Biotechnology Focus

• Are you managing your waste correctly? 
• Are you disposing of your waste efficiently and cost-effectively? 
• Do you have a system to track your waste and sustain its management? 

Waste is one of those risks that is often overlooked at companies because it isn’t something core to operations. Unfortunately, if waste is incorrectly managed, there are regulatory compliance risks, exposure risks, and potential financial penalties that can impact your business.  

The following represent just some of the challenging waste situations facing biotech companies that must be addressed:  

• Chemical liquid waste going down the drain 
• Chemicals being evaporated up the hood 
• Biohazardous materials being thrown in the trash 
• Chemical spill cleanup materials that are being thrown in the trash 

Waste products such as these do not belong in standard trash and may hold either more value or more risk to the organization. For example, some wastes have continued value through recycling or repurposing. Conversely, other wastes may be regulated, requiring special disposal processes. Improperly disposing these regulated wastes (i.e., through standard trash) can create safety or environmental risks that may cost big dollars.  

How do you avoid making pricey mistakes?  

Methodical Approach

A methodical, analytical approach to characterizing and evaluating waste can substantially improve efficiencies when it comes to handling waste, and minimize the risks of improper waste management. Evaluation of waste streams (i.e., the type of waste generated and how/where it is generated) can help to identify:  

• Areas to improve efficiencies in waste management processes 
• Wastes that can be minimized and/or prevented to reduce disposal costs 
• Alternative strategies for disposal and waste management that may result in minimized inputs and lower cost of initial supplies  
• Regulatory requirements to avoid any potential penalties for non-compliance 

Let’s take the evaluation of waste solvent as one example. Companies frequently purchase large quantities of solvent and then end up paying for its disposal. Reviewing the type of solvent and how it is being used may reveal an alternative with the potential for significant savings, such as a bench–top distillation unit, which would provide for: 

• Lower upfront costs in the purchase of solvent 
• Lower costs in the disposal of hazardous waste solvent 
• Fewer risks and regulatory requirements associated with stocking less solvent   

Business Benefits

Strategic evaluation of one type of generated waste may also lead to significant business benefits beyond the waste itself. A thorough review of business and operational processes and the waste being generated creates the opportunity for a “bottom–to–top” evaluation of all regulatory compliance. And that can lead to potential savings that a business may not have previously identified. Review and understanding of wastes being generated within a lab or business often leads to the following program area discussions: 

• Review of EPA hazardous waste and opportunities to minimize or more cost-effectively manage this expensive waste stream. 
• Evaluation of compliance with EPA waste requirements to make sure waste is labeled, stored, disposed, and reported correctly. 
• Review of other waste streams, such as biohazardous, radiological, and universal waste streams, to assure they are being efficiently managed and in compliance with regulations. 
• Evaluation of how chemicals are being managed in accordance with regulatory requirements (e.g., EPA, OSHA, DOT). 
• Review of OSHA safety programs and discussions to ensure training, documentation, and procedures are in place to keep employees safe while meeting requirements for such programs as hazard communication, personal protective equipment (PPE), respiratory protection, safety showers, eye wash stations, fire extinguishers, confined space, energy control and emergency response planning. 
• Exploration of options for recycling and best practices that have the potential to significantly improve financial bottom line management and increase sustainability of lab operation. 

Strategy Going Forward

Effectively managing your waste really begins with a comprehensive review of operations. It is a process of understanding what you have, where it fits, and what you need to do with it to minimize risk, reduce costs, and ensure compliance. This process walks a company through the following basic questions:  

• What are my business processes? 
• What kind of waste does my company generate? 
• What waste regulations apply to my business? 
• How do I understand the potential impacts of my waste? 
• How do I come up with a strategy to effectively minimize waste and reduce cost while keeping employees safe? 
• How do I ensure that we efficiently and cost-effectively manage waste and compliance for the long run? 

Over the next several weeks, we will be answering each of these questions in a series of articles to help address some of the common—and often costly—mistakes related to waste management and to help ensure you are managing your wastes in the appropriate and most cost-effective ways possible. 

On August 14, 2019, the U.S. Department of Transportation’s (DOT) Pipeline and Hazardous Materials Safety Administration (PHMSA) released a proposed rule to make several miscellaneous amendments to the Hazardous Materials Regulations (HMR) to ensure the safe and secure movement of hazardous materials to industry and consumers by all modes of transportation. This proposed rule is in response to numerous petitions submitted requesting PHMSA address a variety of provisions, including some on packaging, hazardous communication, and incorporation by reference documents. According to PHMSA, the amendments are intended to update, clarify, improve the safety of, or provide relief from various regulatory requirements in the HMR. The proposed amendments include:

