Spring is here…warmer temperatures, melted snow, anticipated rain, and, unfortunately, elevated flood warnings. Is your facility set with its flood preparations/Storm Water Pollution Prevention Plan (SWPPP)?

Safeguarding Against Spring Thaw

Many areas, primarily across the Midwest, are at a far higher risk of flooding this spring due to heavy winter snowpack, near record levels of soil moisture, and existing stream flows that are already significantly higher than normal. Spring thaw is a critical time to evaluate potential runoff impacts from storm waters and to ensure compliance with regulatory requirements for storm water management, particularly this year.

Permit Requirements

According to the U.S. Environmental Protection Agency (EPA), “The National Pollutant Discharge Elimination System (NPDES) permit program addresses water pollution by regulating point sources that discharge pollutants into the waters of the United States.” NPDES permits are issued by states that have obtained EPA approval to issue permits or by EPA Regions in states without such approval.

Businesses with specific SIC/NAICS codes are required to have NPDES general permits in place to help assure protection of the nation’s surface waters. If a business is required to have an NPDES general permit, they are also required to have a Storm Water Pollution Prevention Plan (SWPPP) for their site.

What Is a SWPPP?

A SWPPP is a site-specific, written document that is required to comply with a storm water general permit. The SWPPP describes:

• Potential sources of storm water pollution at the site
• Activities to control sedimentation and erosion
• Practices to reduce pollutants in storm water discharges from the site
• Procedures to comply with the terms of the general permit and Clean Water Act requirements

SWPPPs are intended to be “living” documents that are updated to reflect changes at the site. With thawing, raining, and flooding in the forecast, it is important to review the SWPPP and any Best Management Practice (BMP) strategies to ensure the site is effectively managing storm water and meeting permit and regulatory requirements.

SWPPPs and BMP Strategies for Low-Level Contamination

Kestrel recently talked with the Iowa Department of Natural Resources (IDNR) about how sites can manage the potential impacts of storm water runoff due to anticipated flooding. Here are a few tips to share based on discussions and consultation with IDNR:

Q: If the sites have had no known spills and have evaluated the contained storm water (visual evaluation for sheen, pH testing, BOD, VOCs, Tier II chemicals, and/or any requirements listed on their NPDES permit), is it an acceptable management practice for them to pump the storm water from their containment areas if they are filled with storm water? If they can pump the storm waters, where is the best option to pump them to? Is it acceptable for the industry to pump the retained, non-impacted storm waters to a ditch/culvert basin off their industrial site property?

A: Under the conditions described, storm water can be pumped out of the containment areas when the facilities are permitted if they are required to have permits. The water can be pumped anywhere to which storm water runoff could otherwise be discharged. The discharge by pumping is no different than a discharge by natural runoff, but if the water is clean, it is best to pump during low flow to not exacerbate any issues caused by high flows.

Q: If a business meets the SIC code requirement and all they store outside is a garbage dumpster with a poly lid that covers the top, do they still have to have an NPDES general permit and a SWPPP?

A: Unless the dumpster is covered by a storm-resistant shelter that also precludes run-on and subsequent runoff from the area of the dumpster, including loading and unloading areas, a permit would still be required despite the presence of the lid on the dumpster.

Storm Water Preparedness

Kestrel has worked with many industrial sites that have engineered detention basins designed to help with storm water management and, in some cases, containment for chemical spills or fire waters. Frequently, management of these sites during high water events and in compliance with regulatory requirements can be confusing. Kestrel understands how to manage onsite detention basins that have filled with spring thaw waters and rain.

Contact Kestrel today for a 30-minute, no-obligation consultation to discuss your storm water management and permitting needs. We can help you identify and implement SWPPP and Best Management Practice (BMP) strategies to effectively deal with storm water and potential runoff impacts—and ensure compliance with your National Pollutant Discharge Elimination System (NPDES) permit requirements.

Cost-effective management of environmental liabilities is a challenge for any organization, but it is particularly challenging for those companies with a large portfolio of liabilities at varying stages of maturity. The complexity of liability management is increased even more for those organizations adhering to generally accepted accounting practices (GAAP), which apply additional requirements to the process. Ultimately, the goal of liability management is to create a reliable system that enables the company to minimize risk and quickly drive projects to closure with as little expenditure of internal and external resources as possible.

The manner in which a liability is accounted (and managed) is based largely on the liability itself and the available information. Environmental liabilities are typically managed as either loss contingencies or asset retirement obligations (AROs). A company may also decide to address certain environmental liabilities as operating expenses or capital expenditures. Regardless, companies should employ a cross-functional team (i.e., finance, law, operations, and EHS departments) to establish and document a repeatable and defensible process—consistent with applicable GAAP standards—for how the liability will be managed. Further, companies should develop standard procedures that define how and when costs associated with the liabilities are estimated.

