The Auditing Roundtable
 Winter 2010 Meeting, Exposition, and Training  
“Incorporating Risk Management into EHSS Auditing” will be held in Phoenix January 11-13, 2010.

Laws, regulations, and standards keep changing, as to business goals, capabilities of IT, communications methods, and stakeholder expectations.  EHSS auditors fulfill a critical role in maintaining compliance with EHSS laws, regulations, and standards.  This meeting will focus on how EHSS auditors can help identify, evaluate, and help organizations manage risk in uncertain times.    Presentations will also focus on risk transfer and management, moving beyond compliance into risk management, auditing risk, and using risk-based approaches to managing audits and conducting auditing programs.  Regulations designed to reduce risk (including Homeland Security and Process Safety) and Business Continuity Planning will also be discussed.

Mr. Lawrence Heim of Elm is currently scheduled to speak on Merging Risk Management, EHS and Auditing Concepts.

The meeting will also continue with standard features, including industry sector break-outs, topical interest groups, and ample time to mix and mingle with EHSS auditing and management professionals.

The AR is also offering training courses on Basic Auditing Skills, Environmental Auditing, and Health & Safety Auditing.  Developed by request of membership, these courses offer the opportunity to brush up on basics, or to achieve greater proficiency.  These courses qualify for Continuing Professional Development credit for CPEAs, and applicants will find them to be a good resource in preparation for the Certified Professional Environmental Auditor (CPEA) exams offered by the Board of Environmental, Health & Safety Auditor Certifications.

For more information, click here.

The U.S. Environmental Protection Agency today issued a final rule to help reduce water pollution from construction sites. The rule takes effect in February 2010 and will be phased in over four years. 
This is the first time that EPA has imposed national monitoring requirements and enforceable numeric limitations on construction site stormwater discharges

The final rule requires construction site owners and operators that disturb one or more acres to use best management practices to ensure that soil disturbed during construction activity does not pollute nearby water bodies.

In addition, owners and operators of sites that impact 10 or more acres of land at one time will be required to monitor discharges and ensure they comply with specific limits on discharges to minimize the impact on nearby water bodies.

Today, EPA announced a final regulation that amends certain requirements for facilities subject to the Oil Spill Prevention, Control and Countermeasure (SPCC) rule.  The amendments clarify regulatory requirements, tailor requirements to particular industry sectors, and streamline certain requirements for a facility owner or operator subject to the rule.

This rulemaking marks the completion of the SPCC action, which was proposed on October 15, 2007, finalized on December 5, 2008, and for which the agency requested public comments again on February 3, 2009.

In general, this final rule retains most of the December 5, 2008 provisions, with 3 major differences.  EPA has eliminated the exemptions for:

• certain produced water containers;
• the alternative criteria for oil production facilities to be eligible for self-certification of their SPCC plan; and
• the exclusion of oil production and farm facilities from the “loading rack” requirements.

The amendments do not remove any regulatory requirement for owners or operators of facilities in operation before August 16, 2002, to develop, implement and maintain an SPCC plan in accordance with the SPCC regulations then in effect.  Such facilities continue to be required to maintain their plans during the interim until the applicable date for revising and implementing their plans under the new amendments.

The effective date of this final rule is January 14, 2010.

See the official pre-publication version of this final rule here.

The U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) today announced it is issuing $87,430,000 in proposed penalties to BP Products North America Inc. for the company’s failure to correct potential hazards faced by employees. The fine is the largest in OSHA’s history. The prior largest total penalty, $21 million, was issued in 2005, also against BP.

BP entered into a settlement agreement with OSHA in September 2005, under which the company agreed to corrective actions to eliminate potential hazards similar to those that caused the 2005 tragedy. Today’s announcement comes at the conclusion of a six-month inspection by OSHA, designed to evaluate the extent to which BP has complied with its obligations under the 2005 agreement and OSHA standards.

For noncompliance with the terms of the settlement agreement, the BP Texas City Refinery has been issued 270 “notifications of failure to abate” with fines totaling $56.7 million. Each notification represents a penalty of $7,000 times 30 days, the period that the conditions have remained unabated. OSHA also identified 439 new willful violations for failures to follow industry-accepted controls on the pressure relief safety systems and other process safety management violations with penalties totaling $30.7 million.

The U.S. Environmental Protection Agency Administrator Lisa P. Jackson announced that the agency is stepping up its efforts on Clean Water Act enforcement.

The plan announced outlines how the agency will strengthen the way it addresses the water pollution challenges of this century.  These challenges include pollution caused by numerous, dispersed sources, such as concentrated animal feeding operations, sewer overflows, contaminated water that flows from industrial facilities, construction sites, and runoff from urban streets.

