Pro Tips for Best EHS Audits (Part 3): EHS Audit Follow-up

The purpose of an EHS audit follow-up is to check that EHS risk, including risk of noncompliance, is managed to a level that the organization considers acceptable. Noncompliance with applicable government laws and other requirements are examples of EHS risk sources that need to be controlled. An EHS audit checks that risk controls are in place and effective.  Risk controls can be engineering controls like air pollution control devices, administrative controls like training and work instructions and others.

EHS Audit Findings

The results of an audit are called findings. These can either be positive findings that the controls are in place and effective, or negative. Negative findings are nonconformance’s. Positive findings are good news but not something the organization needs to act on. Positive findings confirm that “what should be is” and that “what should not be is not.

Negative findings however are actionable and create opportunities to improve EHS performance. In Part 2 of this EHS Compliance Audit series, we discussed how negative findings are written and communicated verbally at the end of the audit. As a follow-up to the active evidence gathering and verbal reporting, a written report should be prepared and distributed to document the results of the audit.

Preparing the EHS Audit Follow-Up Report

The audit report presents the results to the auditee and others and helps an organization gauge EHS performance. The report should be concise and to the point and the tone of the report should be factual and nonjudgmental.   

A key part of the EHS audit follow-up report are the negative findings that were made during the audit. The EHS audit follow-up report formalizes the findings in a way that the auditee can act on them. The reported negative findings need to include enough information so that they can be investigated and ultimately fixed in a way that they do not happen again.

Here is an example outline for an EHS audit follow-up report.

  • Executive Summary
  • Background Purpose and Scope
  • Findings
  • Conclusions
  • Recommendations
  • Discussion
  • Appendices

Correction and Corrective Action

Negative EHS audit findings point to EHS risks that need to be better controlled. They are the result of a potential noncompliance with a legal requirement or discovery of some other issue. If left uncorrected they can increase risk and lead to enhanced legal action by a regulatory agency (knowing and willful violation). To avoid exposure to these enhanced penalties, it is important that organizations have a good corrective action process in place.

There are 5 steps in an effective corrective action processes.

  1. Short Term Correction
  2. Investigate the Cause
  3. Identify a Corrective Action
  4. Implement the Corrective Action
  5. Verify the Corrective Action is Effective

The following is a brief description of these steps.

Short Term Correction

Findings that identify a potential serious risk need to be addressed as soon as possible. Continuing to operate equipment that exposes workers to injury after a finding is made is bad business. If a worker were to become injured after the nonconformance was reported the penalties and fines could escalate dramatically.  A correction to quickly reduce the risk from the nonconformance needs to be put in place as soon as practical.

Investigate THE Cause

Once the correction has been put in place a corrective action plan needs to be established. Responsibility to investigate the cause of an audit finding should be assigned to someone with knowledge of and experience with the corrective action process. This knowledge and experience will help identify the root cause of the finding. Once the root cause is established an appropriate corrective action can be proposed that prevents the problem from recurring in the future.

Knowledge and use of root cause analysis tools like “5 Why Cause Analysis” ensure the cause of the unacceptable risk level is identified. Here is an example a “5 Why Cause Analysis”.

This example is for an incident that happened at a roll calendar for polishing extruded plastics sheets. An employee was caught in an in running nip between the rolls and luckily only sustained a recordable injury. This incident could have easily been an amputation or a fatality.

roll calendar for polishing extruded plastics sheets
Why?Answer
Why was the OHS hazard of being caught in the nip on the calendar not addressed?The machine was new, and no one thought to do a Job Safety Analysis (JSA) before it was installed and operated.
Why did no one perform a JSA?Performing a JSA to review potential OHS hazards and risk are not part of the capital investment approval process.
Why was OHS hazard and risk review not part of the capital investment process?The manager of the extrusion department manager did not know that a JSA hazard and risk review should be undertaken for all new equipment as part of the purchase process.
Why was extrusion department manager unaware of the need to review hazards and risks for new equipment?An existing employee had recently been promoted to manager of the extrusion department and they had not been informed of the requirement.
Why had the new extrusion department manager not been informed?Our organization has not established a process to identify training needs and provide training to employees when they transfer to a new position within the company.
Table 1 – Example 5 why analysis

Identify a Corrective Action

Once the cause is established, a suitable corrective action can be identified to reduce the risk to an acceptable level. The effort needed to identify a suitable corrective action is proportional to the finding risk level. The higher the risk, the more effort needed to figure out the best way to address it. A finding that an emergency evacuation map could be hidden behind a door when it is opened, is much easier to correct than the finding of an ineffective control to treat wastewater discharge to a municipal sanitary sewer.  