Environmental Loss Contingencies

An environmental loss contingency represents the cost to remediate an environmental liability where:

1. It is probable that the liability has occurred, and
2. The cost can be reasonably estimated.

The GAAP for loss contingencies is established in Accounting Standards Codification (ASC) 450-20. In very general terms, environmental loss contingencies include environmental investigations and remediation that are not the result of normal operations and that are generally triggered by a regulatory agency action or order.

As stated, the goal of loss contingency management is to create a system to cost-effectively minimize risk and quickly drive projects to closure, while keeping in mind the ultimate outcome of enabling future final use options to return the property to productive and valuable use without rebound liability.

Lifecycle Costs of Remediation

While the most significant cost of a remediation project is typically the expense of the remediation itself, the overall lifecycle cost of a project can be impacted significantly by the following:

• How efficiently a project moves from stage to stage (milestones) and, ultimately, to closure. Many projects get stuck at some point along this path, often significantly increasing the overall project lifecycle cost. Maintaining project velocity through each milestone can keep costs in check.
• The project team’s understanding of critical aspects of the Conceptual Site Model (CSM) before remedies are selected and implemented. Often, projects jump to a remedy—particularly interim remedies—before there is a clear understanding of the CSM (i.e., constituents of concern (COCs), pathway, receptors), resulting in premature or only partial remediation.
• Failure to address all risks associated with a site. This can include physical risks associated with buildings, foundations, and other historical operating structures and equipment.
• The project team’s understanding of the designed project end point. A periodic assessment of the end point of a project is vital to aligning stakeholders and ensuring that all efforts are directed toward the desired outcome. As data and information are collected on a project, it is sometimes necessary to reset the project strategy toward an alternative end point.
• How efficiently and effectively the project team communicates critical project information for decision making. A portfolio-based approach establishes a standard way of communicating project activities, schedule, and budget. This allows for more efficient communication between critical internal stakeholders (e.g., legal, public relations, real estate, and senior management) and with external consultants/advisers.

Portfolio-Based Management Model

There are several key elements to developing an effective portfolio-based management model, including those described in the sections below.

Standard Project Milestones
Controlling a large number of ongoing site remediation projects requires establishing a series of standard project milestones (i.e., project progressions) and associated work subtasks. This standardization establishes a common language and sets the framework for developing common subtasks for project budgeting and scheduling.

A milestone structure for remediation projects would typically include the items listed below. This structure can be adapted to projects where certain impacts to groundwater or soils can move at different velocities through project milestones.

• Project startup: Early project activities that typically include records review, strategy development, regulatory agreement negotiations, etc.
• Preliminary site investigation: Initial data gathering to assess the nature and extent of the impacts; may end with a Remedial Investigation Report (RIR)
• Site characterization and risk assessment: Complete characterization of the site to develop a CSM based on COCs, pathways, and receptors, and to identify physical aspects of the site that must be addressed as part of the project
• Feasibility study: Assessment of alternative remedial options
• Final design: Post-regulatory approved remedy design
• Implementation and OM&M: Remedy implementation and ongoing operation, maintenance, and monitoring
• End point: The targeted point for each project when all work necessary to eliminate the risk has been conducted or the point when no further work will result in additional risk mitigation

Standardized Work Breakdown Structure
For each of the milestones, a common set of subtasks is established to facilitate the development of detailed project workplans and for schedule and cost tracking. These subtasks ensure that workplans consider all the activities required to complete the work and allow for standardization across projects.

Having standardized project milestones and subtasks creates an additional benefit in that they can be used to create a more consistent and documented method for estimating contingent liability under ASC 450-20. By developing lifecycle cost estimating rules for each milestone, a company can ensure that its projects are using a common estimating logic (i.e., known and estimable) for determining the cost of investigation, design, and remedy implementation. A similar process could also be developed to ensure common estimating standards are applied to AROs ASC 410.

Project Control and Change Management
One common flaw in remediation projects is the tendency to enter into interim remedies or to identify a remedy that is not supported by data. This often results in incomplete remedies being implemented or remedies being installed that are not tied to a clear end point.

Developing standard project workplans allows for efficient project control and change management. As work progresses through milestones, data and information emerge to help identify a data-driven set of alternative remedies or a presumptive remedy. The disciplined progression of a project through milestones prevents projects from jumping to a preferred remedy without supporting data.

