By Cameron Clark
Spending time on the things that really matter is a challenge for nearly everyone in today’s fast paced society. In our haste to get things done we often focus on the things we can get repeatedly done quickly, and easily, with what’s left over sometimes getting only cursory attention in the time that remains.
It’s easy to adopt a similar approach during a safety audit, especially when they are often considered a tedious compliance exercise. This attitude can drive a “cookie cutter” or “one size fits all” approach, using pre-determined questions and checks so that the safety audit is over as soon as possible. But in doing so, you limit the potential for the safety audit to lead to fundamental improvements to your ability to prevent injury and illness.
To improve participants attitudes to safety audits, the “one size fits all” approach that enables efficient completion of audit evaluations has to be ditched in favour of one that is risk based. This already happens during the planning stages of an audit, with the type and frequency of hazards (OHS complexity) being used to assess the required audit duration. This risk-based approach needs to be extended to the audit plan and the time allocated to evaluate critical risk controls.
By not adopting a risk-based approach you are at risk of wasting the time, effort, and resources expended on your safety audit. The “buy-in” from audit participants can also be impacted if it is perceived that the audit is focusing on trivial or unimportant issues. Worse still, if your audit isn’t sufficiently targeted at risk, serious flaws in your critical control framework might not be identified and could continue to exposed people to significant risks.
To demonstrate, consider the two examples below:
Maintenance workshop – plant and equipment management
A regulator safety audit of a site that included a vehicle maintenance workshop identified a parts washing bath, that was no longer in use, but had not been tagged as “out of service.” The auditee believed they had effectively eliminated the risk because the bath had been emptied of its cleaning substance (a solvent), had been relocated to an area where the bath was impractical to use, and had been disconnected from its power supply. The employees had been instructed via a toolbox (with a written record) that the solvent bath was no longer to be used and the equipment was awaiting disposal off-site. There was no evidence that the parts washing bath had been used since the organization had implemented measures to take it out of service.
The regulator and the auditee spent considerable time debating whether the risk had been suitably controlled, with the regulator ultimately dismissing the argument of the auditee and issuing a nonconformance.
A subsequent internal audit was completed by a third-party auditor who adopted a more risk based approach and spent considerable time evaluating critical controls related to the many items of high-risk plant and equipment used by the workshop, including hydraulic vehicle lifts. The evaluation identified that there was no evidence to verify that repairs to vehicle lifts had been completed to address identified faults, or been checked as safe before being returned to service. If there were to be un-repaired faults to the lifts, they had the potential to cause the lifts, and its vehicle loads, to collapse upon workshop personnel.
Depot – emergency management
An organization had conducted a “pre-audit” of its depot operation in preparation for a formal audit by an independent third party. Due to time constraints the pre-audit had focused on items easily identified through visual inspection. A range of opportunities for improvement had been identified including display of the company’s health and safety policy, ensuring that minutes of health and safety committee meetings were available on noticeboards and providing a megaphone so that emergency announcements could be heard across the site.
When the independent auditor attended site to complete their audit, a range of key emergency risks were found to be insufficiently controlled. While some improvements around emergency communication had been implemented, the site had failed to identify that there was only one appointed warden even though the depot was a 24 hour, seven-day a week operation. The site had also failed to identify that electronic security access controls would not release locked doors in the event of an emergency and as a result, personnel within depot buildings may be trapped and unable to escape.
In each of the above cases, audit efforts focused on low priority items that offered little to reduce each organization’s risk profile, while high consequence risks, with the potential to cause significant harm, went insufficiently controlled. As a key objective of a safety audit is to evaluate whether a health and safety management system is effective at eliminating or reducing injury and illness, focusing on communication issues, as the two examples above did, likely provided a level of false comfort to those in management and control of the workplace that serious risks were being satisfactorily controlled. A risk-based approach adopted earlier would have enabled those with management and control greater opportunity to address fundamental areas of risk sooner and improve the organization’s control regime. In the end, the efforts expended on the first audits, by auditor and auditee, were wasted because a risk based approach was not adopted.
To adopt a risk based approach to your audit or audit program, consider your risk profile, the strength of the critical control framework in place, the time available for audit and ensure that suitable resources are directed at your most important risks. Once you understand where your key risks are, consider the use of bespoke audit tools that direct energies at specific hazards or controls, or consider focused “single issue” audits to really probe the strength of your critical control framework and ensure that each control layer is robust and performing as intended. Consider as well the experience of your auditor and ensure they come with a working knowledge of your risk profile and industry practices. Without the right knowledge and experience your auditor will find it more difficult to adopt a risk-based approach.
About the author
Cameron Clark is a health and safety professional with more than 17 years’ experience providing OHS consulting and auditing services to a range of large multinational organizations. He is currently a founder and Managing Director of Verus Australia and an Exemplar Global-certified Lead OHS Management Systems Auditor. Cameron can be contacted via cameron.clark@verus.com.au or via www.verus.com.au.