Industry Should Lead, Not Follow Regulations

There were three mine disasters in 2006 before the latest disaster at the Crandall mine in Utah. At the Crandall mine, a seismic event equivalent to a 3.9 magnitude earthquake trapped six miners. Days later, during the rescue effort, another collapse killed three rescuers, including a member of the Mine Safety and Health Administration. Weeks later, the company is still boring holes into the mine, trying to recover the bodies.

This has led the governor of Utah to investigate whether state mine safety regulations need to be tightened because federal regulations aren’t stringent enough. More significantly, OMB Watch has said “The Aug. 13 issue of Mine Safety and Health News reported that Dr. R. Larry Grayson, who heads the Pennsylvania State University mining and engineering program, agreed
…the mining company may have been following the MSHA-approved mining plan, but that does not mean that it was safe.”

This is a worrisome trend. Professors are second-guessing regulators, who are second-guessing the people in the industry itself.

What is really needed here is some thought about good incident management systems and real-time emergency response systems in the mining industry overall. There is actually a global need for stronger health and safety protection for the mining industry, including these incidents as well as the ones in China. Would a better emergency response or incident management
system have helped the rescue workers respond more efficiently? I think so. Good systems can be proactive, rather than reactive, even in situations that can’t be predicted, like seismic shifts.

OMB Watch goes on to point out that perhaps it is wrong to allow industry to comply voluntarily with regulations. A promotional email I got from them this morning said “Two recent stories exhibit the problems associated with
voluntary industry compliance with federal rules. In New York, Governor Elliot Spitzer is using state law to enforce a mandatory recall of children’s toys contaminated by lead paint. Spitzer cites the federal government’s weak voluntary recall system as reason for pursuing action at the state level.”

The writer goes on to discuss the use of “compliance assistance” in the Occupational Safety and Health Administration and the Mine Safety and Health Administration in the Crandall disaster.

What is the takeaway from this? Industry should lead, not follow, the regulations. I don’t know one client of ours (or non-client for that matter), who would like to experience a disaster like Crandall if it could be anticipated. That’s what GRC initiatives are designed to address.

Add comment August 30th, 2007

“Green” Values Aren’t About Branding: It’s About Survival

There’s a new blog called 21st Century Citizen that explores what the true values should be for those who are living in this century. This is very different from the Environmental Leader blog that’s discussing where your company’s brand will be when the “green” fad ends. One is deeply felt and strategic, while the other marks a trend. Enterprises must make the strategic choices, rather than branding through “quick fixes.” That never works.

Having been around in the ’70s when there was an earlier “green” movement, I know that all issues have a life cycle shaped like a bell curve. Al Gore has now made environmental issues hot (no pun intended) by talking about global warming. Indeed, we will come to a compromise system of carbon trading and emissions efficiencies, regulations and compromises, and then environmental issues will be off the table as emergencies once more.

But 21st Century Citizen asks the question “should you ride or bike?” and comes to grips with some of the complexities involved in that decision. To bike, many people would have to move closer to their jobs. Or change jobs. Or work from home. Or move closer to the grocery store. The long and short of it is that we have to re-examine not one choice, but all of our life choices as individuals in order to create sustainability. I think the purpose of this new blog is to start the discussion about the future.

And corporations are pondering some of the same decisions, as well. It’s not just your greenhouse gases that you have to track. It’s your chemical waste. It’s the components of your supply chain, and the byproducts of your manufacturing process. Environmental issues may disappear and re-appear from the radar screen per se, but the safety issues posed by environmental contaminants around people will always be an issue for employers. The world is round, not flat, which means we have finite resources available to meet our ever increasing population’s demand. The thoughtful management of these resources as well as our waste and pollution byproducts will continue to become ever more critical for sustainability.

This round of environmental initiatives isn’t about branding. It is about survival.

1 comment August 1st, 2007

Going Beyond Regulatory Compliance

Environmental compliance suddenly has become a hot topic, especially as businesses try to better manage their operational risks. Compliance risk has emerged as a subset of governance, risk and compliance, with a definition all its own: the risk of impairment to the organization’s business model, reputation and financial condition from failure to meet laws and regulations, internal standards and policies, and expectations of key stakeholders such as customers, employees and society as a whole.