• Adopting a phase-out schedule for certain railroad tank cars used to transport poisonous-by-inhalation materials
• Clarifying the cleaning standard for metal drums, including removing residual adhesive from labels
• Allowing the continued use of certain portable and mobile refrigerator systems commonly used in the produce industry
• Allowing for all waste materials to be managed in accordance with the lab pack exception whether they meet the definition of a hazardous waste per the U.S. EPA
• Incorporating an industry standard that can help to enhance the production of oil and gas wells
• Several additional proposed amendments derived from PHMSA’s petition for rulemaking process

EPA’s Hazardous Waste Generator Improvements Rule became effective on May 30, 2017, federally and in those states and U.S. Territories not authorized for RCRA (i.e., Iowa, Alaska, tribal lands and most of the territories). In the remainder of the states, the rule becomes effective when the state adopts it and adds it to their regulations. States were required to adopt more stringent revisions by July 1, 2019, which means the impacts of this rule should start to be realized across the country. The states are in various stages of adopting the regulation; check the status for your state.

For all intents and purposes, this is a good thing, as the Improvements Rule is designed to:

• Make the RCRA hazardous waste generator regulations easier to understand;
• Provide greater flexibility in how hazardous waste is managed to better fit today’s business operations; and
• Improve environmental protection.

Substantial Regulatory Revisions

The final rule includes over 60 revisions and new provisions to the hazardous waste generator program to make requirements more “user-friendly” in the end. Many of the revisions are technical corrections that address inadvertent errors in the regulations, remove obsolete programs, and clarify unclear citations. Some of the more substantial changes in the final rule, which states are required to adopt unless their requirements are more stringent, are outlined below.

Very Small Quantity Generators (VSQGs)

Conditionally exempt small quantity generators are now called very small quantity generators (VSQGs), and VSQG regulations are moved from 40 CFR 261.5 to 40 CFR 262. A VSQG generates less than 100 kg of hazardous waste in a month and may not accumulate more than 1,000 kg of hazardous waste.

Renotification for Small Quantity Generators (SQG)

The new rule now requires periodic renotification for SQGs every four years; SQGs were previously only required to notify once.

Waste Determinations

Any facility that generates waste needs to determine whether that waste is hazardous. According to the Improvements Rule, his waste determination must be made at the point of generation of the waste, prior to any dilution, mixing, and/or alteration.

Waste Consolidation

VSQGs are allowed to send hazardous waste to a large quantity generator (LGQ) to consolidate it before sending it to a RCRA-designated facility for management, under the condition that the facilities are under the control of the same person. Waste containers must be appropriately labeled (i.e., VSQG Hazardous Waste), and the LQG must notify the state of their participation.

Episodic Generation

Episodic generation of hazardous waste occurs when a non-routine event (planned or unplanned) results in a smaller generator generating atypically larger amount of hazardous waste in a month, triggering more stringent regulations. Under the Improvements Rule, VSQGs and small quantity generators (SQGs) are allowed to maintain their existing generator category in the event they experience an episodic generation event. The Rule allows for one event per calendar year, with the potential to petition for a second. Generators must notify EPA/state agency 30 days prior to initiating a planned event or within 72 hours of an unplanned event. 

Enhanced Labeling

Previous RCRA program labeling regulations did not require waste generators to identify the hazards of wastes, which resulted in failure to communicate risks of wastes being transported, accumulated, or stored in different locations. Under the Improvements Rule, labeling and marking of containers and tanks must clearly indicate the hazards of the hazardous waste contained inside and include the words “Hazardous Waste” . 

Waste generators may use one of several established methods to indicate the waste hazards, including:

• DOT hazard communication consistent with 49 CFR part 172 subpart E (labeling) or subpart F (placarding)
• OSHA hazard statement or pictogram, as described in the OSHA Hazard Communication Standard in 29 CFR section 1910.1200
• NFPA code 704 chemical hazard label
• RCRA hazardous waste characteristic (i.e., ignitable, corrosive, reactive, toxic)

The labeling requirements for containers in the satellite accumulation areas and for containers in the central accumulation area are identical, with the additional requirement that containers in the generator’s central accumulation area are marked with the date that the satellite container was moved to the storage area or the date that waste was initially added to the container in the central accumulation area.

Note that marking containers with RCRA codes is required for SQGs and LQGs prior to sending hazardous waste off-site, per 40 CFR 262.32.