In addition, periodic review meetings—a key project control—create touch points to:

• Review all aspects of the project’s scope, schedule, and budget
• Test the validity of the end point
• Emphasize the continued forward momentum of the project

Centralized Project Database
Implementing a centralized database, such as Kestrel’s liability and asset management tools, to house all project workplans and other key documents provides another valuable project control. The central project database becomes the real-time repository for project information. Functionality includes the following:

• An internal database for tracking project scope, schedule, and budget for projects in a web-based workplan format
• Exportable workplans for use outside the database
• Password-protected access of the system to allow consultants to see only their projects and company staff to see all projects
• Front-end dashboard to allow senior management to monitor key project activities/status at a glance
• Ability to store key documents for each project
• Customizable project information page that houses project information (e.g., key contacts, project details, COCs, involved media)
• Customized project reports and summaries
• Ad hoc query capability

Periodic Project Reviews
Despite all good intentions, projects (particularly complicated ones) can drift off track or hit dead ends. When these situations occur, Integrated Site Reviews (ISR) can keep projects progressing to the appropriate end point.

A formal ISR can include an external facilitator for larger, more complex projects or be adapted by the project team for smaller projects. An ISR typically follows these steps to validate the project’s direction or to reset a new direction:

• An ISR team is formed consisting of a cross-functional group of stakeholders that could include the consultant, legal, internal environmental manager, real estate, operational staff, and other outside experts. Pulling together all stakeholders ensures that there is alignment and agreement on the selected end point.
• The ISR team meets (typically for no longer than a day) and goes through a structured review of technical, regulatory, legal, and third-party project drivers.
• Depending on the stage of the project, a blue sky set of alternative end points is identified.
• The alternative end points are developed, discussed, and evaluated.
• In the end, the current end point is either validated or a new end point is developed.
• All necessary changes to the project workplan are made.

Companies can respond to the challenge of managing contaminated properties by either internally staffing up to provide day-to-day oversight of the projects or by outsourcing the projects to a consultant, who can efficiently execute the project and serve as the public face. Whichever route a company decides to take, following the key elements described above will allow for effective portfolio-based management that will reach the desired end points.

Regulatory enforcement, customer and supply chain audits, and internal risk management initiatives are all driving requirements for managing regulatory compliance obligations. Many companies—especially those that are not large enough for a dedicated team of full-time staff—struggle with how to effectively resource their regulatory compliance needs.

Striking a Balance

Using a combination of in-house and outsourced resources can provide the appropriate balance to manage regulatory obligations and maintain compliance.

Outsourcing provides an entire team of resources with a breadth of knowledge/experience and the capacity to complete specific projects, as needed. At the same time, engaging in-house resources allows the organization to optimize staff duties and ensure that critical know-how is being developed internally to sustain compliance into the future.

Programmatic Approach to Compliance Management

Taking a balanced and programmatic approach that relies on internal and external resources and follows the three phases outlined below allows small to mid-size companies to create standardized compliance management solutions and more efficiently:

• Identify issues and gaps in regulatory compliance
• Achieve compliance with current obligations
• Realize improvements to compliance management
• Gain the ability to review and continually improve compliance performance

Phase 1: Compliance Assessment

A compliance assessment provides the baseline to improve compliance management and performance in accordance with current business operations and future plans. The assessment should answer the following questions:

• How complete and robust is the existing compliance management program in comparison with standard industry practice?
• Does it have the capability to yield consistent and reliable regulatory compliance assurance?
• What improvements are needed to consistently and reliably achieve compliance and company objectives?

It is important to understand how complete, well-documented, understood, and implemented the current processes and procedures are. Culture, model, processes, and capacity should all be assessed to determine the company’s overall compliance process maturity.

Phase 2: Compliance and Program Improvements

The initial analysis of the assessment forms the basis for developing recommendations and priorities for an action plan to strengthen programs, building on what already exists. The goal of Phase 2 is to begin closing the compliance gaps identified in Phase 1 by implementing corrective actions, including programs, permits, reports, training, etc.

Phase 2 answers the following questions:

• What needs to be done to address gaps and attain compliance?
• What improvements are required to existing programs?
• What resources are required to sustain compliance?

Phase 3: Ongoing Program Management

The goal of Phase 3 is to improve program processes to eliminate compliance gaps and transition the company from outsourced compliance into compliance process improvement/program development and implementation. This is done by managing the eight functions of compliance—identifying what’s needed, who does it, and when it is due. Ongoing maintenance support may include periodic audits, training, management review assistance, Information Systems (IS) support, and other ongoing compliance activities.

