Once I started developing and implementing management systems, I could not resist applying management system theory to this event.  I developed a Christmas Party Checklist.  This checklist sets out the various tasks that need to be done and has blanks for assigning responsibilities and checking off each task when it is done.

Why do I use a checklist?

One year, I found the strawberries for the appetizer course still in the refrigerator when I put the leftovers away.  Another year, I had to scramble to find the meat platter while the guests watched from the table.

This checklist helps the party go smoothly and, more importantly, it helps me relax and actually enjoy the party because I know I am not going to forget anything important.

The morning after the party I make notes and additions to the checklist and file it away for the following year.

So what does this have to do with OHSAS 18001?

Checklists are an important part of a management system.  As with our Christmas party, they prevent you from missing important tasks.  They also help make your job more manageable and enjoyable – that is, if they are done right.

Want to learn more about creating effective checklists?

Click here to check out my previous blog and sign up for my mini-course (starting January 16, 2012) focused on checklist creation.

p.s.  It was a great webinar Tuesday on ISO 19011:2011 – The Impact on Management System Auditing. Thank you to those of you who participated and submitted questions for the Q&A.  Come back here next week for a link you can use to view this presentation.

© ENLAR Compliance Services, Inc. (2011)

So, what is an audit program and how does it differ from audit procedures?

ISO 19011:2011 defines an audit program as “arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose”.

A procedure is defined as “a specified way to carry out an activity or process”. (ISO 9000 3.4.5)

According to www.dictionary.com, a program is a “planned, coordinated group of activities, procedures, etc., often for a specific purpose”.

In other words, audit procedures are one component of an audit program.

In order to have an internal audit program, an organization must have the following:

1. A defined purpose (established audit program objectives)
2. Audit arrangements (audit procedures)
3. Scheduled audits (audits planned for a specific time frame)

Want to know more about establishing an audit program?

Click here to sign up for the FREE webinar I am giving next Tuesday (December 20th) – ISO 19011:2011 – Impact on Management System Auditing.

© ENLAR Compliance Services, Inc. (2011)

The most significant change is that the scope of the standard has been broadened from the auditing of quality and environmental management systems to the auditing of any management system.  This includes audits of occupational safety and health management systems.  ISO 19011:2011 specifically references OHSAS 18001:2007 in the bibliography and includes an “Illustrative example of discipline-specific knowledge and skills of auditors in occupational health and safety management” in Annex A.8.  This expansion in the scope of the standard to cover OH&S management system audits is the primary reason that I participated in this standard development effort as one of the U.S. experts.

Want to know more about the revisions made to the ISO 19011 standard and the likely impact on management system audits?

Sign up below to attend a FREE webinar on December 20, 2011 at 3 pm (Eastern Time). 

In the meantime, you can check out the PowerPoint slides for a presentation I did in May 2011 at the American Industrial Hygiene Conference – click here to go the blog post where you can access this presentation.  Even if you can’t attend the webinar on December 20th – sign up below to get access to the webinar recording so you can listen to it later. 

Also, you can subscribe to this blog (by entering your e-mail in the box on the right) and get future posts delivered to your e-mail.  Over the coming weeks, I will be posting additional information about how the guidelines set out in ISO 19011:2011 will impact environmental and OH&S internal audit programs.

Fill in your contact information below to attend a FREE webinar – ISO 19011:2011 – Impact on Management System Auditing.

If you want to purchase a copy of ISO 19011:2011 – Click here.

© ENLAR® Compliance Services, Inc. (2011)

Similarly, correction and corrective action are NOT the same.

These are defined terms that have been taken from the quality world and applied to EHS management systems.  They are also an entrenched part of registration audits so it is important to understand how registrars define them (i.e. their ISO 9000 definitions).  When registrars issue corrective action requests (CARs), they often request information on any corrections done as well as a description of the corrective action planned.

A correction is defined as “action to eliminate a detected nonconformity”.  In the quality world, correction is often referred to as containment (as in preventing nonconforming product from reaching the customer).  Correction in a QMS can consist of repair, rework, scrapping the product, etc.  The first action taken is often segregation and control of non-conforming product.