The cause analysis process should have an approval step to confirm the cause analysis was performed with skill and that the corrective action is aligned with the identified cause of the finding. This review and approval can be done by the auditor who made the finding or others in the organization who can impartially review the cause and proposed corrective action.

If the cause and/or the proposed corrective action are found to be deficient during the review, the assignees should be consulted and asked to rethink the cause analysis and corrective action. The evaluation and approval of potential corrective actions requires striking a balance between risk and opportunity. It is not possible to reduce all risk levels to zero.

Some processes have hazards with risk that are difficult to control and the organization needs to think carefully about what level of risk it is willing to accept. In running nips on plastic extrusion rollers is a good example. It is very difficult to properly guard an in running nip on these machines. The guard would prevent the process from working properly.

As a result, the corrective action cannot be the elimination of the hazard or installation of a physical guard (engineering control).  Instead, there may need to be several independent controls such as installing a rope e-stop, providing training to employees on how to operate the process safely and even evaluating the operators competence to ensure they understand the hazard and the associated risk. 

Once both the cause and the corrective action(s) are approved the assignee should be authorized to implement the corrective action.

Implement the Corrective Action

The implementation of the chosen corrective action may take days, weeks or even months depending on what needs to be done. Moving an emergency evacuation sign to a better location can be done almost immediately while designing and installing an upgraded wastewater treatment process may take many months.

Verify the Corrective Action is Effective

Verification that the corrective action has been implemented and that it is effective is the last step in the process. It confirms that the problem causing risk, has reduced that risk. The verification can be done upon completion of the corrective action or during the next audit. When the corrective action is verified, it can be closed.

Tracking EHS Audit Corrective Action Progress

Historically, keeping track of progress toward completing corrective action was done with paper forms that went from in-basket to in-basket. Once complete they were placed in a file drawer for storage. Later, electronic methods including excel spreadsheets and other types of electronic documents were used with some success. However, these tracking methods require much effort and often lead to miscommunications or missed deadlines of incomplete corrective actions for findings. The result was the corrective action process was not successful in reducing risk in a timely fashion and increased risk to the organization. 

Within the last few years cloud-based applications have emerged that solved many of the problems with paper or spreadsheet corrective action tracking systems. These applications allow quick access to users and are readily accessible almost anywhere.

Modern corrective action application
Figure 1 – Modern Corrective Action Application

Cloud based database applications help organizations quickly find the status of any CA and drill down to details for each CA.

Figure 2 – Drill Down Corrective Actions Detail

Applications like CorrectTrack establish users permissions to view, change, verify and approve corrective actions. A permissions based peer review process also helps ensure that corrective actions are investigated thoroughly and verified before they are closed.

Other advantages of a cloud based app like CorrectTrack are:

  • Notify persons of status changes of a CA
  • Define a standard process for doing CA
  • At a glance dashboards for users
  • Provide notifications when CAs are coming due, or past due
  • Provide a record of who changed what, when and why
  • User permissions allow visibility of the CA system to leadership

Conclusion

Effective corrective action processes are powerful tools that help organizations improve EHS performance over time. Investing in, and continually improving the corrective action process will provide a significant short term and long term return.

This EHS Audit Follow-up post is part 3 of a three part article on EHS Auditing. Part 1 and 2 discussed how to plan an EHS audit and conduct an EHS audit. This concludes our three-part series on EHS audits.

We welcome and encourage feedback on this series. Contact us directly at kalehner@envcompsys.com and 262-949-2965, or visit us online for more information: ECSI or CorrectTrack.

Pro-Tips for Best EHS Audits (Part 2): Conducting an EHS Compliance Audit

Compliance audits confirm an organization’s compliance status with environmental and occupational health and safety regulations. Audits also help manage risk of violations and fines. Customers, boards of directors and others care about EHS regulatory compliance and use audit results to make important business decisions. EHS audits will become even more important in the future as more organizations seek independent verification of their EHS and ESG performance.

