EHS Auditing: How self-auditing improves performance and reduces punishment

How well is your company complying with federal, state and local environmental, health and safety (EHS) regulatory requirements? How well is it complying with its own internal EHS standards and documented procedures?

These are questions EHS auditors assess when conducting an EHS audit, which most companies, regardless of size, have as an important, ingrained business practice.

Results of EHS audits provide a measure of the effectiveness of the overall EHS Management System to local and corporate leadership and other stakeholders and assist in identifying priorities for risk reduction and resource planning, process improvement, business continuity planning, and advancing the sustainability of the EHS function.

EHS auditing is not without risk, as the audited entity must be prepared to act on what may be discovered.  Both the U.S. Environmental Protection Agency (EPA) and Occupational Safety and Health Administration (OSHA) recognize this and understand that promoting self-auditing helps reach much farther and deeper than their own enforcement audit processes are capable.

Self-Policing Improves Environmental Performance and Reduces Punishment

During the 1990s, many attempts were made to reorient regulatory programs away from traditional “command-and-control structures” to more flexible forms of environmental regulation that emphasized collaboration and cooperation between regulating and regulated communities.  Out of this came the U.S. EPA's “Incentives for Self-Policing: Discovery, Disclosure, Correction, and Prevention of Violations,” commonly referred to as the Audit Policy in 1995. The intent of the Audit Policy was to improve environmental performance by encouraging more self-assessment and reducing punishment for companies that engage in proactive self-policing.

There are four provisions to take advantage of in the Audit Policy.

• The company must disclose to the U.S. EPA that a violation has, or may have, occurred within 21 days of the self-discovery of that violation.
• The discovery cannot be the result of a legally required monitoring, sampling, or auditing procedure (for example, as part of a required self-audit and self-disclosure process).
• Violations did not result in serious actual harm to the environment.
• The company must correct the discovered violation within 60 days of its discovery.

What about Repeat Violations?

The EPA Audit Policy cannot be used for repeat violations. A repeat violation consists of similar violations that have occurred at the same facility within the past three years or similar violations that have occurred as part of a pattern of violations at other of the company's facilities over the past five years.  In 2018 U.S. EPA re-emphasized the self-disclosure violation policy, including expanding to new company owners to self-disclose violations at recently acquired facilities.

Voluntary Self-Audits are Evidence of Good Faith, Not Evidence of Willful Violation

Federal OSHA implemented a similar Final Policy Concerning the Occupational Safety and Health Administration's Treatment of Voluntary Employer Safety and Health Self-Audits, minus the self-disclosure portion, in 2000.  The policy provides that the Agency will not routinely request self-audit reports at the initiation of an inspection, and the Agency will not use self-audit reports as a means of identifying hazards upon which to focus during an inspection. In addition, where a voluntary self-audit identifies a hazardous condition, and the employer has corrected the violative condition prior to the initiation of an inspection (or a related accident, illness, or injury that triggers the OSHA inspection) and has taken appropriate steps to prevent the recurrence of the condition, the Agency will refrain from issuing a citation, even if the violative condition existed within the six month limitations period during which OSHA is authorized to issue citations. Where a voluntary self-audit identifies a hazardous condition, and the employer promptly undertakes appropriate measures to correct that condition and to provide interim employee protection, but has not completely corrected the violative condition when an OSHA inspection occurs, the Agency will treat the audit report as evidence of good faith, and not as evidence of a willful violation of the Act.

ISO Standards Provide Structure for Internal Audit Programs

The International Organization for Standardization, commonly known as ISO, provides EHS Management Systems standards, including ISO 14001:2015 Environmental Management Systems and ISO 45001:2018 Occupational Health and Safety Management Systems.  For non-US based companies, registration to the ISO standards may be an extension of regulatory compliance, while some companies seek standardized sustainable processes to drive continuous improvement and demonstrate to customers a robust EHS Management System.

Both ISO 14001 and 45001 have specific requirements in Clause 9, Performance Evaluation, to “establish and maintain a process(es) for monitoring, measurement, analysis and performance evaluation”.  Both standards specify to include assessment of legal and other requirements, including:

• determining the frequency and method(s) for evaluation of compliance
• evaluating compliance and taking action as needed
• maintaining knowledge and understanding of (it’s) compliance status with legal requirements or other requirements

Internal vs. External Auditors: The Pros and Cons

Once you decide to implement a self-assessment process, identifying the right auditors is key.  Audits may be conduct by three types of auditors:

1. First-party internal auditors are those who are auditing their own work and operations.
2. Second-party internal auditors are within the organization but external to the operation/facility being audited.
3. Third-party external auditors are independent professional auditors.

First-party auditors will inevitably be somewhat less objective as they are assessing what they see every day, with the knowledge and understanding of requirements that initially established the current processes.  First- and second-party auditors may face political pressure to minimize negative findings, particularly high-risk findings.  Additionally, first- and second-party auditors may have difficulty dedicating uninterrupted time to conduct the audit.

Third-party independent auditors are typically “audit professionals” with specific technical or legal knowledge and/or experience who can bring a “fresh eyes” and a neutral perspective to the assessment process.  Third-party auditors have the ability to be more honest and objective and are typically able to dive deeper into the fine details of compliance during what is typically a scheduled audit event, with site resources dedicated to supporting the audit in a timely manner.

EnSafe auditors such as Glenn Bianchi have been on both sides of the auditor conundrum, conducting first-, second-, and third-party audits throughout their careers. Having spent the last 12 years of a 30+ career as an EHS expert, here are some benefits Glen suggests for selecting a third-party auditor:

• A fresh set of eyes, by technical experts, keeps the site staff “on their toes” from a technical standpoint.
• Being audited by a third party, sharpens everyone’s perspective on the relative strengths and weaknesses of the EHS Management System.
• There is substantial value in a “little or no findings result” from independent auditors to validate and boost the credibility of your EHS staff.
• If an organization suspects that their level of compliance is not quite what it should be, sometimes it’s more palatable to hear from an outside entity “what we already think we know”.

Whatever your motivation, a robust self-audit process is a key element of any EHS Management System to drive continuous improvement.

Whether you’re interested in strengthening your internal auditors’ capabilities through training or obtaining a third-party auditor, EnSafe can help.