Key performance indicator (KPI) is, arguably, one of the biggest buzzwords of the decade. If you want someone’s attention, mention KPIs. According to Investopedia, KPIs are “a set of quantifiable measures that a company or industry uses to gauge or compare performance in terms of meeting their strategic and operational goals.”

For some individual practices—financials, inventory, sales—KPIs are relatively standard. For example, a company may measure revenue growth year after year as a standard KPI. As we bridge into operational practices with varying numbers of employees and levels of risk, however, it can become more difficult to understand not only how to establish KPIs but also where to get the data.

Technology can help to create a pull-to-push methodology that puts site-specific leading KPIs at stakeholders’ fingertips.

Leading vs. Lagging Indicators

In order to understand how to use this pull-to-push methodology to create leading KPIs, it is important to first understand the concept of leading versus lagging indicators.

• Lagging indicators measure and help track how the company is performing in comparison to its goals. Lagging indicators are usually fairly easy to measure—but they can be hard to influence because what they are measuring has already happened or performance data already captured. In this way, lagging indicators are backward-focused. Many standard performance metrics are lagging. In safety, for example, the Recordable Incident Rate is a lagging indicator. Important information to know but hard to change.
• Leading indicators signify the direction performance is going. Because leading indicators come before a trend, they are often seen as business drivers and should be incorporated into the business strategy. The forward-looking nature of leading indicators may make them harder to measure and they may change quickly; however, leading indicators are generally easier to influence. A good example of a leading indicator in determining the most common causes of an incident before it happens to prevent future recurrence, thereby impacting performance.

Pull vs. Push Metrics

That brings us back to the pull-to-push methodology. Or, in essence, digging for metrics versus having KPIs sent directly to the appropriate stakeholders.

With a push approach, metrics are literally “pushed” to end-users, who then extract meaningful insights and take appropriate actions for themselves. Push metrics can have a number of components that trigger when (and who) metrics are sent to, including threshold, capacity, severity, and timing.

Conversely, with a pull approach, data is pulled in order to answer specific business questions. Pull metrics generally require someone with analytical skills to dig deeper into the data to identify the desired metrics.

While pull metrics may be more time consuming to identify and obtain, that doesn’t mean pull metrics aren’t important to have. In fact, organizations often need to pull data in order to create the push metrics that provide for standard KPIs. And push metrics may demand you circle back and pull further information. In reality, the process is cyclical: pull produces what should be pushed; push cycles back to pull in order to dig deeper into the details.

Creating Standard KPIs

How does an organization, then, get to the point of having standard KPIs that can be pushed when needed and that don’t require the time and investment associated with digging for information?

Technology can help to create that pull-to-push methodology for creating standard KPIs. This requires a number of things:

1. The program must be well-established and designed with the operational requirements, capacity, tools, and skills to effectively integrate the program itself and associated data with technology.
2. Assuming a program such as this is developed, initial reports can be pulled to check the program’s effectiveness based on a number of key attributes/metrics. This yields analyzable data.
3. This data should be explored in many different ways. This allows the company to start seeing the interaction between stakeholders and the data and, eventually, creates the “a-ha” moment of understanding as to what metrics are important and meaningful.
4. At this point, it becomes possible to begin comparing data and metrics on a periodic basis, while continuing to pull information from technology. Remembering what queries are effective will aid in establishing initial leading KPIs. This process also will yield improved understanding of how the data gathering process (e.g., incident investigation) needs to be improved and standardized for a more reliable pull of information.
5. This comparison of data should then be used to discover what data is beneficial and what information needs to be more granular to really hone in on the standard KPI.

Walking through this process and leveraging available technology makes it possible to effectively transition from pull methodology to push reporting—putting leading KPIs in the hands of decision-makers and identified stakeholders.

The FDA Food Safety Modernization Act (FSMA) originated in the mid-2000s when approximately 48 million people were getting sick, 128,000 were hospitalized, and 3,000 died annually from foodborne diseases, according to the Centers for Disease Control (CDC). This resulted in a significant public health burden that is largely preventable.

Signed into law by President Obama on January 4, 2011, FSMA aims to ensure that the food supply is safe—from responding to contamination to preventing it. The Act represents the most sweeping reform of our food safety laws in more than 70 years.

