The why and how of hazmat audits

Auditing your company's procedures for handling and transporting hazardous materials can improve safety and ensure compliance with federal regulations. Here's how to go about it.

By John V. Currie -- Logistics Management, 6/1/1999

When you hear the term "compliance audit," it's likely to conjure up an image of sinister federal agents, rulebooks in hand, bursting through your door intent on catching your business in an act of non-compliance.

Although you're reasonably secure in your knowledge of the complex regulations, you imagine that if they try hard enough, they'll be able to quote some obscure chapter and verse regarding a violation somewhere in your management system. In your worst dreams, you see them notifying the entire world that you have placed your company's employees--indeed, the general population--at grave risk by recklessly shipping or transporting dangerous materials. Furthermore, they say that these heinous acts can be absolved only through assessment of a staggering penalty that threatens to put your company out of business. You know it's a real possibility because you've heard that it has happened to others in the industry!

How can you make sure you're doing all the right things before the feds come to call? Staying current with applicable regulations, getting proper training, and maintaining a well-organized process-management system constitute your first line of defense, of course. But it's also important to have a means of measuring the effectiveness of your safety and compliance program. For many hazmat shippers and receivers, an internal compliance audit is the best way to accomplish that goal. Here's why you should conduct such an audit and how to go about it.

What an Audit Can Do for You

Although the thought of conducting an internal compliance audit may seem intimidating, there are many sound reasons for going to the trouble. Not only can an audit help you identify existing and potential problems in regulatory compliance and safety practices, but it also can help you develop a plan for rectifying those problems. Indeed, an audit seldom is perceived as something positive, but the process of looking inward for the purpose of evaluating a compliance program's direction, efficiency, and effectiveness is essential to making both short- and long-term improvements.

What else can a compliance audit do for you? A major concern for every business is controlling risks. These risks may include civil or criminal liability that may be incurred as the result of an action--or in some cases, a lack of action--on an employee's part. In addition to measuring your company's level of compliance and its vulnerability to enforcement proceedings, an audit can provide an opportunity to clarify corporate policy for controlling risk and to state expectations about how to minimize exposure. In short, it can help your company define and establish a corporate philosophy toward regulatory responsibility.

In addition, an audit may provide justification for dedicating resources to regulatory compliance. A properly designed and implemented audit program, moreover, will provide protection for the stockholders, officers, employees, and anyone else with a stake in the company's success and financial well being. Importantly, working for a company that is recognized as being a good corporate citizen and community neighbor because of its focus on safety compliance can instill pride in both employer and employee. Finally, if those federal agents do come to your door, you'll also have documentation to back up your statement that you're doing the right thing.

Set the Stage

Before embarking on a compliance audit, it's important to "set the stage" by defining exactly what the process will be and what it is intended to accomplish. The first step, perhaps, should be choosing the best word to describe it. Rather than use a threatening term like "audit," it may make more sense to call it a "review," since that's essentially what it is. The auditors (or "reviewers") will review business records, including written directives and shipping documents; company policies and procedures; adherence to employee manuals; and actual practices, such as loading and unloading operations and preparation of packages (including testing or following manufacturers' instructions for completing tested packaging).

It is important that everyone understands that a compliance review at best provides a snapshot of the management systems that existed on the date it was conducted. It's also important that they understand what a review is not. It is not intended to be a performance evaluation of any single employee. It is not intended to be a "quick fix" or "band aid" for addressing individual non-compliance. It should never be interpreted as a report card on a company's level of continuing compliance. The written report of the audit's findings, moreover, should never be viewed as regulatory guidance on the proper preparation of shipments or documentation on how to perform a particular function.

Most important of all, perhaps, is ensuring that the person who will receive the written report recognizes this. During one audit I conducted, the plant manager was hell-bent on firing all of the employees whose job performance was found to be deficient. She had missed the whole point of the review--it was designed to evaluate management systems, not individual employee performance.

Other types of advance planning are necessary in order to conduct a successful review. Preparation will reduce the time a review team spends in work areas, and that will minimize interruption and detrimental effects on productivity.

Once everyone understands the purpose of the review, the next step is to select the review team. There are two ways to approach team selection--choosing a group of company employees and bringing in a team--and each has its pros and cons.

