Kevin has been president of ECSI for over 25 years. His practice focuses on environmental and health and safety management systems training, consulting and auditing. He is an active member of the US Technical Advisory Committees to ISO 14001 and ISO 45001. He represents that USA at international meetings of these committees. He is also the lead developer of the CorrectTrack corrective action tracking app.
ISO committee TC 283 has begun a Systematic Review of ISO 45001 that is expected to be completed in early 2027. Clause 6 on Planning is one of the key areas of focus for the committee. Once the systematic review is complete a revision will be finalized and the current version of the standard (ISO 45001:2018) will be repealed.
The revision process offers the opportunity to incorporate changes to the ISO High Level Structure (HLS). It also provides an opportunity to review areas of the standard that have caused confusion for users since it was first published in 2018. One of these areas is Clause 6, the planning part of the management system standard. This section is currently over 1100 words and three pages long. User have complained about confusing terms including risk, opportunity, OHS hazard OHS risk, other risks and other opportunities.
Simplify and Clarify Clause 6
For some users, these confusing terms make it difficult to comprehend what the standard is supposed to be managing. It also duplicates of requirements in other parts of the ISO 45001 standard. One proposal to simplify and clarify clause 6 would reduce the number of words from 1100 to a little over 300. Comments from other committee members of this proposal rang from “this is great, all standards should be this concise” to “this goes way too far and should not be considered”.
Make a Fresh Start
The concept is to begin the review clause 6 revision process with an almost clean sheet of paper and build on the text from there. If committee members believe that additional text is needed they should justly the addition including:
Why the addition is needed in the requirement part of the standard and not as guidance in the annex part of the standard
A description of what evidence auditors should look for a conformance to the requirement
It does not duplicate another requirement somewhere else in the standard.
If the additional desired text is more guidance than requirement it should be placed in the annex of the standard, not in the requirements part or perhaps, in an entirely different document like ISO 45002.
Reduce Confusing Terms
The streamlining proposal also clarifies what ISO 45001 is supposed to be managing by eliminating some confusing terms in clause 6. Terms like “Risk and Opportunity, “other risk” and “other opportunity” and replacing them with the term “OHS Hazard Risk”. This proposal for streamlining and simplifying clause 6 is already controversial with some members. It is likely to be hotly debated over the next few months as the ISO 45001 revision process gathers momentum in committee meetings later this fall..
The 3 big ISO standards are now under revision. ISO 14001, 45001 and 9001 are being reviewed and revised simultaneously. Recently, ECSI attended meetings of the US Technical Advisory Groups (TAG) for both ISO 14001, and 9001 in Washington DC where the upcoming revisions were discussed. We have also been participating in the US TAG to ISO 45001 and in meetings discussing revisions to that standard.
The revised standards will be released in a few years when organizations will be need to conform with the revisions. The following is a brief discussion of what to expect for revisions to each standard.
ISO 14001
ISO 14001 was first published in 1996. Since then, it has been revised twice. Once in 2004 and again in 2015. The 2015 revision incorporated a major change. This change involved converting the entire standard to the ISO High Level Structure (HLS). Although the revision will not introduce new requirements, it may make changes to clarify some of the key requirements such as the relationship between risk and opportunity and significant environmental aspects.
The revision will integrate changes to the HLS and address concerns raised by users of the standard over the past 9 years. Initially the ISO 14001 revision committee considered issuing an amendment with the few HLS changes. The committee thought that this would be easier and take less time than a full revision. The committee was also concerned about opening the standard up to a broader revision that could result in additional requirements.
Recently however, the committee discovered that the amendment option has significant drawbacks making it an unlikely choice. The amendment route would have resulted in issuance of a separate 28 plus page document to be used with the current 2015 version of the standard. Users would have to reference 2 different documents when using the new amended standard. The committee is looking at other amendment options, but it appears the only way to avoid the 2 document problem is to do a full revision and then issue a single revision document.
If a full revision does occur, it provides more opportunity to address sections of the standard that have caused confusion for users. Additionally, it creates an opportunity to take advantage of changes in the HLS that offer flexibility when using the term “risk and opportunity” in the planning section of the standard.
ISO 45001
The committee revising ISO 45001 has decided to do a full revision instead of just a limited amendment. This option avoids the 2 document problem created by the amendment route and gives the committee greater flexibility in what can be changed. This includes clarifying and streamlining parts of the standard that users have found confusing and redundant.