Emergency Response

Previous regulations required generators to make arrangements with Local Emergency Planning Commissions (LEPCs) for potential emergency situations. The Improvements Rule expands this to require documentation of these arrangements/efforts with the LEPCs. In addition, LQGs must prepare an executive summary of their contingency plans containing the information most critical for immediate response to an emergency situation. This Quick Reference Guide must contain the following eight elements:

• Types/names of hazardous waste and associated hazards
• Estimated maximum amounts of hazardous waste onsite
• Hazardous wastes requiring special treatment
• Map highlighting where hazardous wastes are generated, accumulated, and treated
• Map of facility and surroundings that identifies routes of access and evacuation
• Location of water supply
• Identification of onsite notification systems
• Name of emergency coordinator and contact information

Ensuring Compliance

Again, the final rule includes over 60 revisions and new provisions, and authorized states are required to adopt the more stringent portions of the rule and may choose to adopt the less stringent portions. It is important for facilities to:

1. Get a solid understanding of the rule for the states in which it operates. Regulations may vary from state to state.
2. Determine waste generator status to understand which requirements are applicable. VSQGs, SQGs, and LQGs have some different requirements due to their potential impacts on the environment.
3. Assess compliance with the new and revised provisions. Each facility should be assessed to compare existing efforts with updated regulatory requirements.
4. Create a plan to close any compliance gaps. In many cases, the rule offers flexibility to help facilities in their efforts to comply. There are alternatives facilities can and should explore to find solutions that offer the greatest economic and environmental benefits.

Note: EPA developed a workshop on the Hazardous Waste Generator Improvements Rule. The training is designed to explain the Rule’s provisions.

Compliance risk assessment helps to identify and assess risks related to applicable regulatory requirements. Internal and external events or conditions affecting the entity’s ability to achieve objectives must be identified, distinguishing between risks and opportunities. These risks are analyzed, considering the following:

• Size of the risk – where, how big, how often/many?
• Severity of the outcome – to what extent can it impact safety, environmental, operational, financial, customer relations, regulatory compliance?
• Likelihood/probability of each risk – how likely is the occurrence of a negative outcome, considering the maturity of existing controls?

Based on this assessment, management can prioritize risks, select appropriate risk responses (avoiding, accepting, reducing, sharing), and develop a set of actions to align with the entity’s risk tolerance/appetite. An acceptable level of residual risk is considered after selected improvements and controls are applied. From there, policies and procedures can be established and implemented to help ensure the risk responses are effectively communicated so operating managers and individuals can carry out their responsibilities.

A deeper dive compliance program assessment may be performed for those risks that are identified as the company’s most significant.

Compliance Program Assessment

A compliance program assessment looks beyond “point-in-time” compliance to critically evaluate how the company manages compliance programs, processes, and activities, with compliance assurance as the ultimate goal. Capability, capacity, programs, and processes to comply are examined as part of this review. Conducting routine process and compliance audits are also key components of a compliance assurance program.

Compliance program assessment should follow a disciplined and consistent process, resulting in an effective program that guides alignment of activities to an integrated management system for sustained compliance and continuous improvement. An essential part of the assessment, audits capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices.

Compliance program assessment enables a company to define and understand:

• Compliance requirements and where regulated activities occur throughout the organization
• Current company programs and processes used to manage those activities and the associated level of program/process maturity
• Deficiencies in compliance program management and opportunities for improvement
• How to feed review recommendations back into elements of the management system to create a roadmap for sustaining and continually improving compliance

There are six phases associated with a compliance program assessment:

Phase 1 – Regulations, Requirements, and Applicability Analysis: Phase 1 focuses on identifying, organizing, validating, and understanding all of the requirements (legal or other) with which the company must comply. It provides an applicability analysis of the requirements to company operations by functional area and evaluates the associated risks. This stage engages representatives across the company who are responsible for activities subject to the requirements.

Phase 2 – Activities Analysis: This phase involves developing an inventory/profile of all company activities that may trigger the requirements identified in Phase 1. It asks the question, “What activities does the company carry out that are covered by the requirements?”

Phase 3 – Desired Compliance Program Standard: Establishing the company’s expectations for compliance program processes and controls—the desired condition—is essential. This “to-be” standard integrates management system principles into compliance program management. Programs should examine relative risks and ensure that risk-based priorities are being set.

Phase 4 – Actual Compliance Program Condition: In contrast to the desired standard identified in Phase 3, Phase 4 is about describing the company’s current compliance program. It defines how the company performs the activities outlined in Phase 3 (along with who, when, and where)—the “as-is” condition. This is done in the same framework as the desired standard in order to compare them in the next phase.

Phase 5 – Gap Analysis: The gap analysis compares actual compliance program management against the desired standard. It evaluates compliance program management processes, controls, and maturity to determine if they are good as is, need improvement, or are missing. These gaps and opportunities provide the basis for the improvement actions developed in Phase 6.

Phase 6 – Improvement Actions: Phase 6 moves the process along to developing action plans and an approach for ongoing management review that will guide the compliance program development and improvement activities. Compliance program management review is established at the end of this last phase. If there is a management system in place, program review information and action plan tracking can be integrated into that management system.

