Rainer Ochsenkuehn

First Environment, Inc.

As risk management has evolved in organizations, so has the audit strategy. Assessments of internal control structures are common, and more organizations are moving towards management system auditing instead of the more traditional compliance audits. Traditional internal auditing involves identifying the main risks in a business unit and developing audit programs to test the controls that mitigate those risks. Compliance audits are still conducted, but they are now part of a broader audit that covers all elements of a management system. Management system auditing has become more popular with CEOs and the Board of Directors because the Sarbanes-Oxley Act is also applicable to environment, health and safety (EHS).

There is a lot of good advice, articles, how-to books, directions, and so on about "Audit strategy and how to perform a management system audit," but they focus mostly on audit techniques and approaches; they rarely address the essentials of an environmental, health and safety management system, and the audit of such a system. As with most corrective actions that we see as auditing professionals, the current management systems deal mostly with the symptoms, not the real root causes of the situation: AWARENESS, ATTITUDE, and COMMITMENT. This means the employees' awareness of EHS issues, the organization's EHS attitude, and top management commitment.

So, what conclusions can be drawn from established management system audit results such as ISO 14001, new approaches, and even the inclusion of security as part of the recent certification audits to the American Chemical Council's (ACC) Responsible Care Management System (RCMS) and RC14001 Technical Specifications?

First of all, an internal audit of one's own management system needs to be solid and comprehensive in order to determine the effectiveness of the management system. Current developments show a growing mismatch between the maturity of management systems and the stagnation of the audit programs put in place to verify system implementation, maintenance and effectiveness. As a result, the audits add no value and, even worse, are unable to address potential nonconformances.

An example is Organization A, which used the questions originally developed for a gap analysis in its internal audit program. These questions are completely useless. After the system is implemented, it gives the organization no value to ask something like "Is the policy documented? Yes/No." On top of that, the audit checklist contains only check marks and no comments whatsoever to indicate what and who was audited in the first place. This ineffective audit leaves Organization A fairly blind - not able to evaluate the actual system, but merely its surface. Why is this not detected? This may be because the audit of the audit program is often limited to the existence of an audit schedule and whether this schedule is met. What is missed is an evaluation of the audit program's ability to ensure that the system is working properly and that changes to the organization, processes, and/or products are incorporated into the system.

This is also related to the second issue found frequently - the root causes of nonconformances are not always determined correctly or, in other words, formal problem solving of any kind does not exist. Instead of identifying the real issues leading to the problem, organizations blame individuals (operator error) or training for most of the problems identified. A root cause analysis is not required for each and every problem; however, where the organization deems it necessary, it has to be done correctly and not just as a cursory exercise. If the root cause relates the nonconformance back to the underlying problem, the preventive action is a breeze, ensuring that the problem does not come up again.

Auditing as a company fear factor is usually based on company culture in the form of a traditional command and control approach to EHS. Companies with no previous experience in management systems tend to show the same attitude when performing management system audits as for regulatory-driven compliance audits or, even worse, the typical command and control attitude "I'm here to getcha!" It takes training, an open mind, and quite some time for auditors who are used to this regulatory approach to see and understand the difference between the approaches. The emphasis in performing a management system audit is to establish objective evidence that the system is implemented, maintained, and effective. Unfortunately, some auditors still think they need to find nonconformances in order to justify their job. The sum total of the audit should be to provide the organization with a value-added audit that includes an evaluation of the strength of the organization's management system, its commitment to EHS compliance, and most importantly a prediction of the organization's ability to continually improve.

On the other side, management makes the mistake of judging the performance of the management system based on the number of negative audit findings, without looking behind the scenes. Evaluating the management system by the number of nonconformances is really insignificant, and these numbers can be highly misleading to management. The audits being compared might have had different scope and emphasis. Furthermore, the number of audit findings is subjective, depending on who performed the audit, in what area, and in relation to what elements of the management system. Remember, an audit is a sample. It is not a complete assessment of the management system in all its details.