Clause 6 (Planning) is one of the parts that has potential for improvement to make it more user friendly for small and medium sized organizations. Clause 6 of the standard in the current version was over 1100 words and three pages in length. One proposal being circulated for the revision by the committee would dramatically reduce the text by two thirds to only 318 words and 1 page.
There is also a proposal to refer to “OHS Hazard Risk” when describing what the OHSMS is supposed to be managing. It is thought that this may help reduce misuse of the terms “Risk” and “Hazard” interchangeably.
ISO 9001
The ISO 9001 committee has also chosen the full revision route. However, the committee is taking a more aggressive posture when deviating from the HLS. For over a decade ISO headquarters has insisted that it will not allow deviations from the HLS text for any of the standards. The ISO 9001 revision committee wants to exclude certain new requirements introduced by the updated HLS.
The committee believes the new HLS requirement about climate change is not applicable to a quality management system. Although the committee believes that climate change consideration is important, they believe including it as a requirement in 9001 is inappropriate.
Conclusion
The revision of the three big ISO standards is not expected to result in new significant or reorganization of the standards. The revisions are more likely to improve the standards by reducing unnecessary text and eliminating redundant requirements. Organizations who meet the requirements of the current ISO standards should not need to make big changes to their Environmental, Occupational Health and Safety (OHS) and Quality management systems. The revisions will also make these standards more accessible to small and medium sized businesses around the globe.
The terms OHS Hazards and OHS Risk have been in use for decades. But these terms are often misused by OHS professionals by casually interchanging them. This creates confusion about what an OHS management system is supposed to manage because there is a significant difference between an OHS Hazard and OHS Risk.
ISO 45001 defines the term “hazard” as a “source with a potential to cause injury and ill health”.
The standard also defines OHS risk as a “combination of the likelihood of occurrence of a work-related hazardous event(s) or exposure(s) and the severity of injury and ill health that can be caused by the event(s) or exposure(s)”. Using the terms hazard and risk interchangeably is a mistake. It is also confusing because a hazard is something that has the potential for harm. Risk is a measure of the likelihood and severity of harm from a hazard.
OHS hazards are identified using terms like burn, laceration, crush, struck by, over exposure, psychological harm and many others. To make sense in an OHS management system context, risk should be expressed as a value like high, medium or low risk.
In an OHS management system we identify hazards (hazard identification). We then assess the likelihood and severity of harm that could result from the hazard (risk assessment).
The term OHS Hazard Risk might be a better way to describe what ISO 45001 is supposed to manage. It may help stem the misuse of the terms hazard and risk in OHS management. The term OHS Hazard Risk also conveys the notion that OHS hazards are the source of risk. Additionally, it helps users of standards like ISO 45001 understand that OHS management is about addressing the risk (likelihood & severity) of harm. In an OHS management system we manage the risk not the hazard. Risk is managed by implementing controls to reduce the likelihood and/or the severity of the harm.
The Wisconsin Department of Natural Resources Green Tier program has requirements for participants to perform different types of audits of their Environmental Management Systems (EMS). Understanding these types of audits and who can perform them will help ensure compliance with Green Tier. The types of Green Tier audits are:
EMS Internal audits
EMS Outside Audits
Regulatory Compliance Audits
Types of Audits and Frequency
Type of Audit
Tier 1
Tier 2
Internal EMS
Annual
Annual;
Outside EMS
3 Years
Annual
Regulatory Compliance
NA
Annual
EMS Internal Audits
Internal audits can be performed by the participant themselves or by independent auditors. These audits are then used as part of the management review process to help leadership evaluate the performance of the EMS and to decide if any changes are needed to improve it. They must be documented, performed at least annually and conducted by competent objective auditors.
Outside Audits
Outside audits are performed by independent auditors that have been approved by WDNR to perform these audits. Tier 1 participants must perform these audit at least every 3 years. Tier 2 participants need to have an WDNR approved auditor perform these audits at least annually.
Compliance Audits
Compliance audits are different than the Outside Audit described above. These audits check that the organization is meeting the USEPA, WDNR and local legal requirements. These include requirements for emitting pollutants to the atmosphere, water, solid and hazardous waste disposal. Tier 2 participants need to perform compliance audits at least annually and report the results to WDNR. These audits can be internal audits or performed by other independent auditors.
Why Does Green Tier Require Audits?