New Rulemaking

Since its passage, food-related industries have been waiting for a number of new rules to be published under FSMA. The new rules being published for enforcement will complement the existing rules in place prior to 2011 and rules that were enforceable at the signing of FSMA, including meeting all of the established requirements under 21 CFR Section 110. These include Inspection of Records; Registration of Food Facilities; FDA Performance Standards; and Authority to Collect Fees, Mandatory Recall Authority, and Administrative Detention.

After numerous delays in rulemaking, court-ordered deadlines for finalizing and publishing seven foundational new rules were established for 2015/2016. Not surprisingly, the FDA declared 2015 “the year of FSMA” at their FSMA Kickoff Meeting for industry stakeholders on April 23, 2015. The new rules include the following final and pending dates:

*Later dates or applicability may be provided for very small companies 
**Dates may be subject to change
***cGMP refers to Current GMPs under FSMA or ones that are current and updated within the past two years

Enforcement

With these new FSMA rules, all issues related to the processing and distribution of safe food will be enforceable by the FDA. This broad authority includes the use of other agencies for enforcement and eliminates the need for the FDA to require judicial approval for investigations, access to information, issuing recalls, ordering the detention of product, suspending business registrations, levying fines, and controlling the food supply chain to ensure the safety of food for the public.

Compliance Requirements

Establishing the rulemaking deadlines is the first step toward implementing the law. Compliance dates—up to one year or longer after publication—require companies to then develop the appropriate programs to meet FDA Guidance Documents pending release. These Guidance Documents are intended to assist industry in program development; however, there is little confidence that these will be issued in a timely manner. Thus, with compliance commencing by September, companies must establish their own programs and use Guidance Documents for eventual comparison.

As the new FSMA rules are published, companies must determine their compliance requirements to ensure the distribution of only pure and unadulterated food product. Each company must assess all aspects of FSMA to first determine which rules are specific to them, their business, and their supply chain and, second, how to best comply. This is challenging, as these programs will be new and not previously tested for compliance. A gap assessment will help companies determine requirements and then develop the required compliance programs by the established dates.

Food Defense and Safety Plan

There is one common need across all FSMA rules that companies should consider: proactively creating a Food Defense and Safety Plan—or updating a current one. Taking a proactive approach to food defense will not only make FSMA adherence less daunting for organizations, but it will also ensure that they are working to avoid the risks associated with food adulteration and contamination.

This also aligns with other existing laws already in place, as site food defense is an imperative required by other laws. Security programs must be established if they are not already implemented. FSMA rules include one against deliberate contamination of food. The FDA and other authorized agencies will look to see if programs are established and that the company has assessed risks, controls access, has an alert system, and has an audit program that is functioning to plan.

Companies must take action to include these within their Food Defense and Safety Plan:

• Ensure the building, premises, and processes meet existing physical and defense requirements
• Verify employees understand the company’s FDA/FSMA requirements with visible evidence
• Assess and audit the written Food Safety Plans and look for gaps/areas to close
• Ensure the integrity of the internal audit program to FDA/FSMA and food safety requirements
• Confirm that the company is prepared to provide documentation in 24 hours if requested by the FDA
• Ensure that all suppliers and indemnity are effectively tracked, monitored, and evaluated
• Prove traceability and maintain a mock recall program for any recall circumstance

Food Safety Management System (FSMS)

Based on the complexity and broad nature of the FSMA rules, it is also recommended that companies move forward with updates to their Food Safety Management Systems (FSMS), which can be adjusted when the final rules are issued. Certification to one of the Global Food Safety Initiative’s (GFSI) benchmarked standards provides some level of compliance, including security and defense.

Preventive Controls

Preventive controls require a final processor or distributor to ensure that the supply chain has effective programs. Preventive controls must go back to the origin of each material. Ultimately, all food ingredients and materials must be included to meet preventive control requirements.

FDA seeks for companies to assess risks and implement preventive controls in their supply chain. For this, companies must understand where the risks are and if appropriate controls are implemented. A key issue to consider is how regulators and suppliers have different senses of what appropriate controls really are for this important goal of FSMA.