The goals of the plan are to target enforcement to the most significant pollution problems, improve transparency and accountability by providing the public with access to better data on the water quality in their communities, and strengthen enforcement performance at the state and federal levels.

Elements of the plan include the following:

• Develop more comprehensive approaches to ensure enforcement is targeted to the most serious violations and the most significant sources of pollution.
• Work with states to ensure greater consistency throughout the country with respect to compliance and water quality.  Ensure that states are issuing protective permits and taking enforcement to achieve compliance and remove economic incentives to violate the law.
• Use 21^st century information technology to collect, analyze and use information in new, more efficient ways and to make that information readily accessible to the public.

More information on the plan: http://www.epa.gov/compliance/civil/cwa/cwaenfplan.html

Identifying and correcting potential compliance issues ahead of EPA’s actions would likely prove a wise use of resources given the current enforcement/penalty trends.

EPA is using non-traditional methods for locating violations.

On October 2, EPA announced a PCB enforcement case stemming from an eBay auction.  EPA investigators found Railside LLC, a factory surplus liquidator, offering to sell an unmarked General Electric Pyranol capacitor on eBay. EPA then inspected the seller’s warehouse, and alleged that Railside violated PCB regulations by failing to mark its capacitor with a label identifying it as containing PCBs as prescribed by federal law. Railside responded quickly and cooperated with EPA; the Agency settled for a penalty of $250 and an enforceable agreement to properly dispose of the PCB-containing equipment. This disposal cost the seller $1,200. It should be noted that eBay was not a party to this enforcement action and did not violate any environmental regulations in this case.

While the actual enforcement costs are low in this case, it does highlight EPA’s success at using new ways of finding violations.  Companies using web-based asset management methods should ensure that those activities do not escape EHS review.

As EHS audit programs have matured over the past 25 years, most companies that have established such programs have generally achieved the desired goal of reduced violations and financial penalties.  But in the current economic climate, companies have been looking at all costs and their justifications.  EHS audit activities are also under the microscope.  The reduction in noncompliance costs over time – a good thing – can sometimes trigger questions from senior management about what value EHS auditing is creating NOW – a bad thing.

Answering such questions adequately depends on the individual company, but the threat of future violations (which are more likely to occur without corporate compliance oversight/auditing/reporting activities) is a common thread.  Elm took a look back at USEPA’s enforcement announcements thus far in 2009 to see if any notable trends could be identified.

Our review was not exhaustive and was limited to publicly available information on federal EPA activities.  But there is no question that EPA’s 2009 data clearly show aggressive enforcement involving many multi-million dollar settlements.  This summary information may be useful to those EHS audit programs that use enforcement data as an economic risk/value factor in rationalizing the continuation of audit activities.

-       Oct. 5 – Mosaic Fertilizer will spend approximately $30 million on air pollution controls and will also pay a civil penalty of $2.4 million to resolve alleged Clean Air Act violations

-       Oct. 3 – A federal judge fined Southern Union Gas $18 million for illegally storing mercury at a company-owned site in Pawtucket, R.I.  The penalty involves a $6 million criminal fine and $12 million in fines.  This case is also notable due to the third-party vandalism that resulted in spreading the mercury beyond Southern Union’s property.

-       Aug. 14 – A pipeline company and two of its former operating firms will jointly pay a civil penalty of $3.65 million to resolve violations of the Clean Water Act resulting from anhydrous ammonia spills. Magellan Ammonia Pipeline, of Tulsa, Okla.; Enterprise Products Operating, of Houston, Texas; and Mid-America Pipeline Company, also known as MAPCO, also of Houston, agreed to the settlement.

-       Aug. 4 – Aleris International Inc. and 13 of its subsidiaries have committed to implementing environmental improvements and controls projected to cost $4.2 million at 15 plants located in 11 states. The company also agreed to a $4.6 million civil penalty to resolve violations of the Clean Air Act, which will be allowed as an unsecured claim in Aleris’s bankruptcy proceeding pending in Delaware.

-       July 31 – The former and current owners and operators of a chemical facility in Addyston, Ohio, LANXESS Corp. and INEOS ABS USA Corp., agreed to pay a $3.1 million civil penalty and INEOS will spend up to $2 million to install environmental controls and modify operating procedures to resolve violations of multiple environmental laws.