The Green Tier Law is based on the requirements of ISO 14001 which also requires periodic audits of the EMS. ISO 14001 is itself based on the principals of continual improvement (PDCA). Audits are the checking part of the PDCA cycle.
Who is Qualified to Perfrom External Audits
Only WDNR approved Green Tier auditors are qualified to perform external audits. Green Tier participants should confirm that their auditor is on this approved list. Participants should do this even if they are using an ANAB accredited ISO 14001 certification body to perform their external audits. If you have any questions about Green Tier audits, who is qualified to do audits or want to know how to get the most out of your audit contact us for at kalehner@envcompsys.com or use the form below.
A proposed Assembly Bill (AB 1059) would repeal the 20 year old Wisconsin Department of Natural Resources Green Tier program. Although the bill is a long way from passage, the new law would likely eliminate the Green Tier program. This article explores potential options Green Tier participants might consider if the Green Tier law is repealed.
The table below compares Green Tier with a few other popular alternatives for organizations wishing to communicate their superior environmental performance to others. On the left, are the names of the programs including Green Tier. The top row shows the characteristics of each of the program types. A discussion of both the program types and the characteristics is below the table.
Program Type Characteristics
Program Type
PDCA
Assurance
Global
Integration
Message Recognition
Cost to Implement
Green Tier
X
Strong
X
Medium
Low
Green Masters
Some
Medium
Low
ISO 14001
X
Strong
X
X
High
Medium
EMAS
X
Strong
X
Medium
High
CSR
None
X
Medium
Low -Medium
CSR Verified
Strong
X
High
High
Table showing comparison of Green Tier with other popular options.
Program Characteristics
PDCA – Plan Do Check Act continual improvement cycle? Most ISO type management systems are based on the PDCA model.
Assurance – Can the information be verified by an independent third party?
Global – Is this type of program globally recognized?
Integration – Does this program type integrate well with other protocols including ISO 9001, 45001 etc.?
Message Recognition – Are interested parties familiar with this type of program and messaging?
Cost – What is the cost to implement and operate this type of program?
Program types
Green Tier – A voluntary program modeled on the requirements of ISO 14001. Green Tier was passed into law in April 16, 2004 to help Wisconsin businesses communicate their superior environmental performance to interested parties. Green Tier is based on the principles of continual improvement that help organizations continually improve performance in many different areas. Green Tier also has an assurance component requiring participants perform periodic audits by an outside auditor of the organizations Environmental Management System (EMS). A Green Tier EMS can be easily integrated with quality and occupational health and safety management systems into the organizations overall business management system. Once accepted into the program, participants can communicate a strong message of superior environmental performance. Participants have up to one year to implement their EMS making this a relatively low-cost investment to implement the management system.
Green Masters – The Green Master’s Program helps businesses focus on sustainability issues important to them while contributing to bottom line and top line growth. The program also provides a framework to develop, integrate, and grow sustainable practices. It also helps record and track progress in the sustainability action areas. Participants in the Green Master program declare that they meet criteria established by the program. Green Master participants are recognized in four status levels.
ISO 14001 – A globally recognized international standard based on the principles of continual improvement. The International Accreditation Forum has established a robust accreditation and certification program that sends a strong message of superior environmental performance to interested parties. ISO 14001 can also be easily integrated with other ISO management systems including ISO 9001 for quality management and ISO 45001 for Occupational Health and Safety Management Systems.
Eco-Management and Audit Scheme (EMAS) – EMAS is very similar to the Green Tier program for organizations in the European Union countries. It is a voluntary environmental management instrument, which was developed in 1993 by the European Commission. It incorporates ISO 14001 as a fundamental component and enables organizations to assess, manage and continuously improve their environmental performance. The scheme is globally applicable and open to all types of private and public organizations. In order to register with EMAS, organizations must meet the requirements of the EU EMAS-Regulation. Currently, more than 4,000 organizations and more than 12,700 sites are EMAS registered
Corporate Sustainability Reporting (CSR) – Sustainability reporting has emerged as a cornerstone of corporate responsibility. Reporting can help businesses demonstrate their commitment to sustainable practices and transparency. The CSR trend is fueled by, government regulations, heightened stakeholder scrutiny, and a growing recognition of the significance of ESG performance for long-term business success. There are several popular CSR reporting standards each having their pros and cons. Here is a list of some most recognized:
CSR reports are not based on a management system standard. Instead, they are categories or areas of sustainability that the organizations report. Organizations are not required to seek independent verification of the sustainability claims being made. This has led to criticism by users of the reports that the information is not reliable and may be considered “greenwashing”.