Opening Meeting 

An EHS compliance audit can be intimidating for an organization. Conducting an opening meeting helps to: 

  • Explain the purpose, scope, and objective(s) of the audit.
  • Introduce the audit team, the auditee leadership and audit participants. 
  • Present the audit schedule.
  • Discuss who has authorized the performance of the audit and why.
  • Describe how evidence will be collected during the audit.
  • Review how audit results will be reported.

Participation of leadership at the opening meeting helps communicate support for the audit process and expectations for employee participation in the audit.

Collecting EHS Compliance Audit Evidence 

In Part 1 of this series, we discussed how to plan an EHS compliance audit focusing on what matters (materiality).  Auditors use the audit plan to develop audit trails that result in positive or negative evidence of compliance. A questions like “tell me about the processes operated in this department” is often a good starting point for developing audit trails. Here is an example follow-up questions an auditor could ask to further develop the compliance audit trails. 

Auditor: I see the metal parts grit blast process is operating today. What kind of parts are you blasting now.

Auditee: We are cleaning several hundred parts before they are electroplated.

Auditor: What are some of the important environmental aspects and OHS hazards you need to consider when operating the grit blaster and dust collector when cleaning stainless steel parts?

A well-prepared auditee will have identified the environmental and occupational health and safety regulations before the audit. Figure 1 is an example of a risk analysis tool that helps prepare for an audit and helps auditors identify important areas to audit. For more information about risk analysis watch this Risk Overview brief video.  Learn more about CorrectTrack app.

EHS risk analysis tool
Figure 1- EHS risk analysis tool

Tools like CorrectTrack provide a listing of environmental aspects and OHS hazards. The list helps quickly identify important aspects and hazards that are good candidates for improvement or for developing audit trails.  The highlighted row in Figure 1 is an example of an environmental aspect to check during an audit.  Clicking on Risk ID 803 link shows the risk detail page (Figure 2).

Grit Blast Dust Emission Environmental Risk Detail
Figure 2 – Grit Blast Dust Emission Environmental Risk Detail

This page shows important details about a dust emissions risk and provides links to other information like risk controls, applicable compliance obligations and related files. Clicking on the link under “Files” provides more detailed information (Figure 3). The red box in Figure 3 shows the specific requirements (risks) that need to be addressed or that are (audit criteria) an auditor can check.

Air Permit Audit Criteria for Dust Collector
Figure 3 – Air Permit Audit Criteria for Dust Collector

Collecting And Evaluating Evidence 

An audit checklist can help jog an auditor’s memory of the audit trails they want to follow. Checklists can be as needed. A good checklist points the auditor to what they are trying to prove true.  It should be more than a simple check the box yes or no checklist. Check the box checklists discourage looking for and recording evidence of conformity of compliance and should be avoided

The best checklists are prepared by the auditor before or during the onsite portion of the audit. They are specific to the process being audited and the requirement being assessed. The line of questioning can be spontaneous and not always needs to be documented. The questions can be recorded on the spot in the auditors notes along with any evidence observed. Often, audit questions will lead to another question as the auditor follows the audit trail trying to get to the ultimate evidence that a requirement is being met.

Auditor Notes

Auditors need to be able to take good notes during the audit. This helps them recall the details of the audit when preparing the audit report. Notes need to record the evidence the auditor observed during the audit. This can be evidence of conformity or not.  Being able to show what the auditor saw or heard during the audit is an important part of the audit process. Good note taking skills are one of the competencies auditors need to possess and continually develop.   

Preparing EHS Compliance Audit Findings 

Auditor notes are the evidence of conformity, but sometimes the audit shows things are not the way they are supposed to be.  Auditors call these nonconformance’s, or potential noncompliance findings. There are many formats for preparing these negative findings. One approach is to write the negative finding in three parts:

1. the requirement,
2. the finding and
3. the evidence that supports the finding

The requirement part of the finding describes the audit criteria the auditor was trying to prove true.  It can be a regulatory requirement or a requirement the organization has set for itself.  The finding part is a statement of what the problem was, and often refers to the requirements. The evidence part of the audit finding is a summary of what an auditor saw that led them to the conclusion there was a nonconformity.   