-       May 7 – Anadarko Petroleum Co., and two related oil production companies agreed to pay a civil penalty of more than $1 million and implement injunctive relief, develop facility response plans, and revise spill prevention as well as containment plans at a cost of more than $8 million during the term of the settlement in order to resolve violations of the Clean Water Act.  Anadarko, Howell Corp., and Howell Petroleum Corp., agreed to pay $1.05 million and will upgrade and implement appropriate spill prevention plans and develop and implement facility response plans. The consent decree also requires the companies to implement a multi-phased integrity and mitigation plan that incorporates inspection, monitoring, testing, data collection and failure analysis activities.

-       Apr. 20 – DuPont and Lucite International Inc. agreed to pay a $2 million civil penalty to settle Clean Air Act violations at a sulfuric acid plant in Belle, W. Va. Further, the companies chose on their own to shut down the sulfuric-acid manufacturing unit of a larger chemical facility at the site by April 1, 2010.

-       April 13 – Invista will pay a $1.7 million civil penalty and spend up to an estimated $500 million to correct self-reported environmental violations discovered at facilities in seven states.  The company disclosed more than 680 violations of water, air, hazardous waste, emergency planning and preparedness, and pesticide regulations to EPA after auditing 12 facilities it acquired from DuPont in 2004.

-       Feb. 19 – BP Products North America Inc. agreed to spend more than $161 million on pollution controls, enhanced maintenance and monitoring, and improved internal management practices to resolve Clean Air Act violations at its Texas City, Texas refinery.  The company will also pay a $12 million civil penalty and spend $6 million on a supplemental project to reduce air pollution in Texas City.

-       Feb. 10 - Two petroleum refiners agreed in separate settlements to spend a total of more than $141 million in new air pollution controls at three refineries in Kansas and Wyoming. Frontier Refining and Frontier El Dorado Refining (Frontier) agreed to pay a civil penalty of $1.23 million and spend approximately $127 million in pollution control upgrades for alleged violations at its refineries in Cheyenne, Wyo. and El Dorado, Kan. Wyoming Refining Co. (WRC) agreed to pay a civil penalty of $150,000 and spend approximately $14 million in similar upgrades for alleged violations at its Newcastle, Wyo. refinery.

-       Feb. 5 – Patriot Coal Corporation agreed to pay a $6.5 million civil penalty to settle violations of the Clean Water Act.  The settlement includes the third largest penalty ever paid in a federal Clean Water Act case for discharge permit violations.

-       Feb. 3 – Kentucky Utilities (KU), a coal-fired electric utility, agreed to pay a $1.4 million civil penalty and spend approximately $135 million on pollution controls to resolve violations of the Clean Air Act.

-       Jan. 15 -  CEMEX California Cement LLC paid a $2 million civil penalty for emissions violations at the company’s Victorville, Calif., Portland cement plant.  The plant also is spending millions of dollars on new air pollution control equipment.

-       Jan. 12 – Three manufacturers of sulfuric acid agreed to spend at least $12 million on air pollution controls at six production plants in Louisiana, Ohio, Oklahoma, Texas, and the Wind River Reservation in Wyoming. Chemtrade Logistics, Chemtrade Refinery Services, and Marsulex also will pay a civil penalty of $700,000 under the Clean Air Act settlement.

-       Jan. 8 – The Explorer Pipeline Company agreed to pay a $3.3 million civil penalty in order to resolve an alleged violation of the Clean Water Act stemming from a spill of jet fuel from its interstate pipeline at a location near Huntsville, Texas.

Although not specifically reflecting EHS auditing professionals, the PCAOB conducted a study to review how well third party auditors did in complying with Auditing Standard No. 5 during 2008, the standard’s first full year of effectiveness.  Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (“Auditing Standard No. 5″), was promulgated in response to the Sarbanes-Oxley legislation and is intended to address the practice of independent financial/accounting auditing professionals.

One of the main areas of PCOAB’s review of AS5 was how well auditors focused their efforts on the most important audit components, based on their identification/understanding of the risks posed.  CFO Magazine said about the study that the PCAOB found

cases in which auditors didn’t identify variability in risk levels at a company’s different locations. Also, some audits did not consider how deficient controls could affect their risk evaluations.

Financial auditing has been highly regulated and scrutinized for many years – certainly much more so in the past 5 years.  Yet even in light of that, financial auditors appear to need support and guidance in applying the concept of “risk” and the failure of risk controls.

The results of this study provoke thought for EHS auditors – how well versed are we on the concept of “risk” and the failure of risk controls?

Just yesterday, we posted about EPA’s GHG rule still being in the proposed status.  Today EPA announced that the rule has been finalized.  The first annual reports for the largest emitting facilities, covering calendar year 2010, will be submitted to EPA in 2011.

Under the rule, fossil fuel and industrial GHG suppliers, motor vehicle and engine manufacturers, and facilities that emit 25,000 metric tons or more of CO2 equivalent per year will be required to report GHG emissions data to EPA annually.