Case Study

For one Kestrel client, business growth has increased at a rate prompting proactive management of the company’s regulatory and compliance obligations. Following a Right-Sized Compliance approach, Kestrel assessed the company’s current compliance status and programs/processes/procedures against regulatory requirements. This initial assessment provided the critical information needed for the Kestrel team to help guide the company’s ongoing compliance improvements.

Coming out of the onsite assessment, Kestrel identified opportunities for improvement. Using industry standard program templates, in combination with operation-specific customization, Kestrel created programs to meet the identified improvement from the assessment. Kestrel then provided onsite training sessions and is working with the company to develop a prioritized action plan for ongoing compliance management.

Using the appropriate methods, processes, and technology tools, Kestrel’s programmatic approach is allowing this company to implement EHS programs that are designed to sustain ongoing compliance, achieve continual improvements, and manage compliance with efficiency through this time of accelerated growth.

Making the Connection

Kestrel’s experience suggests that the connection between management and compliance needs to be well synchronized, with reliable and effective regulatory compliance commonly being an outcome of consistent and reliable program implementation. This connection is especially important to avoid recurring compliance issues.

Following a programmatic approach allows companies to realize improvements to their compliance management and:

• Organize requirements into documented programs that outline procedures, roles/responsibilities, training requirements, etc.
• Support management efforts with technology tools that create efficiencies and improved data management
• Conduct the ongoing monitoring and management that are vital to remain in compliance
• Gain the inherent capacity, capability, and maturity to comply, review, and continually improve compliance performance

An audit provides a snapshot in time of a company’s compliance status. An essential component of any compliance program—health and safety, environmental, food safety—an audit captures compliance status and provides the opportunity to identify and correct potential business losses. But what about sustaining ongoing compliance beyond that one point in time? How does a company know if it has the processes in place to ensure ongoing compliance?

Creating a Path to Compliance Assurance

A compliance assurance review looks beyond the “point-in-time” compliance to critically evaluate how the company manages compliance programs, processes, and activities, with compliance assurance as the ultimate goal. It can also be used as a process improvement tool, while ensuring compliance with all requirements applicable to the company.

This type of review is ideal for companies that already have a management system in place or strive to approach compliance with health and safety, environmental, or food safety requirements under a management system framework.

Setting the Scope

The scope of the review is tailored to a company’s needs. It can be approached by:

• Compliance program/topic where the company has had routine compliance failures
• Compliance program/topic that presents a high risk to the company
• Compliance program/topic that spans across multiple facilities that report to a central function
• Location/product line/project where the company is looking to streamline a process while still ensuring compliance with multiple legal and other requirements

While each program, project, or location may differ in breadth of regulatory requirements, enforcement priorities, size, complexity, operational control responsibilities, etc., all compliance assurance reviews progress through a standard process that ties back to the management system.

Continual Compliance Improvements

Through a compliance assurance review, the company will define and understand:

• Compliance requirements and where regulated activities occur throughout the organization
• Current company programs and processes used to manage those activities and the associated level of program/process maturity
• Deficiencies in compliance program management and opportunities for improvement
• How to feed review recommendations back into elements of the management system to create a roadmap for sustaining and continually improving compliance

The U.S. Court of Appeals for the District of Columbia Circuit ruled on Friday, September 21, 2018 that the EPA must implement the Obama-era Risk Management Plan (RMP) Rule. This comes on the heels of the Court’s ruling on August 17, 2018, which stated that EPA does not have authority to delay final rules for the purpose of reconsideration. Usually, the Court would allow 52 days for the EPA to consider appealing the order and to plan how to implement the rule; however, groups supporting the regulation argued that it can’t wait.

Read more about the currently Court ruling.

On Monday, September 17, 2018, the Office of the United States Trade Representative (USTR) released a list of approximately $200 billion worth of Chinese imports, including hundreds of chemicals, that will be subject to additional tariffs. The additional tariffs will be effective starting September 24, 2018, and initially will be in the amount of 10 percent. Starting January 1, 2019, the level of the additional tariffs will increase to 25 percent.

In the final list, the administration also removed nearly 300 items, but the Administration did not provide a specific list of products excluded. Included among the products removed from the proposed list are certain consumer electronics products, such as smart watches and Bluetooth devices; certain chemical inputs for manufactured goods, textiles and agriculture; certain health and safety products such as bicycle helmets, and child safety furniture such as car seats and playpens.

Individual companies may want to review the list to determine the status of Harmonized Tariff Schedule (HTS) codes of interest.