IASSB and ISO 14019 Sustainability Assurance
Criticism of unverified CSR reporting has lead to development of new standards for verification of sustainability claims in CSR reports. International Auditing and Assurance Standards Board (IAASB) has recently issued ISSA 5000 to help provide assurance to users of CSR information. The International Organization for Standardization (ISO) is also developing ISO 14019 for sustainability information verification and validation (VV). The ISO standards include a pathway for accreditation of VV bodies under ISO 17029.
Although Green Tier is unlikely to be repealed soon, we hope this information gives Green Tier participants a broader picture of ways to communicate sustainability information to those interested in your performance. For more information check out or Green Tier Services or you can contact us here or email us kalehner@envcompsys.com.
ISO recently amended all ISO management system standards (MSS) to include requirements for organizations to consider the effects of climate change. If your organization holds a current certification to ISO 9001, 14001 or 45001 you can expect to be asked “has your organization determined whether climate change is a relevant issue?” during your next certification audit.
This new requirement is the result of a change to the ISO Harmonized Structure (Appendix 2 of the Annex SL in the ISO/IEC Directives Part 1 Consolidated ISO Supplement). Here is more background on the Harmonized Structure also referred to as the High Level Structure and Annex SL.
ISO announced the new requirement in an IAF/ISO Joint Communique indicating the climate change text highlighted below is effective immediately for all MSS.
ISO HLS revised requirements for context determination
Most organizations certified to ISO 14001 should be able to answer auditors questions about climate change relevance. Other organizations with current certification to ISO 9001 and/or 45001 might find it more difficult to avoid a nonconformity to these new requirements if they don’t act soon. Each organizations context is different and will influence how they address climate change in their MSS
Contact us if you have questions about how these new requirements might effect your organization ISO certification status.
Corporate Sustainability Reporting (CSR) began over 25 years ago with the Global Report Initiative (GRI). Since then, use of CSR information by investors and potential customers has increased. Unlike financial reporting, the accuracy and truthfulness of sustainability information has been mostly unregulated leading to abundant misstatements aka, greenwash in CSR and other sustainability reports. Stakeholders, including investors, customers and others are increasingly requesting robust qualitative and quantitative sustainability data and information to base their economic decisions on. These stakeholders are looking for assurance from competent providers to help them confirm the information they are using is true. Assurance service providers now have several protocol they can follow when verifying sustainability information.
The following is a brief description of some of the protocol being developed to perform assurance of sustainability information.
ISO 14019 Series – Validation and Verification of Sustainability Information
ISO is developing standards in the ISO 14019 series titled Validation and Verification of Sustainability Information. This series is designed to cover all types of sustainability information including Environmental, Social and Governance (ESG). Green house gas emission information is one example of the types of information these standards will cover. Other types of information will include information and claims about:
amount of waste sent to a landfill,
water the organizations uses and discharges as waste water.
emission of other toxic pollutant to the atmosphere,
assertions about occupational health and safety performance.
The series will include:
14019-1 General principles and requirements for validation and verification 14019-2 Principles and requirements for verification processes 14019-3 Principles and requirements for validation processes 14019-4 Principles and requirements for bodies validating and verifying sustainability information.
The United States Security and Exchange Commission (SEC)
Recently the SEC took action against organizations using misleading sustainability information to market their financial products. SEC is also enhancing its authority to further regulate misstatements with issuance of the long anticipatedClimate Disclosure Rule. The SEC climate disclosure rule issued now include requiring verification of GHG information by an independent verification service provider.
International Audit and Assurance Standards Board (IAASB)
IAASB is also about to issue standards that will cover assurance of all types of sustainability information. ISSA 5000 is titled General Requirements for Sustainability Assurance Engagements. This protocol will likely be preferred by Certified Public Account firms because this protocell has been developed largely by the financial accounting profession.
What’s Next?
There are many questions about which if any of these new verification standards will be broadly accepted and by whom. ISO 14019 series may be more acceptable to non-CPAs including sustainability consultants. Other questions include who, if anyone will accredit the assurance bodies. This field of practice is developing quickly so stay tuned. We should have answers to these questions soon. If you have any questions contact us here.
