Those of us who have been in EHS auditing for a while have faced this question, either as internal corporate staff or as an outside auditor.
You know the situation – an EHS event occurs at a site, it gets reported up the management chain and the questions (and possible finger pointing) begin.
How could we have let this happen?
How come we didn’t know about this sooner?
What did the last audit find?
And finally… Why wasn’t it found or addressed in the audit?
Most EHSS audit programs were built to address compliance or management systems conformance. Today, companies are beginning to approach these questions in a constructive manner, looking to develop risk-based EHSS audit frameworks. We at Elm are frequently asked how to incorporate the concept of “risk” into audit programs. For those wondering where to start, here are a few tips:
- Use existing risk benchmarks within the company. There is no need for EHSS risks to use separate definitions.
- Actively and aggressively coordinate with all aspects of the company. The business impacts of EHSS exposures are relevant to a surprising number of functions and activities.
- Conduct a thorough EHSS risk assessment. During this process, encourage and embrace discussions of “Black Swan” events.
- Generally, a two-dimensional framework is effective for communicating risk likelihood and impact separately.
- Create a risk profile assuming controls will fail. Remember that at this point, you are identifying a “gross risk profile”. Effectiveness of controls should be evaluated in a separate step.
- Evaluate the risk profile for auditable topics and elements. Once the appropriate topics are identified, audit protocols can be developed. However, these protocols are typically beyond the scope with which traditional EHSS auditors are comfortable.
- Develop guidelines for appropriate corrective actions. For example, a risk that is high impact/low likelihood may be best treated with a financial solution to reduce the economic impact of a rare event. A management system approach to such a risk may not prove relevant or effective.
These ideas may help provide some guidance on how to move ahead, reduce real business risk and generate demonstrable economic value.