View the final tariff list here.

Read the USTR press release.

Maturity assessments are designed to tell an organization where it stands in a defined area and, correspondingly, what it needs to do in the future to improve its systems and processes to meet the organization’s needs and expectations. Maturity assessments expose the strengths and weaknesses within an organization (or a program), and provide a roadmap for ongoing improvements.

Holistic Assessments

A thorough program maturity assessment involves building on a standard gap analysis to conduct a holistic evaluation of the existing program, including data review, interviews with key staff, and functional/field observations and validation.

Based on Kestrel’s experience, evaluating program maturity is best done by measuring the program’s structure and design, as well as the program’s implementation consistency across the organization. For the most part, a program’s design remains relatively unchanging, unless internal modifications are made to the system. Because of this static nature, a “snapshot” provides a reasonable assessment of the design maturity. While the design helps to inform operational effectiveness, the implementation/operational maturity model assesses how completely and consistently the program is functioning throughout the organization (i.e., how the program is designed to work vs. how it is working in practice).

Design Maturity

A design maturity model helps to evaluate strategies and policies, practices and procedures, organization and people, information for decision making, and systems and data according to the following levels of maturity:

• Level 1: Initial (crisis management) – Lack of alignment within the organization; undefined policies, goals, and objectives; poorly defined roles; lack of effective training; erratic program or project performance; lack of standardization in tools.
• Level 2: Repeatable (reactive management) – Limited alignment within the organization; lagging policies and plans; seldom known business impacts of actions; inconsistent company operations across functions; culture not focused on process; ineffective risk management; few useful program or project management and controls tools.
• Level 3: Defined (project management) – Moderate alignment across the organization; consistent plans and policies; formal change management system; somewhat defined and documented processes; moderate role clarity; proactive management for individual projects; standardized status reporting; data integrity may still be questionable.
• Level 4: Managed (program management) – Alignment across organization; consistent plans and policies; goals and objectives are known at all levels; process-oriented culture; formal processes with adequate documentation; strategies and forecasts inform processes; well-understood roles; metrics and controls applied to most processes; audits used for process improvements; good data integrity; programs, processes, and performance reviewed regularly.
• Level 5: Optimized (managing excellence) – Alignment from top to bottom of organization; business forecasts and plans guide activity; company culture is evident across the organization; risk management is structured and proactive; process-centered structure; focus on continuous improvement, training, coaching, mentoring; audits for continual improvement; emphasis on “best-in-class” methods.

A gap analysis can help compare the actual program components against best practice standards, as defined by the organization. At this point, assessment questions and criteria should be specifically tuned to assess the degree to which:

• Hazards and risks are identified, sized, and assessed
• Existing controls are adequate and effective
• Plans are in place to address risks not adequately covered by existing controls
• Plans and controls are resourced and implemented
• Controls are documented and operationalized across applicable functions and work units
• Personnel know and understand the controls and expectations and are engaged in their design and improvement
• Controls are being monitored with appropriate metrics and compliance assurance
• Deficiencies are being addressed by corrective/preventive action
• Processes, controls, and performance are being reviewed by management for continual improvement
• Changed conditions are continually recognized and new risks identified and addressed

Implementation/Operational Maturity

The logical next step in the maturity assessment involves shifting focus from the program’s design to a maturity model that measures how well the program is operationalized, as well as the consistency of implementation across the entire organization. This is a measurement of how effectively the design (program static component) has enabled the desired, consistent practice (program dynamic component) within and across the company.

Under this model, the stage of maturity (i.e., initial, implementation in process, fully functional) is assessed in the following areas:

• Adequacy and effectiveness: demonstration of established processes and procedures with clarity of roles and responsibilities for managing key functions, addressing significant risks, and achieving performance requirements across operations
• Consistency: demonstration that established processes and procedures are fully applied and used across all applicable parts of the organization to achieve performance requirements
• Sustainability: demonstration of an established and ongoing method of review of performance indicators, processes, procedures, and practices in-place for the purpose of identifying and implementing measures to achieve continuing improvement of performance

This approach relies heavily on operational validation and seeking objective evidence of implementation maturity by performing functional and field observations and interviews across a representative sample of operations, including contractors.

Cultural Component

Performance within an organization is the combined result of culture, operational systems/controls, and human performance. Culture involves leadership, shared beliefs, expectations, attitudes, and policy about the desired behavior within a specific company. To some degree, culture alone can drive performance. However, without operational systems and controls, the effects of culture are limited and ultimately will not be sustained. Similarly, operational systems/controls (e.g., management processes, systems, and procedures) can improve performance, but these effects also are limited without the reinforcement of a strong culture. A robust culture with employee engagement, an effective management system, and appropriate and consistent human performance are equally critical.