This definition, put forward last year by Price Waterhouse Coopers, means that you can damage your business with behavior that can be legally defensible, yet not socially acceptable. The global executives surveyed by PWC agreed that compliance with government and exchange mandated rules is less important in avoiding risk to reputation than internal codes of practice.
Yes, one has to adhere to the law, but that’s not enough. The task of protecting stakeholders, including the environment as a whole, is much more onerous than just what the law requires. And that’s because the regulations are always a little behind when something becomes unacceptable to society.

Thus, what is thought of as sharp practice by informed customers today can become the subject of regulation tomorrow. Businesses that want to be regarded as socially responsible need to go further than existing mandates to establish their own internal codes and practices, and to develop a culture of compliance that comes out of attitude and desire rather than solely out of regulation. Following existing rules is not enough. Modern enterprises also must develop a sense of stewardship.

The compliance department alone cannot resolve the inherent conflict of interest between the desire for profit in an organization and its duty to wider stakeholders including the community in which it lives. Both outside regulations and internal rules are meaningless if there is a culture of noncompliance in an organization.

Developing a culture of compliance means using a sense of stewardship to look ahead, and make organizational changes from within BEFORE the outside rules change. Make them out of a desire to put the long term well-being of the larger society first, rather than only because the regulators say so. Interestingly, many of our customers seem to be doing this —— implementing EH&S policies that are ahead of those government mandates. They would rather be viewed as trend setters than reactors.

3 comments May 14th, 2007

Security is a Major Concern for Energy Company CEOs in Asia

I have just come home from a month-long road trip to Australia and Asia. While I was traveling in Southeast Asia, I found a common issue was dominating the minds of responsible individuals and leaders in these organizations: Terrorists in Thailand, the Philippines and Indonesia have been targeting oil and gas industry assets more frequently in those countries. So are the Tamil rebels in Sri Lanka. Once again, I am struck by the serendipity of our product development. Before I took the trip, I was glad we included a real time emergency response component in Essential Suite, but I never predicted how it might be most effectively used.

Now I know first-hand that not only do these organizations need to minimize operational risk, but much more critically, they have to deal with the risk of terrorist activities shutting down their facilities and with the potential for massive environmental exposure
from successful attacks. Security has become the biggest issue for them, and a real time emergency response is a real requirement for EH&S and Crisis Management systems all over Asia.

Earlier this week, the Tamil Tigers bombed two fuel facilities in Colombo, forcing the partial shutdown of the airport as major carriers decided only to fly there in daylight or not at all.

Here’s the story from Reuters Net Alert:

This security issue is a big concern of both local and multinational oil and gas companies and energy companies operating in Southeast Asia. I heard it repeatedly from CIOs and EH&S executives on this trip.

1 comment May 3rd, 2007

Can an Energy Company Achieve Sustainability Objectives?

The stereotyped view of large energy companies includes nothing about sustainability, corporate social responsibility, or concern for the environment. But actually, when you do business with as many energy companies as we do, the stereotype quickly disappears. Many of these companies have led the charge to deploy EH&S information management platforms like ours. And what we sell is a product that helps companies achieve operational excellence.

Operational excellence is a goal well beyond mere compliance. It’s proactive, where compliance is merely reactive.

While on the road in Asia and Australia this month, I’ve read a unique document: Chevron’s Operational Excellence Manual. Yes, Chevron has at least one manual for its Operational Excellence Management System (OEMS). This system is shared with employees to set the company culture. Chevron’s operations are spread across the globe, and the OEMS allows the company to identify and close performance gaps quickly.

In the words of Chevron’s CEO, operational excellence is not something separate from its business. It is the way they run their business to provide value to the shareholders. To me, this view is the wave of the future, as you know from previous posts here.

Chevron has developed an entire systems approach to operational excellence, which they try to integrate into their daily operations to protect people and the environment today and in the future.

The system begins with operational excellence objectives:

• Achieve an injury-free work place.
• Eliminate spills and environmental incidents.
• Identify and mitigate key environmental risks.
• Promote a healthy workplace and mitigate significant health risks.
• Operate incident-free with industry-leading asset reliability.
• Maximize the efficient use of resources and assets.

Chevron’s vision is “to be recognized and admired by industry and the communities in which we operate as world-class in safety, health, environment, reliability and efficiency.”

To achieve this, Chevron counts on its leadership to set the pace. And here’s what the company says a leader can do to build a culture of operational excellence.

1. Engage in dialogue with members of the workforce (employees and contractors); inquire about their work and working conditions. Understand and recognize the value of each individual’s contribution to incident-free operations.
2. Positively reinforce safe behaviors on the spot. Act immediately to mitigate unsafe or environmentally unsound conditions. Share personal examples of safety learnings and observations from both on and off-the-job.
3. Never ignore a suggestion to improve operations.
4. Devote required resources, including your time, to operational excellence. Know your OE network representatives and participate in OE network activities.
5. Sponsor and participate in critical OE processes; make safety observations, participate in a Job Safety Analysis (JSA) or an incident investigation to determine root causes.
6. Set clear, specific, measurable objectives for operational excellence. Communicate frequently with all members of the workforce on the objectives, measures, plans and progress. Regularly recognize progress on indicators and achievement of results.
7. Role model Tenets of Operation by always following tenets, holding others accountable for following tenets and recognizing those that do.
8. Conduct field visits, ask questions about safety, environmental and reliability conditions and provide immediate pin-pointed feedback (both positive and constructive).
9. Hold yourself and others accountable for operational excellence performance. Include OE performance in ranking, salary and job selections.
10. Set high, specific standards for continuous improvement of critical OE processes. Share lessons learned and seek out and adopt processes that could improve performance.

There is much to admire in Chevron’s commitment. Expect to hear more about this from me in the future.

Add comment April 26th, 2007

Rasmussen Relates Corporate Social Responsibility to GRC

Michael Rasmussen is an analyst I follow, because he seems to have the most similar view on GRC to my own. I especially like the following letter in which he relates corporate social responsibility to GRC and how the merging of all these corporate initiatives produces fear of change. At ESS, we like to embrace change, although we, too, know how difficult it can be for our growing company.

“The acronym GRC (governance, risk, and compliance) is causing quite a stir…. organizations are changing the way they focus on and manage governance, risk, and compliance. This is causing insecurity in some and ambition in others. Risk managers and compliance officers are both in a state of confusion - do we embrace GRC and lead this charge for our organization? Or do we fight against this change?

I have been on three continents already this year and have had numerous conversations spanning vertical industries - the truth is organizations are strongly evaluating the silos of risk and compliance management of the past and looking at what they need for the future. There is discussion as well as debate on what the individual terms ‘governance,’ ‘risk,’ and ‘compliance’ mean as well as what they mean together as ‘GRC.’ Further, many are considering the role of corporate social responsibility and how it aligns with GRC.

The corporate secretary is the aggregation point for a holistic view of GRC. It is the Corporate Secretary’s role to consolidate corporate performance, compliance, and risk information that gets communicated to the board and goes into the financial statements and reports. Consider the fact that this past year, Corporate Secretary magazine added the tagline “The Governance, Risk and Compliance Monthly.”

Risk management. Risk management has been buried in discrete silos often focused on financial and treasury risk, or was a function looking at project risk. Now many organizations, across industries, are trying to define and understand what Enterprise Risk Management (ERM) is all about. Rating agencies, like Standards and Poor, are using ERM as a factor in rating corporations. When companies begin to explore ERM, they quickly see that it is expansive and includes the world of operational risk as well as legal, regulatory, and compliance risk - thus converging the world on GRC.

Compliance management. Compliance has often been managed across many silos focused on different issues. HR might be focused on employment/labor compliance issues, such as harassment and discrimination, manufacturing might focus on product quality and safety compliance, while legal is focused on things like ethics and U.S. Sentencing Commission Organizational Sentencing Practices. The trend is for organizations to establish a Chief Compliance Officer, but often this role is quickly getting involved in risk management. The move toward principle-based regulation is further converging the worlds of risk and compliance. Several organizations I have visited this past three months have recently moved compliance under ERM - either reporting parallel to operational risk or as a function of operational risk itself.

Internal audit. Audit is one of the most challenging roles to define around GRC. A purist/idealist perspective states that audit has an important role, but it is one of risk and control review - to validate that the organization is managed according to its regulatory requirements and corporate policies. Audit does not have a role in day-to-day management of risk and compliance.