Kevin Lehner is the Chair of the US Technical Advisory Group Sub TAG that is developing the ISO 14019 series. He is also the Vice Chair of the US Technical Advisory Group to TC 283 and represents the American National Standards Group international for the development of ISO 45000 series of standards on occupational health and safety. His practice includes performing certification audits, training auditors and help organizations integrate ISO 14001 and 45001 into their other business management systems.
The purpose of an EHS audit follow-up is to check that EHS risk, including risk of noncompliance, is managed to a level that the organization considers acceptable. Noncompliance with applicable government laws and other requirements are examples of EHS risk sources that need to be controlled. An EHS audit checks that risk controls are in place and effective. Risk controls can be engineering controls like air pollution control devices, administrative controls like training and work instructions and others.
EHS Audit Findings
The results of an audit are called findings. These can either be positive findings that the controls are in place and effective, or negative. Negative findings are nonconformance’s. Positive findings are good news but not something the organization needs to act on. Positive findings confirm that “what should be is” and that “what should not be is not.
Negative findings however are actionable and create opportunities to improve EHS performance. In Part 2 of this EHS Compliance Audit series, we discussed how negative findings are written and communicated verbally at the end of the audit. As a follow-up to the active evidence gathering and verbal reporting, a written report should be prepared and distributed to document the results of the audit.
Preparing the EHS Audit Follow-Up Report
The audit report presents the results to the auditee and others and helps an organization gauge EHS performance. The report should be concise and to the point and the tone of the report should be factual and nonjudgmental.
A key part of the EHS audit follow-up report are the negative findings that were made during the audit. The EHS audit follow-up report formalizes the findings in a way that the auditee can act on them. The reported negative findings need to include enough information so that they can be investigated and ultimately fixed in a way that they do not happen again.
Here is an example outline for an EHS audit follow-up report.
Executive Summary
Background Purpose and Scope
Findings
Conclusions
Recommendations
Discussion
Appendices
Correction and Corrective Action
Negative EHS audit findings point to EHS risks that need to be better controlled. They are the result of a potential noncompliance with a legal requirement or discovery of some other issue. If left uncorrected they can increase risk and lead to enhanced legal action by a regulatory agency (knowing and willful violation). To avoid exposure to these enhanced penalties, it is important that organizations have a good corrective action process in place.
There are 5 steps in an effective corrective action processes.
Short Term Correction
Investigate the Cause
Identify a Corrective Action
Implement the Corrective Action
Verify the Corrective Action is Effective
The following is a brief description of these steps.
Short Term Correction
Findings that identify a potential serious risk need to be addressed as soon as possible. Continuing to operate equipment that exposes workers to injury after a finding is made is bad business. If a worker were to become injured after the nonconformance was reported the penalties and fines could escalate dramatically. A correction to quickly reduce the risk from the nonconformance needs to be put in place as soon as practical.
Investigate THE Cause
Once the correction has been put in place a corrective action plan needs to be established. Responsibility to investigate the cause of an audit finding should be assigned to someone with knowledge of and experience with the corrective action process. This knowledge and experience will help identify the root cause of the finding. Once the root cause is established an appropriate corrective action can be proposed that prevents the problem from recurring in the future.
Knowledge and use of root cause analysis tools like “5 Why Cause Analysis” ensure the cause of the unacceptable risk level is identified. Here is an example a “5 Why Cause Analysis”.
This example is for an incident that happened at a roll calendar for polishing extruded plastics sheets. An employee was caught in an in running nip between the rolls and luckily only sustained a recordable injury. This incident could have easily been an amputation or a fatality.
Why?
Answer
Why was the OHS hazard of being caught in the nip on the calendar not addressed?
The machine was new, and no one thought to do a Job Safety Analysis (JSA) before it was installed and operated.
Why did no one perform a JSA?
Performing a JSA to review potential OHS hazards and risk are not part of the capital investment approval process.
Why was OHS hazard and risk review not part of the capital investment process?
The manager of the extrusion department manager did not know that a JSA hazard and risk review should be undertaken for all new equipment as part of the purchase process.
Why was extrusion department manager unaware of the need to review hazards and risks for new equipment?
An existing employee had recently been promoted to manager of the extrusion department and they had not been informed of the requirement.
Why had the new extrusion department manager not been informed?
Our organization has not established a process to identify training needs and provide training to employees when they transfer to a new position within the company.