A culture assessment incorporates an assessment of culture and program implementation status by performing interviews and surveys up, down, and across a representative sample of the company’s operations. Observations of company operations (field/facility/functional) should be done to verify and validate.

A culture assessment should evaluate key attributes of successful programs, including:

1. Leadership
2. Vision & Values
3. Goals, Policies & Initiatives
4. Organization & Structure
5. Employee Engagement, Behaviors & Communications
6. Resource Allocation & Performance Management
7. Systems, Standards & Processes
8. Metrics & Reporting
9. Continually Learning Organization
10. Audits & Assurance

Assessment and Evaluation

Data from document review, interviews, surveys, and field observations are then aggregated, analyzed, and evaluated. Identifying program gaps and issues enables a comparison of what must be improved or developed/added to what already exists. This information is often organized into the following categories:

• Policy and strategy refinements
• Process and procedure improvements
• Organizational and resource requirements
• Information for decision making
• Systems and data requirements
• Culture enhancement and development

From this information, it becomes possible to identify recommendations for program improvements. These recommendations should be integrated into a strategic action plan that outlines the long-term program vision, proposed activities, project sequencing, and milestones. The highest priority actions should be identified and planned to establish a foundation for continual improvement, and allow for a more proactive means of managing risks and program performance.

The EPA’s Risk Management Plan (RMP) Rule (Section 112(r) of the Clean Air Act Amendments) has garnered a lot of attention as its status as a rule has fluctuated since the RMP Amendments were published under the Obama Administration on January 13, 2017.

The latest development in the RMP saga came on August 17, 2018, when the U.S. Court of Appeals for the District of Columbia Circuit ruled that EPA does not have authority to delay final rules for the purpose of reconsideration.

Background

The original RMP Amendments of 2017 were developed in response to Executive Order (EO) 1365, Improving Chemical Safety and Security, and intended to:

• Prevent catastrophic accidents by improving accident prevention program requirements
• Enhance emergency preparedness to ensure coordination between facilities and local communities
• Improve information access to help the public understand the risks at RMP facilities
• Improve third-party audits at RMP facilities

However, after EPA published the final rule, many industry groups and several states filed challenges and petitions, arguing that the rule was overly burdensome, created potential security risks, and did not properly coordinate with OSHA’s Process Safety Management (PSM) standard.

Under the Trump administration, EPA delayed the effective date of the rule by 20 months—until February 2019—and announced its plan to reconsider the rule’s provisions. On May 30, 2018, the RMP Reconsideration Proposed Rule was published and proposed to:

• Maintain consistency of RMP accident prevention requirements with the OSHA PSM standard
• Address security concerns
• Reduce unnecessary regulations and regulatory costs
• Revise compliance dates to provide necessary time for program changes

Recent Court Actions

In the most recent actions, the federal court ruled that the EPA can no longer delay enforcement of the RMP Rule. In its court opinion, the judges cited that the delay “makes a mockery of the statute” because it violates the CAA requirement to “have an effective date, as determined by the Administrator, assuring compliance as expeditiously as practicable.” The court further stated that the delay of the rule was “calculated to enable non-compliance.”

EPA Administrator Scott Pruitt countered that the EPA needed more time to weigh concerns, particularly those about security risks associated with chemical facilities disclosing information to the public.

The judges have noted that EPA can still substantively revise the RMP Rule and its compliance deadline(s); however, they reinforced that in the CAA, “Congress is seeking meaningful, prompt action by EPA to promote accident prevention.”

What’s Next?

The RMP Rule will not take effect immediately; EPA has time to appeal the decision and petition for rehearing. The earliest that the RMP Amendments (as originally published) could realistically go into effect is October 2018. Based on this, effective dates for requirements contained in the RMP Amendments would be as follows:

• Effective immediately: 3-year compliance audits in each covered process at the facility (original date: March 14, 2017)
• Effective immediately: Duty to coordinate emergency response activities with local emergency responders (original date: March 14, 2018)
• March 14, 2020: Emergency Response Program revisions
• March 15, 2021: Third-party auditor requirements; incident investigation and root cause analyses; safer technology and alternatives analyses/IST provisions; emergency response exercise; public availability of information
• March 14, 2022: Revised elements of RMP provisions in Subpart G

If a rehearing is granted, the timeline would likely extend further into the future. Meanwhile, comments are due on the RMP Reconsideration Proposed Rule on Thursday, August 23, 2018. Kestrel will continue to monitor developments with the RMP Rule, as its final status remains a moving target.

