How Best to Carry Out EHS Regulatory Compliance Self-Assessments or Audits at Your Facilities?

This article was first published on the Enhesa blog on 24th January 2019

Introduction

The best practice approach to managing compliance on an ongoing basis has already been discussed. Taking such an approach should streamline your compliance program and make it more robust and ingrained in your organization. It should also require less time and money in order to audit and verify compliance status at your sites. Despite this, it will still be necessary to exercise an element of control and oversight on your sites, to verify their performance. But how often should you do this?

Challenges

• Onsite EHS professionals have a multitude of different tasks – managing compliance with ever-changing EHS laws is simply one responsibility on a long list. There are also many different types of audits that EHS departments face from many parties (for example, actors in the supply chain, consumer groups, corporate, third party, etc). Each of these involve preparation and onsite time which could otherwise be spent managing other things.
• Carrying out a full-compliance self-assessment and following up with a corporate verification audit can be a lengthy and expensive process that requires valuable resources.
• Too many or too stringent expectations can have a negative impact on morale and performance.
• Not enough assessments, or reviews/audits can lead to compliance gaps appearing.
• Inconsistent, non-standardized audit tools and reporting structures can lead to unreliable data.
• The “snapshot” of compliance that an audit provides may not reflect day-to-day management.

The overall challenge seems to be one of cost-effectiveness: How can I achieve the results and overview I need without wasting valuable time and resources?

Best Practice:

If you are able to carry out fewer EHS compliance audits while maintaining excellent compliance levels, this is a win-win for all concerned. Getting to this point requires a careful balancing of resources, provision of appropriate tools and services and engagement of site and regional EHS personnel.

From experience working with some of the world’s largest companies, best practice compliance verification typically follows the following steps:

• Give sites and supervisors a consistent, quality solution (that can be used for both site self-assessments and verification audits); make it a corporate requirement for the sites in question to use it.
• Ensure that the solution you provide is tailored to each jurisdiction and available in both English and local language so that sites can adopt, learn from and trust the tool.
• Needless to say, it can greatly speed up and encourage uptake of the tool if it is financed centrally by corporate. This allows sites to free up budget for other things as their own local compliance tool will (potentially) no long be required.
• As a practical starting point, once an appropriate company-wide tool/service is in place, make sure that each site has undertaken an applicability assessment of the regulations and requirements that it needs to adhere to. This can be facilitated by creating site-type profiles that can be easily replicated across sites. Simple applicability questionnaires speed up this process and make it painless, but it also can help to have 3rd party expert support available on demand for this process.
• Best-in-class companies will generally start by doing an initial self-assessment at the launch of their program. This initial effort will provide a solid baseline and ensure efficiencies down the road. Depending on available resources, it can be best-practice to have a 3rd party provide support for this initial assessment phase.
• On an ongoing basis, site personnel can use regulatory change alerts to manage compliance as and when things change. Time is saved by focusing only on regulatory changes – and by not having to look out for changes themselves. This means an ongoing approach only needs to take a few hours per month, rather than several hours per week.
• If there is a change in work processes (e.g. new work equipment), review the applicability screening to see if anything changes for your regulatory obligations. Again, this would be a quick process due to the logical structure of the applicability question structure.
• If and when considered necessary, companies still use 2nd and/or 3rd party verification audits to review compliance status – but as compliance status will be more continuously and transparently managed, this should only be required in cases of high-risk or repeated failings. This might be annually in some cases, but could even be every two, three or five years in others. In essence, with a global company-wide solution it facilitates a risk-based approach that can save on the numbers of expensive audits you will need to carry out – and focus on clear pain points in specific locations.

Conclusion:

So how often should you self-assess and audit? Well, each company (and even different sites within a company) will require different approaches based on their respective risk profile. However, to enable a risk-based approach you need a baseline from which to identify areas of higher compliance risks. For example, you may require your manufacturing sites to self-assess annually, giving you a vision on where things stand. Based on these results (or lack of them), you may then decide to carry out streamlined audits on specific sites every one, two, three or even five years…rather than audit each site every year or two. Placing a level of trust in sites for their own compliance performance can also encourage ownership and responsibility – especially when sites know that they can be measured against others.