This quality concept was incorporated into ISO 14001 as correction and mitigation – as in taking action to mitigate environmental impacts (see Section 4.5.3 a).  The same concept was also incorporated into OHSAS 18001 as correction and mitigation – as in taking action to mitigate OH&S consequences (see Section 4.5.3.2 a).

In all the standards, the focus of correction is on the immediate fix.

A corrective action is defined as “action to eliminate the cause of a detected nonconformity or other undesirable situation.” A note to this definition in ISO 9000 states that “there is a distinction between correction and corrective action.”  The distinction is the focus.  In corrective action, the focus is on what CAUSED the nonconformity.

Since the focus of corrective action is on causation, some type of root cause analysis is a prerequisite to defining the appropriate corrective action.

© ENLAR® Compliance Services, Inc. (2011)

 When it comes time for our company to be audited on the OHSAS 18001 system, our auditor usually says, “Your Company has not identified ALL the hazards at your facility.”

…  I don’t believe that every potential hazard needs to be identified in order to be compliant.  I always explain this to the auditor, and address what it states in 4.3.1:

“The organization shall establish, implement and maintain a procedure(s) for the ongoing hazard identification, risk assessment, and determination of necessary controls.”

… I don’t feel our auditor is correct in saying we are not compliant because we have not identified all potential hazards.

I really would appreciate your thoughts on this matter.

You are correct in your analysis of the requirement in Section 4.3.1 of OHSAS 18001. What is required – and what auditors should be looking for – is a process NOT perfection.

This is an important distinction and a fundamental principle underlying all of the ISO management system standards and OHSAS 18001.  It is one of the 14 Points for Management that Deming emphasized in his 1982 book, Out of the Crisisand it is what the plan-do-check-act (PDCA) approach is all about.

To illustrate the difference, consider how one goes about controlling a manufacturing line making widgets.  There are 2 different approaches that can be used to ensure quality widgets – an inspection approach and a management system approach.

In an inspection approach, an individual sits at the end of the line and either accepts or rejects each widget on the basis of whether it is conforming or nonconforming.  Conforming widgets become products and nonconforming widgets become waste.

In a management system approach, procedures and operational criteria are put in place to ensure that quality products are made in the first place.  Quality is ensured by the process controls in place during manufacture not by a final inspection.  If a final inspection is done, the primary purpose is for evaluating the adequacy of the process controls not for product acceptance or rejection.

Some OHSMS auditors approach management system auditing with a “final inspector” mentality.  Rather than focusing on evaluating the adequacy of the management system, they gravitate to focusing on the OHSMS equivalent of looking for nonconformity products.  Rather than looking for system conformance, they look for isolated problems.  They act as inspectors not as auditors.

As in manufacturing widgets, isolated deficiencies do not establish the lack of an OH&S management system.  There can be many reasons for “flaws” – only some of which indicate management system failure.  The focus needs to be on evaluating the sufficiency of the management system procedures in place not on substituting auditor judgment for organizational process.

© ENLAR® Compliance Services, Inc. (2011)

Other presenters talked about what the requirements are for a management system and how to establish a management system within an organization.  I discussed management system auditing.

In particular, I outlined five ways that ISO 19011 impacts management system auditing –

1. Defines what is – and is not – an audit.  One of the key things a standard does is establish common definitions for the terms used within that standard.  For purposes of management system auditing, ISO 19011 defines what an audit is – the dictionary does not.  Importantly, in order to be an “ISO audit”, an assessment activity MUST be objective, independent and documented.  This means that a lot of the activities that safety professionals refer to as “audits” really are not.
2. Fosters audit program integration.  Since ISO 19011 covers all types of audits (internal, supply chain, certification) for all subject matter disciplines (safety, quality, environmental…) in all types and sizes of organizations, it sets out a common structure and guidelines for establishing an audit program.  There can be one program instead of many. 
3. Sets a global standard for audits.  The overarching goal of ISO is harmonized international standards.  Since ISO 19011 is an international standard, it can be applied anywhere in the World.
4. Defines what an audit program is.  Section 4.5.5 of IS0 14001 and OHSAS 18001 require that both audit procedures and an audit program be established, implemented and maintained.  Note that this is different than the requirements in other sections which only require that procedures be established.  ISO 19011 provides the answer for what makes up an audit program.
5. Provides consistent criteria for evaluating auditor competence.  In the upcoming revision of ISO 19011, the focus of Section 7 of ISO 19011 will shift from defining auditor competence criteria to setting out a process for evaluating auditor competence.  The auditing organization needs to have a process in place to select the appropriate audit team members to meet the audit program objectives.

