This is something that has troubled me as an auditor for a while; the lack of integration of risk management and internal audit and health and safety risk and audit.
At a number of my clients I have dealt with health and safety officers. They invariably continue their work, in the main they are earnest, normally male, normally middle-aged or older and use the word hazard instead of risk. Similarly at my clients I have always been responsible for forming the opinion on the whole of risk, including health and safety risk. The UK is, I’m sure, in line with most countries in that boards and executives have increased legal responsibilities for the management of health and safety. This normally prompts a separate line in health and safety reporting to the board on health and safety issues, often bypassing the Audit Committee and going direct to the Board.
Why is this? Is health and safety not just another legislative, practical, business and financial risk as for any other?
This prompted me at my clients to be much more clear about my remit with regards health and safety. I am happy to audit it directly, or to provide assurance over the arrangements for health and safety; that is the process by which health and safety is risk assessed and assured.
Wherever I have audited health and safety directly I have generally found a shambles. Why? Well like most business risks general managers are not good at systematically managing risk, preferring, as for other business risks, to wait until they become issues and deal with them as and when. This is why incidents continue to occur. Even where intuitive actions take place, the systematic management of health and safety risk, such that an auditor such as myself could take comfort from it is rare. There are of course industries where the inherent health and safety risk is higher, hence they do systematise the management of it. Examples include the chemical and energy industries. Yet BP’s catastrophic failure in the Gulf of Mexico in the last few years suggests that even this enhanced approach is not adequate.
Then there is the health and safety industry itself, which is, I believe, fundamentally flawed. First most health and safety people straddle, in my experience, and unhelpfully a gap between management and audit. They do not have the discipline of being independent, objective and non-executive in the way that the internal audit profession does. They are often not well trained in risk-based audit and thus they focus on compliance and operational ticking. Yet really ‘wicked’ health and safety risks are cross-cutting in businesses. It is these risks that are often not picked up and dealt with on a timely basis. Management often have no ‘health and safety’ experts working for them (apart from the health and safety team which melts away to become ‘advisors’ only if it goes wrong. General managers may know their business but are not specialists. Management is also structured by silo’d structures in most organisations and thus a cross-cutting effort is not applied.
I have learnt therefore that the first audit at any new client is health and safety. Also that this will shake my confidence in the client. So when was the last time you audited health and safety?