The following is an example of a negative finding for potential noncompliance with a State issued Title V air emission permit. 

  • Requirement: [s. NR 439.055(2)(a), Wis. Adm. Code, 02-DCF-178] The pressure drop across the dust collector baghouse shall be measured and recorded once every 8 hours of operation or once per day, whichever yields more measurements.  
  • Finding:  Auditee not able to produce records of baghouse pressure drop readings
  • Evidence: No records of metal finishing baghouse pressure drop were able to be produced for 2nd & 3rd shift when baghouse was operating in May 2023. 

Communicating EHS Compliance Audit Findings

When a negative finding is made auditors should try to get consensus with auditee that the finding is valid. This will help avoid disagreement on the validity of a finding during the closing meeting. This also helps confirm the auditee has a clear understanding of what was wrong so they begin to fix the problem. Well written findings also help auditees identify appropriate corrective actions. A correction is a quick fix to “stop the bleeding”. A corrective action prevents the nonconformity from recurring.  

Closing Meeting

A closing meeting should be held for all EHS audits. During the closing meeting the audit team shares the results of the audit with the auditee. The closing meeting should include the following:

  • Audit findings
  • Audit conclusions
  • Audit recommendations (if appropriate)
  • Circumstances that affected confidence in the audit results
  • Audit report timing and distribution
  • Follow-up actions to be taken by the auditors and auditee
  • Process for appealing an audit finding or conclusion

Conclusion

This is Part 2 of a three-part article about environmental and health and safety (EHS) auditing. Part 1 discussed how to plan an EHS audit. In Part 3 of this series we will explore how to follow-up on an audit including preparing an audit report, approving corrective actions and verifying corrective action effectiveness during subsequent audits. 

ECSI provides auditing, consulting and training services to organizations interested in improving their EH&S performance. For more information, contact us.

Pro-Tips for Best EHS Audits (Part 1): Planning An EHS Compliance Audit

Introduction

Environmental Health and Safety (EHS) audits help organizations confirm that EHS risk is being managed to an acceptable level.  Processes for conducting EHS audits continue to evolve.  This three-part article will explore why and how EHS audits are performed.  The techniques are based on principles of auditing that have been used for many decades by financial accountants.  These techniques are now being adapted to audits of EHS performance.  EHS audits assess EHS regulatory compliance, management systems conformance and other important areas of EHS performance. This part of the three-part series explores best practices for planning effective EHS audits.

Part 1 – Planning an EHS Audit

Planning an EHS audit starts with understanding the purpose and objective of the audit.  Auditors need to understand who is requesting the audit (the audit client) and what the audit results will be used for.  This information helps auditors define the scope of the audit and what resources will be needed to achieve the audit objective.  Documenting and sharing the audit objective and scope early in the audit planning process helps ensure there is agreement between the auditor and the auditee.  Figure 1 is an example of how an auditor might document the audit Objective and Scope as part of developing and EHS audit plan.

Audit Objective and Scope statement in an audit plan

Figure 1 – Audit Objective and Scope statement in an audit plan

Determining EHS Audit Duration

With the objective and scope confirmed, an auditor can determine how much time will be required to perform the audit (audit duration). This includes estimating time to plan the audit, collect audit evidence, review the evidence and prepare a report of the audit findings and conclusions.  Sometimes the auditor needs to conduct a preliminary Stage 1 audit to help judge auditee readiness, gather additional information to determine the audit duration and confirm the audit is feasible. Differences between the duration proposed by the auditor and what the audit client is willing to pay, need to be resolved before the audit begins. Changing the scope of the audit can often help the auditor and auditee reach consensus on the duration of the audit.

Auditor Competence

The confidence that can be placed in the results of the audit are directly proportional to the auditors competence. Auditor competence includes knowledge of the regulatory requirements (the audit criteria) and the processes that are the subject of the audit. Audit team members should also have developed audit skills including, how to conduct interviews, how to follow audit trails and how to record audit evidence.  Auditor behaviors are also critical including maintaining confidentially and making the auditee feel at easy during the audit.

