Nimonik has seen a wide variety of internal Health, Safety, Environmental and Quality (HSEQ) audit programs. They seem to come in all shapes and sizes! Each company tends to focus on different risks and controls.
Whether your organization conforms to ISO 19011 or another internal audit standard, re-focusing your internal audit program on your risks, controls, and operational reality is a key driver for operational excellence.
On March 14th, John Wolfe shared insights from over 20 years as a hands-on HSE Director and as the Sr. Director of Operations Integrity Audit for a global Oil & Gas company. John outlined the attributes of an outstanding internal audit program and showed how to build out a program tailored to your operations that adds tremendous value to your business.
3. Webinar Objectives
Today’s objective: share knowledge on Health, Safety, Environment, and Quality internal audit program best practices.
Agenda
• Program drivers
• HSEQ management systems and where audits and assessments fit in
• Compliance obligations and risk management inputs to the auditing process
• Internal audit business processes
• The audit planning processes
• Frequently asked questions
4. Why is an Operationally Excellent Program Needed?
• Safety & environmental performance is a continuing business risk
• Fatalities and serious injuries persist
• Safety process & program costs are increasing
5. So What Can We Do to Improve These Trends?
• A well integrated HSEQ management system framework and safety culture are a required foundation
• An effective internal audit program can help identify best practices and operational weaknesses
You are a powerful agent of change!
6. Look at Your Data - Trends and Critical Controls
8. Management System Framework
Management systems hierarchy, from company-wide through BU/Functions to Facility/Asset:
• Policy
• Standards, Guidelines
• Procedures, Instructions, Specifications & Tools
The OEMS audit focuses on the “How” implemented to accomplish the “What”.
10. Audit and Assessments: Interdependencies
Element 16 (Audit and Assessments) has multiple cross references to other elements: some are elements that Element 16 is dependent upon, others are elements dependent on Element 16 delivery. The elements in the diagram:
• E2 – Risk Management
• E3 – Legal Requirements & Commitments
• E9 – Operations & Maintenance Controls
• E10 – Contractor Management
• E13 – Communications & Stakeholder Relations
• E17 – Corrective Actions
11. Where Audits and Assessments Fit
Three tiers of monitoring and assurance:
• Other monitoring & assurance activities (other elements, e.g. 9 and 14): day-to-day management of controls, e.g. internal controls, inspections, checklists, quality reviews, workplace observations
• Assessments (Element 16; internal; the client is the business): business-managed evaluation, e.g. OEMS self-assessments, compliance reviews, M&R assessments
• Audits (Element 16; independent; the client is corporate or external): OIA (Operations Integrity Audit), IA (Internal Audit), External
13. Lack of Coordination across Risk Functions Can Create Overlap, Redundancy and Increased Costs
Board/senior management oversight: Audit committee, Risk committee, Other committees
Risk functions, each reaching into the business units separately: Internal Audit, Risk Management, Compliance, Internal Control, Information Technology, Legal and Regulatory, External Audit
Siloed risk functions reduce value, increase costs, and impact business performance.
14. Compliance Obligations Data Inputs
Note: each element has its own PDCA cycle.
15. The Risk Management Process Data Inputs
Risk Assessment Model (adapted from the ISO 31000 risk management standard)
Strategic process (framework implementation and the framework continuous improvement cycle):
• Mandate & Commitment: Policy; Standards; Procedures/Guidelines
• Risk Structure & Accountability. Risk roles & responsibilities: Executive Leadership Team; Chief Risk Officer; Business & Function Leaders & Management
• Communicate & Train: Communication; Reporting; Training
• Measure, Review & Improve: Control assurance; Policy; Standards & Guidelines; KPIs; KRIs
• Risk management information to action: Risk Assurance; Risk Registers; Treatment Plan; Reporting Templates
Tactical process (process for managing risk):
1. Establish the context
2. Risk assessment: 2a. Identify risks; 2b. Analyze risks; 2c. Evaluate risks
3. Treat risks
4. Communicate and consult (throughout)
5. Monitor and review (throughout)
16. Integrated Risk Analysis Methods
Hazard identification methods:
• Brainstorming
• Field level risk assessment
• Job safety analysis
• What-if
• HAZOP – Hazard and Operability Study
• Failure Mode Effects Analysis
• Process Hazard Analysis
• Layers of Protection Analysis (LOPA), etc.
18. Dynamics of an Incident and the Hierarchy of Controls
An incident develops when unusual conditions meet latent failures in successive defensive systems (System 1 through System 7). The defenses fall into three groups:
• “Hardware” defenses: process design; plant layout; protection systems. Engineering controls: Separate (the hazard, by guarding); Redesign (reconfigure equipment); Substitute (materials or processes)
• “Software” defenses: procedures; audits; management systems
• “Liveware” defenses: safety culture; training; alertness
19. The Quality of Risk and Control Data Can Be Improved Over Time
• Use appropriate risk analysis techniques
• Utilize professional training and facilitators
• Garbage in = garbage out
• If you get this right, you will focus resources on the right risks and opportunities.
Illustrated with a What-if worksheet.
20. Risk Registries as an Audit Planning Input
Risk registries roll up from the unit level to the corporate level:
• Unit 1, Unit 2 and Unit 3 Risk Inventories, each fed by PHA HAZOPs, LOPAs and What-ifs
• Business Area A Risk Registry (unit risks + additional BU risks); Business Area B Risk Inventory (Unit 1+2+3 risks + additional BU risks); Business Area C Risk Registry (unit risks + additional BU risks)
• Business Unit Risk Registry, VP level (BA A+B+C risks + additional BU risks)
• Business Unit Principal Risk Registry (prioritized BU risks)
• Corporate Risk Registry (the Principal Risk Registry together with other BU risk registries)
21. Let’s Look at an Audit Process Flowchart (ISO 19011 conformant)
22. Frequently Asked Questions
Where should the function report?
If the leadership team supports the audit’s independence, where the function reports into is not important.
What should be the audit budget?
Budget adequate to complete the scheduled audits and employ outside experts where required.
23. Auditable Units: How Often Should I Audit?
Audit frequency alters with:
• Compliance history
• Strength of the internal compliance program
• Potential risk from poor program performance
• Performance indicators
• Regulatory environment
• Special concerns: sensitive locations / complex operations
24. Audit Planning Process
Inputs: Principal Risks; Company Strategy & Value Drivers; Management Consultations; Prior Audit Insights; External Risks; In-Year High Risk Requests
Steps: Idea Generation & Project Scoping → Prioritization & Selection (Risk, Value, OEMS Alignment; Coverage Over Time; Resourcing) → Audit Plan → Process Improvement Project implementation → Continuous Improvement
Two streams of audits feed the plan:
• OEMS Audits – Hazardous Operations (3 year cycle, embedded into the OEMS process): Process Hazard Analysis; Mechanical Integrity; Quality Assurance
• Risk-Based Audits (annual determination of targets): Significant Risks / Critical Controls; Environmental; Safety (Personnel and Process); Emerging Risks; Business Process Effectiveness; Compliance
• 5 Year Audit Plan established; process audit approach on hazardous operations / functions
25. Bow-Tie Risk Analysis
A “bow-tie” is a graphical representation of the development paths from a hazard to its various potential consequences.
26. Audit Scheduling
• Identify liaison
• Meeting rooms, data access
• PPE
• Accommodations
• Special site requirements or rules
• Pre-audit document and records request: site plans, org charts, relevant standards, procedures and guidelines, process flows, prior audits
• Communication of audit criteria
• Develop a detailed audit interview schedule in consultation with the Audit Team Leader (ATL)
• Assign individuals who will participate directly
• Audits usually take 1½ weeks with three or more auditors
• Schedule should be flexible to follow leads
27. OEMS Element - Audit Focus Example
Risk: Pipeline Leak Detection. For each element: Criteria / Audit Focus / Look for…
Element 2 – Risk Management
• Criteria: process for the identification and assessment of risks
• Audit focus: risk registries
• Look for: normal, abnormal and emergency operating modes covered
Element 3 – Legal and Other Requirements
• Criteria: Provincial Pipeline Act / Regulations; Reg 91/05; CSA Z662 and Annexes; approval conditions
• Audit focus: legal registry; ESS compliance tasks
• Look for: controls (as per Element 9)
Element 7 – Learning and Competence
• Criteria: critical positions; competency requirements; training programs; relevant legal requirements, e.g. E.5.1 Training Requirements: “Personnel responsible for interpreting and responding to the results of leak detection systems shall be knowledgeable about and receive training in…”
• Audit focus: critical positions defined (as per Element 6); role descriptions (as per Element 6); competency documentation; training requirements
• Look for: records of training; operator – interpreting and responding to results of the leak detection system
Element 9 – Operations and Maintenance Controls
• Criteria: leak detection processes; E.5.2 Leak Detection Manual: “Operating companies shall have a leak detection manual…”
• Audit focus: control system – SCADA design; material balance – persistent small leak detection; instruments and systems – process/procedures; right of way inspections; leak detection protocols / manual
• Look for: operator – SCADA knowledge; material balance results (daily, weekly, monthly); operator – instrument readings and response; inspection records
Element 15 – Incident Management
• Criteria: protocol for response
• Audit focus: historical leaks – response and root cause analysis
• Look for: incidents; corrective actions (as per Element 17)
Element 12 – Emergency Management
• Criteria: testing; exercises; emergency preparedness and response
• Audit focus: PM programs for emergency equipment; testing results; corrective actions (as per Element 17)
• Look for: drills and exercises; ERP plans
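The “material balance – persistent small leak detection” item under Element 9 is the reason an auditor asks for daily, weekly and monthly balance results rather than only the per-day alarm log: meter uncertainty hides a small leak from any single day’s balance, and only the accumulated trend reveals it. The Python below is an added example, not from the webinar or from any operator’s SCADA or leak detection system. The inlet and outlet volumes, the line-pack changes, the meter-noise table, the 0.3% leak and the thresholds (a 1% per-day limit, a CUSUM allowance of 0.15% and a decision interval of 0.9%) are all constructed for illustration.

```python
"""Material-balance leak detection on constructed daily pipeline meter data.

Added example, not from the webinar. A material balance compares the volume
metered into a pipeline segment with the volume metered out, corrected for the
change in line pack (inventory held in the line). Meter uncertainty scatters
the daily balance around zero; a persistent small leak shifts the whole series
by a fraction that stays below any sensible per-day alarm limit but
accumulates steadily. A one-sided CUSUM detects that shift within days.
All volumes, line-pack changes, the noise table and the thresholds below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PPM = 1_000_000


@dataclass(frozen=True)
class Reading:
    day: int
    volume_in: float        # m3 metered at the inlet over the day
    volume_out: float       # m3 metered at the outlet over the day
    linepack_delta: float   # m3 change in line inventory over the day


# Constructed meter error for 20 days, in ppm of daily throughput:
# roughly +/-0.3% scatter that sums close to zero, i.e. no real loss.
METER_NOISE_PPM: List[int] = [
    2000, -1500, 500, -3000, 2500, -1000, 0, 1500, -2000, 1000,
    -500, 3000, -2500, 1000, -1000, 500, 2000, -1500, -500, 0,
]
# Constructed line-pack changes (m3), cycled over the period.
LINEPACK_DELTA_M3: List[float] = [15.0, -10.0, 5.0, -20.0, 0.0, 10.0, -5.0, 25.0, -15.0, 0.0]


def synthesize_readings(leak_ppm: int, throughput_m3: float = 10_000.0) -> List[Reading]:
    """One reading per noise entry, with a constant leak of leak_ppm of throughput.

    The outlet meter sees throughput minus the leak minus the meter error, less
    whatever went into line pack, so the recovered imbalance is leak + noise.
    """
    readings = []
    for day, noise in enumerate(METER_NOISE_PPM):
        linepack = LINEPACK_DELTA_M3[day % len(LINEPACK_DELTA_M3)]
        unaccounted = (leak_ppm + noise) / PPM
        volume_out = throughput_m3 * (1.0 - unaccounted) - linepack
        readings.append(Reading(day, throughput_m3, volume_out, linepack))
    return readings


def imbalance_ppm(r: Reading) -> int:
    """Daily unaccounted volume as ppm of inlet volume; positive means loss."""
    unaccounted = r.volume_in - r.volume_out - r.linepack_delta
    return round(unaccounted / r.volume_in * PPM)


def daily_threshold_alarms(series_ppm: List[int], threshold_ppm: int) -> List[int]:
    """Days on which the day's balance alone exceeds a fixed per-day limit."""
    return [day for day, x in enumerate(series_ppm) if x > threshold_ppm]


def cusum_first_alarm(series_ppm: List[int], k_ppm: int, h_ppm: int) -> Tuple[Optional[int], List[int]]:
    """One-sided CUSUM for an upward shift (sustained loss).

    k_ppm is the allowance, normally half the smallest shift worth detecting;
    h_ppm is the decision interval. Returns the first alarm day (or None) and
    the CUSUM statistic for every day.
    """
    s = 0
    first: Optional[int] = None
    history = []
    for day, x in enumerate(series_ppm):
        s = max(0, s + x - k_ppm)
        history.append(s)
        if first is None and s > h_ppm:
            first = day
    return first, history


def evaluate(leak_ppm: int, daily_limit_ppm: int = 10_000, k_ppm: int = 1_500, h_ppm: int = 9_000) -> dict:
    """Run both detectors over the constructed period and summarize the outcome."""
    series = [imbalance_ppm(r) for r in synthesize_readings(leak_ppm)]
    first, history = cusum_first_alarm(series, k_ppm, h_ppm)
    return {
        "leak_ppm": leak_ppm,
        "max_daily_ppm": max(series),
        "daily_alarm_days": daily_threshold_alarms(series, daily_limit_ppm),
        "cusum_first_alarm_day": first,
        "cusum_peak_ppm": max(history),
    }


if __name__ == "__main__":
    for leak in (0, 3_000):   # no leak, then a persistent 0.3% loss
        print(evaluate(leak))
```

With no leak the daily balance never exceeds 0.3% and the CUSUM stays near zero; with a persistent 0.3% leak the daily balance still never reaches the 1% per-day limit, yet the CUSUM crosses its decision interval on the seventh day. When reviewing material balance results, the question to ask is therefore whether the operator trends the balance over weeks and months, not only whether per-day alarms fired.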
28. Audit Finding Classification Matrix
Findings should be clear and focused on the non-compliance / non-conformance to defensible criteria.
Audit classification / Level of response / Management involvement:
● Unacceptable / Grave concern / The Senior Vice President (EVP) shall: resolve findings; provide detailed quarterly reports to the Operations Committee on the activities and action plans to raise the local controls
● Not Satisfactory / Concern / The responsible VP shall: resolve findings; provide detailed semi-annual reports to the Operations Committee
● Satisfactory / Scope for enhancement / The responsible leader shall: resolve findings; take action to ensure that controls are raised
● Good / Specific / The responsible leader should: resolve findings; continue general improvement in controls
29. Continual Improvement Philosophy
Causal analysis, recommendations, and corrective actions:
● To a nature and depth commensurate with the potential consequences of the finding
● Focus on system failures, not individuals or equipment
● Do not provide recommendations
● Reject inadequate corrective and preventive actions
● Ensure systemic issues are addressed
● Follow up on the efficacy of closed corrective actions
31. How to Improve Your Internal Audit Program?
• A great HSEQ management system framework
• Top down, bottom up leadership safety culture
• Efficient monitoring, measuring and self-assessment programs
• Independent internal audit function
• Auditor training and quality check business process
• Hire outside experts
• Data analytics and automation
• A risk-based audit program design
• Effective reporting to senior management
• Good incident management / causal analysis programs
• Collaborative partner
• Feedback on performance
32. Cost/Benefit Analysis - In Conclusion
Management must make the call on risk and reward trade-offs.