Audits provide an essential tool for improving and verifying compliance performance. As discussed in Part 1, there are a number of audit program elements and best practices that can help ensure a comprehensive audit program. Here are 12 more tips to put to use:

1. Action item closure. Address repeat findings. Identify patterns and seek root cause analysis and sustainable corrections.
2. Training. Training should be done throughout the entire organization, across all levels:
   • Auditors are trained on both technical matters and program procedures.
   • Management is trained on the overall program design, purpose, business impacts of findings, responsibilities, corrections, and improvements.
   • Line operations are trained on compliance procedures and company policy/systems.
3. Communications. Communications with management should be done routinely to discuss status, needs, performance, program improvements, and business impacts. Communications should be done in business language—with business impacts defined in terms of risks, costs, savings, avoided costs/capital expenditures, benefits. Those accountable for performance need to be provided information as close to “real time” as possible, and the Board of Directors should be informed routinely.
4. Leadership philosophy. Senior management should exhibit top-down expectations for program excellence. EHSMS quality excellence goes hand-in-hand with operational and service quality excellence. Learning and continual improvement should be emphasized.
5. Roles & responsibilities. Clear roles, responsibilities, and accountabilities need to be established. This includes top management understanding and embracing their roles/responsibilities. Owners of findings/fixes also must be clearly identified.
6. Funding for corrective actions. Funding should be allocated to projects based on significance of risk exposure (i.e., systemic/preventive actions receive high priority). The process should incentivize proactive planning and expeditious resolution of significant problem areas and penalize recurrence or back-sliding on performance and lack of timely fixes.
7. Performance measurement system. Audit goals and objectives should be nested with the company business goals, key performance objectives, and values. A balanced scorecard can display leading and lagging indicators. Metrics should be quantitative, indicative (not all-inclusive), and tied to their ability to influence. Performance measurements should be communicated and widely understood. Information from auditing (e.g., findings, patterns, trends, comparisons) and the status of corrective actions often are reported on compliance dashboards for management review.
8. Degree of business integration. There should be a strong link between programs, procedures, and methods used in a quality management program—EHS activities should operate in patterns similar to core operations rather than as ancillary add-on duties. In addition, EHS should be involved in business planning and MOC. An EHSMS should be well-developed and designed for full business integration, and the audit program should feed critical information into the EHSMS.
9. Accountability. Accountability and compensation must be clearly linked at a meaningful level. Use various award/recognition programs to offer incentives to line operations personnel for excellent EHS performance. Make disincentives and disciplinary consequences clear to discourage non-compliant activities.
10. Deployment plan & schedule. Best practice combines the use of pilot facility audits, baseline audits (to design programs), tiered audits, and a continuous improvement model. Facility profiles are developed for all top priority facilities, including operational and EHS characteristics and regulatory and other requirements.
11. Relation of audit program to EHSMS design & improvement objectives. The audit program should be fully interrelated with the EHSMS and feed critical information on systemic needs into the EHSMS design and review process. It addresses the “Evaluation of Compliance” element under EHSMS international standards (e.g., ISO 14001 and OHSAS 18001). Audit baseline helps identify common causes, systemic issues, and needed programs. The EHSMS addresses root causes and defines/improves preventive systems and helps integrate EHS with core operations. Audits further evaluate and confirm performance of EHSMS and guide continuous improvement.
12. Relation to best practices. Inventory best practices and share/transfer them as part of audit program results. Use best-in-class facilities as models and “problem sites” for improvement planning and training.  The figure below illustrates an audit program that goes beyond the traditional “find it, fix it, find it, fix it” repetitive cycle to one that yields real understanding of root causes and patterns. In this model, if the issues can be categorized and are of wide scale, the design of solutions can lead to company-wide corrective and preventive measures. This same method can be used to capture and transfer best practices across the organization. They are sustained through the continual review and improvement cycle of an EHSMS and are verified by future audits.

Read the part 1 audit program best practices. 

Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. An audit is typically part of a broader compliance assurance program and can cover some or all of the company’s legal obligations, policies, programs, and objectives.

