No one likes audits.  Senior managers hate the high cost of sending audit teams into the field, and business units hate the disruption of their operations.

Most people do not perceive a benefit from audits either, although almost everyone believes they are necessary.  Audits typically measure compliance to regulatory standards, or conformance to management system requirements, or they validate the activities of the business units.  Always, audits are promoted as a method of continual improvement.  And as a sub-plot, audits are thought to help protect the backsides of senior managers and boards of directors.

At Pilko, we believe that audits can achieve their intended goals if they are done right, although we see few companies who put enough thought into how their audit programs are designed and implemented.  To address this gap, we’ve developed the Pilko Assurance Program in cooperation with several clients.  This new approach has actually resulted in business units asking to be “Assured” so they can showcase their accomplishments.

Before describing Assurance, let me recap the problems inherent in the traditional audit. Popularized in the late 1980s, this cookie-cutter approach has become a standard methodology still in wide use today.

If you ask most Audit Program Managers about their work, you will hear how their companies do audits – not how they drive out negative findings to achieve corporate goals and objectives.  Here are some of the reasons why traditional audits do not reap the intended benefits:

Companies become motivated to change their audit programs for three reasons: First, an event such as the BP Texas City disaster (or something much less) may trigger recognition of a problem.  Second is company growth, either internal or by acquisition, may highlight a need – for example, due diligence for a recent billion-dollar transaction revealed that one of the two companies did not even have an audit program.  And lastly, it may be that someone in senior management or on the board has a “moment of clarity,” a governance epiphany.

Regardless of the cause, companies seeking a better system want the following benefits:

For an Assurance Program to be effective, certain prerequisites must be met:

The Assurance Program should have three goals: First, to combine compliance and management system audits into one comprehensive program; second, to make the most out of the information that is collected; and third, to minimize disruption to operations by avoiding repetition and duplication, and by integrating audits with other business processes whenever possible.  You don’t have to send in a corporate audit group to do everything.

The best way to reduce audits is to redefine auditable units and group them; for example, you might group similar facilities (e.g., compressor stations); similar findings (facilities that tend to have the same issues); or everything within a given manager’s span of control.

At Texaco, we grouped Gulf of Mexico platforms into three geographical areas.  By auditing only one platform in each area every year, we cut the traditional number of audits in half.  Of course, we didn’t tell the platforms which would be audited, so they couldn’t dress up.

We made better use of the information we gained by ensuring that everybody related to a group of facilities got the reports – no more secrecy!  We applied the findings from each platform to every other platform in the same area.  As findings are driven out of the company over time, the audit group can be enlarged.  The goal is to use information to drive findings down and drive fixing up.

Findings should be risk ranked and dealt with accordingly.  Grouping and trending findings by “air”, “water”, and “waste” doesn’t tell much.  Instead, assign a risk level using a Risk Matrix; then attend to high-risk findings immediately, and ensure that you drive these findings out of the business.  Ideally, you will drive out most high-risk findings during the first two years.  Lower risk findings will probably continue to crop up every year.

It’s very important to treat high-risk findings as actual incidents and go after root causes.  Actually, a finding is a near-miss, and root-cause analysis should be part of every company’s incident learning and prevention process: Why did the finding happen?  Was it a breakdown of the management system?  A local phenomenon?  Poor supervision?  An employee error?

Pay special attention to recurring findings – if you’re finding the same things every time you run an audit, you’re not fixing things.  It’s also a good idea to look at recurring findings at “time zero” of the new system by examining old audit reports.

It’s a good practice to develop a list of findings that were either very common or so ugly that you never should have found them at all.  Publish that list annually.  And if the same findings appear in next year’s audit, public embarrassment can ensue.  We have found that this provides sufficient motivation for a very high level of accountability.

Finally, integrate audit findings and learnings into normal inspection processes, training programs, safety meetings, and any other business processes or management programs that can be used to address the issues.  There’s no reason that something found in an audit can only be worked on and corrected through a corporate audit program.

It should be clear by now that migrating from an audit to an Assurance Program is not trivial.  It takes both a change in activities and a change in attitude.  The Pilko Process takes clients through a customized methodology that offers two key benefits: a fantastic Assurance Program, plus implementation success.  By the end of the process, business units understand what’s happening, they accept it, and they have ownership.

We begin by holding a program design meeting with representatives from across the client company, typically a two-day meeting attended by 10-20 people.  We break the entire Assurance Program down into logical steps, highlighting alternate ways to accomplish each step.  Everyone in the meeting goes through every step and every choice, discussing the pros and cons and making the most appropriate choice for the company.

At the end of the process, we connect the choices, with the result that the client now has a customized program designed specifically for their needs.  Their system defines their Assurance Program and it also defines how they will handle findings and use the Assurance Program to provide value to the company.  Since client representatives have made the choices and built the program, buy-in is virtually automatic, which makes a profound difference in implementation.

We advise clients to be smart in how they build and conduct an audit or Assurance Program. The key is to emphasize fixing, not finding – if the audit guys are cops and the business units are victims, it just won’t work.  It still takes an auditor to identify findings, but it takes a committed and involved business to aggressively drive findings out of the company.

Converting to an Assurance Program requires forward thinking and planning, because implementing the ‘new way’ may take six months to a year.  You have to plant the seed early to get it to market at the right time!  Of course, once the system is operational, Assurance can revert to the typical fourth-quarter planning cycle.

We have seen the results the Pilko Assurance Program can provide as part of an integrated approach to EHS governance.  Clients can avoid expensive incidents and position their companies to derive competitive advantage from their EHS efforts.

##