For more information, click here to view a copy of my presentation slides.

© ENLAR® Compliance Services, Inc. (2011)

Just as there are different types of sustainability audits, there are different types of objectives required for management system audits.  Importantly, an organization needs both audit program objectives and specific objectives to guide the conduct of each individual audit.  Although the audit program objectives and individual audit objectives are related, they are not necessarily identical.

It is important to remember that an audit and an audit program are not the same thing.  An audit is a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled”.  An audit program is “set of one or more audits planned for a specific time frame and directed toward a specific purpose”.  (Definitions from ISO 19011:2002)

OHSAS 18001 requires that an audit program be established. 

An audit program involves more than just doing audits every once and a while.  It requires audit planning and it requires the creation of audit procedures.  As set out in the note to the definition in ISO 19011 –  an audit program includes “all activities necessary for planning, organizing and conducting the audits”.

ISO 19011 provides guidance on how an organization should go about establishing an audit program for conducting management system audits.  Although originally developed for quality and environmental management system audits, the United States version (ANSI/ISO/ASQ QE 19011S) was expanded in 2008 to cover OHSMS audits.  ISO 19011 is currently being revised to cover all management system audits – regardless of subject matter or discipline.  It is anticipated that this revision of ISO 19011 will be published in the fall of 2011.

One of the keys to a successful audit program is establishing objectives to guide the planning and implementation of the audits that are to be conducted.  These audit program objectives need to be consistent with the policies, priorities and objectives of the organization as a whole.  This will help to ensure that the audits conducted – taken as a whole – provide the information top management needs to assess the suitability, adequacy and effectiveness of the OH&S management system. (Click here to read a prior blog on evaluating the effectiveness of an OHSMS.)  

Want additional guidance on establishing audit program objectives for an OHSMS audit?

Check out section 5.2.1 of ANSI/ISO/ASQ QE 19011S.  For example, section S5.2.1.3 suggests that objectives for an OHSMS audit program might include consideration of the frequency and severity the injury or illness that may be caused by particular hazards.  Other objectives for an audit program may include the identification of opportunities for reducing OH&S risks, enhancing customer product stewardship, verification of supply chain capabilities and evaluation of contractor control.   The internal audit program objectives need to be closely aligned with the goals of the organization.

© ENLAR® Compliance Services, Inc. (2011)

What does this mean?  What is the difference?

These two types of audits relate to two different definitions of sustainability.

The first definition, derived from the Brundtland Commission Report’s definition of sustainable development, is “meeting the needs of the present without compromising the ability of future generations to meet their own needs.”  Although originally environmentally focused, this concept has evolved to include other components as well.  Notably, for occupational health and safety, sustainability is seen as including the actions and conditions that affect all members of society including workers (the “social” component). 

The second definition, the dictionary definition, is to “endure without giving way.”  This concept of sustainability is focused on survival and maintenance in the face of changing conditions.  This is often referred to as management of change.  As stated in section 4.3.1.5 of OHSAS 18002, “The organization should manage and control any changes that can affect or impact its OH&S hazards and risks”.

The internal audit element of OHSAS 18001 (section 4.5.5) requires that audits be conducted in order to make the following three types of determinations:

1.  the OHSMS conforms to the OHSAS 18001 requirements and the organization’s planned arrangements;
2. the OHSMS is properly implemented and maintained; and
3. the OHSMS is effective in meeting the organization’s policy and objectives.

Many organizations focus almost exclusively on conducting internal audits to determine conformance – the first type of determination listed in section 4.5.5.  These organizations often ignore the other two purposes of an internal audit listed in OHSAS 18001 – the requirements for sustainability audits.