Vehicle and engine manufacturers outside of the light-duty sector will begin phasing in GHG reporting with model year 2011. Some source categories included in the proposed rule are still under review.

Recently, CyberRegs published a brief Q&A with Elm Managing Director and President of The Auditing Roundtable Rob Bray.  The Q&A addressed how corporate EHS audit programs have been impacted by the current economic situation and what is on the horizon.

Read the CyberRegs article.

A cooperative client service relationship to integrate Environmental, Health and Safety (EHS) into Governance Risk and Compliance (GRC) consulting services

August 24, 2009 -  The Elm Consulting Group International, LLC and Milo Belle Consultants LLC announce the formation of a cooperative relationship that will augment Milo Belle’s Governance, Risk and Compliance (GRC) services to include Environmental, Health and Safety (EHS).

Chris Maxwell, Milo Belle Partner in St. Paul:  “We are happy to forge an affiliation with Elm.  They bring highly complementary expertise to our GRC services.  We believe our clients are also integrating EHS management into larger internal GRC initiatives.  Elm allows us to bring highly qualified EHS expertise to the table to support those clients.”

“Our business models and philosophy are very similar, so our mutual learning curves will be short,” said Lawrence Heim, Director in Elm’s Atlanta office.  “We both emphasize high quality client service and innovative business thinking, while minimizing internal administrative processes.  We are confident that clients will find the joint Milo Belle/Elm expertise valuable as corporate EHS departments frequently are considered an element of GRC programs.”

About Milo Belle:  Milo Belle Consultants, LLC is a Governance, Risk and Compliance professional services firm.  With a full staff of experienced finance, accounting and IT professionals our team offers comprehensive consulting and staff augmentation solutions to companies of any size. Our professional staff range from former CFOs and Controllers, IS System designers to Project Management experts and Internal Control specialists. We have backgrounds in almost every industry, including renewable energy, healthcare, transportation, non-profits, construction, manufacturing, agri-business, banking, hospitality and software. Milo Belle’s corporate headquarters are in Sioux Falls, SD, with additional offices in St. Paul, MN, Omaha, NE and Denver, CO.

About Elm:  The Elm Consulting Group International, LLC is an environmental health and safety (EHS) consultancy with offices in Connecticut, California, Georgia, Texas, Mexico, New Zealand and Argentina, and clients in over 60 countries.  Our expertise is assisting our clients with the development and deployment of effective EHS management, compliance, risk reduction and sustainability programs.  Unlike most engineering consultants, ELM has substantial experience developing and implementing tools/strategies that directly integrate EHS into internal risk management functions – in terms relevant to clients’ own internally-established and credible risk benchmarks.

Contact:

Joel Dykstra, Milo Belle Consultants     (605) 275-6527 ext.1018

Lawrence Heim, The Elm Consulting Group International     (678) 200-5220

Today, EPA Region 2 announced that it fined a U.S. company almost $200,000 for illegally exporting non-working computer monitors to Hong Kong in 2007 and 2008, and for failing to promptly respond to EPA’s requests for information.

This action is part of a national effort to crack down on the illegal export of electronic waste.

Traditional waste disposal vendor programs in the U.S. have centered around hazardous waste management.  E-waste may be a somewhat different challenge for internal EHS staff to manage.  IT departments typically drive equipment replacement and disposal programs within companies.  EHS is not normally linked into the IT department, so communication between the two functions may not exist.  However, the connection between the two should be strengthened.

EPA’s enforcement initiative, combined with significant public/media pressure surrounding e-waste exports, highlight the need for companies to incorporate this wastestream into waste vendor audit programs.

E-SPIN Group Quality Assurance System New Development with Group Email and
Committee Management

Aug 04, 2009 Kuala Lumpur. E-SPIN Group of Companies E-SPIN is very
excited to announce new development for the Group Quality Assurance System.
The Group is under accelerate grow and business expansion. To cater for the
E-SPIN Group businesses, E-SPIN is tuning and realigning internal structure
to become process driving as part of the Group Quality Assurance System
(QAS) initiative. From today onward, most of the personal email will be
replaced by the group email. For instance, developer and business analyst
personal email will be replace with development(at)e-spincorp.com , it help
to standardize all the public communication channel for effective and
efficient management.

On top of the group based email initiative, E-SPIN is open up two group
committee email for internal and external communication, namely complain(at)
e-spincorp.com and compliance(at)e-spincorp.com. Complain is open for public
complain, since we are service oriented company, we want to ensure all our
customer and clients complain will be hear and handle in professional
manner.

