Safety Audits: Take a Risk Based Approach
Spending time on the things that really matter is a challenge for nearly everyone in today's fast paced society. In our haste to get things done we often focus on the things we can get repeatedly done quickly, and easily, with what's left over sometimes getting only cursory attention in the time that remains.
It's easy to adopt a similar approach during a Safety Audit, especially when they are often considered a tedious compliance exercise. This attitude can drive a 'cookie cutter' or 'one size fits all' approach, using pre-determined questions and checks, so that the Safety Audit is over as soon as possible. But in doing so, you limit the potential for the Safety Audit to lead to fundamental improvements to your ability to prevent injury and illness.
To improve participants attitudes to Safety Audits the 'one size fits all' approach that enables efficient completion of audit evaluations has to be ditched in favour of one that is risk based. This already happens during the planning stages of an audit, with the type and frequency of hazards (OHS Complexity) being used to assess the required audit duration. This risk based approach needs to be extended to the audit plan and the time allocated to evaluate critical risk controls.
By not adopting a risk based approach you are at risk of wasting the time, effort and resources expended on your Safety Audit. The 'buy-in' from audit participants can also be impacted if it is perceived that the audit is focussing on trivial or unimportant issues. Worse still, if your audit isn't sufficiently targeted at risk, serious flaws in your critical control framework might not be identified and could continue to exposed people to significant risks.
To demonstrate, consider the two examples below:
Maintenance Workshop – Plant & Equipment Management
A regulator safety audit of a site, that included a vehicle maintenance workshop, identified a parts washing bath, that was no longer in use, but had not been tagged as "Out of Service". The Auditee believed they had effectively eliminated the risk because the bath had been emptied of its cleaning substance (a solvent), had been relocated to an area where the bath was impractical to use, had been disconnected from its power supply. The employees had been instructed via a toolbox (with a written record) that the solvent bath was no longer to be used and the equipment was awaiting disposal off-site. There was no evidence that the parts washing bath had been used since the organisation had implemented measures to take it out of service.
The regulator and the auditee spent considerable time debating whether the risk had been suitably controlled, with the Regulator ultimately dismissing the argument of the Auditee and issuing a Non-Conformance.
A subsequent internal audit, completed by 3rd party auditor, who adopted a more risk based approach, spent considerable time evaluating critical controls related to the many items of high risk plant and equipment used by the workshop, including hydraulic vehicle lifts. The evaluation identified that there was no evidence to verify that repairs to vehicle lifts had been completed to address identified faults, or been checked as safe before being returned to service. If there were to be unrepaired faults to the lifts, they had the potential to cause the lifts, and its vehicle loads, to collapse upon workshop personnel.
Depot – Emergency Management
An organisation had conducted a 'pre-audit' of its depot operation in preparation for a formal audit by an independent third party. Due to time constraints the pre-audit had focussed on those items easily identified through visual inspection. A range of opportunities for improvement had been identified including display of the company's health and safety policy, ensuring that minutes of health and safety committee meetings were available on noticeboards and providing a megaphone so that emergency announcements could be heard across the site.
When the independent auditor attended site to complete their audit, a range of key emergency risks were found to be insufficiently controlled. Whilst some improvements around emergency communication had been implemented, the site had failed to identify that there was only one appointed warden even though the depot was a 24 hour, 7-day a week operation. The site had also failed to identify that electronic security access controls would not release locked doors in the event of an emergency and as a result, personnel within depot buildings may be trapped and unable to escape.
In each of the above cases, audit efforts focussed on low priority items that offered little to reduce each organisation's risk profile, whilst high consequence risks, with the potential to cause significant harm, went insufficiently controlled. As a key objective of a Safety Audit is to evaluate whether a health and safety management system is effective at eliminating or reducing injury and illness, focussing on communication issues, as the two examples above did, likely provided a level of false comfort to those in management and control of the workplace that serious risks were being satisfactorily controlled. A risk based approach adopted earlier would have enabled those with management and control greater opportunity to address fundamental areas of risk sooner and improve the organisation's control regime.In the end, the efforts expended on the first audits, by auditor and auditee, were wasted because a risk based approach was not adopted.
To adopt a risk based approach to your audit or audit program, consider your risk profile, the strength of the critical control framework in place, the time available for audit and ensure that suitable resources are directed at your most important risks. Once you understand where your key risks are, consider the use of bespoke audit tools that direct energies at specific hazards or controls, or consider focussed 'single issue' audits to really probe the strength of your critical control framework and ensure that each control layer is robust and performing as intended. Consider as well the experience of your auditor and ensure they come with a working knowledge of your risk profile and industry practices. Without the right knowledge and experience your auditor will find it more difficult to adopt a risk based approach.
If your Audit Program isn't giving you the results you would like, or if you are looking for a Safety Auditor with the right experience in your industry, Contact Verus today. Verus has designed and delivered risk based audit programs for some of Australia's most well-known organisations and Verus Auditors have experience across a wide range of industry sectors.
If you're interested in more ways to improve your Safety Audits, join our community by subscribing and over the coming weeks, we will outline common Safety Audit pitfalls and practical ways to avoid them. Next up: Don't Hide or Conceal Evidence.