The audit of sustainability, related to the concept of societal sustainability, needs to focus on the assessment of whether the OHSMS is effective in meeting the organization’s stated policies and objectives.  This is particularly the case for organizations who have issued public sustainability statements and policies that proclaim their commitment to worker protection.

The audit for sustainability, associated with management of change, needs to focus on the adequacy of the OHSMS in addressing changing conditions.   As I discussed in a previous blog, changing conditions is where many of the most significant OHS hazards lurk.  An OHSMS that is not robust in the face of changing conditions will not be effective in achieving the overall goal of preventing injury and ill health.

What to hear more about this? 

I will be speaking on Auditing Integrated Management Systems – The Impact of ISO 19011 as part of a roundtable discussion at the American Industrial Hygiene Conference (AIHCE 2011) on Tuesday, May 17, 2011.  This roundtable will focus on the topic of Integrated Solutions in Sustainable Occupational Health and Safety Management Systems.  A colleague of mine, Charles Redinger, will also be speaking in the same Roundtable on the evolution of integrated management systems.  You can check out his blog at http://www.strategicehs.com/.  

I hope to see you there.

© ENLAR® Compliance Services, Inc. (2011)

 One of the conclusions set out in this paper is that the “accountability mechanisms” common to management system standards can have a negative impact on OH&S performance.

The authors suggest that many of the fundamental requirements of management system standards – establishing accountability, performance tracking and internal auditing – are “antithetical to measures that our findings suggested had a positive impact on OHS.”  They go on to discuss social science research that finds that accountability mechanisms can decrease trust and, as a result, negatively impact performance. 

What does this mean for OHSMS internal audit programs?

 First, it is important to recognize that internal audit programs have a purpose.  That purpose is best summed up by the phrase – “Trust – but Verify.” That is why OHSAS 18001 includes an internal audit program requirement.

 As Steve Covey states in his book - The Speed of Trust there is a difference between Judgment – what he calls “Smart Trust” and Gullibility.  Extending trust can bring great dividends; however, it can also create significant risks.  The goal is to find the appropriate balance of trust and scrutiny to manage risk appropriately while avoiding both gullibility and excessive suspicion.

To order this book from Amazon - click here The SPEED of Trust: The One Thing That Changes Everything

With that in mind, let’s examine the goal of an internal management system audit. 

 In an effective OH&S management system, the goal of your audits should be to find evidence of conformance – to verify that processes are being done right.  This means that the focus should be on documenting conformance NOT on finding nonconformities. 

It is human to resent being audited – very few people like having their work questioned.  Simply shifting the focus of the audit process away from a negative intent (finding problems) to positive (celebrate what you are doing right) will go a long way to improving the process and increasing trust.  So will treating the identification of any nonconformities as opportunities for improvement rather than occasions to assign blame.

Recognize the negative impact audits can have on “trust” and take steps to mitigate them.

Avoid using internal audits as “buck passing” or “institutional feel good” exercises. Make sure that top management is as invested in providing the resources needed to fix problems as they are in identifying them in the first place.  Here’s a thought – perhaps you can put a positive spin on your audit program by having a set amount of “safety bonus” dollars that are immediately available to fund one or more “opportunities for improvement” identified during the audit.  Every safety program has potential improvements that aren’t being pursued becaue of lack of funding.

© ENLAR® Compliance Services, Inc. (2009)

The purpose of this blog is to provide real-world practical advice to assist you in establishing, documenting, implementing and maintaining an integrated management system.

This website provides information and resources to help you understand the requirements of the various management system standards - ISO 9001, ISO 14001, OHSAS 18001, etc.  In addition, it provides an opportunity for you to post your questions and comments on a variety of management system topics.

An integral part of this blog is the monthly FREE teleseminar that ENLAR will be hosting.  These monthly ”conversations with experts” will provide a unique opportunity for you to BOTH listen to experts on a variety of management system topics AND ask questions for them to answer in their calls.

Click here to check out this new blog.  While you are there, check out the upcoming teleseminars on -

• Revision of ISO 19011 – The Challenge of Drafting a Generic Auditing Standard
• Five Steps for Achieving Employee Engagement

 Thanks!  I hope you like this new site.

© ENLAR^® Compliance Services, Inc. (2009)