Qualified Individuals

Another key aspect of FSMA and a change to past FDA requirements is to establish and maintain Qualified Individuals and Food Safety Lead/Teams to ensure that each location’s food safety system is adequately managed. Key requirements include the following:

• Identify a qualified lead food site operator at all times
• Be ready for an inspection with a well-scripted inspection program
• Keep the communication list within the company current, including regulatory service providers
• Food Safety Lead must be present during food operations for release of safe food
• Qualified back-ups must be established for the primary Food Safety Qualified Individual or Lead

Actions to Take

Any company that produces or distributes food product or material needs to determine compliance requirements to implement the appropriate FSMA programs. The best method for determining program development needs is to conduct an action-oriented gap assessment of current programs to FSMA requirements. Due to the Act’s complexity, this process should begin well in advance of final compliance dates. If programs are not currently in development, they must be short to avoid the potential of non-compliance to FDA, customers, and the supply chain.

Since President Obama issued Executive Order (EO) 13650, Improving Chemical Facility Safety and Security, in August 2013, Kestrel has been following the USEPA’s efforts to carry out the EO, specifically as it relates to the Risk Management Plan (RMP) rule.

After extensive information gathering over the past two years, including issuing a Request for Information (RFI) and conducting Small Business Advocacy Review (SBAR) panels, the USEPA announced its proposed revisions to the RMP regulations on February 25, 2016.

Why RMP?

While chemicals are obviously an important part of so many aspects of our lives, improper handling and management can result in catastrophic releases that have severe and lasting impacts—loss of life, injury, property damage, community disruption.

The RMP Rule implements Section 112(r) of the Clean Air Act Amendments, and is aimed at preventing and/or reducing the severity of accidental chemical releases. RMP applies to all stationary sources with processes that contain more than a threshold quantity (TQ) of a regulated substance (based on toxicity, volatility, and flammability criteria). These sources must comply with the RMP regulations by taking defined steps to prevent accidents and by preparing and submitting an RMP to USEPA at least every five years.

Despite the RMP Rule, according to the February 25 USEPA press release referenced above, “While numerous chemical plants are operated safely, in the last 10 years more than 1,500 accidents were reported by RMP facilities. These accidents are responsible for causing nearly 60 deaths, some 17,000 people being injured or seeking medical treatment, almost 500,000 people being evacuated or sheltered-in-place, and costing more than $2 billion in property damages.”

These impacts—amongst other things—reinforce the EO and highlight the importance of modernizing the existing RMP Rule to:

• Improve chemical process safety
• Assist authorities in planning for and responding to accidents
• Improve public awareness of chemical hazards at regulated sources

Proposed Rule

The proposed amendments, as outlined in the table below, are intended to improve the requirements to enhance chemical safety at RMP facilities. Of important note, the USEPA is not proposing any revisions to the list of regulated substances under RMP at this time; however, the Agency may propose additions to this list in a separate action.

Things to Consider

There are a number of alternatives that the USEPA is still considering the proposed changes outlined above. The Agency plans to hold a public meeting to allow stakeholders to comment on the proposed rule; written comments may also be submitted within 60 days after the proposed rule is published in the Federal Register.

In reviewing and commenting on the proposed rule, it is important to consider the following:

• How might the proposed amendments impact your business?
• What additional and/or different criteria for third-party auditors should be required?
• What clarification may be required to effectively coordinate with LEPCs?
• What information is appropriate to share to improve emergency coordination with local responders and the community?
• What issues does your facility foresee with rule compliance?

Again, the proposed changes to the RMP Rule represent just one of the actions that the U.S. government is undertaking to improve chemical safety and security. Kestrel will continue to track these amendments, as well as other actions and decisions that may impact chemical facility operations.

Join Kestrel at the AFPM Annual Meeting to hear William Brokaw present his paper, Using a Data-Driven Method of Accident Analysis: A Case Study of the Human Performance Reliability (HPR) Process.

AFPM 2016 Annual Meeting
March 13-15, 2016
Kestrel Presentation: March 14 at 3:30 p.m.
Hilton San Francisco Union Square
San Francisco, CA

The Role of Human Error in Occupational Incidents

The concept of human error and its contribution to occupational accidents and incidents have received considerable research attention in recent years. When an accident/incident occurs, investigation and analysis of the human error that led to the incident often reveals vulnerabilities in an organization’s management system.

This recent emphasis on human error has resulted in an expansion of knowledge related to human error and the most common factors contributing to incidents. Kestrel’s Human Performance Reliability (HPR) process helps to classify human error—with the additional step of associating the control(s) that failed to prevent the incident from occurring. This process allows organizations to identify how and where to focus resources to drive safety performance improvements.

In this presentation, Will describes Kestrel’s method for identifying the most frequent human errors and most problematic controls and presents a case study wherein HPR was applied to a large petroleum refining company.