Companies come in a variety of sizes with a range of different needs, so auditing standards remain fairly flexible. There are, however, a number of audit program elements and best practices that can help ensure a comprehensive audit program:

1. Goals. Establishing goals enables recognition of broader issues and can lead to long-term preventive programs. This process allows the organization to get at the causes and focus on important systemic issues. It pushes and guides toward continuous improvement. Goal-setting further addresses the responsibilities and obligations of the Board of Directors for audit and oversight and elicits support from stakeholders.
2. Scope. The scope of the audit should be limited initially (e.g., compliance and risk) to what is manageable and to what can be done very well, thereby producing performance improvement and a wider understanding and acceptance of objectives. As the program is developed and matures (e.g., Management Systems, company policy, operational integration), it can be expanded and, eventually, shift over time toward systems in place, prevention, efficiency, and best practices.
3. Committed resources. Sufficient resources must be provided for staffing and training and then applied, as needed, to encourage a robust auditing program. Resources also should be applied to EHSMS design and continuous improvement. It is important to track the costs/benefits to compare the impacts and results of program improvements.
4. Operational focus. All facilities need to be covered at the appropriate level, with emphasis based on potential EHS and business risks. The operational units/practices with the greatest risk should receive the greatest attention (e.g., the 80/20 Rule). Vendors/contractors and related operations that pose risks must be included as part of the program. For smaller, less complex and/or lower risk facilities, lower intensity focus can be justified. For example, relying more heavily on self-assessment and reporting of compliance and less on independent audits may provide better return on investment of assessment resources.
5. Audit team. A significant portion of the audit program should be conducted by knowledgeable auditors (independent insiders, third parties, or a combination thereof) with clear independence from the operations being audited and from the direct chain of command. For organizational learning and to leverage compliance standards across facilities, it is good practice to vary at least one audit team member for each audit. Companies often enlist personnel from different facilities and with different expertise to audit other facilities. Periodic third-party audits further bring outside perspective and reduce tendencies toward “home-blindness”.
6. Audit frequency. There are several levels of audit frequency, depending on the type of audit:
   • Frequent: Operational (e.g., inspections, housekeeping, maintenance) – done as part of routine EHSMS day-to-day operational responsibilities
   • Periodic: Compliance, systems, actions/projects – conducted annually/semi-annually
   • As needed: For issue follow-up
   • Infrequent: Comprehensive, independent – conducted every three to four years

7. Differentiation methods. Differentiating identifies and distinguishes issues of greatest importance in terms of risk reduction and business performance improvement. The process for differentiating should be as clear and simple as possible; a system of priority rating and ranking is widely understood and agreed. The rating system can address severity levels, as well as probability levels, in addition to complexity/difficulty and length of time required for corrective actions.
8. Legal protection. Attorney privilege for audit processes and reports is advisable where risk/liability are deemed significant, especially for third-party independent audits. To the extent possible, make the audit process and reports become management tools that guide continuous improvement. Organizations should follow due diligence elements of the USEPA audit policy.
9. Procedures. Describe and document the audit process for consistent, efficient, effective, and reliable application. The best way to do this is to involve both auditors and those being audited in the procedure design. Audit procedures should be tailored to the specific facility/operation being audited. Documented procedures should be used to train both auditors and those accountable for operations being audited. Procedures can be launched using a pilot facility approach to allow for initial testing and fine-tuning. Keep procedures current and continually improve them based on practical application. Audits include document and record review (corporate and facility), interviews, and observations.
10. Protocols & tools. Develop specific and targeted protocols that are tailored to operational characteristics and based on applicable regulations and requirements for the facility. Use “widely accepted or standard practice” as go-by tools to aid in developing protocols (e.g., ASTM site assessment standards; ISO 14010 audit guidance; audit protocols based on EPA, OSHA, MSHA, Canadian regulatory requirements; GEMI self-assessment tools; proprietary audit protocol/tools). As protocols are updated, the ability to evaluate continuous improvement trends must be maintained (i.e., trend analysis).
11. Information management & analysis. Procedures should be well-defined, clear, and consistent to enable the organization to analyze trends, identify systemic causes, and pinpoint recurring problem areas. Analysis should prompt communication of issues and differentiation among findings based on significance. Audit reports should be issued in a predictable and timely manner. It is desirable to orient the audit program toward organizational learning and continual improvement, rather than a “gotcha” philosophy. “Open book” approaches help learning by letting facility managers know in advance what the audit protocols are and how the audits will be conducted.
12. Verification & corrective action. Corrective actions require corporate review, top management-level attention and management accountability for timely completion. A robust root cause analysis helps to ensure not just correction/containment of the existing issue, but also preventive action to assure controls are in place to prevent the event from recurring. For example, if a drum is labeled incorrectly, the corrective action is to relabel that drum. A robust plan should also look for other drums than might be labeled incorrectly and to add and communicate an effective preventive action (e.g., training or posting signs showing a correctly labeled drum).

Read the part 2 audit program best practices.