Internal Audit, Risk, Business & Technology Consulting

Achieving a Top-Performing Environmental Health and Safety ProgramElevating EHS capabilities begins with a comprehensive risk diagnostic

Getting a precise read on the current state of a company’s EHS program requires a systematic and objective assessment. Third-party EHS experts are well positioned to diagnose, test and validate existing EHS processes.

At companies with leading EHS practices, EHS is not the responsibility of a single manager, team or department. Instead, EHS responsibility is shared throughout the organization and supported by a broad range of enablers, including training, per-formance measures, process integration, budget consideration and the right tone at the top.

It is far more cost-effective (and risk-savvy) to be proactive and invest the time, energy and resources necessary to develop leading EHS practices than it is to pay fines and perform mandated corrective actions in the wake of a significant EHS incident.

Achieving EHS compliance is not a one-time push. OSHA requirements and environmental regulations change constantly and require vigilant monitoring as well as continual adjustments to internal approaches and processes to stay current.

Achieving a Top-Performing Environmental Health and Safety Program · 1protiviti.com

Environmental health and safety (EHS) ini-

tiatives centered on achieving zero accidents

reveal almost nothing about the quality of an

organization’s management and implementa-

tion of EHS standards. Although zero-accident

initiatives are useful components of most EHS

programs, tracking historical measures, such as

past accidents, is rarely as useful at preventing

environmental and safety mishaps as monitoring

leading indicators. Leading indicators should

be actionable by helping organizations mitigate

risks associated with the current regulatory

environment. Leading indicators also should

proactively gauge the effectiveness of the

process while highlighting areas for improve-

ment. This forward-looking stance is crucial

because failing to prevent safety mishaps or

noncompliance with environmental regu-

lations can result in steep fines, mandated

remediation efforts and painful hits to

shareholder value.

Leading indicators and metrics figure prominently

among other attributes of high-performing EHS

programs. To develop such a program, business

leaders should start by gaining a clear understanding

of their current EHS capabilities and the maturity

of their EHS program — which can be difficult.

As business leaders with EHS responsibilities seek to

improve their capabilities in the most cost-efficient

and effective ways possible, they should keep the

following in mind:

Introduction

2 · Protiviti

The Ever-Evolving Case for Improvement

EHS requirements continually change but rarely

decline in number — even with shifts in regulatory

philosophies. While the executive and legislative

branches of government influence the leadership

ranks of federal agencies, and to a lesser extent,

set the tone for some enforcement approaches, the

vast majority of essential EHS standards with which

companies must comply remain relatively stringent

and unlikely to be significantly altered. Insurance

companies also use these standards to set rates for

worker’s compensation and general liability policies,

which is why leading EHS programs often deploy

internal standards that are more stringent versions

of baseline regulatory requirements as a way to avoid

incidents that cause premiums to spike.

Regulatory bodies also continually refine existing

standards, publish new rules, and shift the focus

of their enforcement activities. Between 2015 and

2017, for example, the Environmental Protection

Agency (EPA) published 5,043 items in the federal

register. Since 2010, the EPA has published more

than 14,000 notices, rules and proposed rules in the

federal register — a number significantly higher

than other major government agencies. These rules

apply to environmental protections, reporting and

recordkeeping requirements, air pollution control,

administrative practices and procedures, chemicals,

confidential business information and more. Other

agencies also have made thousands of changes over the

same period of time.

“Based on our experience with a number of experts in the occupational health and safety field, two themes emerge in successfully enhancing the EHS perspectives of an organization: The need for leadership-driven EHS effort and the need to assess EHS programs on leading indicators.” — Jon Critelli, Director, Protiviti

* Items published from Jan 1, 2010 through April 27, 2018. Federal Register, www.federalregister.gov/documents/search?#advanced.

