The most basic audit is a compliance or condition inspection. OSHA does not specifically require that companies conduct safety and health audits, but OSHA regulations are written such that employers must furnish their employees with a place of employment free from recognized hazards and comply with certain OSHA standards. Management then develops programs for each employee to comply with certain standards, rules, and regulations. In addition, compliance requirements dictate certain record-keeping, programs, and training requirements. A true compliance audit will look at all three factors — conformance, record-keeping, and training.
A safety audit based on OSHA compliance will determine whether the company can provide a safe and healthful workplace. But this audit on its own tends to focus more on unsafe conditions rather than unsafe acts and behaviors. However, the majority of accidents occur from unsafe acts — i.e., you can have a wet floor (unsafe condition), but an injury may not occur until someone walks on the wet floor and slips (unsafe act). It is impossible to have a workplace free from unsafe conditions all of the time, because conditions and people change and the potential that someone will create unsafe conditions is always present.
Program Audit
To achieve a goal of reducing accidents and incidents, as well as unsafe acts and conditions which result in accidents, you must have programs in place that dictate how to implement safety rules or requirements. An example of a regulatory requirement is to record accidents on an OSHA 300 log and to do so within six days. A program requirement would describe the method one would use to investigate the accident. OSHA, while providing suggestions for investigating an accident, does not regulate how to investigate. So it is up to the company to define and write down the procedure for investigating the accident in order to implement the safety rule or requirement and to make it meaningful. Having done so, the company now has a safety program in place for the procedure.
A program audit is an analysis that gauges the implementation and strategy of these safety programs. Is the company following its own procedures and programs?
One drawback to a program audit is determining what to use as a standard. There is plenty of guidance but not much consistency in professional practice when it comes to what should be included in safety programs. There are some fundamentals, however. For one, it is essential to any safety program that all procedures are written down. Writing down the program allows the communication of the hazard as well as the procedures for minimizing exposure to the hazard and allows the procedure to be checked, measured, and/or audited. If unsafe acts create unsafe conditions, you need a program to communicate how to stop doing those things.
One challenge is that keeping safety programs current requires being able to manage change. New facilities, equipment, and personnel (e.g., a change in shift hours if it means an increase in workers’ exposure time) require changes in safety programs.
Both the compliance and program audit are useful snapshots to indicate potential exposures and risks. The value of these audits is to find the safety gaps so they can be closed. Another value is to verify if people are really following established safety guidelines. But an audit that is conducted only once a year is limited if there is no ongoing process by which to measure peoples’ performances — how often and how well are employees using and following safety programs.
Management Systems Audit
The final step in a comprehensive safety audit is to evaluate and validate the effectiveness of, and management’s commitment to, safety compliance and programs, employee involvement, and risk-control procedures. The management systems audit examines accountability, effectiveness of implementation, and how well the company’s health and safety program is integrated into the overall culture. A management systems audit integrates all three audit techniques — document review, interviews, and workplace observation — to make these determinations. Finally, to make safety programs sustainable, they must be integrated into the company’s existing business practices.
The Basics of a Safety Audit
First, determine your safety requirements and expectations, be they regulatory, program, organizational, or cultural. Some of this information can be obtained from industry publications, OSHA, other businesses’ benchmarks, industry associations, professional conferences, or by hiring a consultant.
The process by which the audit is conducted is best written down so it can be duplicated each time. Create a check list that is referred to at every audit — if the methodology for conducting the audit is different each time, how will you know if your safety standards and practices are improving?
There are many different ways to measure audit outcomes. Some type of scoring process is typically developed to be able to compare status and evaluate progress. Remember, auditing is not a one-time process. Each type of audit should be conducted at least annually, but it helps to know what’s going on between the audits.
Given that there are over 100 different OSHA regulations, different items within those regulations, and 20 to 30 programs to implement the regulations, it takes time to conduct an audit. An audit will probably take a minimum of two to three days to conduct if a company employs less than 100 people, longer if it’s the first audit. And if it is the first audit and the company is starting from scratch, it will probably take longer to develop the methodology for conducting the audit than to conduct the actual audit.
Why Conduct a Safety Audit
It can take a significant investment to make an assessment of your safety programs, and the pay off or return on investment is determined by management’s commitment to address the findings. If you do not establish a method to analyze trend data and track recommendations and follow-through, than a safety audit will not be as good of a return on investment as it could be. Companies that buy into wanting to know where there are gaps and weaknesses will find audits a valuable exercise worth the investment.
The type of audit you choose may depend on your corporate culture and what the company is most worried about. If it is liability, do a compliance audit. If the company is more worried about implementation gaps, do a program assessment. If the company wants to know about effectiveness gaps, a management systems audit is in order.
There are pros and cons to all three types of safety audits. A compliance audit alone may uncover a potential liability or OSHA citation, but it won’t necessarily help you learn how to avoid the problem in the future. A management systems audit identifies these gaps as symptoms of deeper-seated organizational or cultural shortcomings rather than listing the specific findings. It may not inventory all of your risks as a program or compliance audit will, but it can give you a better picture of how to prevent these risks and liabilities.
For this reason, many companies do all three types of audits in various stages and mixes. There are as many different implementation strategies for safety audits as there are companies. Some companies choose to do a hybrid of all three types of safety audits, depending on where that company is in terms of its maturity, as each type of audit requires an increasing level of business maturity (compliance being the most basic).
Once this maturation strategy has been determined and a company is able to progress successively from one type of audit to the other, the more basic audits, compliance and then program audits, require less effort, and eventually a company can wean down the compliance and program audits until they are far less intensive. But, when all is said and done, an organization should never really stop constantly assessing its total safety and health efforts.
To get additional information on this and other occupational health and safety topics, or to access a list of industrial hygiene consultants, visit the American Industrial Hygiene Association at www.aiha.org.