Who Is Auditing Your Safety Auditors?

Thanks in part to Sarbanes-Oxley, a growing number of companies rely on safety audits to ensure regulatory compliance and prevent injuries. But are these audits actually improving safety performance?

Business success for Boston-based insurance provider Liberty Mutual depends, to some extent, on effective safety audits. John Neil, the practice leader for Liberty's national loss prevention department, says his group performs audits to determine "if we want a client." In addition, Liberty's underwriting department looks at existing clients' own safety audits to determine risk.

Neil says up to 95 percent of Fortune 2000 companies now perform safety audits. How many does he think are doing them correctly and achieving continuous safety improvement?

"I would say just over a third would be in that category."

Do Audits Improve Safety?

While Neil's experience casts doubt on the quality of most audit practices, Dan Petersen's recent book Measurement of Safety Performance, published by the American Society of Safety Engineers (ASSE), raises a more fundamental question about the validity of the audit concept itself. He refers in his book to studies dating back to the 1970s that attempted to correlate audit results with accident statistics. "The results usually show little or no correlation," writes Petersen. "In light of today's management thinking and research, the audit concept has become suspect."

Petersen cites a number of factors to explain the problems with many safety audits:

  • Audit systems give equal weight to all elements having the right books on the library shelf counted as much as holding supervisors accountable for safety;
  • The use of packaged audit systems, rather than developing a program suited to the risks of the operation;
  • Little effort to correlate audit results to the accident record.

"The audit can be an effective metric," Petersen concludes, "once an organization is sure that the audit elements will lead to real results."

Audit the Audit

Neither OSHA nor any American voluntary consensus organization has produced a standard for the performance of safety audits, but other standards and guidance do exist on how to conduct an audit (see sidebar).

The key to success, according to the experts we interviewed, is ensuring that auditors understand the audit objectives. Conversely, the absence of clear goals is the most common reason audits fail to improve safety.

"You need to make sure people conducting the audit really know the criteria you are auditing against, and enough about the industry to evaluate competently if they are in compliance," says Barbara Jo Ruble, president of the Auditing Roundtable Inc., a non-profit organization based in Scottsdale, Ariz. Ruble also is the principal at Specialty Technical Consultants, a national consulting firm based in Baltimore.

"The audit needs to tie back to the goal of safety performance measurement, or it's not worth doing and you're wasting your time," asserts Neil.

The audit program should be assessed against "generally accepted standards of practice and the extent to which it is fulfilling the objectives of senior management," according to the guidance document issued by the Auditing Roundtable. The organization recommends having a party independent of the audit team perform this validation, in effect an "audit of the audit."

Compliance or Management System?

Two basic goals underlying most EHS audits are to determine compliance with the applicable regulations and to measure conformity with an organization's own management system. This distinction explains why audit experts often speak of two different types of EHS audits: compliance audits and management system audits.

Edwin "Brownie" Petersen, safety engineer at ATK Thiokol Inc. and a vice chair of ASSE, explains the difference. "If you find 98 percent compliance with the wearing of PPE (personal protective equipment) you go the compliance route for corrective action. If your compliance is 70 percent, you know the [management] system is broken."

Petersen adds that it is not necessarily an either/or proposition: An audit can address both compliance and systems at the same time.

But less ambitious audits may limit themselves to measuring mere regulatory compliance. The result, according to Ruble, could be less attention to preventive measures.

"What we may do if we're evaluating a management system rather than just compliance," Ruble explains, "is begin to look for injury patterns, root causes and opportunities to implement preventive action."

Even the best management system in the world, however, doesn't guarantee compliance, according to Halley Moriyama, vice president with ENSR International, an EHS consulting and engineering firm headquartered in Westford, Mass. "I sometimes hear this from companies: 'I'm beyond compliance I've jumped to a management system.' Well, Enron had a management system too, and yet there were gross compliance failures." No system will work unless people follow it, Moriyama adds.

Independence

Auditor independence is a second crucial element for a successful audit.

"The independence of the auditor is a question that every corporation struggles with," says Moriyama. One way to ensure independence from both the safety and operations departments is to hire outside consultants. A second option is to have an internal auditing department separate from safety and operations that reports directly to the president and board of directors.

"Our audit manager reports directly to the president, not to accounting, not to safety, not to operations," says Petersen. "That's the only way you can have an independent audit organization." ATK Thiokol is a diversified high-technology manufacturing company. Petersen works at Thiokol's aerospace division in Utah where the solid rocket boosters for the space shuttle are built.

In Ruble's experience, the most likely kind of conflict of interest arises when the person doing the audit has in some way shaped the program or practice being reviewed. "Someone responsible for air quality permitting could be tapped to audit where he or she wrote the permit application," she says. "That's why Sarbanes-Oxley exists."

The "Standards for the Professional Practice of Environmental, Health and Safety Auditing" issued by the Board of Environmental, Health & Safety Auditor Certifications makes the following points about auditor independence:

  • EHS auditors should be free from personal or organizational bias, and internal or external influences on their judgment or authority, whether implied or direct.
  • Conflicts of interest should be communicated to the appropriate personnel.
  • Objective auditors should base findings on observed, measurable and verifiable evidence.
  • Internal EHS audit functions should have a reporting relationship to the board of directors that is independent of the "auditee."

Seeing Fresh Paint

Beyond all the technical knowledge an EHS auditor must have under his or her belt to be successful, Ruble emphasizes the importance of subtle interpersonal skills as well.

The ability to listen and communicate effectively is essential both in conducting the audit and in presenting the findings. But sometimes finding the truth involves more than listening to what is being said.

For Ruble, part of the art of auditing is being able to read between the lines the Latin root meaning of "intelligence."

"There's very little about an audit that isn't an abnormal situation," she says. "So to be successful, you have to learn to see fresh paint and listen to what people aren't telling you."

Moriyama believes more and more companies are now performing EHS audits. While OSHA fines are insignificant for most large companies, they do care a lot about their corporate reputations. A health and safety disaster can have a huge impact on a company's public image.

A second factor Moriyama mentions is Sarbanes-Oxley. Although it's largely a financial regulation, EHS regulatory failures can affect a company financially and Sarbanes-Oxley is about transparencies in reporting liabilities, according to Moriyama. "Corporate CEOs have to sign off on financial statements and they need to know there are no ticking time bombs."

Intelligent CEOs have learned that EHS time bombs could be anywhere, and need not be tied to compliance failures. Asked to cite an example, Moriyama has just one word to say: "Asbestos."

Sidebar: "Brownie's" 4 Steps For a Successful Audit

Edwin "Brownie" Petersen, safety engineer at ATK Thiokol Inc. has identified four basic steps he believes will ensure audit results that are based on fact and conclusions that are accurate.

Petersen, who has more than 30 years of auditing experience, works at Thiokol's aerospace division in Utah. He says effective audits are especially important at ATK Thiokol because of the risks inherent in its operations: The company is the world's largest supplier of rocket fuel.

  • Step One: Plan the audit determine what you want to audit based on a risk analysis; define objectives; develop audit scope; and prepare an audit plan or protocol.
  • Step Two: Conduct the audit communicate with management; test systems and processes; interview personnel; review documentation; and observe practices.
  • Step Three: Reporting and documentation communicate results and conclusions in a final report.
  • Step Four: Findings and corrective action includes management response; commitment to corrective action; and follow-up verification to ensure the corrective action has taken place.
TAGS: Archive
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish