Safety First – Auditing HSE (including Process and Personal Health Safety and Environment)

Presented by:

David Aurelius

Head of Audit & Risk

Boral

11C

HSE Internal Audit• “Process safety is about protecting our people, the environment and our assets from

major accident hazards”

• At Origin, our HSE internal audit program constituted 35-40% of our total annual internal audit plan.

• The risks below are those that guide us in forming our audit objectives and scope:

Risk Title

Loss of containment of hazardous energy/ substances from a failure of production related civil structure

Loss of containment of hydrocarbons from an asset

Staff or contractors may be harmed due to exposure to work-related hazards

Loss of containment of hazardous chemicals/ substances (e.g. CCP and hydrochloric acids) from an asset

Loss of containment of mechanical energy from an asset

Loss of containment of pressurised systems from an asset

Loss of containment of electricity from an a asset

HSE Internal Audit• Three phased approach to HSE internal audit:

• Site-based risks / controls – specifically site based activity

• Business Unit risks / controls – BU specific processes and / or frameworks

• Organisational-wide risks / controls – broader theme-based activity or management system audits

• Audit resourcing consists of:

• In-house engineering capability

• Guest Auditors

• Co-source engineering subject matter experts (SME)

• Based on the audit scope, we then base our testing around the three types of critical controls categories (see following slide):

• Hardware controls

• Human controls

• Management System controls

• The framework below outlines the distinct approach we have to HSE internal audits.

• Our testing is based on the safety critical controls, as determined “in scope”.

Approach to HSE Internal Audit

Approach to HSE Internal Audit (cont.)

• A key focus of FY18 was to identify and test critical controls. With tailored assurance and risk management

programs in place across business units we’re now looking to adopt a common control framework.

• Given that many material risks are Health & Safety (both personal and process safety) risks (e.g., loss of

containment, land transport, asset security), a common control framework for critical controls that manage

HSE risks or “Safety Critical Controls” is being adopted:

• A suite of Safety Critical Controls (SCC) are being implemented to:

• Align framework and terminology with international standards (e.g., IOGP)

• Have a common language to build awareness and understanding across all lines of defence

• Integrate and connect data to controls to allow us to better understand the health of our controls

• Share knowledge and resources across business units to strengthen assurance and increase

collaboration

Loss of Containment (LOC) - Bow-tie

• As an example, this is how the boarder SCC Categories are represented on an LOC Bow Tie:

• *It’s worth noting that the new SCCs also cover personal safety, other risk bow ties (e.g. Land Transport) could be developed using the SCC categories also

Typical HSE audit “Objectives and Scope”

The objective is to assess the design and operating effectiveness of business unit and site based controls that manage:

Key HSE (focus on environmental compliance) and process safety / asset integrity (including asset, civil and structural integrity) risks in accordance with OE Directives, HSEMS Standards, external regulations and BU-specific policies and procedures.

Asset management strategies, plans and activities.

Operational processes (including, supply chain/procurement, inventory/materials management, and Information (IT) and Operational Technology (OT)).

In addition, this internal audit assessed the:

Appropriateness of risk management activities, including first and second line assurance activity.

Tracking, progress and closure of actions resulting from third party/regulator reviews.

Sufficiency of closure of prior year internal audit actions (where actions have been completed).

Scope

Site, business-unit, divisional and corporate controls related to the following (processes) were examined as part of the scope:

1. Process Safety / asset integrity management 5. Environmental Compliance

2. Asset Management 6. Supply Chain, Procurement, and Inventory and Materials Management

3. HSEMS Compliance (including personal safety) 7. Information and operational technology / data management

4. Business Resilience 8. Risk Management activity

Summary of HSE internal audit findings and themesCommon areas of control weakness and organisational learnings

Risk management behaviours (including processes, capability and culture)

Across all audited BUs, the recognition and management of risk could be strengthened by improving:

a. Hazard identification processes

b. Processes to identify, monitor and maintain Safety Critical Equipment

c. Embedding Operational Risk Assessments

d. The effectiveness of the first (operators) and second (functional groups) lines of defence can be strengthened.

Leveraging cross-functional capabilities, techniques and tools, and promoting shared learnings through formal

governance forums.

Management of change / Incident management

The effectiveness of Management of Change controls were inconsistent.

Improvements can be made to oversight and reporting of incidents associated with principal contractor operations.

Contractor management oversight and accountability

High reliance is placed on third party contractors to perform operational risk management activities.

Use of Data Analytics in HSE internal audits

The use of maintenance, incident, production and availability data to test the following internal audit hypotheses:

1. High compliance with preventative maintenance leads to fewer incidents

2. High compliance with preventative maintenance leads to increased availability/production

3. Unplanned outages are a result of high levels of corrective maintenance, or absence of maintenance

4. Non compliance with preventative maintenance leads to unplanned outages

5. Safety critical assets are maintained

6. Safety critical assets are subject to preventative maintenance with minimal corrective maintenance

7. Incidents are a result of high levels of corrective maintenance, or absence of maintenance

8. Sites with high numbers of observations have fewer incidents

9. Sites with high numbers of observations undertake more preventative maintenance

Data Analytics dashboards (1)

Data Analytics dashboards (2)

Other HSE Considerations

Part of the extended HSE strategy encompassed the following areas of focus

Process Safety

Contractor Management

Land Transport

Environment

Health and Wellbeing

In particular, assurance of Health & Wellbeing programs / services will be considered as part of the broader FY20 HSE Internal Audit Plan.

Key areas of focus / risks will be:

Successful implementation of the new Employee Assistance Program

Effectiveness of the “TouchBase” program around access to support employees in building personal resilience

Transition of support services from HSE to HR (including Change Management)

Medical services rationalisation

Front-line Leader Mental Health program assurance