agree with Mr.Cahill’s article. I’ll mention one of the key drivers of this issue - federal sentencing guidelines and by extension EPA’s Audit Policy. Internal audit programs are set up to meet the requirements of those programs and the result is usually a focus on paperwork. Even EPA has expressed surprise that the majority of Audit Policy disclosures have been for late or missing reports. For many years our internal auditors have expressed frustration that they were doing a paperwork audit; rather than talking to operators and generally getting to see how things work.
EHS auditing in the 21st Century needs to measure EHS management effectiveness through group, role and individual behaviours. Assessment techniques have already been developed to meet this realisation and demand using online behavioural based assessment methodologies. This is against the backdrop of the shortcomings of traditional audit methods that have been identified in the article, especially when put in the context of increased legislation and standards, requiring Directors and Managers to manage their risks effectively, not just their compliance. This is of course, equally as applicable in EHS as it is with other areas of organisational risk. Managers need to understand the impact of behaviours across their organisations as well as suppliers that may also be creating these risks.
Uniquely, online tools assess / test the behaviours which actually drive activity, and hence outcomes, and then report results as risk profiles against EHS values, objectives and the elements that drive performance, rather than just looking at compliance and actual events. The behaviours being demonstrated and experienced by a very broad section of those involved in an organisation are in turn related to the level of risk to the key things that drive the required performance.
The inescapable fact is that it is the behaviours that are exhibited within any organisation that drive the outcomes, including catastrophic events. Behaviours of leaders who create the culture, behaviour of the managers who look after the day-to-day implementation of objectives and behaviours of staff, who are the group who actually make things happen. Add to this the reliance on the supply chain (with their own sets of behaviours) and other stakeholders (yet another dynamic) and the way that these all interact have a profound effect on EHS management and business performance and social/environmental impacts.
These new tools, which assess and analyse these issues in a consistent manner are becoming essential differentiators for corporations to demonstrate that they are effectively managing stakeholder issues, including EHS issues. Applying the traditional auditing methods of the past, (with associated significant carbon footprint), will not be sufficient to demonstrate effective management of these risks.
Both Lawrences are correct - the sooner auditing takes a truly risk-based approach the better. Like both, I am not saying that we should ignore compliance, just that there needs to be auditing programmes that create a balance between risk (and I mean business risk) and compliance. There is no unlimited audit resource to achieve this, far from it and getting more so every day, so we need to get much smarter and use different tools to help achieve this aim.
Also, we should not try to ‘take over’ the existing risk management structures in the organisation, i.e. the formal identification of key risk areas in the business and creation and implementation of of risk strategies to address them. Auditing needs to supplement them with audit tools and approaches that provide greater intelligence of the risks that are still there despite such actions - or the lack of such actions where risks have not been identified. Most implementations of risk strategies are about putting in place equipment, policies, processes and procedures to address the risks identified, however, this still leaves one big variable - the behaviours happening within the organisation to use and apply these effectively. Quite often risk strategies have been ‘implemented’, but not really applied, whatever the documentation may indicate ……
This is where auditing needs to create a new dynamic, by auditing the behaviours happening within the organisation, as these are the really powerful lead indicators of risk and performance. We could be compliant ans apparently safe today, but if the complex mix of behaviours are not appropriate, there is likely to be a time bomb ticking. Health & Safety has recognised that behaviours are critical, but this is true for all other areas of risk and performance. Tools to do this have been developed that do not add auditor time - they can even reduce it - so it’s high time we as auditors accepted the need to change and start behaving differently ourselves !
I fully agree that the context of need for EHS audits has evolved, while the actual practice has not. From my perspective, I began to get this sense close to 10 years ago. But in the US especially basic regulatory compliance audits/findings continue to be a necessity due to the regulatory agency enforcement actions (and their own performance metrics). In the past 5 years, we have seen “risk” become the newest EHS buzzword, which is a step in the right direction. What concerns me, however, is that EHS functions tend to define “risk” and related benchmarks/parameters in terms different from how the company defines that in other functions. This undermines the credibility of the EHS function within the organization, which ultimately paralyzes its ability to be effective. Therefore it is critical to ensure that EHS defines “risk” in the correct way for the organization overall.
As a corollary, EHS audit programs moving towards a risk-based framework should thoroughly assess exposures in light of control failures, or “gross risk”. The Massey mine disaster and the Gulf oil spill are the most recent events showing the impact of - and arguably, the failure to consider - failed controls. There tends to be a general sense of “that won’t happen” in many current EHS risk-based programs I am familiar with. This could be considered analogous to the “too big to fail” attitude that was pervasive on Wall Street, leading to the economic collapse of the past two years. EHS programs must realize that the events “that won’t happen” are likely to have major to catastrophic business impacts if they do happen. Critical evaluation and assessment of gross risk profiles will greatly assist management in contingency/disaster planning.