Internal Audit Best Practices for Safety, Environment, and Quality Audits

Nimonik has seen a wide variety of internal Health, Safety, Environmental and Quality (HSEQ) audit programs. They seem to come in all shapes and sizes! Each company tends to focus on different risks and controls.

Whether your organization conforms to ISO 19011 or another internal audit standard, re-focusing your internal audit program on your risks, controls, and operational reality is a key driver for operational excellence.

On March 14th, John Wolfe shared insights from over 20 years as a hands-on HSE Director and as the Sr. Director of Operations Integrity Audit for a global Oil & Gas company. John outlined the attributes of an outstanding internal audit program. He showed you how you can build out a program tailored to your operations and add tremendous value to your business.

Published in: Education

  1. By John Wolfe. Internal Audit Best Practices for Safety, Environment, and Quality Audits
  2. Presenter: John Wolfe, CEO, Management Horizons. Facilitator: Jessica Minhas, Marketing Manager, Nimonik
  3. Webinar Objectives. Share Knowledge: Health, Safety, Environment, and Quality Internal Audit Program Best Practices. Agenda: • Program drivers • HSEQ Management Systems and where audits and assessments fit in • Compliance obligations and risk management inputs to the auditing process • Internal audit business processes • The audit planning processes • Frequently asked questions
  4. Safety & environmental performance is a continuing business risk. Why is an Operationally Excellent Program Needed? Fatalities and serious injuries persist. Safety process & programs costs are increasing.
  5. • A well integrated HSEQ management system framework, and safety culture are a required foundation • An effective Internal Audit Program can help identify best practices and operational weaknesses. You are a powerful agent of change! So What can We Do to Improve these Trends?
  6. Look at Your Data - Trends and Critical Controls
  7. HSEQ Management Systems Framework
  8. Management System Framework: Company-wide; BU/Functions; Facility/Asset. Policy; Standards, Guidelines; Procedures, Instructions, Specifications & Tools. OEMS Audit Focuses on the “How” implemented to accomplish the “What”. Management Systems Hierarchy
  9. Having Controls Documented is Not Enough. Documentation Is Not Enough
  10. Element 16 (diagram with E2, E3, E9, E10, E13, E17): Elements that Element 16 is dependent upon; Elements dependent on Element 16 delivery; Multiple cross references. E2 – Risk Management; E3 – Legal Req. & Commit.; E9 – Ops. & Mtce. Controls; E10 – Contractor Mgmt.; E13 – Comm. & Stake. Relations; E17 – Corrective Actions. Audit and Assessments: Interdependencies
  11. Assessments: Internal; Client - Business. Audits: Independent; Client - Corporate or external. Other Monitoring & Assurance Activities. Element 16. Day-to-day management of controls, e.g. Internal controls, Inspections, Checklists, Quality Reviews, Workplace Observations. Business managed evaluation, e.g. OEMS Self-assessments, compliance reviews, M&R Assessments. OIA; IA; External. Other Elements, e.g. 9, 14. Where Audits and Assessments Fit
  12. EHS Management System Self Assessments & Maturity Roadmaps
  13. Lack of Coordination across Risk Functions Can Create Overlap, Redundancy and Increased Costs. Internal Audit; Risk Management; Business units; Compliance; Internal Control; Information Technology; Legal and Regulatory; External Audit. Board/senior management oversight: Audit committee; Risk committee; Other committees. Siloed risk functions reduce value, increase costs, and impact business performance
  14. Compliance Obligations Data Inputs. Note: Each Element has its own PDCA cycle
  15. The Risk Management Process Data Inputs. Risk Assessment Model (Adapted from the ISO Risk 31000 STD). Communicate & Train: Communication; Reporting; Training. Risk Structure & Accountability: Risk Roles & Responsibilities: Executive Leadership Team; Chief Risk Officer; Business & Function Leaders & Management. Mandate & Commitment: Policy; Standards; Procedures/Guidelines. Measure, Review & Improve: Control Assurance; Policy Standards & Guidelines; KPI’s; KRI’s. Risk management information to action: Risk Assurance; Risk Registers; Treatment Plan; Reporting Templates. Strategic Process (Framework Implementation); Strategic Process (Framework continuous improvement cycle). Tactical Process (Process for Managing Risk): Communicate and consult; Establish the context; Risk assessment (Identify risks, Analyze risks, Evaluate risks); Treat risks; Monitor and review