Information technology. The IT department is getting heavily involved in GRC in two areas. There are parts of risk and compliance that affect IT directly - where IT has to manage its own risk and implement controls within the IT environment, and where IT can be used to drive sustainability, consistency, efficiency, and transparency across business GRC functions that are not focused on IT risk and control.

Security. Within both corporate/physical security as well as IT, there are increased regulations as well as risk to the organization that are driving this function to be part of the discussion on enterprise GRC strategies.

The list does not stop there - you have others such as investigations, fraud, legal, lines of business and reputation issues that involve public relations and marketing, as well as the increasing awareness of corporate social responsibility.

However, many risk and compliance professionals feel threatened by this change and are entrenched at seeing that their job does not change. My perspective - change is afoot. Individuals involved in risk and compliance can step forward and be the leaders of this initiative in their organization or they can sit back and let another role lead it, and they will have to fall in line.”

Add comment April 25th, 2007

EHS Systems Making Major Impact with Overseas Companies

I returned recently from a business trip to Asia in January. I was in China, Japan, Taiwan, Malaysia, Singapore, Philippines, Thailand, the Middle East and India visiting with our international partners and customers. One of my meetings was at PetroChina in Beijing where our complete EHS software platform has been deployed.

This is the first and largest enterprise-wide software system implemented in China for environmental, health, and safety. The deployment encompasses more than 10,000 ESS licenses used in 41 branches. Each of these branches supports between 2 to 10 plants across China. What is even more exciting is that we have localized their software platform so that it displays all their safety data in Mandarin Chinese.

IBM Global Services implemented the project. I am proud to say it was a success and is now expanding to its parent company, China National Petroleum Company. While there I met with the CIO of both PetroChina and CNPC who discussed how our products are being used to help protect employees’ health and safety and reducing the environmental impact of their oil and gas operations.

In the Middle East, I met with our customers Kuwait National Petroleum Company in Kuwait and Abu Dhabi Oil Company. They shared with me how ESS software is being used to not only help manage the environmental emissions of their assets, but also how the software is helping them show their communities proof of their environmental leadership. Here is what they had to say about their accomplishments in their own words.

Frankly, it is at times like these that I am taken aback when I realize what an impact ESS is having globally helping organizations execute on their corporate strategies and initiatives for environmental sustainability and health and safety. ESS is now positioned where I wanted it to be 14 years ago when I started the company.

But what does that mean for our customers? Simply put, decision makers from corporate leaders to government agency heads trust our solutions to help them mitigate operational risks, lower costs and reduce their environmental footprint. We have the full range of environmental, health, safety and crisis management solutions that will help your company meet its triple bottom line objectives. No other company comes close.

We have worked hard to earn the trust of customers, and our products and services are delivering on that promise. Now we’re taking additional steps to ensure that our products and services continue to meet our customers’ expectations as we grow.

ESS is making tremendous investments in our company to better serve both U.S. and global markets. We will continue our precedent of defining the market and demonstrating to our customers that we deliver our Operational Risk Management solutions both as enterprise solutions to meet the needs of global companies who want a centralized approach, and decentralized local solutions to address issues at a specific facility. We think this is a winning combination that will resonate among decision makers at all levels and in any organization.

This year, we also are looking to strengthen our top-tier partnerships, many that were forged in 2006, to take us further in both domestic and global markets. We’re especially eager to continue our growth among companies in the Asia-Pacific region, and we are moving into Europe as well. We think we have all of the components to make 2007 another banner year for ESS. I’ll continue to share details with you in the weeks to come.

Add comment March 6th, 2007

Key Performance Indicators:
Proactive Opportunity or a Reactive Reality

Based on recent industry trends, I have noticed that the focus of the proactive Environmental, Health and Safety (EHS) professional has moved beyond compliance activities. Emphasis is now placed on finding ways to add business value and increase a company’s shareholder value through enhanced EHS performance.

Managers can see that this shift in focus is evidenced in the recent trends for risk portfolio management. Analyst groups offer evidence of links between EHS risk management and financial performance. Stock trends highlight upward trends for companies with strong EHS performance records.

One example is translating injury and illness data into key performance indicators (KPI) that provide proof of your company’s commitment to employee and community safety. OSHA requires that this data be collected anyway. Using the data for performance metrics is a natural progression.

