HP Tagline--Environment and Safety

Sketching a robust audit and assurance management system

A. J. KHAN, Contributing Author, Riyadh, Saudi Arabia; and P. VERHULST, Contributing Author, Roosendaal, the Netherlands

Relying on a third party for safety assurance is like entrusting your gym instructor with your overall physical well-being. We may believe they are competent, sincere and loyal to our needs, but their motivations come from an entirely different perspective: customer retention, customer satisfaction, etc. Hired support must maintain a metaphorical “optimum salt level” when it comes to honest feedback: too much and you spoil the dish (lose the contract), too little and you lose the taste (are deemed incompetent). It is not their fault—their innate business drive impels them to tone down the real truth. The objective of this article is to help organizations implement and develop their own assurance management system, so that they positively impact their communities and people by preventing major accident hazards (MAHs), fatalities and serious injuries.

The International Organization for Standardization ISO 19011:2018(en) standard partially covers the subject by providing comprehensive guidance on auditing a management system.1 This article seeks to supplement that information with an over-arching system for building the entire audit and assurance program. Material already available in ISO standards (conducting the audit, close-outs, etc.) is purposely omitted to avoid repetition.

If an organization is facing the symptoms listed below, the internal layers of assurance must be strengthened:

  1. Repeat incidents
  2. Occupational Safety and Health Administration (OSHA) citations, legal fines or bad publicity
  3. Frequent errors in key deliverables of major functions
  4. “Watermelon” effect (when performance metrics seem green or positive on the outside but are actually red or troublesome on the inside): Key performance indicators (KPIs) are not truly representing the actual state of barriers
  5. Poor stewardship of long-lead, high-risk actions
  6. Receding corporate memory and a decline in inter-site/cross-functional communication
  7. Lack of assigned accountability: Accountability is not clearly documented and exercised [lack of robust responsible, accountable, consulted and informed (RACI) matrices]
  8. Functional blindness leading to wasted resources, unnecessary spending and lost efficiencies.

Safety professionals should liaise with other disciplines to strengthen their tool set for a changing corporate landscape.

Foundations. OSHA safety audits review safety programs and strategies, while an inspection evaluates current practices. Audits measure and collect information about the reliability and effectiveness of a safety program, determine if a company's stated goals are being met, and examine employee safety training and response efforts.

The safety management system used by the UK Civil Aviation Authority (CAA) defines assurance as identifying hazards before they result in occurrences, seeking out system weaknesses and challenging the effectiveness of risk controls using safety information that may indicate emerging safety risks.2 It also involves continuously monitoring the operating environment to detect changes that may introduce emerging risks or degrade any existing safety risk controls.

The Institute of Chartered Accountants in England and Wales (ICAEW) defines assurance as an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the organization.3

Therefore, an audit program verifies the effectiveness of risk mitigations, whereas an assurance program ensures that risk mitigation will do its intended job. While the former focuses on independent barriers separately, the latter ensures that all barriers are configured, aligned and robust enough to prevent the development and escalation of an initiating event to a disastrous outcome.

The discipline of enterprise risk management (ERM) defines risk appetite in much the same way that safety defines as low as reasonably practicable (ALARP). An important difference is that risk appetite is driven primarily by the financial wellbeing and governance of the organization, whereas ALARP is defined primarily by legislation and interpreted by a competent authority. An interesting tool developed by the ERM discipline is assurance mapping, a structured way of identifying and mapping the main sources and types of assurance in an organization across the four lines of defense listed below,3 and coordinating them to best effect:

  1. Management policies; control frameworks and controls; and management review processes
  2. Control self-assessment mechanisms (i.e., independent of management review processes); risk reviews; compliance reviews; group legal; group insurance; and board review processes
  3. Internal audits
  4. External audits; and other independent assurance.

Developing a safety assurance program. A safety assurance program—based on published guidance related to assurance mapping—can be divided into three tiers, which can be named according to the organization's geographical spread:

  1. Tier 1—Internal audit conducted by a discipline expert or site-nominated representative
  2. Tier 2—Divisional audit, conducted by a team of subject matter experts (SMEs) led by an organization-nominated technical authority
  3. Tier 3—Shareholder/external audit, conducted by joint venture (JV) companies, business partners or interested third parties.

These tiers can be mapped to the critical barriers identified in a control of major accident hazards (COMAH) report and used to verify that those barriers remain robust on an evergreen basis. It is important to schedule audits so that there is adequate time to close the relevant lower-tier audit actions before the next tier examines them. For example, a Tier 2 assessment should be conducted at least 6 mos–12 mos after a Tier 1 assessment, and so on.

Numerous facets comprise the configuration of a successful program:

  1. Management system. Audit and assurance programs work best with a comprehensive management system overseeing the entire effort and providing the proper authority, empowerment and accountability for the program's implementation. Major components of an audit and assurance management system include:
      1. Purpose and objective
      2. Major drivers [e.g., health, safety and environment management system (HSEMS), laws and regulations, best practices]
      3. Organizational roles and responsibilities
      4. Competency requirements
      5. Organizational audit and assurance program
      6. Preparation of an audit—terms of reference (TOR)
      7. Conducting an audit
      8. Actions preparation and follow-up
      9. Use of the corporate risk assessment matrix (RAM) for consistent risk rating of gaps across various functions
      10. Data analytics to drive intelligence
      11. Performance KPIs.
  2. Effective assurance plan development. It is essential to select the relevant risk-based categories for any assurance program. The correct selection of categories ensures that the assurance program encapsulates the major potential incidents and injuries to which the organization is exposed. Key sources for developing these categories include:
      1. MAH list
      2. Incident database or incident analysis report
      3. Leadership site visits and recurrent issues
      4. Internal or external audit reports
      5. Lessons learned (internal and external)
      6. Continuous improvement programs focused on enhancing hard or soft barriers
      7. Blind spots highlighted by reputable journals and industry agencies (e.g., organizational change management, dead-legs, lightning arrestors, piping supports, PSVs)
      8. Benchmarking studies with industry peers.

A sample assurance program is illustrated in FIG. 1 for reference.

[FIG. 1]

Coverage of assets. Renowned management consultant Peter Drucker remarked, “Only three things happen naturally in organizations: friction, confusion and under-performance. Everything else requires leadership.”

While it is expected that an organization should have similar systems across all assets, it is surprising to see this expectation fail repeatedly. All assets must be properly covered within the assurance plan. To maintain consistency, resources conducting Tier 1 internal audits should ideally go through a consistent training and evaluation by the corporate SME, while Tier 2 audits should ideally be conducted by a single team across all assets. Tier 3 teams can merge two or more barriers to manage the workload effectively (TABLE 1).

[TABLE 1]

Competence. Competence is the single most important aspect of a robust assurance program. Even average programs have been observed to perform effectively when run by competent people under committed leadership. It is essential to set criteria for selecting SMEs and technical authorities who can develop, review and add value to the assurance program as and when needed. Sample competence criteria include:

  1. Educational background, relevant certifications and diplomas
  2. Strong experience with oil and gas operators or with project/consultancy companies
  3. Exposure to multiple organizations, and an acumen for keeping abreast of technical developments in relevant fields through committees, conferences, publications, etc.

Auditors are selected for their competence, not their availability. A formal recruitment process is advised—even when recruiting from within the organization—with official selection notifications. The team should include auditors-in-training, both to bring a fresh perspective and to put a succession plan into action. Select auditors for their knowledge and train them in the required skills. In general, audit training should address the three major constructs of the auditing discipline shown in TABLE 2.

[TABLE 2]

Checklist development for reproducibility—review cycle and modification protocol. There is a lot of debate about the usefulness of checklists and how they can potentially inhibit creativity. The authors believe that checklists are necessary to ensure the reproducibility of results and help normalize the differences between different auditors with varied auditing skills. However, checklists are considered as a baseline only, and should not stop auditors from making observations over and above those mentioned in the checklist.

The development of checklists should be a joint, concerted effort by a team of experts covering design, project, operations, safety and maintenance/mechanical interfaces. An effective assurance checklist will cover:

  1. Major internal and external standards [OSHA, the International Association of Oil and Gas Producers (IOGP), Center for Chemical Process Safety (CCPS), best practices]
  2. Statutory or regulatory requirements
  3. Lessons learned
  4. Technical authority for guidance/reviews/final verdicts
  5. Cross-links to the different management systems and computerized maintenance management systems (CMMSs) existing within the organization [e.g., technical integrity, process safety management (PSM), risk-based inspection (RBI), SAP, Maximo]
  6. Recommendations from safety management system audits, incident investigations, management of change (MoC), pre-startup safety review (PSSR), quality assurance/quality control (QA/QC), etc.

Checklists are controlled documents and must be reviewed and updated at the frequency defined in the organization's ISO 9001 document control procedure.

Close-out engagement workshops. An auditor’s role is only to point out the gaps with a risk rating—it is the responsibility of the action parties to determine the best way to resolve them. Corporate-generated actions are common, but they are not beneficial for all sites because of differing organizational structures, access to resources and dissimilar procedures. It is recommended that either the auditors or the site audit representatives present the findings and then let the action parties decide the best actions, the breakdown of those actions and the target dates for resolving the findings. Experience has shown that the best results in a follow-up audit are achieved where close-out engagement workshops were held, rather than where generic corporate-generated actions were imposed.

Audit data intelligence. Databases should be designed to drive intelligence; done well, they are very useful in supporting an effective assurance system. Databases must be designed to ensure:

  1. Audit sheets can be easily uploaded, with all relevant data and evidence
  2. Actions cannot be closed without supporting evidence (e.g., training attendance, procedures, pictures of improvement, lab results)
  3. Automated reminders go to action parties, with red flags raised to asset owners
  4. High-risk actions are updated monthly/quarterly by the action party to assure leadership that the intended plans are being executed
  5. Action target date extensions are strictly controlled, with each successive extension requiring approval one level higher in the organizational ladder
  6. The database is configured to report KPIs aligned with corporate plans, and is capable of analysis by audit type, site, risk category, target date, major root causes, repeat observations, etc.
  7. Closure of actions is randomly audited by internal audit or another assigned function, and closure of high-risk actions is routed back to the audit team leader or designate to verify that the intended outcome was achieved
  8. The database is managed by an independent function within the organization.
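The list above is a specification for the action-tracking part of such a database. The following Python model, added here as an illustration and not the authors' system or any vendor's product, encodes four of those rules so they can be tested: closure is refused without evidence, a high-risk closure needs an independent verifier, each target-date extension needs approval one rung higher on an assumed approval ladder, and reminders and KPI roll-ups are computed from the same records. The ladder of roles, the field names and the sample actions are all constructed for the example.

```python
"""Illustrative action-tracking model for an audit/assurance database.

Added example, not the article authors' system. The approval LADDER, the
Action fields and the sample actions in demo() are assumptions made for
illustration; the rules themselves follow the list in the article.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed organizational ladder (lowest to highest). Each successive
# target-date extension must be approved by the next rung up.
LADDER = ["supervisor", "site_manager", "asset_owner", "vp_operations"]


@dataclass
class Action:
    action_id: str
    site: str
    risk_category: str          # assurance category, e.g. "PSV", "dead-legs"
    risk: str                   # "high" | "medium" | "low", from the corporate RAM
    owner: str                  # action party
    target_date: date
    audit_type: str             # e.g. "Tier 1", "Tier 2"
    status: str = "open"
    extensions: int = 0         # number of times target_date has been pushed out
    evidence: List[str] = field(default_factory=list)
    verified_by: Optional[str] = None


def close_action(action: Action, evidence: List[str], closer: str,
                 verifier: Optional[str] = None) -> Action:
    """Close only with evidence; high-risk closures also need a verifier
    who is not the person closing (items 2 and 7 of the list)."""
    if not evidence:
        raise ValueError(f"{action.action_id}: closure requires supporting evidence")
    if action.risk == "high":
        if verifier is None or verifier == closer:
            raise PermissionError(f"{action.action_id}: high-risk closure needs "
                                  "independent verification by the audit team leader/designate")
        action.verified_by = verifier
    action.evidence.extend(evidence)
    action.status = "closed"
    return action


def extend_target(action: Action, new_date: date, approver_role: str) -> Action:
    """Push out the target date; the Nth extension needs approval from at least
    rung N of LADDER (item 5)."""
    if action.status != "open":
        raise ValueError(f"{action.action_id}: cannot extend a closed action")
    if new_date <= action.target_date:
        raise ValueError("new target date must be later than the current one")
    required = LADDER[min(action.extensions, len(LADDER) - 1)]
    if LADDER.index(approver_role) < LADDER.index(required):
        raise PermissionError(f"{action.action_id}: extension #{action.extensions + 1} "
                              f"needs {required} approval")
    action.target_date = new_date
    action.extensions += 1
    return action


def reminders(actions: List[Action], today: date, warn_days: int = 14) -> List[dict]:
    """Reminder records for open actions due within warn_days or overdue;
    overdue ones carry a red flag for the asset owner (item 3)."""
    out = []
    for a in actions:
        if a.status == "open" and (a.target_date - today).days <= warn_days:
            days_left = (a.target_date - today).days
            out.append({"action_id": a.action_id, "owner": a.owner,
                        "days_left": days_left, "red_flag": days_left < 0})
    return out


def kpis(actions: List[Action], today: date) -> Dict[str, Dict[str, Counter]]:
    """Open/closed/overdue counts rolled up by site and by risk category (item 6)."""
    by_site: Dict[str, Counter] = defaultdict(Counter)
    by_cat: Dict[str, Counter] = defaultdict(Counter)
    for a in actions:
        for bucket in (by_site[a.site], by_cat[a.risk_category]):
            bucket[a.status] += 1
            if a.status == "open" and a.target_date < today:
                bucket["overdue"] += 1
    return {"by_site": dict(by_site), "by_risk_category": dict(by_cat)}


def demo(today: date = date(2024, 3, 1)) -> dict:
    """Exercise the rules over three constructed sample actions (not real audit data)."""
    acts = [
        Action("A-001", "Site-A", "PSV", "high", "alice", today + timedelta(days=7), "Tier 1"),
        Action("A-002", "Site-A", "dead-legs", "medium", "bob", today - timedelta(days=3), "Tier 2"),
        Action("A-003", "Site-B", "PSV", "low", "carol", today + timedelta(days=60), "Tier 1"),
    ]
    result = {"reminders": reminders(acts, today)}   # A-001 due soon, A-002 overdue
    try:                                              # rule: no closure without evidence
        close_action(acts[2], [], closer="carol")
        result["closure_without_evidence_rejected"] = False
    except ValueError:
        result["closure_without_evidence_rejected"] = True
    try:                                              # rule: high-risk needs a verifier
        close_action(acts[0], ["psv-test-cert.pdf"], closer="alice")
        result["self_verified_high_risk_rejected"] = False
    except PermissionError:
        result["self_verified_high_risk_rejected"] = True
    close_action(acts[0], ["psv-test-cert.pdf"], closer="alice", verifier="dave")
    extend_target(acts[1], today + timedelta(days=30), "supervisor")   # 1st extension OK
    try:                                              # 2nd extension must go one rung up
        extend_target(acts[1], today + timedelta(days=60), "supervisor")
        result["second_extension_escalated"] = False
    except PermissionError:
        result["second_extension_escalated"] = True
    result["kpis"] = kpis(acts, today)
    return result
```

The point of keeping these rules in code next to the data, rather than in a procedure document, is that the database can refuse a non-compliant closure or extension at the moment it is attempted; the KPI roll-up then reports only records that passed those gates, which is what makes the dashboard trustworthy.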

Leadership oversight. Leadership oversight is necessary to enhance visibility, organizational engagement and safety culture. Business intelligence dashboards, like the ones shown in FIGS. 2 and 3, should be capable of putting the puzzle pieces together and building a real-time assurance dashboard for selected hard and soft barriers. Such dashboards can help leaders be mindful and assertive during decision-making, field visits and employee engagement opportunities. They can also provide vital information to plan proactive interventions that will strengthen weak barriers. Organizations can enhance situational awareness and prioritize resources to enhance the resilience of controls.

[FIG. 2]
[FIG. 3]

Site leaders can use these dashboards to learn from each other about best practices, lessons learned and optimum approaches to achieving objectives. The authors have frequently observed audit data kept confidential between different sites of the same organization. Leadership should encourage openness and use audit reports as an opportunity to trigger debate at the functional level, have multi-functional teams examine audit findings, and implement actions globally where the opportunity warrants it. Technical authorities and SMEs can play a pivotal role only if they are involved appropriately in the process.

Takeaway. An assurance management system can help provide leadership a real-time snapshot of the robustness of various barriers, enabling them to plan, decide, intervene and act in the best possible manner. If used well, such a system can empower the organization to capitalize on integrative intelligence and eventually transform into a learning organization capable of consistent innovation, safe operations and long-term competitiveness. HP

LITERATURE CITED

  1. International Organization for Standardization, ISO 19011:2018(en), “Guidelines for auditing management systems,” 2018.
  2. UK Civil Aviation Authority, “Safety management systems: Information for organisations regarding safety management systems,” online: https://www.caa.co.uk/safety-initiatives-and-resources/working-with-industry/safety-management-systems/safety-management-systems/#:~:text=A%20Safety%20Management%20System%20(SMS,risk%20assessments%20and%20risk%20mitigation
  3. The Institute of Chartered Accountants in England and Wales (ICAEW), “Audit and assurance faculty help sheet—The four lines of defence,” September 2018, online: https://www.icaew.com/-/media/corporate/files/technical/audit-and-assurance/assurance/the-four-lines-of-defence-helpsheet.ashx

AAMISH J. KHAN is an Operational Safety Consultant who has been supporting renowned companies in the oil and gas, petrochemical and utilities sectors in their safety culture enhancement journeys for more than two decades. His multifaceted exposure to operations leadership, occupational safety, process safety management, integrity assurance, process design and auditing enables him to identify, analyze and treat risk effectively throughout an asset’s lifecycle. He is co-authoring the “CCPS Safe Work Practices Guidelines,” with the objective of enhancing the sharing of lessons learned across global industry and softening the safety impact on workers’ lives. Khan is a graduate chemical engineer and holds an MS degree in enterprise risk management from Boston University.

PETER VERHULST worked for 42 yr for Royal Dutch Shell Companies and has extensive refinery and gas plant experience from both operational and technological standpoints. His expertise ranges from customer relations and service management to governance of JV interests, business performance improvement through the application of balanced score cards, and the implementation of ERM from scratch. In his last assignment, he led the implementation of an ERM system coupled to an internal audit management system and action tracking system, a first in the oil and gas industry in the Middle East. Verhulst is a graduate of Delft Technical University, the Netherlands, and earned an MS degree in chemical engineering.