Catch Up with Kestrel

In addition to the presentation on March 14, Kestrel’s experts will also be on hand throughout the Annual Meeting to talk with you. We welcome the opportunity to learn more about your needs and to discuss how we help our chemical and oil & gas clients manage environmental, safety, and quality risks; improve safety performance, and achieve regulatory compliance assurance

Every food product and service company has an obligation to its customers to provide safe and quality food. A well-designed and well-executed food safety auditing program—with data trend analysis—provides an important tool for ensuring food safety. Auditing captures compliance status, Food Safety Management System conformance, adequacy of internal controls, potential risks, and best practices.

Combining effective auditing program design, standardized procedures, trained/knowledgeable auditors, and information technology systems and tools helps to ensure that food companies have the resources needed to get the most out of their food safety audits.

These resources may include:

• A reliable tool for conducting certification audits
• A systematic method of tracking audit status, schedule, and auditor capabilities
• Detailed audit and nonconformance data trending to help focus on risk areas for improvement
• Tracking of corrective actions
• Reports on performance metrics that allow the company to demonstrate compliance with regulatory requirements, evaluate trends, and make management decisions

The goal should be to effectively capture and analyze audit data and then use that information to improve food safety and quality, achieve certification requirements, and enhance overall business performance.

Technology Integration: Case Study

The following case study shows how integrating information technology into the auditing process can enhance data collection, analysis, and reporting capabilities.

This food manufacturer wanted to better track and manage its audit status and use the data collected to help focus on risk areas for improvement. Working with Kestrel’s food safety and IT experts, the company decided to use dynaQ™, Kestrel’s web-based assessment tool.

Kestrel took the following project approach to ensure that the company would be able to efficiently conduct its audits and, just as important, analyze audit data to uncover areas of nonconformance and opportunities to improve performance and reduce business risks.

Part 1: Project Kickoff – Identify and define initial dynaQ™ configuration, customization, training, and implementation scopes. Kestrel customized the existing platform to create nearly custom software to meet the organization’s needs.

Part 2: Project Launch and Training – Provide intensive training to ensure key staff knows how to conduct relevant inspections and are versed on reporting and data trends. At the end of the training session, staff was ready to work independently with dynaQ™.

Part 3: Implementation and Project Support – Continue training users on the dynaQ™ auditing process and provide ongoing support. The key factor in any audit program’s success is staff adoption. Ongoing support ensures that the company realizes maximum benefit.

Implementation has involved using dynaQ™ to facilitate a number of activities:

• Collect and analyze data from:
  • Daily pre-op and ATP inspections
  • Monthly GMP and glass & brittle plastic inspections
  • Twice daily operations inspections
  • ISO 22000 conformance audits under FSSC22000
  • ISO/TS22002-1 conformance audits
• Create a new form and process to facilitate the nature of quality evaluations, using dynaQ™ to compile the results
• Track noncompliance records (NRs) as the plant is notified

By integrating information technology into the auditing process, this two-month pilot project has resulted in the following benefits to the company:

• More effective pre-op
• Increased line utilization
• Immediate QA evaluation capability
• Improved efficiency and speed of data collection and report generation
• Enhanced ability to demonstrate compliance with regulatory requirements, evaluate trends, and make management decisions
• Improved data security

In simplest terms, a “database” is a collection of records. To many, databases are simply a technological representation of linear tasks that provide the benefits of electronic storage, security, time savings, etc. Linear databases basically replicate a standard file folder structure that we are familiar with when working in a program like Windows Explorer. These are all great benefits to any organization.

As our desire and ability to access information has changed, however, the linear database model has its shortcomings.

The Birth of Relational Databases

Databases really began to evolve and provide the ability to extract desired information with the birth of the relational database model, as first proposed by E.F. Codd in 1970.

A relational database stores records according to how they relate to each other, making it multi-dimensional. With a relational database, you can quickly compare information because of the arrangement of data. Using the relationship of similar data increases the speed and versatility of the database.

The benefits of a relational database become very apparent when applied on a larger scale. Take Amazon as a prime example of a relational database. If you were buying socks from Amazon, sorting through a linear file structure to find the pair you want would take an exceedingly long time. There would be folders filled with different options based on size, color, pattern, etc. With a relational database, you are able to search on multiple dimensions and effectively filter your results. Relational databases help the user find what they want and the owner better understands user behavior.