Outcomes

As a whole, this process will help companies evaluate the degree to which:

• Compliance goals and objectives are set and communicated by management.
• Hazards and risks are identified, sized, and assessed, including an inventory of activities subject to the compliance requirements and the relative risks.
• Existing controls are adequate and effective, recognizing, and addressing changed conditions.
• Plans are in place to address risks not adequately covered by existing controls.
• Plans and controls are resourced and implemented.
• Controls are documented and operationalized across functions and work units.
• Personnel know and understand the controls and expectations, and are engaged in their design and improvement.
• Controls are being monitored with appropriate metrics and compliance auditing and assurance.
• Information system is sufficient to support management system-required functions (e.g., document management and control, action tracking, notifications, training tracking, task calendaring, metrics reporting). Information dashboards can be used for reports to management.
• Deficiencies are being addressed by corrective/preventive action and are being tracked to completion.
• Processes, controls, and performance are being reviewed by management for ongoing improvement, including the maintenance and continual improvement of the integrated management system.

A well-designed and well-executed compliance assurance program provides an essential tool for improving and verifying business performance and limiting compliance risks. Ultimately, however, a compliance program’s effectiveness comes down to whether it is merely a “paper program” or whether it is being integrated into the organization and used in practice on a daily basis.

The following can show evidence of a living, breathing program:

• Comprehensiveness of the program
• Dedicated staff and resources
• Employee knowledge and engagement
• Management commitment and employee perception
• Internal operational inspections, “walkabouts” by management
• Independent insider, plus third-party audits
• Program tailoring to greatest risks
• Consistency and timeliness of exception (noncompliance/nonconformance) disclosures
• Tracking of timely and adequate corrective/preventive action completion
• Progress and performance monitoring

Best Practices

To achieve a compliance assurance program on par with world-class organizations, there are a number of best practices that companies should employ:

Know the requirements. This means maintaining an inventory of regulatory compliance requirements for each compliance program, as well as of state/local/contractual binding agreements applying to operations. It is vital that the organization keep abreast of current/upcoming requirements (federal, state, local).

Plan and develop the processes to comply. Identify and assess compliance risks, and then set objectives and targets for performance improvement based on top priorities. From here, it becomes possible to then define program improvement initiatives, assign and document responsibilities for compliance (who must do what and when), develop procedures and tools, and then allocate resources to get it done.

Assure compliance in operations. The organization needs to establish routine checks and inspections within departments to evaluate conformance with sub-process procedures. Process audits should be designed and implemented to cut across operations and sub-processes in order to evaluate conformance with company policies and procedures. Regulatory compliance audits should further be conducted to address program requirements (e.g., environmental, safety, mine safety, security). Audit performance must be measured and reported, and the expectations set for operating managers to take responsibility for compliance.

Take action on issues and problems. Capture, log and categorize noncompliance issues, process nonconformances, and near misses. Implement a corrective/preventive action process based on the importance of issues. Be disciplined in timely completion, close-out, and documentation of all corrective/preventive actions.

Employ management of change (MOC) process. Robust MOC processes help ensure that changes affecting compliance (to the facility, operations, personnel, infrastructure, materials, etc.) are reviewed for their impacts on compliance. Compliance should be assured before the changes are made. Failure to do so is one of the most common root causes of noncompliance.

Ensure management involvement and leadership. Set the tone at the top. The Board of Directors and senior executives must set policy, culture, values, expectations, and goals. It is just as important that these individuals are the ones to communicate across the organization, to demonstrate their commitment and leadership, to define an appropriate incentive/disincentive system, and to provide ongoing organizational feedback.

Maintaining Ongoing Compliance

The compliance assurance program must be a living, breathing program. As risks change, the program must be refreshed, refined, and redeployed. A management system framework can help ensure operational sustainability. A management system drives the auditing process and helps companies say what they will do, do what they say and, importantly, verify it.

Together, there is a real value at the intersection of a compliance assurance program and management systems. Management systems define the internal controls that are in place to reduce risks, prevent losses, and sustain and improve performance over time through the Plan-Do-Check-Act (PDCA) cycle of continual improvement.

Testing and Monitoring

Testing, monitoring, and measuring are crucial elements of this cycle. Without them, it is difficult to understand what is working and what needs improvement. Robust testing and monitoring programs can serve as early warning systems for identifying potential compliance risks before they become enforcement issues.

Compliance should be tested and monitored throughout each level of the organization. A strong testing program will evaluate the results of the compliance risk assessment and assign compliance risks to the business units and processes where they are most likely to occur, creating clear lines of responsibility and accountability. Key risks and the related controls should be tested periodically using statistically valid sampling methodologies, and monitoring activities should be performed on an ongoing basis. Doing so produces trend data that provides the rationale needed for making changes to underlying business processes, as well as emerging risks.

Ongoing compliance excellence relies on top management, operations managers, EHS personnel, and individual employees throughout the organization working together to build and sustain an organizational culture that places compliance on par with business performance. Senior management must focus on the overall culture of the company in terms of taking the necessary steps to reduce risk and make prevention part of daily operations. While it may be impossible to eliminate all risk exposure, a solid risk framework, assessment methodology, and compliance assurance program can help to prioritize risks for active management, sustained compliance, and positive business impacts.

