Environment, Health and Safety (EHS) auditing provides confidence to organizations that operational risks are measured through effective identification, control, monitoring and governance. Audits are conducted to gain better understanding of the management system and to evaluate the level of compliance with internal requirements and external regulations. Such audits utilize protocols to seek understanding of problems in an attempt to correct any deficiency before loss or a compliance issue is experienced.
EHS auditing is usually conducted for the following reasons:
- Ensuring compliance to the requirements of internal, international and industry standards and regulations, and customer requirements,
- To assess and determine the effectiveness of an implemented system in meeting specified objectives,
- To explore opportunities for improvement,
- To meet statutory and regulatory requirements,
- To determine the management system risks, and,
- To provide feedback to senior management.
There are two main schools of thought when it comes to EHS auditing. Most professionals are familiar with a traditional compliance-based approach where documentation is reviewed to ensure that controls and procedures meet governmental requirements and operational instructions are performed as desired. A significant drawback to this approach is that it’s mostly a paper exercise of reviewing rules and procedures and taking samples in the field to qualify what was viewed on paper. Traditional auditing ensures programs are compliant on paper. It does not, however, mean that the EHS management system is effective.
Risk-based auditing on the other hand, focuses on areas where most EHS risk is present within the management system. This is not to say that you shouldn’t pay attention to regulatory requirements or disregard compliance, but a good risk-based audit looks at the specific areas of a management system that create the most concern. It focuses on higher-risk activities that are of significance to the organization. Concentrating on threats rather than just controls is often more efficient than traditional approaches.
A best-practice approach to auditing should consider the ISO standards as a starting point. The long-anticipated ISO 45001 Occupational Health and Safety Standard was released in 2018. This standard, along with 14001 (Environment), follows the same structured approach in application. The ISO standards themselves serve as audit protocol in understanding risks within the management system while also delivering a compliance profile in meeting governmental requirements.
With a best-practice approach to auditing, it’s critical to consider the following:
- Focus on the system in its entirety to determine all the risks that compromise success. These should include compliance requirements from all authoritative agencies that have impact on the EHSQ program as well as general risk impacting the local and/or enterprise EHS program.
- Analyze your management system risks by reviewing documentation, past loss control reports, completed inspections, near-miss or found hazard reports, auditing and interviews with employees, contractors and visitors to understand the depth of auditing required. ISO Standards provide a clear path of understanding potential risks and their possible effects.
- Ensure audit protocol covers gaps you have discovered from your risk determination and analysis exercise.
- Spend ample time in the field, in the areas where work is done, to validate your understanding of written documentation.
- Don’t limit yourself to the EHS system. Management systems impact each other, and one part of the system should not be audited in isolation from the others.
- Once compliance issues and management system gaps are documented, make sure actions are taken to close them.
- Monitor actions to ensure closure within a defined period. This should be done with an understanding of the level of risk to the EHSQ program.
- Set an audit schedule to ensure continuous improvement over time and sustainability of the audit process.
An EHS audit is the detailed examination of your company’s management system to make sure your programs and activities are working according to plan and are helping to meet your company’s EHS goals. Taking a risk-based approach to auditing is an exercise ensuring overall robustness of the EHSQ program. A risk-based method of auditing allows the discovery of compliance and the detection of gaps in the management system that pose the greatest risk, before the potential of loss is experienced.
More importantly, risk-based auditing elevates conversation between auditors and others in an effort to adequately measure and control risks that pose the greatest threat. This activity ensures the building of risk understanding and competence, that if done well, extends learning deep in the organization.
The more comprehensive and inclusive the assessment, the greater the chance of limiting exposure that threatens our ability to protect natural resources and workers who could experience harm.
Scott Gaddis leads the integration of the Intelex EHSQ Alliance in thought leadership and building partnerships with top influencers in EHS, working with professionals across the globe to deliver a platform for sharing information and collectively driving solutions that mitigate workplace loss. Scott has more than 25 years in EHS leadership experience in heavy manufacturing, pharmaceuticals and packaging. Before joining Intelex, Scott served as Vice President, EHS for Coveris High Performance Packaging, Executive Director of EHS at Bristol-Myers Squibb, and Global Leader for Occupational Safety and Health at Kimberly-Clark Corporation.