Company press releases and annual reports are full of EHS key performance indicators. These neither provide business value nor drive improved performance since most data a) indicate what has already happened, b) represent situations that may no longer exist and c) often become the end result, not a tool for further evaluation and decision-making.

If corporation officers want to spend money on environmental protection, they must have realistic expectations of value those investments will generate, and that they are appropriate for the size and character of the corporation. We already know that environmental professionals in many companies struggle just to maintain regulatory compliance. This applies to companies of all sizes, although the challenge is greater for small and mid-size organizations.

Traditionally, the most effective “non-regulatory” environmental initiatives are those that require disclosure and executive management involvement. The Toxics Release Inventory (TRI) had a major influence on pollution prevention programs after business management discovered how much was being released in association with their company’s facilities.

Today executives and plant managers must sign off on their environmental reports. That has brought environmental issues to the forefront of corporate governance.
KPIs show where a company is headed and give production managers tools they need to take action ahead of significant performance downturns and where they need to produce performance measurements.

Examples of ‘next generation’ KPIs that could affect your operations in the near future:

• Measurements of performance trends, not merely performance. Leading indicators can be derived from trends in wastewater discharge overages, spills, audit findings, reportable injury rates, near misses, or workman compensation claims for a particular condition, among others.
• Periodic surveys of relevant opinion leaders. Targeted surveys could provide insights into both short and long term EHS trends.
• Sustainable development metrics. Metrics that monitor and understand regional and global environmental data using information solutions that capitalize on material and waste data management
• Other measures such as physical conditions, employee attitudes and other factors should be rolled up into data that track factors affecting performance and results.

Businesses and economists have been using leading indicators for decades. I think you’ll find that the secret to developing effective KPIs is to create a process that provides results rapidly, so managers can develop strategies and tactics to correct negative trends in a timely manner. Look for software solutions like Essential Performance Manager™ – which we expect to hit the market very soon.

1 comment February 12th, 2007

Is Your Company Poised to Address Operational Risks?

Is your organization ready to deal with internal risks that could cause business interruptions or negatively impact your bottom line? Recently I’ve had the opportunity to talk to managers and business owners from all corners of the globe to assess their risk readiness. Here are some perspectives that could be helpful to consider.

“The Enterprise,” while we always refer to it in the aggregate, is actually composed of many different types of businesses – from online virtual businesses like EBay to electric utility companies, from oil and gas companies to financial service companies. Many of the businesses that make up the enterprise are public companies that are discovering a new set of compliance issues with the passage of the Sarbanes-Oxley (SOX) legislation and have embraced a relatively new concept: enterprise risk management.

Although SOX may have given birth to a new focus on Enterprise Risk Management (ERM), SOX is only part of a larger concern: operational risk in general. Every business, large and small, should learn to better manage its operational risk. Many tenants of the World Trade Center discovered that on 9/11, and many New Orleans companies had the same epiphany after hurricane Katrina.

Especially in asset-rich industries, risk management is about the relationship between SOX compliance and every other government regulation passed before it and since. It is about any other strategic or operational risks a company needs to consider and how to assess both the asset and portfolio risk of the enterprise.

Operational risk management takes into account the links between the operational and the financial aspect of any compliance effort. What are the costs of compliance? What are the costs of being out of compliance? But it is more than a financial compliance and reporting mindset, it is about an integrated approach to corporate, financial, strategic and operational systems.

If the enterprise is to be protected, insofar as that is possible, more than just the ordinary financial risks must be considered. What would happen in a terrorist attack? A natural disaster? An oil spill?

A new ERM model emphasizes the need to go beyond internal financial controls and audit-related compliance and look at the operational interdependencies and associate the risk of these interdependencies with an organization’s strategic assets. In order to be successful, this ERM framework requires the use of systems and industry knowledge.

To create standardized internal controls, companies need to leverage industry specific people and industry-proven technologies with a centralized dashboard on which an executive responsible for operational risk management (a CRO, or a Chief Security Officer) can see everything in the company for which he or she is responsible. Systems specifically used for project management, asset and service management, EH&S, crisis management and financial management should be integrated to realize the full capability for an enterprise.

Add comment February 12th, 2007