One advantage of appointing a team of company employees is that they may be more familiar with the operations. They also will know the players who have management responsibility in each facility. Because they are insiders who know the "ins and outs" of their unique corporate culture, they might be in a better position to establish trust and to gain access to documents that the company's legal department otherwise might guard as proprietary.

On the other hand, sometimes it's better that those conducting the review not be personally acquainted with employees who are being interviewed, because they might have some bias or want to avoid offending a specific individual. Sometimes, too, they are so familiar with the daily operations that they might not recognize some of the issues that an outsider would identify.

That's why it's often beneficial to contract with a third party or to include an independent contractor as a member of the internal review team in order to ensure more objective observations. Another benefit of bringing in someone from the outside is that the contractor can benchmark management controls based on his or her experiences reviewing similar companies. Regardless of who conducts the internal review, though, the purpose and outcome should be the same.

Another important preliminary step is to identify the review project's scope. This entails identifying exactly where, when, and how regulated hazardous materials come in contact with your company and its employees. You will need to consider not only internal processes at your own plant, warehouse, or distribution center, but also processes that occur off-site when products are shipped or transported and where some of the greatest risks may be incurred. Among the questions you should ask are:

- Does the company distribute products that are regulated as hazardous materials and are prepared and packaged by an outside vendor?

- Are management systems capable of checking regulatory compliance on shipments of inbound salable products?

- Are finished goods that are manufactured and shipped by the company subject to the hazardous-materials transportation regulations for any modes of transportation?

- Are hazardous wastes generated as a result of facility processes?

- Are they accumulated on site?

- Are they shipped off-site by means of a hazardous-waste transporter under contract?

- Does the company actively practice and verify waste minimization?

- Are you a domestic or international carrier in one or more modes of transportation?

- Do you have your own fleet of vehicles?

- Do you use contract carriers, owner-operators, or common carriers?

- Do you manage compliance with the Motor Carrier Safety Regulations for vehicles and for drivers?

The answers to these and similar questions will determine the scope of your review. Because different companies will have different responses to each of them, there is no "boilerplate" or standard scope for all reviews.

An important issue to consider before a review is conducted is timing. A review should be conducted on a date that is convenient for all, not during the busiest week of the year and certainly not when the plant manager is on vacation! The reviewers should become familiar with the operations and regulatory history of the site to be reviewed. They also should notify the facility's management about which documents may need to be available during the review.

Using the Protocol

It is extremely important that the review produce an unbiased evaluation that is based upon an established protocol and that this protocol continually focuses on the management systems under review. A well-designed protocol should produce the same results regardless of who conducts the review.

The protocol should guide reviewers in identifying the applicable regulations or policies to be reviewed, creating tools and checklists for evaluating regulatory adherence or lack thereof, testing the effectiveness of management systems, and gathering evidence to support each of the review's findings. In other words, the protocol should provide the measuring stick to assess actual practices against the standards set out in the review's scope.

The protocol should specify what kind of information is to be gathered and how that should be done. The review of work in progress may require recording observations, interviews with employees, testing of computer programs, and similar tasks. Documents for review might include shipping papers, inventory reports, training logs, accident reports, vehicle trip reports, fuel receipts, drivers' log books, and governmental agency letters or reports. You may need to interview purchasing personnel and review related records to verify how they ensure that packaging meets specifications. Randomly check bulk packaging data to make sure systems are in place to track the inspection and testing for continued qualification of bulk packagings. Reviewers also could randomly inspect outbound packages, documents, and transport vehicles.

All on-site activities should fit within the defined project scope. The review team should gather all evidence within the defined scope, both negative and positive, without bias. Employee interviews should address only the factual information identified within the protocol; rumors, employee gripes, labor union issues, and other extraneous information volunteered should be politely but firmly discouraged. Strictly adhering to the protocol will prevent you from wasting time on information that would have no real impact on the audit results.

When collecting information, one of the basic rules is to keep complete and accurate field notes that support the analysis of each protocol step. You may want to provide the team with a standard-format worksheet for uniformity's sake. Evidence gathered during the review should be systematically logged and marked to ensure that continuity is not lost as papers accumulate. Make copies of documents and return the originals to the appropriate files so paper trails will not be broken and files will not be lost. Any physical evidence also must be protected from alteration, because that may affect the review's outcome.