Preparing an EHS Audit Schedule

With the audit duration established competent auditors can now develop and document a plan to conduct the active evidence gathering part of the audit.  The plan should identify where the auditor plans to audit, when they plan to be there and what evidence they will be evaluating.  It can also include who the auditors intend to interview during the audit.  This helps the auditee schedule meetings with the auditor and avoid delays in the audit due to interviewee being unavailable when the auditor desires to conduct the interview.   

Confirming the Audit Schedule

Once the audit plan is established it should be shared with the audit client and the auditee to ensure agreement on when, where, and how the audit will be conducted.  When agreement is reached the auditor can begin to make plans for travel and accommodations during the onsite portion of the audit.  Figure 2 is an example audit schedule for a hypothetical metal parts manufacturing facility that also has an electroplating process.

Example EHS Compliance Audit Plan

Figure 2 – Example EHS Compliance Audit Plan

Summary

In this part of the 3-part compliance audit series we explored how to plan an EHS audit.  In Part 2 of the series, we will explore how to conduct an EHS audit by following audit trails and recording audit evidence.  In part 3 we will explore processes for reporting and following up on the results of an EHS audit.

ECSI provides auditing, consulting and training services to organizations interested in improving their EH&S performance. For more information, contact us.

This is the first of a three-part article that describes best practices for planning, conducting, and following up on environmental and occupational health and safety regulatory compliance audits.

This three-part series we will consider best practices for:

  • Part 1 – Planning audits
  • Part 2 – Conducting audits
  • Part 3 – Following up on audit results

RDO Equipment Co. Achieves ISO 45001 Certification

RDO Equipment Co. Founded in 1968, RDO Equipment Co. sells and supports agriculture, construction, environmental, irrigation, positioning, and surveying equipment from leading manufacturers, including John Deere, Vermeer, and Topcon. RDO Equipment Co. is a total solutions provider with more than 75 locations across the United States and partnerships in Africa, Australia, Mexico and Ukraine. RDO contacted ECSI for assistance in developing an Occupational Health and Safety Management System to help improve its OHS performance.

RDO also wanted to show its business partners, customers and employees, their commitment to keeping employees safe. RDO chose to align the OHS management system with ISO 45001. They also decided to initially seek certification from an accredited certification body for their corporate headquarters and one of the company stores. Their intention is to certify the remaining 42 stores over the year or so. ECSI conducted an initial gap assessment that helped RDO identify gaps that needed to be filled before getting certified.

Gaps were entered into a database application tool (CorrectTrack) and assigned to the OHSMS implementation team for follow-up. One of the gaps identified was the need for a comprehensive Job Hazard/Job Safety analysis. ECSI helped develop process maps that supported JHA/JSA development at one of the RDO maintenance facilities. Below is an example of how the results of the JHA/JSA risk analysis were recorded.

This tool helped RDO evaluate the effectiveness of existing risk controls and identify priority hazards for additional risk reduction. The tool also helped internal auditors identify what material risks need to be audited during the internal audit process.

ECSI also helped RDO train its internal auditors in performing audits to the ISO 45001 standard. This was done in a three day combined internal audit training and actual audit at the corporate headquarters and one of the RDO maintenance facilities. ECSI assisted RDO in preparing for several management review meetings that were conducted prior to the Stage 1 and Stage 2 audits by an accredited certification body. Congratulations RDO on a successful outcome to the ISO 45001 implementation and certification process.

ISO 45001 Webinar – FREE!

ISO 45001 is an international standard that helps organizations improve Occupational Health and Safety (OHS) performance.  The ISO 45001 standard can be used to ensure workers are safe by protecting them from workplace injury and ill health.  As the Vice Chair of the US Technical Advisory Group to ISO 45001, I have been seeing a significant rise in awareness of ISO 45001 benefits.  Environmental Compliance Systems, Inc has also helped many organizations plan, implement and integrate an ISO 45001 OHSMS with their other business management systems.   A recent webinar produced with ASSP describes the many benefits of an ISO 45001 OHSMS.  Here is a link to free ASSP webinar: https://player.vimeo.com/video/844292169?. Please watch if you are interested in improving your organizations OHS performance.

CorrectTrack 2.0 Release Soon

Environmental Compliance Systems, Inc. (ECSI) is pleased to announce the release of CorrectTrack 2.0 soon.  CorrectTrack 2.0 marks a significant improvement in the applications ability to provide important ISO management system performance information quickly to users.