Virtually every regulatory program—environmental, health & safety, security, food safety—has compliance requirements that call for companies to fulfill a number of common compliance activities. While they do not necessarily need to be addressed all at once or from the start, considering the eight functions of compliance (as outlined below) when designing a compliance Information Management System (IMS) helps define the starting point and build a vision for the “end point” when planning IMS improvements. These compliance functions translate into modules—facility profiles, employee counts, training tracking, corrective action tracking, auditing tasks, compliance calendars, documents and records management, permit tracking, etc.—that are instrumental in establishing or improving a company’s capability to comply. 

8 Functions of Compliance

1. Inventory means taking stock of what exists. The outcome of a compliance inventory is an operational and EHS profile of the company’s operations and sites. In essence, the inventory is the top filter that determines the applicability of regulatory requirements and guides compliance plans, programs, and activities. For compliance purposes, the inventory is quite extensive, including (but not limited to) the following:
   • Activities and operations (i.e., what is done – raw material handling, storage, production processes, fueling, transportation, maintenance, facilities and equipment, etc.)
   • Functional/operational roles and responsibilities (i.e., who does what, where, when)
   • Emissions
   • Wastes
   • Hazardous materials
   • Discharges (operational and stormwater-related)
   • Safety practices
   • Food safety practices
2. Authorizations, permits & certifications provide a “license to construct, install, or operate.” Most companies are subject to authorizations/permits at the federal, state, and local levels. Common examples include air permits, operating permits, Title V permits, safe work permits, tank certifications, discharge permits, construction authorization. In addition, there may be required fire and building codes and operator certifications. Once the required authorizations, permits, and/or certifications are in place, some regulatory requirements lead companies to the preparation and updating of plans as associated steps.
3. Plans are required by a number of regulations. These plans typically outline compliance tasks, responsibilities, reporting requirements, schedule, and best management practices to comply with the related permits. Common compliance-related plans may include SPCC, SWPPP, SWMP, contingency, food safety management, and security plans.
4. Training supports the permits and plans that are in place. It is crucial to train employees to follow the requirements so they can effectively execute their responsibilities and protect themselves, company assets and communities. Training should cover operations, safety, security, environment, and food safety aimed at compliance with regulatory requirements and company standards and procedures.
5. Practices in place involve doing what is required to follow the terms of the permits, related plans and regulations. These are the day-to-day actions (regulatory, best management practices, planned procedures, SOPs, and work instructions) that are essential for following the required processes.
6. Monitoring & inspections provide compliance checks to ensure locations and operations are functioning within the required limits/parameters and the company is achieving operational effectiveness and performance expectations. This step may include some physical monitoring, sampling, and testing (e.g., emissions, wastewater). There are also certain regulatory compliance requirements for the frequency and types of inspections that must be conducted (e.g., forklift, tanks, secondary containment, outfalls). Beyond regulatory requirements, many companies have internal monitoring/inspection requirements for things like housekeeping, sanitation, and process efficiency.
7. Records provide documentation of what has been done related to compliance—current inventories, plans, training, inspections, and monitoring required for a given compliance program. Each program typically has recordkeeping, records maintenance, and retention requirements specified by type. Having a good records management system is essential for maintaining the vast number of documents required by regulations, particularly since some, like OSHA, have retention cycles for as long as 30 years.
8. Reports are a product of the above compliance functions. Reports from ongoing implementation of compliance activities often are required to be filed with regulatory agencies on a regular basis (e.g., monthly, quarterly, semi-annually, annually), depending on the regulation. Reports also may be required when there is an incident, emergency, recall, or spill.

Reliable Compliance Performance

Documenting procedures on how to execute these eight functions, along with management oversight and continual review and improvement, are what eventually get integrated into an overarching management system (e.g., environmental, health & safety, food safety, security, quality). The compliance IMS helps create process standardization and, subsequently, consistent and reliable compliance performance.

In addition, completing and organizing/documenting these eight functions of compliance provides the following benefits:

• Helps improve the company’s capability to comply on an ongoing basis
• Establishes compliance practices for when an incident occurs
• Creates a strong foundation for internal and 3^rd-party compliance audits and for answering outside auditors’ questions (agencies, customers, certifying bodies)
• Helps companies know where to look for continuous improvement
• Reduces surprises and unnecessary spending on reactive compliance-related activities
• Informs management’s need to know
• Enhances confidence of others (e.g. regulators, shareholders/investors, insurers, customers), providing evidence  of commitment, capability, reliability and consistency in the company’s compliance program

The discipline required to design and implement a compliant environmental, health & safety (EHS) management system can help organizations improve in many areas over and above the tasks, as defined.