Keeping Up with Operational Tempo

As relational database technology is being applied more and more in every facet of life, the expectation for all software to perform as a relational database is starting to overstep most current business practices and legacy IT systems.

The majority of business applications fall into a linear (i.e., folder, Excel spreadsheet) system because this is easily understood. In essence, these linear systems are an electronic replication of the typical management system three-ring binder. Pertinent information is there but is not easily usable. Unfortunately, systems such as these don’t often align with operational tempo, which, in reality, requires a relational model to create better access and utilization, as well as ease of use.

Case Study: Code &Compliance Elite

Code & Compliance Elite (CCE) is one example of a relational database that Kestrel recently developed and is deploying to help chemical distributors meet and manage Responsible Distribution management system requirements. The Responsible Distribution Codes of Management Practice, compliance programs, and related documents are all housed in CCE to allow for efficient tracking and documentation.

To enable ongoing compliance management, Kestrel also develops and maintains a number of tools tailored to Responsible Distribution in CCE, including:

• Document management – storage, access, and control
• Internal audit
• Corrective and Preventive Action (CPAR/CAPA)
• Task and action management

CCE employs a relational database structure with linear attributes (such as folders), where necessary. Even these folders, however, link to associated documents and owners to connect all applicable parts and procedures without requiring the user to dig through files.

Understanding and being able to evaluate components of an existing management system is key to extracting those pieces that lend themselves to relational use. When companies are able to do this, the end product is an operational management system that integrates technology with operations and meets the operational tempo of the business.

The concept of human error and its contribution to occupational accidents and incidents have received considerable research attention in recent years. As mechanical systems become safer and more reliable, human error is more frequently being identified as the root cause of or a contributing factor to an incident (Health and Safety Executive, 1999). In order to effectively manage human error, companies must understand not only human error but also the factors contributing to it.

Kestrel has found that a multi-pronged improvement plan can help companies reduce the risks associated with employee and contractor behavior and, as a result, improve the safety performance of the organization. The three primary components of this approach include the following:

1. Incident investigation and analysis – adapted from the Human Factors Analysis and Classification System (HFACS)
2. Human Reliability Analysis (HRA) – based on the Cognitive Reliability and Error Analysis Method (CREAM)
3. Comprehensive safety culture assessment and improvement initiative

Incident Investigation

Incident investigation and analysis is based on the premise that employee and contractor performance is a significant source of risk within any organization. The majority of accidents and other unintended events are, at least in part, the result of human error. Companies manage risks associated with employee and contractor behavior through a variety of controls (i.e., policies, standards, procedures) that address employee selection, training, supervision, operating practices, corrective and preventive actions, etc. Accidents occur when there is a failure in one or more of these controls.

The Human Factors Analysis and Classification System (HFACS; Wiegmann & Shappell, 2003) is very helpful for identifying human errors that contribute to a single incident and for helping to guide the appropriate corrective action. However, it doesn’t help companies identify the controls (e.g., engineered, administrative, PPE) that are most often failing to prevent incidents. Additionally, it is not designed for the aggregation of multiple incident analyses for the purposes of analyzing trends, similarities, and the statistical significance of the results.

So while the HFACS framework can be used to identify and classify human error(s) that contributed to the incident in question, the next steps are to 1.) identify and document the control(s) that failed to prevent each human error and 2.) describe the unique circumstances of the incident that were classified into that HFACS category. When aggregated, an incident analysis results in:

• A list of the most frequently occurring human factors, which are ranked according to their statistical significance
• Identification of the controls that are most frequently identified as failing to prevent the incidents in question
• A list of the specific circumstances associated with each error identification, to look for commonalities when planning systemic, rather than local, corrective action

This provides the company with the ability to identify where to focus corrective resources and how to best deploy those resources.

Human Reliability Analysis (HRA) and CREAM

There may be times when it is still difficult to create action plans to address the problematic controls; subsequently, a deeper analysis of the control is necessary in order to improve it. When this happens, Human Reliability Analysis (HRA) methods, specifically CREAM, help to further analyze the control.

HRA methods provide a detailed analysis of the potential for human error within a given process by observing the process step-by-step and evaluating the type(s) and the likelihood of error(s) that could occur at each step. The CREAM methodology, developed by Erik Hollnagel, focuses on the importance of cognition when attempting to identify, evaluate, and interpret potential human error.

