HSE Assurance Overview


Agenda

- Assurance Framework
- Three Lines of Defence Model
- Interview Techniques
- Lessons Learned
- Documenting Findings

BHP Risk and Assurance Hierarchy

(Diagram slide: the risk and assurance hierarchy graphic is not reproduced in this transcription.)

Assurance Model Life Cycle

(Diagram slide: the assurance model life cycle graphic is not reproduced in this transcription.)

Three Lines of Defence Assurance Framework

Governance: Board; General Manager or Function Head; Regional Leadership Team. External Audit and Regulators sit outside the three lines.

1st Line of Defence: Operation / Function Management Control
- Owns and manages risk
- Identifies improvements
- Delivers compliance

2nd Line of Defence: Business Functions
- Assess definition, implementation, compliance and effectiveness of HSE processes and controls
- Support verification of previously agreed corrective actions
- Support risk management requests

3rd Line of Defence: Assurance (Group RAA)
- Independent and objective
- Systematic and disciplined
- Audits the 1st and 2nd lines of defence
- Assesses whether control processes are effective

Three Lines of Defence

(Diagram slide: the three lines of defence graphic is not reproduced in this transcription.)

Three Lines of Defence: Responsibilities

Local Verification and Field Leadership
- Business and process owners whose activities identify, assess, control and mitigate the risks that can prevent achievement of the organisation's objectives.
- Not only own and manage risk, but are responsible for implementing corrective action to address process and control deficiencies.

Functional Assurance
- Monitors risk and compliance; a management and oversight function.
- Applies additional expertise, process knowledge and monitoring to support the actions of the first line of defence, while remaining separate from it.

External Verification
- Primary responsibility for providing assurance directly to senior management and the Board about the other two lines' governance, risk and control activities.
- Objectivity and independence are integral to this role.

Local Verification and Field Leadership

Local Verification involves:
1. Regulatory Compliance
2. Management of Critical Control Equipment
3. Critical Control Equipment Verification Tasks
4. Control Design Effectiveness Test

The Field Leadership program consists of the following four layers:
1. Take Time Talks
2. Planned Task Observations
3. Critical Control Observations (behaviours and procedural compliance)
4. Layered Audits

Functional Assurance

- One BHP Billiton methodology.
- Process owned and coordinated by HSE A&I.
- Theme tested across Operations and relevant Functions.
- Assessments conducted at an agreed frequency, multiple times in a given financial year, scheduled around GRAA audits and operational requirements.
- Topics generally run on a 2 to 3 year cycle.
- Annual schedule and scope endorsed by Operational and Regional Leadership.
- Verification: field testing at an agreed sample of sites.
- Internal report back to Operational and Regional Leadership.

Functional Assurance Scope

The program is focused on the management of HSE controls, commitments and associated actions that have potential for significant impact on the business:

Controls
- HSE Our Requirements
- Regional HSE Standard
- HSE Controls Framework requirements

Commitments
- Key HSE legal and regulatory obligations

Action Management
- Management of identified HSE risk
- Verification of close-out of previous HSE Audit & Assurance assessment findings

Assurance Activity

Local Verification and Field Leadership
- Activities: CCE management; CCV tasks; Take Time Talks; Planned Task Observations; Critical Control Observations; Layered Audits.
- Frequency: daily, weekly and/or quarterly, depending on the verification activity.

Functional Assurance
- Activities: Assurance Assessments consisting of desktop review (1 week), field testing (2 weeks), report write-up (1 week), and feedback to the PLT at endorsement sessions.
- Frequency: the cycle spans 2 to 3 years, with one Process Theme every 6 to 8 weeks.

External Verification
- Activities: BHP Billiton (Group) Technical & Asset Audits; Management System Certification and Surveillance Audits.
- Frequency: as per the agreed FY schedule.

The Assessment Process

Preliminary Activity
- Finalise sites for in-field sampling
- Initiate data submissions for desktop review
- Coordinate logistics
- Conduct desktop review

In-Field Sampling
- Evaluate risk controls and records through interviews, discussions, inspection, observation and document review
- Draft findings
- Discuss findings
- Validate findings
- Agree findings

Evaluate and Report Findings
- Develop individual list of findings and recommendations
- Evaluate significance of findings and set priorities
- Team review
- Complete moderation
- Draft report
- Finalise report

Preparation & Reporting

Before Assessment
- A Confirmation Memorandum will be distributed to key stakeholders.
- Desktop review across the business.
- Confirm sample operational or functional sites for field sampling.

After Site Visit
- Site-specific feedback will be provided to the General / Functional Manager or delegate and the local HSE Manager. Additionally, feedback will be provided to the HSE Controls Framework Content Owner as required.
- Note: this is an informal feedback meeting; formal outcomes will be provided in the assessment report.

After Assessment
- A report will be generated and issued. The report will include outcomes from the overall assessment; no site-specific reports will be produced.
- The Leadership Team may set priorities depending on findings.

After Report
- Key Petroleum deliverables from the report will be documented and tracked in CMO Compliance.
- Each Operation must develop an action plan to address applicable findings. Actions will be managed via an approved Action Management System.

