Compliance or Risk-Based Safety Audits? Is there a Best Practice Approach?
Sponsored Article by Scott Gaddis
Safety program auditing provides confidence to organizations that operational risks are measured through sufficient identification, control, monitoring, and governance. Audits are conducted to better understand the management system and to evaluate the level of compliance with internal requirements and external regulations. Such audits use audit protocols to identify problems so that any deficiency can be corrected before a loss or a compliance issue is experienced.
Safety auditing is conducted usually for the following reasons:
- To ensure compliance with the requirements of internal, international, and industry standards and regulations, and with customer requirements
- To determine the effectiveness of the implemented system in meeting specified objectives (quality, environmental, financial)
- To explore opportunities for improvement
- To meet statutory and regulatory requirements
- To provide feedback to senior management
There are two main schools of thought when it comes to Safety Program auditing. Most of us are familiar with the traditional compliance-based approach, where documentation is reviewed to ensure that controls and procedures meet governmental requirements and that operational instructions are performed as desired. The significant drawback of this approach is that it is a paper exercise: rules and procedures are reviewed, and samples are taken in the field to confirm what was viewed on paper. Traditional auditing ensures that programs are compliant on paper; however, that does not mean the Safety Management System (SMS) is effective.
On the other hand, risk-based auditing focuses on areas where most safety risk is present within the management system. This is not to say that you don't pay attention to regulatory requirements or disregard compliance. Still, a good risk-based audit looks at the management system's specific areas that create the most concern. It focuses on higher-risk activities that are of significance to the organization. By concentrating on threats rather than just controls, it is often more efficient than traditional approaches.
A best-practice approach to auditing may be to consider the ISO 45001 standard as a starting point. This standard follows a structured approach in its application. It can serve as an audit protocol for understanding risks within the management system while also delivering a compliance profile against governmental requirements.
With a best-practice approach to auditing, it's critical to consider the following:
- Determine all risks that could compromise success. These should include compliance requirements from all governmental agencies that have an impact on the safety program. It is also important to understand general risks, that is, the risks that could occur and affect the program's success. Once this is done, proceed to analysis.
- Analyze management system risks by reviewing documentation, past loss control reports, completed inspections, near-miss or found-hazard reports, prior audits, and interviews with employees, contractors, and visitors to understand the depth of auditing required. ISO standards provide a clear path to understanding potential risks and their possible effects.
- Ensure the audit protocol covers any gaps you have discovered in your risk determination and analysis exercise.
- Once compliance issues and management system gaps are documented, ensure that actions are taken to close them within a timeframe based on priority.
- Monitor actions to ensure closure within a defined period. This should be done with an understanding of the level of risk to the EHSQ program.
Taking a risk-based approach to auditing is a necessary exercise to ensure the safety program's overall robustness. This auditing method allows the discovery of compliance gaps and management system gaps that pose a risk before a future loss is experienced. Most importantly, this approach requires conversation and living within the mindset of understanding the safety system and how it is demonstrated in the organization. In essence, organizations are looking to understand the potential risks to the organization rather than simply reviewing documentation and building controls.