Specifically, the CREAM method provides a framework for:

1. Identifying the potential for human error in a process
2. Describing the likelihood and nature of that error
3. Evaluating if the potential for error requires action or if the existing risk is at an acceptable level

When the analysis is complete, it becomes possible to discuss viable options for deploying corrective action to improve the process (if necessary). These corrective actions can focus on the person, the operating environment, and/or the equipment involved in the process.

Safety Culture

Effective incident investigation and analysis and HRA function most effectively when a company exhibits an excellent safety culture. A strong safety culture has a number of characteristics in common. Kestrel’s research into the topic of safety culture has identified two traits that are particularly important to an effective safety culture: leadership and employee engagement. Best-in-class safety cultures have robust systems in place to ensure that each of these traits, among others, is mature, well-functioning, and fully ingrained into the standard practices of the organization.

Assessing safety culture can be done by administering a safety culture survey, conducting interviews of key leadership and safety personnel, and leading focus groups with front-line employees and supervisors. The mix of quantitative data (survey) and qualitative information (interviews and focus groups) provides data that can then be statistically analyzed, as well as a rich context for the results of the statistical analysis.

Performing a safety culture survey also provides an “as-is” benchmark for comparing future survey results to determine if improvement efforts have been effective and have fully permeated into all levels and units across the organization.

Realizing the Richest Benefit

While the individual components discussed above can be very helpful to a company, deploying them in tandem provides the richest and most comprehensive benefit to company safety performance.

That is because the three components are inherently complementary. Each improves the effectiveness of the others. For example, safety culture improvements, specifically, improvements in mutual trust and respect between levels of the organization, lead to better incident investigation data. This is because employees feel free to provide honest and complete narratives of the incident since they know they will not be unfairly disciplined for what happened. As a result, incident investigation and analysis is better able to identify the human errors and, most importantly, the controls that are most often involved in incidents.

All of this then allows the company to identify the processes and procedures that may be appropriate candidates for HRA. Subsequently, corrective actions that result from both incident investigation/analysis and HRA demonstrate to employees that management is committed to continuous safety improvement, which further improves safety culture.

All types of business and operational processes demand a variety of audits and inspections to evaluate compliance with standards—ranging from government regulations, to industry codes, to system standards (e.g., ISO), to internal corporate requirements. Audits offer a systematic, objective tool to assess compliance across the workplace and to identify any opportunities for improvement.

Routine internal audits are becoming a larger part of organizational learning and development. They provide a valuable way to communicate performance to decision makers and key stakeholders. Even more importantly, audits help companies identify areas of noncompliance and opportunities for improvement.

For some audits, a company may work with a third-party auditor. This can be valuable in getting an objective assessment of overall compliance status if executed effectively. Here are some best practice tips to help prepare for an internal audit—and ensure that it goes smoothly:

1. Audit scope: Make sure that the scope of the audit is well defined and documented (i.e., regulations, management system standards, company policies). This also involves identifying which areas and functions onsite are included. For example, if contractors are leasing space, are their areas in scope or out? What about other onsite lessees, if any?
2. Documents, plans, and records: Prior to the audit, ask the auditor for a list of documents they may be looking for (e.g., OSHA logs, past audit findings). Depending on the nature of the audit, it can be an extensive list and knowing ahead of time will save time and money. If possible, collect all records in advance and have them easily accessible. If corporate policy allows, it is often advisable to send current versions of all facility-specific plans, permits, and other documents to the auditor in advance of the audit to aid in preparation and create a more efficient use of time onsite. When the auditor arrives, make sure you know where relevant records are and that they are available to the auditor (i.e., not locked up in someone else’s office). Records should be organized by type in separate folders and sorted by date. Not only does that save time, it creates less likelihood of a record being overlooked. In most cases, electronic versions of records are sufficient, as long as they can be easily retrieved and viewed on the computer.
3. Interviews: Advise individuals who may be interviewed during the audit about the purpose of the audit. Communicate well in advance of the audit so that employees aren’t caught off guard when they see an individual walking around taking notes and pictures. Prepare your employees; encourage them to cooperate and provide helpful information when asked. Every employee should:
   • Be aware of the company quality/environmental/safety/food safety policy and able to state it in their own words.
   • Be aware of the quality/environmental/safety/food safety objectives the company has set for the current time period (i.e., what the company is working on to improve the current “state”).
   • Understand how they “make a difference” (i.e., how just by doing their jobs, they are following company policy and objectives and impacting performance).
   • Be knowledgeable about the procedures and practices required for doing their job properly.
4. Schedule: Ask for an audit schedule. This can help you plan for when certain “in-the-know” people need to be available. This can save valuable time—especially for those individuals—and help ensure that those you absolutely need for the audit are available when you need them.
5. Be available: Questions often arise during an audit. It is helpful to assure that qualified and knowledgeable personnel are available to answer questions and clarify information during the audit, in addition to being present during the audit debriefing.
6. Housekeeping: Good housekeeping puts auditors at ease. Conversely, lax housekeeping is often a harbinger of compliance issues and may put auditors on heightened alert.
7. Care of a third-party auditor: Make sure there is adequate work space available for the auditor to review records and other documents—with power, a desk or table, good lighting, and access to internet/email to exchange documents during the audit.
8. Confidentiality: If the audit scope involves regulatory compliance and the company has elected to employ audit privilege mechanisms, make sure that all parties are aware of the means to be taken to ensure that audit privilege is preserved (e.g., marking notes and documents, limiting distribution of output, adhering to state-specific requirements).

