Both PSM and RMP require a 3-year audit to “verify that the procedures and practices developed under the standard are adequate and are being followed.” While it is not required, this Compliance Audit is traditionally done through a 3rd party. A common failing I see in this element is end-users not understanding what to do with the Compliance Audit once they’ve received it. What follows are my thoughts on best practices once you’ve received the Compliance Audit report.
- Verify the Report
- Certify the Report
- Address the Findings / Recommendations
  - Assess validity
  - Decide on a solution to address valid recommendations
  - Implement the solution including any needed interim solutions
  - Document the resolution as closed
Verify the Report
You will want to ensure the report meets the requirements of the PSM/RMP rules as well as your internal Compliance Audit element Written Plan. First thing to do is to read through the report and any findings / recommendations to familiarize yourself with it. Your report may look different than the ones I deliver, but mine have five main parts:
- An introduction letter describing the audit methodology and the report’s format
- Closing meeting notes discussing highlights of the report and next steps.
- An Audit Certification Page (discussed in the next section)
- Statement of Qualifications: Qualifications of Company and PHA Facilitator / Compliance Auditor, Conflict of Interest Statement & Disclosure. This is basically a written answer to common “Who did this audit and why should we trust them” questions.
- Compliance Audit worksheets & Findings / Recommendations
Once you understand the format of the report, decide if it met the goals of a Compliance Audit. I use the 3-levels of compliance as my performance basis.
Once you’ve established that the Compliance Audit report meets this performance basis, make sure it is:
- Free of any copy-paste errors
- Lacking any blank spaces / questions
If you have any questions or concerns, work with your auditor to address them at this stage, because once we go to the next step, this report is “set in stone.”
Certify the Report
Both PSM and RMP require that the employer/owner/operator certify the Compliance Audit report. I include a letter to be dated and signed. This step is often missed but it’s a very simple thing. You are not certifying that the report is 100% accurate, found every single thing wrong, etc. All you are certifying is that “you have evaluated compliance…to verify that the procedures and practices developed under the standard are adequate and are being followed.” In some sense, you’re really certifying that this collection of documents is your Compliance Audit, that you have received it, and that you believe it to be accurate.
Address the Findings / Recommendations
Each non-compliance finding will require some sort of action on your part. To assist in this endeavor, I personally rate the findings on a 4-level scale.
A simpler explanation of that rating system might be:
Green: All Good.
Yellow: It’s good, but there might be a better way.
Orange: This is wrong and can get you fined but probably won’t get anyone hurt in the short-term.
Red: This is wrong and can get someone hurt or even killed.
Below is the flowchart from our model PSM/RMP program on dealing with recommendations. Please see this longer post on the subject for more information: Properly Addressing PSM / RMP Findings & Recommendations.
Recommendations will be considered “addressed” when a plan has been put in place to address them. In some cases, a recommendation will not be accepted. OSHA considers an employer to have resolved recommendations when the employer has either adopted the recommendations or justifiably declined to do so. According to OSHA, an employer can justifiably decline to adopt a recommendation where it can document that:
- The recommendation contains material factual errors;
- The recommendation is not necessary to protect the health of employees or contractors, the public or the environment;
- An alternative measure would provide a sufficient level of protection; or,
- The recommendation is not feasible.
Whether accepting or rejecting a recommendation, it is important that you document your reasoning for doing so and any progress you are making, or have made. In our system we rely on an Implementation Policy called “Resolution of Recommendation” to do this. Below is an example of a recommendation that was tracked to resolution. Note that since it is now complete, they have shaded it green.
Conclusion: While it’s time-consuming and labor-intensive, dealing with Compliance Audit recommendations is a fairly straightforward task. As always, feel free to Contact Us if you have any questions, and check out our Compliance Audit section if you would like us to perform your next Compliance Audit.
Note: Nearly everything in this article is equally true for reports and recommendations from PHAs, independent Mechanical Integrity Audits, etc.