Table 1 – Example 5 why analysis
Identify a Corrective Action
Once the cause is established, a suitable corrective action can be identified to reduce the risk to an acceptable level. The effort needed to identify a suitable corrective action is proportional to the finding risk level. The higher the risk, the more effort needed to figure out the best way to address it. A finding that an emergency evacuation map could be hidden behind a door when it is opened, is much easier to correct than the finding of an ineffective control to treat wastewater discharge to a municipal sanitary sewer.
The cause analysis process should have an approval step to confirm the cause analysis was performed with skill and that the corrective action is aligned with the identified cause of the finding. This review and approval can be done by the auditor who made the finding or others in the organization who can impartially review the cause and proposed corrective action.
If the cause and/or the proposed corrective action are found to be deficient during the review, the assignees should be consulted and asked to rethink the cause analysis and corrective action. The evaluation and approval of potential corrective actions requires striking a balance between risk and opportunity. It is not possible to reduce all risk levels to zero.
Some processes have hazards with risk that are difficult to control and the organization needs to think carefully about what level of risk it is willing to accept. In running nips on plastic extrusion rollers is a good example. It is very difficult to properly guard an in running nip on these machines. The guard would prevent the process from working properly.
As a result, the corrective action cannot be the elimination of the hazard or installation of a physical guard (engineering control). Instead, there may need to be several independent controls such as installing a rope e-stop, providing training to employees on how to operate the process safely and even evaluating the operators competence to ensure they understand the hazard and the associated risk.
Once both the cause and the corrective action(s) are approved the assignee should be authorized to implement the corrective action.
Implement the Corrective Action
The implementation of the chosen corrective action may take days, weeks or even months depending on what needs to be done. Moving an emergency evacuation sign to a better location can be done almost immediately while designing and installing an upgraded wastewater treatment process may take many months.
Verify the Corrective Action is Effective
Verification that the corrective action has been implemented and that it is effective is the last step in the process. It confirms that the problem causing risk, has reduced that risk. The verification can be done upon completion of the corrective action or during the next audit. When the corrective action is verified, it can be closed.
Tracking EHS Audit Corrective Action Progress
Historically, keeping track of progress toward completing corrective action was done with paper forms that went from in-basket to in-basket. Once complete they were placed in a file drawer for storage. Later, electronic methods including excel spreadsheets and other types of electronic documents were used with some success. However, these tracking methods require much effort and often lead to miscommunications or missed deadlines of incomplete corrective actions for findings. The result was the corrective action process was not successful in reducing risk in a timely fashion and increased risk to the organization.
Within the last few years cloud-based applications have emerged that solved many of the problems with paper or spreadsheet corrective action tracking systems. These applications allow quick access to users and are readily accessible almost anywhere.
Applications like CorrectTrack establish users permissions to view, change, verify and approve corrective actions. A permissions based peer review process also helps ensure that corrective actions are investigated thoroughly and verified before they are closed.
Other advantages of a cloud based app like CorrectTrack are:
Notify persons of status changes of a CA
Define a standard process for doing CA
At a glance dashboards for users
Provide notifications when CAs are coming due, or past due
Provide a record of who changed what, when and why
User permissions allow visibility of the CA system to leadership
Conclusion
Effective corrective action processes are powerful tools that help organizations improve EHS performance over time. Investing in, and continually improving the corrective action process will provide a significant short term and long term return.
This EHS Audit Follow-up post is part 3 of a three part article on EHS Auditing. Part 1 and 2 discussed how to plan an EHS audit and conduct an EHS audit. This concludes our three-part series on EHS audits.
We welcome and encourage feedback on this series. Contact us directly at kalehner@envcompsys.com and 262-949-2965, or visit us online for more information: ECSI or CorrectTrack.
Compliance audits confirm an organization’s compliance status with environmental and occupational health and safety regulations. Audits also help manage risk of violations and fines. Customers, boards of directors and others care about EHS regulatory compliance and use audit results to make important business decisions. EHS audits will become even more important in the future as more organizations seek independent verification of their EHS and ESG performance.
Opening Meeting
An EHS compliance audit can be intimidating for an organization. Conducting an opening meeting helps to:
Explain the purpose, scope, and objective(s) of the audit.
Introduce the audit team, the auditee leadership and audit participants.
Present the audit schedule.
Discuss who has authorized the performance of the audit and why.