According to the UK Health & Safety Commission, a safety culture is “the product of individual and group values, attitudes, perceptions, competencies, and patterns of behavior that determine the commitment to, and the style and proficiency of, an organization’s health and safety management.”

An organization’s safety culture is ultimately reflected in the way that safety is managed in the workplace. A strong safety culture has a number of characteristics in common:

1. Communication. Communication is most effective when it comprises a combination of top-down and bottom-up interaction. Senior management sets the strategic goals and vision for the company’s safety program. It is vital that all levels of management (senior, middle, supervisory) communicate the strategy clearly to the workers who have to carry out the company’s mission. It is equally important that workers provide feedback on a practical level about what’s working and what’s not. Management needs to listen, take that feedback seriously, and act on it—or workers will stop giving it.
2. Commitment. It is one thing to say that safety is a priority; it is another thing to show that it is. When it comes to safety, actions truly speak louder than words. A lack of commitment, as demonstrated by action (or lack thereof), comes across loud and clear to staff. For example, requiring staff to work excessive hours to meet productivity goals, which may result in fatigue and increased likelihood of an accident, sends a clear message that productivity is more important than employee safety.
3. Caring. Caring takes commitment a step further. It involves showing concern for the personal safety of individuals, not just making a commitment to the overall idea of safety. Caring is about doing whatever is necessary to ensure employees return home safely every night. Again, how employees are treated is a much stronger indicator of caring than what the company says.
4. Cooperation. Safety works best if management and workers feel like they are on the same team. Cooperation means working together to develop a strong safety program (e.g., management involving line workers in creating safety policies and procedures). It means that management seeks feedback from workers about safety issues—and uses that feedback to make improvements. And it means that there is no blame when incidents occur. Incident investigations focus on fact finding, not fault finding.
5. Coaching. It is difficult for everyone to remember everything required to maintain a safe working environment. Coaching each other—peer to peer, supervisor to employee, even employee to management— is an important way to keep everyone on track. Coaching involves non-judgmentally providing feedback for improvements and, correspondingly, accepting and incorporating that feedback as constructive criticism. Disciplinary actions are sometimes necessary for repeated rule violations, but punishment is not the first management action in a strong coaching culture.
6. Procedures. There should be documented, clear procedures for every task. This not only prevents disagreement about what is required, it also shows commitment when things are put in writing. Procedures should be designed jointly by management and workers for practicality and to encourage improved cooperation, communication, and buy-in. Procedures should be reviewed periodically and updated, as needed.
7. Training. Training is a more formal, documented process for ensuring that employees follow safety processes and procedures. Management can demonstrate its commitment to safety training by creating formal, written training materials; tracking employee training; and checking for employee understanding. Formal training should happen frequently enough for employees to feel prepared to safely do their jobs.
8. Tools. All equipment and tools should be in good repair, free of debris, and functioning as designed. Inadequate tools directly impact safety/protection and indirectly impact perception of management commitment. For example, if the company doesn’t invest in appropriate PPE, good housekeeping practices, or equipment maintenance, it sends a clear message that employee safety isn’t important.
9. Personnel. There must be enough workers to do each task safely. The company should not sacrifice individual safety because of being understaffed (i.e., requiring shortcuts/overtime to meet production goals). In addition, the company should have safety experts on staff that employees can go to with safety-related questions.
10. Trust. Trust in the safety program, in senior management, and in each other is built when each of these characteristics is present and treated as a company-wide priority.