  16. Integrated Risk Analysis Methods • Brainstorming • Field level risk assessment • Job safety analysis • What-if • HAZOP – Hazard and Operability Study • Failure Mode Effects Analysis • Process Hazard Analysis • Layers Of Protection Analysis etc. Hazard Identification Methods
  17. Standardized Risk Matrix. Likelihood Category (Increasing Likelihood): L1 Remote; L2 Rare; L3 Unlikely; L4 Possible; L5 Probable; L6 Virtually certain. Consequence Category (Increasing Consequence): C1 C2 C3 C4 C5 C6. Risks shown: Protracted Operational Outage; Permit Approval Risk; Environmental Policy / Regulation Change; Resource Shortage; Environmental / Safety Incident; EH&S / Regulation Non-Compliance; Natural Disaster / Business Continuity Planning
  18. Dynamics of an Incident and the Hierarchy of Controls. System 1; System 2; System 3; System 4; System 5; System 6; System 7. “Hardware” Defenses: Process design; Plant layout; Protection systems. Engineering Controls: Separate: The hazard by guarding; Redesign: Reconfigure equipment; Substitute: Materials or processes. “Software” Defenses: Procedures; Audits; Management systems. “Liveware” Defenses: Safety culture; Training; Alertness. Unusual conditions. Latent failures in systems
  19. The Quality of Risk and Control Data Can Be Improved Over Time • Use appropriate risk analysis techniques • Utilize professional training and facilitators • Garbage in = garbage out • If you get this right – you will focus resources on the right risks and opportunities. What if Worksheet
  20. Risk Registries as an Audit Planning Input. Unit 1 Risk Inventory (PHA Hazops, LOPAs, What Ifs); Unit 2 Risk Inventory (PHA Hazops, LOPAs, What Ifs); Unit 3 Risk Inventory (PHA Hazops, LOPAs, What Ifs). Business Area A Risk Registry • Unit Risks • Additional BU Risks. Business Area B Risk Inventory • Unit 1+2+3 Risks • Additional BU Risks. Business Area C Risk Registry • Unit Risks • Additional BU Risks. Business Unit Risk Registry - VP Level • BA A+B+C Risks • Additional BU Risks. Business Unit Principal Risk Registry • Prioritized BU Risks. Other BU Risk Registries. Principal Risk Registry. Corporate Risk Registry
  21. Let’s Look at an Audit Process Flowchart (ISO 19001 conformant)
  22. Frequently Asked Questions. Where should the function report? If the leadership team supports the audit’s independence, where the function reports into is not important. What should be the audit budget? Budget adequate to complete the scheduled audits and employ outside experts where required.
  23. Frequently Asked Questions. Auditable Units. How Often Should I Audit? Audit frequency alters with: • Compliance history • Strength of Internal Compliance Program • Potential risk from poor program performance • Performance indicators • Regulatory environment • Special concerns - sensitive locations / complex operations
  24. Audit Planning Process. In-Year High Risk Requests. 3 Year cycle. Embedded into OEMS Process Audits • Process Hazard Analysis • Mechanical Integrity • Quality Assurance. OEMS Audits – Hazardous Operations • Annual Determination of Targets • Significant Risks / Critical Controls • Environmental • Safety (Personnel and Process) • Emerging Risks • Business Process Effectiveness • Compliance. Risk-Based Audits. Inputs and stages: Principal Risks; Company Strategy & Value Drivers; Management Consultations; Audit Plan Idea Generation & Project Scoping; Coverage Over Time; Resourcing; Risk, Value, OEMS Alignment; Prioritization & Selection; Process Improvement; Project implementation; Continuous Improvement; Prior Audit Insights; External Risks • 5 Year Audit Plan Established • Process Audit Approach on Hazardous Operations / Functions
  25. Bow-Tie Risk Analysis. “Bow-tie” – is a graphical representation of the development paths from a hazard to its various potential consequences
