Updated: Jul 25
With the emergence of the COIVID-19 pandemic many are working remotely with minimal on-site presence. This has put a strain on existing operational systems and processes particularly those connected with risk and compliance designed for and under different conditions.
Organizations that have relied solely on audits to identify gaps in their compliance may now discover them to be too late and too slow for that purpose. In fact, as operating conditions have significantly changed they may no longer be effective at all.
What should organizations do to deal with possible increases in incidents across their safety, environmental, regulatory, or quality programs?
In this blog I will explore how organizations can answer this question but first we need to understand why audits are used in the first place.
Use of Audits
The use of periodic audits as the primary compliance control is all too common and has always had its limitations.
By design audits provide evidence of what has happened. Audits provide a lagging indicator that can be used to identify and then correct prescriptive compliance gaps so that they don’t reoccur. Audits work best when organizations are mostly “in-compliance.”
Audits cannot correct what has already happened. However, they do provide status of the integrity of financial and other reports that give witness to the conditions at a certain point in time. Under normal conditions when organization's are mostly “in-compliance” they may be also help to identify minor violations or infractions against standard practices and procedures.
However, conditions today are not normal. The assumption that organizations are still mostly “in-compliance” may no longer be warranted or wise. In the presence of significant uncertainty in a COVID-19 pandemic world what should organizations now do so that they continue to operate between the lines? Are audits enough to provide the assurance that stakeholders require?
Lessons from Process Safety
In highly-regulated high-risk industries another process is used to stay ahead of the effects of uncertainty. This process is known as “Incident Management (IM)” and is a one of the pillars of an effective risk & compliance program.
Incident management systems are used to address emergencies but also to discover when organizations cross the lines well before audits might otherwise catch them. The hope is that infractions are caught when the consequences and the cost to correct them is small. In fact it may even capture near misses which can provide an earlier warning of possible future incidents. Incident Management (IM) systems help to turn this hope into a reality.
Incident management systems are used by safety-first organizations that have a culture of preparedness and response something that almost all compliance programs need these days.
The following are key principles of effective incident management programs. Practice of these principles can be observed in industries such as Energy, Oil & Gas, and Mining. However, they also can also provide insights for others who are experiencing higher levels of uncertainty and risk as result of the on-going COVID-19 pandemic.
Incident Management Principles
1. Preparedness and Response
While effective risk management aims to prevent incidents before they happen; incident management aims to protect the public, workers, property and the environment just in case it does. This requires awareness of the effects of uncertainty (c.f. RISK: ISO 31000) and establishing measures in advance to mitigate the effects should an adverse situation arise. Establishing response standards is essential to knowing the level of preparedness needed along with how best to address specific cases such as emergencies.
3. Emergency Management Process
Emergency management involves all the activities prior to and in response to a significant adverse event that has the potential of doing harm. Having a comprehensive response plan focused on rapid response can mean the difference between life and death along with the potential to avoid substantial remediation costs. After the emergency has been addressed, clean up, restoration, and remediation efforts are put in place informed by the results of a thorough incident investigation.
4. Incident Investigation
To prevent re-occurrence of an adverse event it is necessary to understand the root cause or at least primary causes leading to the event occurrence. This requires thorough investigation and expert practice of root cause analysis (ex. Apollo Method), STAMP (Systems Theoretic Accident Modelling and Processing), HAZOPS, and other techniques designed to identify factors that may create the conditions and actions for the re-occurrence of the incident or similar ones.
5. Incident Resolution
Investigation while important will not have its full effect unless measures are put in place to implement recommendations to reduce the probability of re-occurrence. Establishing new or updated measures and monitoring their effectiveness are necessary and where much of the failure in risk management occurs. Continuous evaluation of risk measure effectiveness is an essential practice for companies that strive towards operational excellence.
6. Incident Reporting
Incident reporting provides both leading and lagging information of incidents. Tracking of events that fall outside of risk and compliance boundaries or targets are essential for both government reporting as well as in the discovery of causes leading to possible future events. Capturing of “near misses” while not easy to define or to do is the current focus for many safety-first organizations that are serious on preventing harm to their workers, property, communities, and the environment.
7. Continuous Learning and Adaptation
For an incident management program to remain relevant and effective it must continually adapt to changing conditions and consider learning from within as well as outside of the organization. When conditions are changing as fast and as significantly as they are now it is imperative that organizations continue to learn and adapt their risk and compliance programs. For some (perhaps many) this begins with not assuming the state of existing risk & compliance is what it was prior to the pandemic. This will necessarily lead to establishing and or upgrading processes associated with incident management.
COVID-19 has created significant disruption and uncertainty across the world, across communities, and across businesses of all shapes and sizes. Assuming that prior risk & compliance controls have remained intact and are still effective may no longer be warranted or wise.
Waiting for downstream audits and reports may not be fast enough to close the gaps in programs essential to keep organizations operating between the lines and protect against harm or loss.
Under current pandemic conditions or until the state of risk and compliance programs are better understood, organizations should consider implementing incident management programs to mitigate the effect of adverse events which are now more likely to occur.
Tracking and monitoring of incidents may themselves provide early warning giving organizations time to prepare. However, safety-first organizations will take the proactive step to first understand their risks to ensure that they are ready to respond.
Lean Compliance helps forward looking organizations improve stakeholder trust by improving the effectiveness of risk and compliance programs.