Benefits of a Best-in-Class Safety Culture

Strong safety performance is a cornerstone of any business. When all of these characteristics come together to create a best-in-class safety culture, everyone wins:

• Fewer accidents, losses, and disruptions
• Improved employee morale
• Increased productivity
• Lower workers compensation and insurance claims
• Improved compliance with OSHA regulations
• Improved reputation to attract new customers and employees and retain existing ones
• Better brand and shareholder value

Virtually every regulatory program—environmental, health & safety, security, food safety—has compliance requirements that call for companies to fulfill a number of common compliance activities. Addressing all (or those specified in the applicable regulation) of the eight compliance functions outlined below can be instrumental in establishing or improving a company’s capability to comply.

1. Inventory means taking stock of what you have. For compliance purposes, the inventory is quite extensive, including (but not limited to) the following:
   • Activities and operations (i.e., what you do – raw material handling, storage, production processes, fueling, maintenance, etc.)
   • Human resources (i.e., who does what)
   • Emissions
   • Wastes
   • Hazardous materials
   • Discharges (operational and stormwater-related)

The outcome of a compliance inventory is an operational and EHS profile of the company’s operations and sites. In essence, the inventory is the top filter that determines the applicability of regulatory requirements and guides compliance plans, programs, and activities.

2. Authorizations, permits & certifications provide a “license to construct, install, or operate.” Most companies are subject to authorizations/permits at the federal, state, and local levels. Common examples include air permits, operating permits, Title V permits, safe work permits, tank certifications, construction authorization. In addition, there may be required fire and building codes and operator certifications. Once the required authorizations, permits, and/or certifications are in place, some regulatory requirements lead companies to the preparation and updating of plans as associated steps.
3. Plans are required by a number of regulations. These plans typically outline compliance tasks, responsibilities, reporting requirements, schedule, and best management practices to comply with the related permits. Common compliance-related plans may include SPCC, SWPPP, SWMP, contingency, food safety management, and security plans.
4. Training follows once you have your permits and plans in place. It is crucial to train employees to follow the plans so they can effectively execute their responsibilities and protect themselves and the community. Training should cover operations, safety, security, and environment.
5. Practices in place involve doing what is required to follow the terms of the permits and related plans. These are the day-to-day actions (regulatory, best management practices, planned procedures, SOPs, and work instructions) that are essential for following the required process.
6. Monitoring & inspections provide compliance checks to ensure that the site is operating within the required limits/parameters and that the company is achieving operational effectiveness and performance expectations. This step may include some physical monitoring, sampling, and testing (e.g., emissions, wastewater). There are also certain regulatory compliance requirements for the frequency and types of inspections that must be conducted (e.g., forklift, tanks, secondary containment, outfalls). Beyond regulatory requirements, many companies have internal monitoring/inspection requirements for things like housekeeping and process efficiency.
7. Records provide documentation of what has been done related to compliance—current inventories, plans, training, inspections, and monitoring required for a given compliance program. Each program typically has recordkeeping, records maintenance, and retention requirements specified by type. Having a good records management system is essential for maintaining the vast number of documents required by regulations, particularly since some, like OSHA, have retention cycles for as long as 30 years.
8. Reports are a product of the above compliance functions. Reports from ongoing implementation of compliance activities often are required to be filed with the regulatory agency on a regular basis (e.g., monthly, quarterly, semi-annually, annually), depending on the regulation. Reports also may be required when there is an incident, emergency, or spill.

Reliable Compliance Performance

Documenting procedures on how to execute these eight functions, along with management oversight and continual review and improvement, are what eventually get integrated into an overarching management system (e.g., environmental, health & safety, food safety, security, quality). This documentation helps create process standardization and, subsequently, consistent and reliable compliance performance.

In addition, completing and organizing/documenting these eight functions of compliance provides the following benefits:

• Helps improve the company’s capability to comply on an ongoing basis
• Enhances confidence in compliance practices by others, providing an indication of commitment, capability, and reliability
• Creates a strong foundation to answer auditors’ questions (agencies, customers, certifying bodies, internal)
• Establishes compliance practices for when an incident occurs
• Helps companies know where to look for continuous improvement
• Reduces surprises and unnecessary spending on reactive compliance-related activities
• Informs management’s need to know