  26. Audit Scheduling • Identify liaison • Meeting Rooms - Data Access • PPE • Accommodations • Special site requirements or rules • Pre audit document and records request - site plans - org charts - relevant standards, procedures and guidelines - process flows - prior audits • Communication of audit criteria • Develop a detailed Audit Interview Schedule in consultation with Audit Team Leader (ATL) • Assign individuals who will participate directly • Audits usually take 1 and ½ weeks with three or more auditors • Schedule should be flexible to follow leads
  27. OEMS Element - Audit Focus Example. Risk: Pipeline Leak Detection. Columns: CRITERIA | AUDIT FOCUS | LOOK FOR… Element 2 Risk Management: Process for the identification and assessment of risks; Risk Registries • Normal • Abnormal • Emergency. Element 3 Legal and Other Requirements: Provincial Pipeline Act / Regulations; Reg 91/05; CSAZ662 and Annexes; Approval Conditions; Legal Registry; ESS Compliance Tasks; Controls (as per Element 9). Element 7 Learning and Competence: Critical Positions; Competency Requirements; Training Programs; Relevant Legal Requirements; E.5.1 Training Requirements “Personnel responsible for interpreting and responding to the results of leak detection systems shall be knowledgeable about and receive training in…”; Critical Positions defined (as per Element 6); Role Descriptions (as per Element 6); Competency Documentation; Training Requirements; Records of training; Operator – Interpreting and responding to results of leak detection system. Element 9 Operations and Maintenance Controls: Leak Detection Processes; E.5.2 Leak Detection Manual “Operating companies shall have a leak detection manual…”; Control System - SCADA design; Material Balance – Persistent small leak detection; Instruments and Systems – Process/Procedures; Right of Way Inspections; Leak Detection Protocols / Manual; Operator - SCADA knowledge; Material Balance Results (daily, weekly, monthly); Operator - Instrument Readings and Response; Inspection Records. Element 15 Incident Management: Protocol for response; Historical Leaks – Response and Root Cause Analysis; Incidents; Corrective Actions (as per Element 17). Element 12 Emergency Management: Testing Exercises; Emergency Preparedness and Response; PM Programs for Emergency Equipment; Testing Results; Corrective Actions (as per Element 17); Drills and Exercises; ERP Plans
  28. Audit Finding Classification Matrix. Findings should be clear and focused on the non-compliance / non-conformance to defensible criteria. Columns: Audit Classification | Level Of Response | Management Involvement. Unacceptable | Grave concern | The Senior Vice President (EVP) shall: ● Resolve findings ● Provide detailed quarterly reports to the Operations Committee on the activities and action plans to raise the local controls. Not Satisfactory | Concern | The responsible VP shall: ● Resolve findings ● Provide detailed semi-annual reports to the Operations Committee. Satisfactory | Scope for enhancement | The responsible leader shall: ● Resolve findings ● Take action to ensure that controls are raised. Good | Specific | The responsible leader should: ● Resolve findings ● Continue general improvement in controls
  29. Continual Improvement Philosophy. Causal Analysis, Recommendations, and Corrective Actions ● To a nature and depth commensurate with the potential consequences of the finding ● Focus on system failures not individuals or equipment ● Do not provide recommendations ● Reject inadequate corrective and preventive actions ● Ensure systemic issues are addressed ● Follow-up on the efficacy of closed corrective actions
  30. Using Technology to Assess and Improve Process
  31. How to Improve Your Internal Audit Program? • A great HSEQ management system framework • Top down, bottom up leadership safety culture • Efficient monitoring, measuring and self-assessment programs • Independent internal audit function • Auditor training and quality check business process • Hire outside experts • Data analytics and automation • A risk-based audit program design • Effective reporting to senior management • Good incident management / causal analysis programs • Collaborative partner • Feedback on performance
  32. Cost/Benefit Analysis. In Conclusion: Management Must Make the Call On Risk and Reward Trade-offs
  33. For more information: www.nimonik.com, 1-888-608-7511, info@nimonik.com