U.S. Federal Agency Federal Register Items Published*

Environmental Protection Agency (EPA) 14,369

Agriculture Department (USDA) 9,227

Justice Department (DOJ) 6,839

Labor Department (DOL) 6,152

Education Department (ED) 3,683

FY 2011 FY 2012 FY 2013 FY 2014 FY 2015 FY 2016

Total programmed inspections Total unprogrammed inspections

0

25,000

20,000

15,000

5,000

10,000

Source: U.S. Department of Labor, OSHA 2016 Enforcement Summary, www.osha.gov/dep/2016_enforcement_summary.html#1

OSHA Inspections

Achieving a Top-Performing Environmental Health and Safety Program · 3protiviti.com

Organizations should remain poised to respond to

further additions, subtractions and alterations to the

regulatory code. A quick glance at the total inspections

conducted by the U.S. Occupational Health and Safety

Administration (OSHA) shows that unprogrammed

inspections have increased in recent years even as

programmed inspections have declined:

Additionally, the penalties for OSHA violations remain

significant, ranging from $12,934 per violation to

$129,336 for willful or repeated incidents.1 OSHA

levied a total of more than $30 million in fines in 2016

for the 152 significant violations that topped the

$100,000-penalty threshold.

These penalties represent only a portion of the prob-

lems companies incur due to ineffective EHS processes

and capabilities. Other potential problems include hits

to shareholder value, brand and reputational damage,

lawsuits, and scrambling to make expensive mandated

remediations while dealing with the fallout.

Establishing an effective and continuously improving

EHS capability is a great way to avoid these issues.

Mature EHS programs help companies keep tabs on

new and developing regulations, integrate an EHS

mindset into the company culture and help support

and manage corporate sustainability initiatives.

1 U.S. Department of Labor, OSHA Penalties, www.osha.gov/penalties/, accessed March 23, 2018.

4 · Protiviti

Warning Signs

A recent EHS Today article described the many compli-

ance challenges posed by OSHA’s new record-keeping

regulation, which requires employers to publish

work-related injury and illness records on a new OSHA

website. Writer Hannah Stewart notes that OSHA

believes this transparency requirement will “nudge”

companies to mitigate brand risks associated with

injuries and the unsafe workplace perceptions among

investors, customers and employees. Stewart pointed

to BP’s 52 percent swoon in market value and 40

percent decline in U.S. gas station revenue following

the 2010 Deepwater Horizon disaster.2 All of these

points neatly summarize the risks associated with

operating under-resourced, underfunded and/or subpar

EHS programs.

The costs of major EHS violations can include remedia-

tion (in the case of an environmental incident); changes

to equipment and facilities (e.g., construction, retrofitting

a facility) that must be performed quickly following an

incident; regulatory fines; lawsuit-related costs; increases

to insurance premiums, which are based on experience

modification rates (EMRs); and potential declines in

revenue and shareholder value. If, for example, a water

bottling company’s mishap introduces unsafe materials

to the manufacturing process, consumers may shun that

product long after the problem has been remedied.

These worst-case scenarios are more likely to occur

in companies with ineffective EHS programs, which are

recognizable by the following:

• Underfunded programs and insufficient staff size

• Treating EHS as an afterthought to other priorities

• EHS complacency resulting from following well-

known standards while neglecting to monitor and

plan for new and emerging standards

• A lack of benchmarking against leading

industry practices

• Focus on lagging indicators of EHS performance

(injuries, environmental incidents, etc.) as opposed to

leading indicators, such as gauging the effective-

ness of EHS programs, encouraging a culture of

safety, enhancing the visibility of EHS performance

to the entire organization, tracking the number of

management visits to that area, monitoring training

completion percentages and more.

2 “OSHA’s New Recordkeeping Rule: Top 3 Challenges Coming Down the Line,” by Hannah Stewart, EHS Today, Nov. 9, 2017: www.ehstoday.com/osha/oshas-new-recordkeeping-rule-top-3-challenges-coming-down-line.