Over a decade ago ECSI began to explore digital tools to enhance our ISO consulting, auditing, and training practice.  We were looking for a cloud-based application that helps our clients and others implement and operate ISO continual improvement management systems.   Being unable to find a suitable off the shelf solution we began adapting available open-source bug tracking software.  The objective was to provide a systematic corrective action tracking process that was superior to existing Microsoft access database and excel spreadsheet solutions. The list of organizations using CorrectTrack has now grown to over 40 organizations and 450 individual users.  To our knowledge CorrectTrack continues to be the only cloud-based application designed exclusively for ISO 14001, 45001, and 9001 management systems.

CorrectTrack 2.0 has better dashboard user experience and more flexibility to let users configure it to their specific needs.  Users will have access to all the application features including:

  • Permissions based user access and functionality.
  • Approval gate process for corrective action investigation, verification, and closure
  • Risk management module for all ISO management system standards including 9001, 14001 and 45001.
  • Internal audit planning and follow-up.
CorrectTrack 2.0 Dashboard and Landing Page

As part of the CorrectTrack 2.0 rollout we are offering a free consultation to ISO management system experts and representative to explore how the application can benefit you ISO management system and improve your organizations occupational health and safety, environmental and even quality performance. 

Contact us for more information on how CorrectTrack 2.0 can help your organization’s ISO management system performance.  If you like what you see, we will help you get started with a free application trial period without any obligations or fees.

Join US at the 2022 ASSP Risk, Health & Safety for All Conference.

We are looking forward to seeing you at the 2022 ASSP Risk, Health & Safety for All Conference Thursday, September 29 & Friday, September 30, 2022 at The Ingleside Hotel in Pewaukee, Wisconsin. With two days of educational sessions, workshops, and panel discussions, this event is full of super rich networking and collaboration opportunities. More

Preview our Presentation

Please be sure to come see us at session #12 where we will be sharing information on Semi-quantitative Risk Analysis – An OHS Leading Indicator. Here is a description of the presentation:

OHS Managers need to find good ways to predict and influence future OHS
performance. These predictors of OHS performance are referred to as “leading indicators”. Semi-quantitative OHS risk analysis is now being recognized as a good leading indicator of OHS performance. This session describes how semiquantitative risk analysis is used as a leading indicator of OHS performance

Come see us at our booth at the show to say hello  or for a quick demo of the CorrectTrack app.. Be sure to put your name into our raffle that will award a lucky winner at our ever-popular beer tasting on Thursday evening and taste premium beers with one of the Tyranena brewers..

US Securities and Exchange Commission Issues Proposed GHG Risk Disclosure Rules

The Securities and Exchange Commission (“Commission”) is proposing for public comment amendments to its rules under the Securities Act of 1933 (“Securities Act”) and Securities Exchange Act of 1934 (“Exchange Act”) that would require registrants to provide certain climate-related information in their registration statements and annual reports. The comment period closed May 22, 2022. 

The proposed rules would require information about a registrant’s climate-related risks that are reasonably likely to have a material impact on its business, results of operations, or financial condition. The required information about climate-related risks would also include disclosure of a registrant’s greenhouse gas emissions, which have become a commonly used metric to assess a registrant’s exposure to such risks. In addition, under the proposed rules, certain climate-related financial metrics would be required in a registrant’s audited financial statements.

The first 465 pages of the document are the SEC response to comments provided during the development phase of the proposed rules last year.  The proposed new rules begin on page 465.  There is some interesting stuff on what SEC is looking for regarding how registrants assess climate related risk (see § 229.1503 (Item 1503) Risk management starting on page 482).

Contact me with any question or comments.

Posted in GHG

We are Presenting at Wisconsin Safety Council Safety 2022

Join us at the conference. We are presenting on E-Tools for OHS Risk Management. Learn about how cloud based app and relational database are emerging as essential tools for EHS Managers. We will cover how to use these tools to:

  • Use a database to record the results of a JHA
  • Preform hazard risk reduction tasks
  • Perform audits of risk controls
  • Use e-tools to perform corrective actions
  • Communicate to leadership on EHS performance