I would discourage the use of recording devices for keeping personal notes for later transcription because they may arouse suspicion and intimidate employees. If recording devices must be used, ask the employee beforehand if he or she has any objection to their use. I also recommend against photographing or videotaping interviews unless it is absolutely necessary for verification purposes--and then only with prior permission from supervisory personnel and/or legal counsel.

All communications, whether written, spoken, or recorded, should be held in the strictest confidence by both the review team and management personnel who receive reports of the findings and by those who will be responsible for preparing the follow-up report.

Using the Review Findings

The single most troublesome aspect of conducting a compliance review is that once you find a deficiency, you are duty-bound to correct it. If you don't, your liability will increase significantly, because that disclosure could support allegations that you are "knowingly" acting in violation of regulations.

Any review finding should be documented and verifiable by presentation of evidence. Don't include any generalities or personal opinions. You should report all information that you gather as evidence; do not screen it to support any particular position on an issue. The findings should reflect the protocol at issue and include only pertinent information.

It's essential to hold an "exit briefing" after the team has finished collecting data but before the final report is written. The purpose of the briefing is to lay the groundwork for follow up on action items. Everyone present should receive copies of an "exit meeting discussion sheet" summarizing the findings that will be detailed in the formal written report that later will be submitted to upper-level management.

Keep the meeting atmosphere congenial, and have the review team sit among the site employees instead of at a separate table. Courteously but firmly communicate that this is not a time for employees to dispute the findings or to try to discredit the evidence. Rather, use this opportunity to make sure everyone understands what the deficiencies were and why they need to be corrected. Assign responsibility for preparing follow-up reports and/or another audit to make sure that deficiencies in management systems are in fact corrected and that the corrective action has been documented.

When preparing the final report, keep in mind the process's goals, both short-term and long-term. Remember that the report and its recommended corrective actions should address management systems rather than individual instances of non-compliance--but regulatory compliance is always the minimum standard. The report should address the findings as they relate to the applicable regulatory codes or policies, cite any enforcement actions, list the documents reviewed and their contents, and recommend corrective actions for the applicable management system. Work sheets or notes should not be included, but they may be discussed in follow-up communications about implementing corrective actions.

Assigning deficiency types and priority levels to each finding helps prioritize corrective actions. I recommend assigning deficiency findings to the following categories:

- Government regulation--a regulatory deficiency or violation;

- Company policy--a deviation from a company directive or written instruction;

- Management system--suggested enhancement to an existing system; and

- Local attention--immediate correction with no response required.

The priority level is based on the seriousness of the deviation:

- High risk--potential for death or injury;

- Serious deviation from regulations--potential for significant penalties;

- Deviation in recordkeeping--not life threatening; and

- Management-system enhancement--recommendation only.

The success or failure of a review often can hinge on the level of commitment at the highest levels of management. That's why it's important to follow up the audit by reviewing the entire report with someone at the highest level of management you can reach. Be sure this individual knows that any uncorrected deficiencies could result in an increased exposure to civil or criminal liability. And finally, do not close out the review until every finding has been verifiably corrected through the appropriate management system.

Measuring Results

One of the most common statements I hear from transportation-safety professionals is that it's difficult to quantify the results of their day-to-day endeavors. Information gathered during safety-compliance audits can, in fact, measure the benefits of a good compliance program. Historical records, for example, can show improvements in the number of violations compared to the total number of hazardous-materials shipments. Audits can verify reductions in costs related to non-compliance, such as fees for representation by counsel and reductions in civil penalties. Carriers may be able to show reductions in the percentage of accidents reported per million miles traveled, while shippers may be able to quantify reductions in the loss of work hours due to accidents.

There also are other nonquantifiable benefits that can have a strong influence on bottom-line revenues. Things like community good will, improved relationships with regulatory authorities, higher employee morale and pride in being part of a good company (which influences job performance), and improved business relationships all contribute to success. And, as a bonus, you'll have peace of mind when the inspector does come knocking on your door.

Editor's note: Logistics columnist John V. Currie writes, teaches, and conducts audits on hazardous-materials transportation and regulatory compliance.