Achieving a Top-Performing Environmental Health and Safety Program · 5protiviti.com

Leading Practices

One of the most vivid differences between companies

with lagging and leading EHS capabilities relates to how

organizations treat specific EHS rules and standards.

The former camp treats these requirements as finite

by seeking to adhere only to the minimum standard and

seeing the compliance effort as a one-time exercise

to reach an end goal. Companies with mature EHS

capabilities regularly treat minimum requirements

as baselines and then establish stricter in-house

standards. They also view their EHS capabilities

dynamically and have the mechanisms in place to

adjust them as required.

A well-established EHS program not only helps prevent

incidents and fines, but also promotes compliance and

even pride throughout the organization. Leading EHS

programs typically possess and/or enable the follow-

ing characteristics:

• The right tone at the top — As is the case with any

regulatory compliance effort, the tone coming from

the top makes the difference between a leader and

a laggard. Organizational leadership should set the

right tone and inspire the right attitudes and behav-

iors regarding how EHS requirements are viewed

and managed throughout the company. This tone is

evident in tangible EHS processes and mechanisms,

such as the use of safety committees, as well as most

of the other items that follow on this list.

• EHS considerations are integrated into routine processes — Rather than addressing EHS standards

and rules after the fact, leading companies have

compliance requirements and other EHS practices

integrated into processes.

• Comprehensive training — Compliance with all

relevant regulations, rules and internal standards

is supported with training that extends to safety

procedures, equipment use, compliance reporting

requirements and more. Additionally, training is

managed by tracking the number of employees

trained (via training hours), dollars invested per

training hour, and savings generated by a

well-executed training program.

• The use of leading indicators — Mature programs

identify, monitor and respond to leading indica-

tors that highlight potential trouble spots so that

incidents can be prevented. Examples of leading

indicators include the percentage of employees that

have received adequate training; the number of

compliance-related visits to a site, and the number

of management visits to a site, among others.

• Performance tracking — Leading EHS teams

develop and implement performance plans with

metrics related to key EHS requirements and

standards. Key performance indicators (KPIs)

typically cover incidents and accidents, near

misses, lost time, permitting and the like. These

types of KPIs are applied at a program level as

well as across multiple departments and sites.

• Benchmarking — In addition to tracking internal

EHS KPIs, leading EHS programs also conduct regular

benchmarking activities to assess their performance

against industry yardsticks. Benchmarking identifies

where the organization is today with respect to health

and safety performance and the level of health and

safety performance the organization strives to achieve

in the future.

• Integration with functional and business processes —

EHS teams collaborate closely with business

partners throughout the organization on any and all

processes related to EHS matters. For example, EHS

teams work closely with their operations counter-

parts to ensure that waste management processes

address regulations and internal standards related

to hazardous waste disposal; EHS teams and their

human resources colleagues integrate EHS-related

6 · Protiviti

training and awareness into onboarding processes;

and EHS teams work with procurement to ensure,

for example, that regulated chemicals used in

refining processes are procured and handled in a

compliant manner.

• Budgetary considerations — Another relationship the

EHS team needs to manage is with corporate finance

and accounting. This ensures that compliance

requirements are understood as important, and are

considered and supported during annual budgeting

and planning processes.

Getting these and other components of a robust EHS

capability in place normally begins with a comprehensive

diagnostic of the program’s current state — typically one

conducted by a third party, which can provide optimal

objectivity and a fresh look at old problems.

“Our EHS team is extremely understaffed.” Business

leaders often utter that realization after examining

the results of a comprehensive third-party diagnosis

of their EHS capability. An effective and objective EHS

diagnosis would identify all of the EHS risks facing

an organization, the resources and structures needed

to address those risks, and the gaps that current EHS

capabilities fail to address. A quick glimpse at this

information in a single document tends to open the

leadership team’s eyes to the sometimes daunting

scope of their company’s EHS needs and the relatively

small number of resources many companies devote to

this area.