1. Identify and categorize the organization’s EHS risks. Once this information is known, management will be able to prioritize and then pick and choose how to reduce risks and liabilities to acceptable levels. These risks will be better controlled through strict management accounting. Employees will become more attuned to thinking outside the box to help management improve the overall operation.
2. Develop work instructions and/or procedure to guide an employee’s actions and ensure that each EHS task is completed in a disciplined manner approved by management. This will reduce the risk to an organization of an employee accidentally making an environmental, health and/or safety mistake that causes the employee or others to be injured or worse; creates public awareness of the problem; or causes governmental inspections, fines, and loss of business.
3. Provide management assurance that the company does, in fact, know and understand the legal and EHS requirements that the business must meet on a daily basis. These legal requirements will drive improvement in having up-to-date procedures and work instructions for employees to follow every day.
4. Develop meaningful EHS goals and objectives. These objectives drive improvement in environmental and personal health & safety performance. They may also reduce internal costs by reducing trips to the hospital, payments for workers compensation, and employees on disability. Each business will have different goals that should change each year to ensure continuous improvement over time.
5. Develop a strong training program. Well-written procedures and work instructions help define the actions required of employees to meet EPA and OSHA requirements and company directives. A well-trained workforce is a motivated and happy work force. Turnover is reduced, accidents and incidents are reduced, and production efficiencies increase. Employees are very aware when an organization takes time to assure each job requested is completed in the safest and most environmentally sound manner possible.
6. Develop appropriate monitoring and measurement of key characteristics and requirements. These key performance indicators are based on regulations and laws intended to guide the organization’s actions in a direction of continuous improvement and compliance.
7. Allow employees to audit and verify that the EHS management systems are functioning as designed and implemented. By continuously auditing each OSHA program and environmental function, the organization will discover issues of concern and non-conformances prior to an employee being injured or worse, having an environmental spill or incident, or incurring a governmental agency finding. This allows the company to choose a timeframe that will best help improve the situation without undue influence by outsiders.
8. Design a fully functioning corrective/preventive action program to monitor issues of concern and/or non-conformance and the actions used to rectify each situation identified. As employees watch management fix problems, they will learn that management is concerned about continuous improvement and the employees will go back to making improvement suggestions. These suggestions will further drive improvement in areas outside the original EHS management systems.
9. Look at the business model and the EHS management systems in a holistic fashion. By using this self-reflection and identifying improvement opportunities, management can direct responsibilities for improvement actions across many departments within the company. Each of these improvement opportunities will again help the bottom line and reduce the possibility of an EHS liability now or in the future.
10. Know that you have done everything possible to maintain the business in a manner to meet all OSHA and EPA rules and regulations, as well as association requirements. The organization will have done everything possible to assure that the environment and the health & safety of employees are protected every day the doors are open for business. To a business owner, that knowledge is priceless.

A management system is the organizing framework that enables companies to achieve and sustain their operational and business objectives through a process of continuous improvement. A management system is designed to identify and manage risks—safety, environmental, quality, business continuity, food safety (and many others)—through an organized set of policies, procedures, practices, and resources that guide the enterprise and its activities to maximize business value.

The management system addresses:

• What is done and why
• How it is done and by whom
• How well it is being done
• How it is maintained and reviewed
• How it can be improved

Creating an Effective and Valuable Management System

Each company’s management system reflects its unique culture, vision, and values. To be effective and valuable, the management system must be tailored and focused on how it can enhance the business performance of the organization. It must also be:

• Useful to people in the operations
• Intuitive—organized the way operations people think
• Flexible—making use of methods and tools as they are developed and documented
• Valuable from the outset—addressing the most critical risks and processes
• Linked to the business of the business (not “pasted on”), with ownership at the operational level
• A means to better align operational quality, safety, and environment with the business

Attributes of an effective management system are senior management expectations and guidance coupled with employee engagement. Importantly, a management system involves a continual cycle of planning, implementing, reviewing, and improving the way in which safety, quality, and environmental obligations and objectives are met. In its simplest form, this involves implementing the Plan, Do, Check, Act/Adjust (P-D-C-A) cycle for continuous improvement.

 

Auditing for Ongoing Compliance

The connection between management systems and compliance is vital in avoiding recurring compliance issues and in reducing variation in compliance performance. In fact, reliable and effective regulatory compliance is commonly an outcome of consistent and reliable implementation of a management system.

Conducting periodic audits is a practical way to test a management system’s implementation maturity and effectiveness. One of the many advantages of audits is that they help identify gaps so that corrective/preventive actions can be put into place and then sustained and improved through the management system.

Audits also help companies with continuous improvement initiatives; properly developed audit programs help measure results over time. To achieve best value, audits should emphasize finding patterns that can yield opportunities for learning and continual improvement, rather than “gotchas” for exceptions that are discovered.

Management System Standards

Several options are available for structuring management systems, whether they are certified by third-party registrars and auditors, self-certified, or used as internal guidance and for potential certification readiness.