Interviewing

- Review relevant documentation and evidence before an interview.
- Conduct your interview in the workplace.
- Break the ice: introduce yourself and make the interviewee feel at ease; be polite, patient and friendly.
- Explain why you are there.
- Have your mobile phone on vibrate if possible.
- Listen and acknowledge what the interviewee says.
- Use the language of the interviewee and the organisation.
- Consider your question style (open, closed, etc.).
- Keep to the time allocated for the interview.
- Thank the interviewee for their time.

It's an interview, not an interrogation

Don't:
- Conduct the interview where conditions are too noisy, too hot, etc.; if necessary, ask to move to a more suitable location.
- Interrogate the interviewee.
- Lead the response or second-guess the answer.
- Judge, display anger, refute or be hostile to the person.
- Make promises that cannot be kept.
- Include entrapment or blame strategies in your enquiries.

Question Styles

- Use open questions to gain understanding and encourage others to talk, e.g. "Could you give me an overview of what happens in the meeting?"
- Ask closed questions to clarify and confirm.
- Use probing questions to delve further.
- Adopt a friendly and considerate approach.
- Summarise and paraphrase regularly; this ties together and restates what the auditor thinks was said or meant.

Avoid:
- Leading questions (where you provide the answer).
- Relying on closed (yes/no) questions beyond clarifying and confirming.
- "What if" questions.
- Assuming anything.
- Asking questions about the obvious.

Active Listening

(Slide title only; no further content is reproduced in this transcription.)

Field Observations

- Time on location is limited.
- Ensure your interpretation of the observation is accurate.
- Rephrase and ask follow-up questions as needed.
- Write down notes from interviews and field observations.
- Intervene in situations where you observe unsafe acts, conditions or behaviours.

Sampling: Limited vs Reasonable Assurance

Reasonable assurance means the auditor has gathered sufficient and appropriate evidence to provide an opinion on the truth and fairness of the financial reports. The auditor states, in an unqualified opinion, that they believe the reports do provide a true and fair view of the position and performance of the client.

Limited assurance means the auditor performs a more limited set of audit procedures and gathers less evidence. The auditor provides an opinion stated in the negative form: they state that they have found no evidence which makes them believe the reports do not provide a true and fair view of the position and performance of the client.

Sampling Guide

The sample size for field testing is based on IIA criteria and:
- the frequency of operation of the control being tested (how often it is used);
- the accessibility of records;
- the type of assurance / opinion being provided (limited or reasonable assurance).

Taking into consideration that multiple sites will be sampled:
- it is acceptable to use the minimum sample size defined, but
- if a larger sample set is readily available, obtaining it would be preferable.

The slide's sample-size table lists a minimum sample size for each control operating frequency: multiple times per day, daily, weekly, monthly, quarterly and annual. The minimum sample size values themselves are not reproduced in this transcription.

Documenting Findings

- Complete Findings and Recommendations as you go.
- Note the objective evidence.
- Always tie the Finding to the Control.
- Detail the sampling methodology wherever possible (e.g. "of the 25 documents reviewed, 5 showed ...", "1 file in every 10 was reviewed").
- Discuss your observations as you go.
- Do not surprise interviewees with findings.

Findings Definitions

Priority 1
- Serious weakness in the design / operating effectiveness of a control(s) or performance requirement(s) that requires immediate senior management attention.
- Issue or systematic breach that is seriously compromising critical internal controls or a key GLD requirement.
- A major impact at the Operation / Asset level, which may have a Business-wide impact.
- All repeat audit findings.

Priority 2
- A weakness in the design or operating effectiveness of a control(s) or performance requirement that is compromising internal controls or effectiveness.
- Issue that, if unmitigated and prolonged, could become a serious control risk.
- A moderate or systematic breach of a GLD requirement.
- A moderate-level impact at the Operation / Asset level, which may represent a systematic breach of a key control.

Priority 3
- A minor weakness in the design or operating effectiveness of a control(s) or performance requirement.
- Currently not critical, but may become more material if not addressed.
- Low-level impact at the Operation / Asset level, which may represent an isolated breach of key controls or breaches of minor controls.
- A minor breach of a GLD requirement (e.g. an administrative requirement).

Improvement Opportunities can be raised when there is compliance but an opportunity exists for implementing good practice and/or a more sustainable process.

Investigation Management

Each investigation is tracked by Event Notification number (Event Not #) and financial year (FY), with a column for each of the eight checks Q1 to Q8:

Event Not # | FY | Q1 | Q2 | Q3 | Q4 | Q5 | Q6 | Q7 | Q8

Checks:
- Q1: The event is entered into SAP within 48 hours.
- Q2: The correct Risk Owner was assigned.
- Q3: The correct Investigation Evaluator was assigned.
- Q4: Timeline and 5 Why analysis included as evidence.
- Q5: Investigation Evaluator verifies Investigation Review Complete.
- Q6: Investigation completed within 28 days.
- Q7: Terms of Reference made available.
- Q8: Actions closed by the agreed due date.

Lessons Learned

Positive Outcomes
- Timely turnaround from gap identification to corrective action.
- Identification of systematic gaps that would not have been identified otherwise.

Communication
- Critical to successful assessments.
- Find a balance for stakeholder engagement.
- Post-assessment communication is vital to action close-out.

Improvements
- Data quality: good in, good out; garbage in, garbage out.
- Feedback from key stakeholders.
- Documentation and decision records.