Author: Brent Fewell, Founder, Earth & Water Group
Recently, I had the pleasure of speaking with a group of seasoned EHS auditors and share my perspective as a lawyer on the importance and role of auditing in ensuring effective compliance. I focused my remarks on the red flags that an auditor should watch for during an audit and what they should do when they find them. Things like poor-housekeeping, sloppy record-keeping, repeat violations, suspicious data, failure to timely submit regulatory reports, ignoring administrative orders, or perhaps receiving evasive answers during an audit, are all indicators that something more serious may be going on.
As a former EPA regulator, auditor, and EHS executive, I appreciate the diligence that most auditors bring to their profession, but some auditors can miss the forest for the trees by focus on checking boxes. What I mean by this is many auditors will view their role as limited to looking at the “what” and not the “why” – behaving more as a potted plant as opposed to a curious sleuth.
Why did this facility forget to submit its annual report? Why haven’t routine inspections been performed? Why does that data look too perfect? Why can’t someone find the records I’ve requested?
I can hear it now. Some of my auditor friends will respond by saying “that’s not my role, that’s the client’s responsibility.” However, I’m of a different mind and think an auditor’s role is so much broader and nuanced than simply documenting findings.
Auditors, and particularly third-party auditors, are in a unique position to spot-check and identify critical, systemic problems that may pose substantial enterprise risks to their clients.
We’re all familiar with those headline spills, explosions, or environmental cheating scandals, resulting in employee deaths or serious environmental harm. Not surprisingly, many of those companies had mature compliance programs, including EHS auditing. So, how is it that companies, even those with the best state-of-the-art compliance tools and mature EHS programs, can have serious compliance problems. First, companies are made up of fallible humans, who are prone to mistakes and occasional bad judgment. Second, and perhaps more importantly, however, is CULTURE. Invariably, corporate culture, which is an amalgam of values and attitudes, can explain the vast majority of environmental catastrophes or employee deaths that has ever occurred.
I’m not suggesting that auditors engage in psychological profiling or conducting internal investigations. That is surely the role and function of the client. However, what I am suggesting is that auditors must be better equipped and prepared to identify and elevate those red flags to the client that suggest something deeper may be wrong with a compliance program. It’s not sufficient to simply hand the client a report at the end of an audit when auditors have observed and sensed something more is amiss.
So let’s assume for the next audit, your corporate auditor goes out on a limb and does you a favor by identifying those red flags. What then? Well, once those red flags are identified, it becomes the responsibility of you, the client, to do a deeper dive into understanding what is going on, and what those red flags mean in terms of potential legal exposure. If your audit program is not covered under attorney-client privilege, I would strongly recommend reaching out to your in-house counsel or outside lawyer to discuss those red flags and whether and how to go about investigating them. It’s more than just fixing the technical problems of noncompliance – it’s about discovering and fixing the root cause, which may be complex and involve peeling back many layers of an onion. And there may be some stinky layers to that onion that you will encounter.
As I explained to my auditor audience, regulators and prosecutors don’t expect perfection, but they do expect a good-faith effort to comply with the law and to ferret out and correct violations with the law and deter future noncompliance.
When I’m approached by a new client about helping them assess their EHS compliance, I often share with them how prosecutors and regulators view and approach compliance. Often times, the first time a company meets the EHS police is after something has gone terribly wrong, when the client is in the cross-hairs of a serious criminal or civil investigation. That’s unfortunate, but it’s a reality. I typically share with them two documents that I keep with me and revert to often, documents which can help keep your company out of those cross-hairs: DOJ’s U.S. Attorney’s Manual (Title 9-28, Principles of Federal Prosecutions of Business Organizations) and U.S. EPA’s guidance on compliance-focused environmental management systems. Both are invaluable road-maps for companies to use to help ensure they have effective compliance programs.
Skimming DOJ’s s guidance document, you will note a common theme, corporate culture. And as someone who has advised and defended many companies on the topic, I can assure you that corporate culture will often determine whether a case will stay civil or go criminal. Just ask my business partner, Doug Parker, who served as the head of EPA’s criminal investigation division.
But this begs the question. Can corporate culture be measured? Are their red flags that suggest your company’s culture needs some fine-tuning or a serious overhaul? The answer to these questions is an unequivocal yes.
Which brings me back to the issue of EHS auditing. With experience and fresh eyes, auditors are on the front-line of flagging those red flags that should prompt curiosity, concern, and in most cases further inquiry. And to be clear, you won’t find the problems or solutions spelled out in the audit report. The due diligence associated with a good-faith effort requires a deeper dive into organizational self-awareness and the nuances of organizational behavior that influence effective compliance, including, organizational structure, communication, training programs and awareness, performance metrics, employee accountability, transparency, employee empowerment, and the list goes on and on.
Maybe its time for you to take a closer look at your corporate culture.