A two-pronged approach — consisting of a diagnostic

and a remediation plan — is a highly effective way of

improving EHS capabilities. This work begins with a

comprehensive EHS risk diagnostic, which includes

risk identification and profiling of the current EHS

processes. The results of this diagnostic highlight

all shortcomings within EHS procedures and training

programs. The diagnostic results also include

benchmarking information to help clarify both

the current state of EHS performance and the EHS

performance level the organization wants to achieve.

The second part of the improvement effort consists

of the remediation plan. The plan details how EHS

performance will be improved so that the company

can achieve and sustain compliance with all applicable

EHS rules and standards, as required by law. Again,

companies with leading EHS programs routinely exceed

compliance with those rules and standards, which they

treat as minimums.

In many instances, the remediation plan identifies

preventive and/or corrective actions along with the

development of standard operating procedures related

to each EHS risk area. The operating procedures are

tested and validated, and training plans tied to these

procedures are developed. All of this information is

subsequently used to track the progress of all preventive

and corrective actions being taken in response to the

assessment.

Advancing Along the Maturity Continuum

Achieving a Top-Performing Environmental Health and Safety Program · 7protiviti.com

Although EHS evaluation and improvement efforts

are almost always modified to address the unique

characteristics of a company (e.g., industry, size,

compliance requirements, etc.), most efforts address, at a

minimum, the following four categories:

01 02 03 04

Areas for EHS enhancement, including:• Maintenance plans

• Preventive programs

• Hazmat programs

• Prevention processes

Structures, systems and other mechanisms by which processes and activities are executed, including: • Daily work authorizations

• Safety meetings

• Safety promotions and communications

• Safety training

Organizational initia-tives and programs that enable safety, including: • Companywide initiatives

• Dedicated safety staff or a department

• Employee training

Governance, which covers the specific controls and processes that drive safe execu-tion, such as: • Safety assessments

• Training hours

• Management of new laws and processes

• EHS evaluations

By understanding how an EHS diagnostic works and

the key EHS components it targets, business leaders

are positioned to close troubling EHS-management

gaps while elevating their program’s performance.

Closing those gaps requires a collection of skills and

expertise, ranging from knowledge of current and

emerging regulatory requirements, to familiarity of

leading indicators of EHS performance, to knowing

how to knit EHS considerations into a wide range

of business processes throughout the organization,

change management savvy, and much more.

8 · Protiviti

Conclusion

Well-planned, systematic improvements to

EHS capabilities tend to yield a set of mutually

reinforcing benefits.

EHS programs that integrate OSHA training into the

new-employee onboarding process, for example, send

a clear message to new hires about how seriously the

organization treats external EHS requirements and

more stringent internal standards. This type of process

integration also makes EHS considerations part of the

daily workflow of a larger portion of the workforce and

helps extend compliance responsibilities beyond the

exclusive domain of the EHS group. This widespread

sharing of EHS processes, responsibilities and awareness

increases the likelihood that individual EHS initiatives,

such as zero-tolerance programs, will be embraced by

employees, and recognized and rewarded by leadership.

An EHS diagnostic is the first step in the improvement

work that yields those benefits.

Case Study: An EHS Audit at an Energy Company Leads to Marked ImprovementsEarlier this year, Protiviti performed an audit of an energy company’s environmental, health, safety and security (EHS&S) oversight processes. The effort was motivated by an internal audit plan that identified EHS&S as a high risk area for the company. Specifically, the audit plan called for an audit of the EHS&S management team’s oversight of compliance activities in all refinery and non-refinery operations. It required the team to understand, assess and test key control activities, procedures and supporting technology in three areas:

• Management processes

• A safety management system (SMS) and an environmental management system (EMS)

• Physical plant security programs and protocols

The goal of the EHS audit was to provide an objective EHS diagnostic by a third party to shed light on possible improvements. To this end, a Protiviti EHS expert joined the company’s internal audit team, and, following the comprehensive diagnostic of the identified areas, recommended a set of specific improvements. For example, Protiviti determined that each operational location had a unique management system and that the level of preparation to incorporate new corporate standards into those systems varied widely. Each refinery and non-refinery operation was in the process of identifying its location-specific EHS risks, compliance requirements and risk mitigation strategies. Protiviti helped identify potential areas for improvement that also included implementation of the corporate standards into the management systems.