Describe how evidence will be collected during the audit.
Review how audit results will be reported.
Participation of leadership at the opening meeting helps communicate support for the audit process and expectations for employee participation in the audit.
Collecting EHS Compliance Audit Evidence
In Part 1 of this series, we discussed how to plan an EHS compliance audit focusing on what matters (materiality). Auditors use the audit plan to develop audit trails that result in positive or negative evidence of compliance. A questions like “tell me about the processes operated in this department” is often a good starting point for developing audit trails. Here is an example follow-up questions an auditor could ask to further develop the compliance audit trails.
Auditor: I see the metal parts grit blast process is operating today. What kind of parts are you blasting now.
Auditee: We are cleaning several hundred parts before they are electroplated.
Auditor: What are some of the important environmental aspects and OHS hazards you need to consider when operating the grit blaster and dust collector when cleaning stainless steel parts?
A well-prepared auditee will have identified the environmental and occupational health and safety regulations before the audit. Figure 1 is an example of a risk analysis tool that helps prepare for an audit and helps auditors identify important areas to audit. For more information about risk analysis watch this Risk Overview brief video. Learn more about CorrectTrack app.
Figure 1- EHS risk analysis tool
Tools like CorrectTrack provide a listing of environmental aspects and OHS hazards. The list helps quickly identify important aspects and hazards that are good candidates for improvement or for developing audit trails. The highlighted row in Figure 1 is an example of an environmental aspect to check during an audit. Clicking on Risk ID 803 link shows the risk detail page (Figure 2).
This page shows important details about a dust emissions risk and provides links to other information like risk controls, applicable compliance obligations and related files. Clicking on the link under “Files” provides more detailed information (Figure 3). The red box in Figure 3 shows the specific requirements (risks) that need to be addressed or that are (audit criteria) an auditor can check.
Figure 3 – Air Permit Audit Criteria for Dust Collector
Collecting And Evaluating Evidence
An audit checklist can help jog an auditor’s memory of the audit trails they want to follow. Checklists can be as needed. A good checklist points the auditor to what they are trying to prove true. It should be more than a simple check the box yes or no checklist. Check the box checklists discourage looking for and recording evidence of conformity of compliance and should be avoided
The best checklists are prepared by the auditor before or during the onsite portion of the audit. They are specific to the process being audited and the requirement being assessed. The line of questioning can be spontaneous and not always needs to be documented. The questions can be recorded on the spot in the auditors notes along with any evidence observed. Often, audit questions will lead to another question as the auditor follows the audit trail trying to get to the ultimate evidence that a requirement is being met.
Auditor Notes
Auditors need to be able to take good notes during the audit. This helps them recall the details of the audit when preparing the audit report. Notes need to record the evidence the auditor observed during the audit. This can be evidence of conformity or not. Being able to show what the auditor saw or heard during the audit is an important part of the audit process. Good note taking skills are one of the competencies auditors need to possess and continually develop.
Preparing EHS Compliance Audit Findings
Auditor notes are the evidence of conformity, but sometimes the audit shows things are not the way they are supposed to be. Auditors call these nonconformance’s, or potential noncompliance findings. There are many formats for preparing these negative findings. One approach is to write the negative finding in three parts:
1. the requirement, 2. the finding and 3. the evidence that supports the finding
The requirement part of the finding describes the audit criteria the auditor was trying to prove true. It can be a regulatory requirement or a requirement the organization has set for itself. The finding part is a statement of what the problem was, and often refers to the requirements. The evidence part of the audit finding is a summary of what an auditor saw that led them to the conclusion there was a nonconformity.
The following is an example of a negative finding for potential noncompliance with a State issued Title V air emission permit.
Requirement: [s. NR 439.055(2)(a), Wis. Adm. Code, 02-DCF-178] The pressure drop across the dust collector baghouse shall be measured and recorded once every 8 hours of operation or once per day, whichever yields more measurements.
Finding: Auditee not able to produce records of baghouse pressure drop readings
Evidence: No records of metal finishing baghouse pressure drop were able to be produced for 2nd & 3rd shift when baghouse was operating in May 2023.
Communicating EHS Compliance Audit Findings
When a negative finding is made auditors should try to get consensus with auditee that the finding is valid. This will help avoid disagreement on the validity of a finding during the closing meeting. This also helps confirm the auditee has a clear understanding of what was wrong so they begin to fix the problem. Well written findings also help auditees identify appropriate corrective actions. A correction is a quick fix to “stop the bleeding”. A corrective action prevents the nonconformity from recurring.