The International Organization for Standardization (ISO) standards are some of the most commonly applied. The ISO standards for quality (ISO 9001), environment (ISO 14001), health & safety (OHSAS 18001), business continuity (ISO 22301), and food safety (FSSC 22000) have consistent elements, allowing organizations to more easily align their various management systems. Aligned management systems help companies to achieve improved and more reliable quality, environmental, and health & safety performance, while adding measurable business value.

Certification

Companies can become certified to each of the standards discussed above. Certification has a number of benefits, including the following:

• Meet customer or supply chain requirements
• Use outside drivers to maintain management system process discipline (e.g., periodic risk assessment, document management, compliance evaluation, internal audits, management review)
• Take advantage of third-party assessment and recommendations
• Improve standing with regulatory agencies (e.g., USEPA, OSHA, FDA, and state programs)
• Demonstrate the application of industry best practice in the event of incidents/accidents requiring defense of practices

However, if there is no market or other business driver, certification can lead to unnecessary additional cost and effort regarding management system development. Certification in itself does not mean improved performance—management system structure, operation, and management commitment determine that.

Business Value

There are a number of reasons to implement a management system. A properly designed and implemented management system brings value to organizations in a number of ways:

• Risk management
  • Identify risks
  • Set priorities for improvement, measurement, and reporting
  • Provide great opportunity to identify, share, and learn best practices, while recognizing operational differences
• Protection of people
  • Send people home the way they arrived at work
  • Protect the public and the environment
• Compliance assurance
  • Improve and sustain regulatory compliance
• Business value
  • Continually improve quality, environmental, and safety performance across the organization (employee, public, equipment, infrastructure)
  • Reduce incident costs and accrued liabilities
  • Protect assets
• Reliability
  • Assure processes, methods, and practices are in place, documented, and consistently applied
  • Reduce variability in processes and performance
• Employee engagement
  • Help employees to find and use current versions of all procedures and documents
  • Provide a ready reference for field management to structure location-specific procedures
  • Enable the effective transfer of standards, methods, and know-how in employee training, new job assignments, and promotions

When business is disrupted, the costs can be substantial. Unfortunately, every organization is at risk from potential operational disruptions—natural disasters, fire, sabotage, information technology (IT) viruses, data loss, acts of violence. Recent world events have further challenged organizations to prepare to manage previously unthinkable situations that may threaten the future of the business.

Securing Company Assets

This goes beyond the mere Emergency Response Plan or disaster recovery activities that have been previously implemented. Organizations must now engage in a more comprehensive process to secure their companies’ assets (e.g., people, technology, products, and services). Today’s threats require implementation of an ongoing, interactive process that assures the continuation of the organization’s core business activities and data center(s) before, during, and, most importantly, after a major crisis event.

Creating a Resilient Organization

Business continuity planning helps ensure that companies have the resources and information needed to maintain service, reliability, and resiliency under adverse conditions. While companies can’t plan for everything, they can take steps to understand and effectively manage events that might compromise their products/services, supply chain, quality, security, and future as an organization.

A Business Continuity Plan ensures that all involved parties understand who makes decisions, how the decisions are implemented, and what the roles and responsibilities of participants are when an incident occurs. Through business continuity planning, companies are able to:

• IDENTIFY the human, property, and operational impacts of potential business threats
• EVALUATE the potential severity of associated risks
• ESTIMATE the likelihood of business threats occurring
• CREATE timelines for restoration and strategies that proactively mitigate the most pressing business threats, take advantage of opportunities that lie ahead, and provide for a more resilient and sustainable future

Systematic Approach

A sound Business Continuity Program relies on a systematic approach to identify and critically evaluate risks/opportunities, as outlined below. This approach broadens the scope of issues beyond mere emergency response and allows companies to budget for and secure the necessary resources to support critical business activities before, during, and after a major crisis event. Ultimately, following this process helps companies to stay in business through a time of crisis.

Sustaining Business for the Long Term

Sustainability is about staying in business for the long term, and today, business continuity is key to sustaining business over time. That is because a well-developed and implemented Business Continuity Plan:

• Keeps employees and the community safe when an incident occurs
• Protects the organization’s important assets (e.g., people, technology, products, services)
• Reduces disruption to critical functions in order to limit financial impacts due to loss of product/service
• Reduces adverse publicity, loss of credibility, and loss of customers
• Reduces legal liability and regulatory exposure
• Reduces the risk of losing critical business data (e.g., historical, operational, customer, regulatory compliance)
• Provides for an orderly and timely recovery by allowing critical decisions to be made in a non-crisis mode
• Helps companies mitigate risks and focus on the future

*****
Guiding Standards

ISO 22301: Societal Security – Business Continuity Management Systems is specifically designed to help organizations protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise. Like other ISO standards, ISO 22301 applies the Plan-Do-Check-Act/Adjust model to developing, implementing, and continually improving a Business Continuity Management System. Following this internationally recognized standard allows organizations to leverage their existing management systems and ensure consistency with any other ISO management system standards that may already be in place (e.g., ISO 14001 – environment, ISO 9001 – quality, ISO 45001 – safety, ISO 22000 – food safety).