Benefits Achieved

The company took Protiviti’s improvement recommendations to heart and deployed its internal resources to implement them. Specifically, the company:

• Developed and communicated an SMS and EMS approach for each location. These systems included processes, procedures, training and assessments for each refinery.

• Developed and implemented robust and standardized EHS policies and tools to be adhered to and utilized across the organization

• Established a robust EHS framework based on regulatory and legal requirements and an audit program that tests adherence to the newly implemented SMS and EMS

• Utilized IMPACT, a web-based incident management system, to manage safety and environmental incidents and audit findings across all locations, and

• Established minimum requirements for site security across all locations.

Achieving a Top-Performing Environmental Health and Safety Program · 9protiviti.com

How Protiviti Can Help

Protiviti works with companies across industries to

devise and implement effective EHS programs. These

programs are actionable, attainable, meaningful,

transparent, and easy to implement. Protiviti evaluates

organizations’ current EHS capabilities in four catego-

ries: processes, structures and systems, organizational

initiatives and governance. Following a comprehensive

diagnostic of an organization’s current EHS capability,

Protiviti benchmarks the current and target state matu-

rity (using a proprietary EHS Maturity Model) across all

elements of EHS, and then implements improvements

that close current-target state gaps. Our efforts have

successfully identified and eliminated, or controlled,

risks related to both injuries and incidents, while equip-

ping companies with a framework to sustain high levels

of EHS performance.

ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Randall Coxworth+1.312.476.6957randall.coxworth@protiviti.com

Daniel Bouldrick+1.404.443.8236daniel.bouldrick@protiviti.com

Jon Critelli+1.404.443.8218jon.critelli@protiviti.com

Ruhtab Sahota+1.713.314.1235ruhtab.sahota@protiviti.com

CONTACTS

© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0518-103117 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

© 2

017

Proti

viti

Inc.

An

Equa

l Opp

ortu

nity

Em

ploy

er. M

/F/D

isab

ility

/Vet

. PRO

-041

7

THE AMERICAS UNITED STATESAlexandriaAtlantaBaltimoreBostonCharlotteChicagoCincinnatiClevelandDallasDenverFort Lauderdale

HoustonKansas CityLos AngelesMilwaukeeMinneapolisNew YorkOrlandoPhiladelphiaPhoenixPittsburghPortlandRichmond

SacramentoSalt Lake City San FranciscoSan JoseSeattleStamfordSt. LouisTampaWashington, D.C.WinchesterWoodbridge

ARGENTINA*Buenos Aires

BRAZIL*Rio de Janeiro Sao Paulo

CANADAKitchener-Waterloo Toronto

CHILE*Santiago

COLOMBIA*Bogota

MEXICO*Mexico City

PERU*Lima

VENEZUELA*Caracas

EUROPE MIDDLE EAST AFRICA

FRANCEParis

GERMANYFrankfurtMunich

ITALYMilanRomeTurin

NETHERLANDSAmsterdam

UNITED KINGDOMLondon

BAHRAIN*Manama

KUWAIT*Kuwait City

OMAN*Muscat

QATAR*Doha

SAUDI ARABIA*Riyadh

SOUTH AFRICA*Johannesburg

UNITED ARAB EMIRATES*Abu DhabiDubai

ASIA-PACIFIC CHINABeijingHong KongShanghaiShenzhen

JAPANOsaka Tokyo

SINGAPORESingapore

INDIA*BengaluruHyderabadKolkataMumbaiNew Delhi

AUSTRALIABrisbaneCanberraMelbourneSydney

*MEMBER FIRM