Internal Audit Best Practices for Safety, Environment, and Quality Audits
TRANSCRIPT
By John Wolfe
Presenter: John Wolfe, CEO, Management Horizons
Facilitator: Jessica Minhas, Marketing Manager, Nimonik
Webinar Objectives
Share Knowledge: Health, Safety, Environment, and Quality Internal Audit Program Best Practices
Agenda
• Program drivers
• HSEQ Management Systems and where audits and assessments fit in
• Compliance obligations and risk management inputs to the auditing process
• Internal audit business processes
• The audit planning processes
• Frequently asked questions
Why Is an Operationally Excellent Program Needed?
• Safety & environmental performance is a continuing business risk
• Fatalities and serious injuries persist
• Safety process & program costs are increasing
So What Can We Do to Improve These Trends?
• A well-integrated HSEQ management system framework and safety culture are a required foundation
• An effective Internal Audit Program can help identify best practices and operational weaknesses
You are a powerful agent of change!
Look at Your Data - Trends and Critical Controls
HSEQ Management Systems Framework
Management Systems Hierarchy
• Company-wide: Policy
• BU/Functions: Standards, Guidelines
• Facility/Asset: Procedures, Instructions, Specifications & Tools
The OEMS audit focuses on the “how” implemented to accomplish the “what”.
Having Controls Documented Is Not Enough
Audit and Assessments: Interdependencies
Element 16 has multiple cross references to other elements: some are elements that Element 16 is dependent upon, others are elements dependent on Element 16 delivery.
• E2 – Risk Management
• E3 – Legal Req. & Commit.
• E9 – Operations & Maintenance Controls
• E10 – Contractor Mgmt.
• E13 – Comm. & Stake. Relations
• E17 – Corrective Actions
Where Audits and Assessments Fit
• Day-to-day management of controls (other elements, e.g. 9, 14): internal controls, inspections, checklists, quality reviews, workplace observations
• Other monitoring & assurance activities
• Assessments (Element 16): internal; client is the business. Business-managed evaluation, e.g. OEMS self-assessments, compliance reviews, M&R assessments
• Audits (Element 16): independent; client is corporate or external. OIA; external
EHS Management System Self Assessments & Maturity Roadmaps
Lack of Coordination across Risk Functions Can Create Overlap, Redundancy and Increased Costs
• Board/senior management oversight: Audit committee, Risk committee, other committees
• Risk functions: Internal Audit, Risk Management, Compliance, Internal Control, Information Technology, Legal and Regulatory, External Audit
• Multiple business units
Siloed risk functions reduce value, increase costs, and impact business performance
Compliance Obligations Data Inputs (note: each Element has its own PDCA cycle)
The Risk Management Process Data Inputs – Risk Assessment Model (adapted from the ISO 31000 risk management standard)
Strategic process (framework implementation and framework continuous improvement cycle):
• Mandate & Commitment: Policy, Standards, Procedures/Guidelines
• Risk Structure & Accountability – risk roles & responsibilities: Executive Leadership Team, Chief Risk Officer, Business & Function Leaders & Management
• Communicate & Train: Communication, Reporting, Training
• Measure, Review & Improve: Control Assurance Policy, Standards & Guidelines, KPIs, KRIs
• Risk management information to action: Risk Assurance, Risk Registers, Treatment Plan, Reporting Templates
Tactical process (process for managing risk):
1. Establish the context
2. Risk assessment: 2a. Identify risks; 2b. Analyze risks; 2c. Evaluate risks
3. Treat risks
4. Communicate and consult
5. Monitor and review
Hazard Identification Methods – Integrated Risk Analysis Methods
• Brainstorming
• Field level risk assessment
• Job safety analysis
• What-if
• HAZOP – Hazard and Operability Study
• Failure Mode Effects Analysis
• Process Hazard Analysis
• Layers Of Protection Analysis
• etc.
Standardized Risk Matrix
Likelihood category (increasing likelihood): L1 Remote, L2 Rare, L3 Unlikely, L4 Possible, L5 Probable, L6 Virtually certain
Consequence category (increasing consequence): C1, C2, C3, C4, C5, C6
Example risks plotted on the matrix: Protracted Operational Outage; Permit Approval Risk; Environmental Policy / Regulation Change; Resource Shortage; Environmental / Safety Incident; EH&S / Regulation Non-Compliance; Natural Disaster / Business Continuity Planning
Dynamics of an Incident and the Hierarchy of Controls
Defensive layers (System 1 through System 7) against unusual conditions and latent failures in systems:
• “Hardware” defenses: process design, plant layout, protection systems. Engineering controls: Separate (the hazard by guarding), Redesign (reconfigure equipment), Substitute (materials or processes)
• “Software” defenses: procedures, audits, management systems
• “Liveware” defenses: safety culture, training, alertness
The Quality of Risk and Control Data Can Be Improved Over Time
• Use appropriate risk analysis techniques
• Utilize professional training and facilitators
• Garbage in = garbage out
• If you get this right, you will focus resources on the right risks and opportunities
[Figure: What-If Worksheet]
Risk Registries as an Audit Planning Input
• Unit level: Unit 1, Unit 2 and Unit 3 Risk Inventories, each fed by PHA HAZOPs, LOPAs and What-Ifs
• Business Area level: Business Area A Risk Registry (unit risks, additional BU risks); Business Area B Risk Inventory (Unit 1+2+3 risks, additional BU risks); Business Area C Risk Registry (unit risks, additional BU risks)
• Business Unit level: Business Unit Risk Registry – VP level (BA A+B+C risks, additional BU risks); Business Unit Principal Risk Registry (prioritized BU risks)
• Corporate level: Principal Risk Registry and Corporate Risk Registry, alongside the other BU risk registries
Let’s Look at an Audit Process Flowchart (ISO 19001 conformant)
Frequently Asked Questions
Where should the function report?
If the leadership team supports the audit’s independence, where the function reports into is not important.
What should be the audit budget?
Budget adequate to complete the scheduled audits and employ outside experts where required.
Auditable Units – How Often Should I Audit?
Audit frequency alters with:
• Compliance history
• Strength of Internal Compliance Program
• Potential risk from poor program performance
• Performance indicators
• Regulatory environment
• Special concerns - sensitive locations / complex operations
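As an added worked example (not part of the webinar deck, and not a Nimonik or Management Horizons tool), the Python script below ties together three planning inputs the deck describes: the L1–L6 × C1–C6 standardized risk matrix, the roll-up of unit risk inventories into a prioritized principal risk registry, and an audit frequency that changes with the risk rating and compliance history. The multiplicative scoring rule, the rating thresholds, the interval table, the `Risk` fields and the sample risks are all constructed assumptions, not values taken from the deck.

```python
"""Risk-based audit planning helper (added example; assumptions are marked)."""
from dataclasses import dataclass

# Likelihood categories as named on the deck's standardized risk matrix.
LIKELIHOOD = {1: "Remote", 2: "Rare", 3: "Unlikely",
              4: "Possible", 5: "Probable", 6: "Virtually certain"}
CONSEQUENCE_LEVELS = range(1, 7)  # C1..C6; the deck does not name them


@dataclass(frozen=True)
class Risk:
    """One row of a unit risk inventory (field set is a constructed assumption)."""
    risk_id: str
    title: str
    likelihood: int          # L1..L6
    consequence: int         # C1..C6
    unit: str                # originating unit inventory
    compliance_history: str = "good"   # constructed: "good" or "poor"


def risk_score(likelihood: int, consequence: int) -> int:
    """Matrix cell as a number. Constructed rule: likelihood x consequence (1..36)."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE_LEVELS:
        raise ValueError(f"category out of range: L{likelihood} C{consequence}")
    return likelihood * consequence


def risk_rating(score: int) -> str:
    """Map a score to a rating band. Thresholds are constructed assumptions."""
    if score >= 20:
        return "High"
    if score >= 10:
        return "Medium"
    return "Low"


def score_of(risk: Risk) -> int:
    return risk_score(risk.likelihood, risk.consequence)


def roll_up(unit_inventories: dict[str, list[Risk]]) -> list[Risk]:
    """Merge unit inventories into a business-area registry.

    The same risk_id raised by several units is kept once, at the worst-case
    score, so the registry reflects the most exposed unit. Sorted highest first.
    """
    merged: dict[str, Risk] = {}
    for risks in unit_inventories.values():
        for r in risks:
            current = merged.get(r.risk_id)
            if current is None or score_of(r) > score_of(current):
                merged[r.risk_id] = r
    return sorted(merged.values(), key=score_of, reverse=True)


def principal_registry(registry: list[Risk]) -> list[Risk]:
    """Prioritized subset that escalates to the principal risk registry (High only)."""
    return [r for r in registry if risk_rating(score_of(r)) == "High"]


def audit_interval_months(risk: Risk) -> int:
    """Audit frequency driven by rating and compliance history.

    Constructed interval table: High yearly, Medium on a 3-year cycle, Low on a
    5-year plan; a poor compliance history halves the interval (floor 6 months).
    """
    base = {"High": 12, "Medium": 36, "Low": 60}[risk_rating(score_of(risk))]
    if risk.compliance_history == "poor":
        base = max(6, base // 2)
    return base


def audit_plan(unit_inventories: dict[str, list[Risk]]) -> list[tuple[str, str, int]]:
    """(risk_id, rating, months between audits) for every rolled-up risk."""
    return [(r.risk_id, risk_rating(score_of(r)), audit_interval_months(r))
            for r in roll_up(unit_inventories)]


# Constructed sample inventories; titles echo risks plotted on the deck's matrix.
SAMPLE_INVENTORIES: dict[str, list[Risk]] = {
    "Unit 1": [Risk("R-LEAK", "Pipeline leak undetected", 3, 6, "Unit 1"),
               Risk("R-PERMIT", "Permit approval delayed", 4, 2, "Unit 1")],
    "Unit 2": [Risk("R-LEAK", "Pipeline leak undetected", 4, 6, "Unit 2",
                    compliance_history="poor"),
               Risk("R-OUTAGE", "Protracted operational outage", 2, 5, "Unit 2")],
    "Unit 3": [Risk("R-SHORT", "Resource shortage", 5, 2, "Unit 3")],
}

if __name__ == "__main__":
    for risk_id, rating, months in audit_plan(SAMPLE_INVENTORIES):
        print(f"{risk_id:<10} {rating:<7} audit every {months} months")
    print("Principal registry:",
          [r.risk_id for r in principal_registry(roll_up(SAMPLE_INVENTORIES))])
```

The roll-up keeps the worst-case instance of a shared risk rather than the first one seen, which is the behaviour a VP-level registry needs when the same hazard appears in several unit inventories; the audit interval then follows the deck's point that frequency should fall when compliance history is poor.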
Audit Planning Process
Inputs: Principal Risks; Company Strategy & Value Drivers; Management Consultations; Prior Audit Insights; External Risks; In-Year High Risk Requests
Planning activities: Idea Generation & Project Scoping; Risk, Value, OEMS Alignment Prioritization & Selection; Coverage Over Time; Resourcing; Audit Plan; Process Improvement Project implementation; Continuous Improvement
• Risk-Based Audits: annual determination of targets; significant risks / critical controls: Environmental; Safety (Personnel and Process); Emerging Risks; Business Process Effectiveness; Compliance
• OEMS Audits – Hazardous Operations: 3-year cycle embedded into OEMS process audits: Process Hazard Analysis; Mechanical Integrity; Quality Assurance
• OEMS Audits – Non-Hazardous Operations / Functions: 5-year audit plan established; process audit approach
Bow-Tie Risk Analysis
A “bow-tie” is a graphical representation of the development paths from a hazard to its various potential consequences.
Audit Scheduling
• Identify liaison
• Meeting rooms, data access
• PPE
• Accommodations
• Special site requirements or rules
• Pre-audit document and records request: site plans, org charts, relevant standards, procedures and guidelines, process flows, prior audits
• Communication of audit criteria
• Develop a detailed Audit Interview Schedule in consultation with the Audit Team Leader (ATL)
• Assign individuals who will participate directly
• Audits usually take 1½ weeks with three or more auditors
• Schedule should be flexible to follow leads
OEMS Element – Audit Focus Example. Risk: Pipeline Leak Detection
Columns: CRITERIA | AUDIT FOCUS | LOOK FOR…
Element 2 – Risk Management
Audit focus: Process for the identification and assessment of risks
Look for: Risk Registries – Normal, Abnormal, Emergency
Element 3 – Legal and Other Requirements
Audit focus: Provincial Pipeline Act / Regulations; Reg 91/05; CSA Z662 and Annexes; Approval Conditions
Look for: Legal Registry; ESS Compliance Tasks; Controls (as per Element 9)
Element 7 – Learning and Competence
Audit focus: Critical Positions; Competency Requirements; Training Programs; Relevant Legal Requirements – E.5.1 Training Requirements: “Personnel responsible for interpreting and responding to the results of leak detection systems shall be knowledgeable about and receive training in…”
Look for: Critical Positions defined (as per Element 6); Role Descriptions (as per Element 6); Competency Documentation; Training Requirements; Records of training; Operator – interpreting and responding to results of leak detection system
Element 9 – Operations and Maintenance Controls
Audit focus: Leak Detection Processes; E.5.2 Leak Detection Manual: “Operating companies shall have a leak detection manual…”; Control System – SCADA design; Material Balance – persistent small leak detection; Instruments and Systems – process/procedures; Right of Way Inspections
Look for: Leak Detection Protocols / Manual; Operator – SCADA knowledge; Material Balance Results (daily, weekly, monthly); Operator – Instrument Readings and Response; Inspection Records
Element 15 – Incident Management
Audit focus: Protocol for response; Historical Leaks – Response and Root Cause Analysis
Look for: Incidents; Corrective Actions (as per Element 17)
Element 12 – Emergency Management
Audit focus: Testing; Exercises; Emergency Preparedness and Response
Look for: PM Programs for Emergency Equipment; Testing Results; Corrective Actions (as per Element 17); Drills and Exercises; ERP Plans
Audit Finding Classification Matrix
Findings should be clear and focused on the non-compliance / non-conformance to defensible criteria.
Columns: Audit Classification | Level of Response | Management Involvement
• Unacceptable – Grave concern. The Senior Vice President (EVP) shall: resolve findings; provide detailed quarterly reports to the Operations Committee on the activities and action plans to raise the local controls
• Not Satisfactory – Concern. The responsible VP shall: resolve findings; provide detailed semi-annual reports to the Operations Committee
• Satisfactory – Scope for enhancement. The responsible leader shall: resolve findings; take action to ensure that controls are raised
• Good – Specific. The responsible leader should: resolve findings; continue general improvement in controls
Continual Improvement Philosophy – Causal Analysis, Recommendations, and Corrective Actions
● To a nature and depth commensurate with the potential consequences of the finding
● Focus on system failures, not individuals or equipment
● Do not provide recommendations
● Reject inadequate corrective and preventive actions
● Ensure systemic issues are addressed
● Follow up on the efficacy of closed corrective actions
Using Technology to Assess and Improve Process
How to Improve Your Internal Audit Program?
• A great HSEQ management system framework
• Top-down, bottom-up leadership safety culture
• Efficient monitoring, measuring and self-assessment programs
• Independent internal audit function
• Auditor training and quality-check business process
• Hire outside experts
• Data analytics and automation
• A risk-based audit program design
• Effective reporting to senior management
• Good incident management / causal analysis programs
• Collaborative partner
• Feedback on performance
Cost/Benefit Analysis - In Conclusion - Management Must Make the Call On Risk and Reward Trade-offs