The American Society for Industrial Security (ASIS) Business Continuity Management System Standard, National Fire Protection Association (NFPA) 1600: Standard on Disaster/Emergency Management and Business Continuity Programs, and Office of the Comptroller of the Currency (OCC) federal banking requirements for business continuity provide further industry-specific guidance on business continuity management.

Today’s business managers face greater complexities than ever when it comes to making business decisions. For every business decision, there are a number of factors that impact the associated risks. Fortunately, the use of statistics, predictive analytics, and data mining has become increasingly useful in taking the “gut feel” out of making important and often complex business decisions.

Data-Driven Decisions

Most people are familiar with common descriptive statistical techniques, like measures of central tendency (e.g., mean, median, mode) or variability (e.g., interquartile range, standard deviation). More advanced data mining and predictive analytical techniques are increasingly being used to explore and investigate past performance to gain insight for future business decision making.

Data mining draws on large amounts of data to identify patterns, which are often classified as opportunities or risks. Predictive analytics encompasses a variety of statistical techniques that are used to analyze historical data to predict the most probable future events. A few examples of these include the following:

• Discriminant Analysis – a machine learning model where a computer program “learns” a pre-existing data set that includes attributes and outcomes for each individual, and then predicts probable outcomes for individuals in the new data set based on attributes.
• Linear Regression – creates an equation so that one variable can be predicted based on the known values of other variables.
• Logistic Regression – a machine learning model where a computer program “learns” a pre-existing data set that includes attributes and a binary (“yes/no”) outcome for each individual, then predicts “yes/no” outcome for each individual in a new data set, along with a probability associated with the decision.
• Decision trees – machine learning model where a computer program “learns” a pre-existing data set that includes attributes and outcomes (not necessarily binary) for each individual, then predicts outcomes for each individual in a new data set, along with confidence in the decision; also identifies the attributes that are most helpful for making predictions (i.e., those that are best able to discriminate between outcomes).
• Neural networks – similar to decision tree, but more effective if finding the connections between attributes is a concern.

Together, this information can help decision makers to predict the outcome(s) of a decision before it is made—and make smarter decisions based on data instead of gut feelings. The following case studies demonstrate the value that statistics provide when it comes to making important business decisions.

Case Study: Wildfire Risk Index

For a large transportation organization, wildfires have historically presented a unique challenge. The company has worked diligently over the past several years to control its fire risk through research and a number of assessments. To help further minimize the wildfire risk, the company turned to past data and is working with Kestrel to develop a comprehensive Wildfire Risk Index to:

1. Quantify the operational risks of wildfires (i.e., identify environmental conditions, determine areas of concern)
2. Make informed business decisions to help minimize identified risks

Creating the Index requires a significant amount of data from both internal and external resources, including traffic, weather, geography, internal fire incidents, and others. This information is used in several components contained within two main models that create the Wildfire Risk Index. These model components are relatively simple when used on their own. The complexity arises when combining the various models and their components into a single Wildfire Risk Index that reasonably reflects relative risks, while considering all variables.

The ultimate output of the Wildfire Risk Index is a single number that quantifies the relative risk of wildfire by location and by month. This information will help the company to:

1. Identify the areas of greatest risk.
2. Focus resources on those areas.
3. Make more informed decisions regarding operations—like when to plan hot work and when and where to perform vegetation control—to help prevent future incidents.

Case Study: Incident Data

For a large petroleum refining organization, safety and environmental incidents present a significant risk to operations. In order to reduce incident frequency, the company has implemented a robust safety management system, which includes frequent audits and inspections. Despite the company’s best efforts, however, incidents have continued to occur.

To further improve safety and environmental performance, Kestrel is working with the company to conduct detailed reviews of previous incidents using Kestrel’s proprietary Human Performance Reliability (HPR) approach. This approach identifies and classifies the human factors contributing to incidents, as well as the controls associated with those human factors (engineered, administrative, and/or PPE). Once the reviews are finished, the results are statistically analyzed to generate a prioritized list of human factors to be addressed. Kestrel’s Human Factors Integration Tool (HFIT™) software then generates a list of existing controls associated with the top human factors, as well as a list of missing controls that could be created and implemented.

The ultimate output of the incident review process is to help the company identify the human factors contributing to incidents, create or improve associated controls, manage operational risks, and protect the health and safety of workers and the surrounding environment.

Versatility

These examples demonstrate how predictive analytics can be used to support decision making. The versatility of predictive analytics, combined with the variety of statistical techniques available, can be applied to help companies analyze a wide variety of problems and gain insight for future business decision making.