Closing Meeting
A closing meeting should be held for all EHS audits. During the closing meeting the audit team shares the results of the audit with the auditee. The closing meeting should include the following:
Audit findings
Audit conclusions
Audit recommendations (if appropriate)
Circumstances that affected confidence in the audit results
Audit report timing and distribution
Follow-up actions to be taken by the auditors and auditee
Process for appealing an audit finding or conclusion
Conclusion
This is Part 2 of a three-part article about environmental and health and safety (EHS) auditing. Part 1 discussed how to plan an EHS audit. In Part 3 of this series we will explore how to follow-up on an audit including preparing an audit report, approving corrective actions and verifying corrective action effectiveness during subsequent audits.
ECSI provides auditing, consulting and training services to organizations interested in improving their EH&S performance. For more information, contact us.
Environmental Health and Safety (EHS) audits help organizations confirm that EHS risk is being managed to an acceptable level. Processes for conducting EHS audits continue to evolve. This three-part article will explore why and how EHS audits are performed. The techniques are based on principles of auditing that have been used for many decades by financial accountants. These techniques are now being adapted to audits of EHS performance. EHS audits assess EHS regulatory compliance, management systems conformance and other important areas of EHS performance. This part of the three-part series explores best practices for planning effective EHS audits.
Part 1 – Planning an EHS Audit
Planning an EHS audit starts with understanding the purpose and objective of the audit. Auditors need to understand who is requesting the audit (the audit client) and what the audit results will be used for. This information helps auditors define the scope of the audit and what resources will be needed to achieve the audit objective. Documenting and sharing the audit objective and scope early in the audit planning process helps ensure there is agreement between the auditor and the auditee. Figure 1 is an example of how an auditor might document the audit Objective and Scope as part of developing and EHS audit plan.
Figure 1 – Audit Objective and Scope statement in an audit plan
Determining EHS Audit Duration
With the objective and scope confirmed, an auditor can determine how much time will be required to perform the audit (audit duration). This includes estimating time to plan the audit, collect audit evidence, review the evidence and prepare a report of the audit findings and conclusions. Sometimes the auditor needs to conduct a preliminary Stage 1 audit to help judge auditee readiness, gather additional information to determine the audit duration and confirm the audit is feasible. Differences between the duration proposed by the auditor and what the audit client is willing to pay, need to be resolved before the audit begins. Changing the scope of the audit can often help the auditor and auditee reach consensus on the duration of the audit.
Auditor Competence
The confidence that can be placed in the results of the audit are directly proportional to the auditors competence. Auditor competence includes knowledge of the regulatory requirements (the audit criteria) and the processes that are the subject of the audit. Audit team members should also have developed audit skills including, how to conduct interviews, how to follow audit trails and how to record audit evidence. Auditor behaviors are also critical including maintaining confidentially and making the auditee feel at easy during the audit.
Preparing an EHS Audit Schedule
With the audit duration established competent auditors can now develop and document a plan to conduct the active evidence gathering part of the audit. The plan should identify where the auditor plans to audit, when they plan to be there and what evidence they will be evaluating. It can also include who the auditors intend to interview during the audit. This helps the auditee schedule meetings with the auditor and avoid delays in the audit due to interviewee being unavailable when the auditor desires to conduct the interview.
Confirming the Audit Schedule
Once the audit plan is established it should be shared with the audit client and the auditee to ensure agreement on when, where, and how the audit will be conducted. When agreement is reached the auditor can begin to make plans for travel and accommodations during the onsite portion of the audit. Figure 2 is an example audit schedule for a hypothetical metal parts manufacturing facility that also has an electroplating process.
Figure 2 – Example EHS Compliance Audit Plan
Summary
In this part of the 3-part compliance audit series we explored how to plan an EHS audit. In Part 2 of the series, we will explore how to conduct an EHS audit by following audit trails and recording audit evidence. In part 3 we will explore processes for reporting and following up on the results of an EHS audit.
ECSI provides auditing, consulting and training services to organizations interested in improving their EH&S performance. For more information, contact us.
This is the first of a three-part article that describes best practices for planning, conducting, and following up on environmental and occupational health and safety regulatory compliance audits.
This three-part series we will consider best practices for:
