How best to carry out compliance self-assessments or audits at your facilities
We will examine the challenge of determining how often you should carry out EHS regulatory compliance self-assessments and/or verification audits at your facilities.
We have already discussed the best practice approach to managing compliance on an ongoing basis. Taking such an approach should streamline your compliance program and make it more robust and ingrained in your organization. It should also require less time and money in order to audit and verify compliance status at your sites. Despite this, it will still be necessary to exercise an element of control and oversight on your sites, to verify their performance. But how often should you do this?
- Onsite EHS professionals have a multitude of different tasks – managing compliance with ever-changing EHS laws is simply one responsibility on a long list. There are also many different types of audits that EHS departments face from many parties (for example, actors in the supply chain, consumer groups, corporate, third party, etc). Each of these involve preparation and onsite time which could otherwise be spent managing other things.
- Carrying out a full-compliance self-assessment and following up with a corporate verification audit can be a lengthy and expensive process that requires valuable resources.
- Too many or too stringent expectations can have a negative impact on morale and performance.
- Not enough assessments, or reviews/audits can lead to compliance gaps appearing.
- Inconsistent, non-standardized audit tools and reporting structures can lead to unreliable data.
- The “snapshot” of compliance that an audit provides may not reflect day-to-day management.
The overall challenge seems to be one of cost-effectiveness: How can I achieve the results and overview I need without wasting valuable time and resources?
If you are able to carry out fewer EHS compliance audits while maintaining excellent compliance levels, this is a win-win for all concerned. Getting to this point requires a careful balancing of resources, provision of appropriate tools and services and engagement of site and regional EHS personnel.
In Enhesa’s specific experience working with the world’s largest companies, best practice compliance verification follows the following steps:
- Give sites and supervisors a consistent, quality solution (that can be used for both site self-assessments and verification audits); make it a corporate requirement for the sites in question to use it.
- Ensure that the solution you provide is tailored to each jurisdiction and available in both English and local language so that sites can adopt, learn from and trust the tool.
- Needless to say, it can greatly speed up and encourage uptake of the tool if it is financed centrally by corporate. This allows sites to free up budget for other things as their own local compliance tool will (potentially) no long be required.
- As a practical starting point, once an appropriate company-wide tool/service is in place, make sure that each site has undertaken an applicability assessment of the regulations and requirements that it needs to adhere to. This can be facilitated by creating site-type profiles that can be easily replicated across sites. Simple applicability questionnaires speed up this process and make it painless, but it also can help to have 3rd party expert support available on demand for this process.
- Best-in-class companies will generally start by doing an initial self-assessment at the launch of their program. This initial effort will provide a solid baseline and ensure efficiencies down the road. Depending on available resources, it can be best-practice to have a 3rd party provide support for this initial assessment phase.
- On an ongoing basis, site personnel can use regulatory change alerts to manage compliance as and when things change. Time is saved by focusing only on regulatory changes – and by not having to look out for changes themselves. This means an ongoing approach only needs to take a few hours per month, rather than several hours per week.
- If there is a change in work processes (e.g. new work equipment), review the applicability screening to see if anything changes for your regulatory obligations. Again, this would be a quick process due to the logical structure of the applicability question structure.
- If and when considered necessary, companies still use 2nd and/or 3rd party verification audits to review compliance status – but as compliance status will be more continuously and transparently managed, this should only be required in cases of high-risk or repeated failings. This might be annually in some cases, but could even be every two, three or five years in others. In essence, with a global company-wide solution it facilitates a risk-based approach that can save on the numbers of expensive audits you will need to carry out – and focus on clear pain points in specific locations.
So how often should you self-assess and audit? Well, each company (and even different sites within a company) will require different approaches based on their respective risk profile. However, to enable a risk-based approach you need a baseline from which to identify areas of higher compliance risks. For example, you may require your manufacturing sites to self-assess annually, giving you a vision on where things stand. Based on these results (or lack of them), you may then decide to carry out streamlined audits on specific sites every one, two, three or even five years…rather than audit each site every year or two. Placing a level of trust in sites for their own compliance performance can also encourage ownership and responsibility – especially when sites know that they can be measured against others.
To conclude, it is worth referring to the words of corporate EHS Directors who have adopted a best-practice approach to compliance self-assessments and audits.
Jay Jayaraman of Jabil: “It is an annual requirement that each site needs to have completed by the end of June every year. This is a corporate requirement. It will be the site level EHS person (or the site team, depending on the site) who is responsible for this. It is the Enhesa Compliance Dashboard which is used for this. They can do the self-assessment more frequently than annually, depending on specific site findings or circumstances, but they need to have completed the whole checklist by end of June. As they are able to do this assessment on-line I can then export data to do calculations and examine gaps.
We will audit each site once every three years. The audit team will be corporate EHS folks, usually three people for one whole week, and we will also be accompanied by a site EHS person. The audits are two-pronged; first we examine the management system maturity model. Second we then look at compliance with local regulations as well as Jabil’s own requirements – our corporate standards”.
Jeff Reddick of Johnson Controls says “We see compliance assurance very much as an ongoing process – where sites are required to self-assess through Enhesa Scorecards. We then follow that up with audits to validate those assessments. Our approach is that we get a second or third party to audit each site every three years. Whether it is a second party (JCI person from outside the site in question) or third party can depend on the funding we have available from year to year.”