During the transition period, some customer and client may feel the
different and uncomfortable. We want to ensure all our client that with the
new change in place, it will allow us to deliver better quality service due
to better process control, and empowering our group committee to enforce the
quality of service in place.

Stay tune for E-SPIN Group of Companies News update. The News is published
via various E-SPIN News Channel, from E-SPIN New Section, Press Release,
Blog, Twitter, Facebook to LinedIn.

# # #

E-SPIN SDN BHD (www.e-spincorp.com, www.espin.com.my ) is a leading
enterprise IT solutions and outsourcing service provider deliver end to end
IT solutions (hardware, software, service), E-Business and Web Solutions,
business process and technology outsourcing services from consultancy,
solution development, application integration, project management, certified
training, to maintenance support for enterprise, corporate, government and
military agencies.

Last year, The Economist Intelligence Unit (EIU), the business research arm of the company that publishes The Economist magazine, published a survey about the concerns and trends for environmental risk management.  The survey, sponsored by ACE, KMPG, SAP and Towers Perrin, was sent to 320 executives globally, half of which represented companies with greater than US$500million in annual revenue.  All respondents had material involvement in risk management for their organizations.

The results of the survey provided a number of insights into perceptions of environmental matters within the context of overall corporate risk management.  A shortened list of the findings is reviewed below.

Three key findings were:

-       Only one-third of those surveyed include environmental within their overall risk management strategy.  The remaining two-thirds address environmental in an ad hoc fashion, outside of corporate risk management, or not at all.  EIU commented:

This piecemeal approach may enable companies to identify isolated problems, but without oversight it will be difficult for them to obtain an overall picture of the risks they face.

-       Three of the top four identified obstacles to effective environmental risk management illustrate this lack of an integrated approach and overall picture:

• Lack of certainty about impact of environmental liabilities,
• Cost of managing environmental risk, and
• Difficulty establishing benchmarks of key performance indicators.

-       Forty percent of the respondents stated that the scale of their environmental liabilities had increased over the past three years, and a full 58% felt that the next three years would see more increases.  Similarly, 59% indicated the amount of time and money dedicated to environmental risk increased in the past three years and 75% anticipate increasing that over the next three years.

Taking these three points in context of each other, what is surprising is that companies anticipate investing more in environmental risk management even in the absence of

-       an internal integrated structure to manage the risk, and arguably the projected increase in attention/resources;

-       an understanding of how environmental risk impacts the company;

-       metrics for measuring effective risk reduction and the associated financial return on the current – and future – expenses.

Another interesting point may be seen as a sore spot for environmental and EHS professionals: the reputed growth in ISO 14001 and other environmental management systems (EMS), ostensibly integrating environmental management into business operations, appears not to have seen the holistic success envisioned.

Companies who see the need to increase environmental risk management efforts would be well served to first invest time in improving the connection between risk management and environmental management.  Those who rely on an adopted EMS may also benefit from reviewing the framework in the context of risk, metrics and ROI.

Read the survey.

This week, two attempts at waste disposal beyond the borders of the US resulted in enforcement and made headlines, highlighting the need for companies to understand how their wastes are managed by vendors.

In one case, EPA announced that The Hong Kong Environmental Protection Department intercepted a shipment of over 500 computer monitors that had been sent for disposal in China from two US companies.  The waste was shipped back to the companies, who must properly manage the CRTs as well as comply with other requirements of the enforecement actions.

Another case involves waste generated in the UK that was intercepted by Brazilian authorities.  Over 80 shipping containers were found to contain batteries, computer parts, cleaning product containers, baby diapers, food remains and medical waste, among other items.  The wastes are being shipped back to the UK for proper management.

While these instances are public, others may not catch the attention of the media.  Elm recently assisted one client who was the subject of EPA enforcement related to a waste disposal contractor’s unauthorized disposal of hazardous waste generated at one of the client’s manufacturing locations.  That case demonstrated that the contractor had committed fraud and dumped hazardous waste drums on abandoned property.

In economic conditions that are pushing cost reductions to the limits – and costing jobs/salary reductions – inappropriate waste disposal decisions are a possibility within an organization.  Maintaining a strong waste management program and disposal vendor review can be a simple yet powerful tool in significantly reducing off-site waste disposal liabilities.

Two recent articles in European publications discuss results of studies related to

• how “risk” is defined/perceived, and
• implementing risk assessment processes

Both articles and perspectives have their foundations in different contexts (one crowd behavior control, one IT), but the conclusions are the same: smaller, more frequent risks are generally ignored, while “headline grabbers” get attention.  Further, the risks that are ignored are likely to aggregate and have material impacts.

In an article from Science Daily, UK Researcher in Organisational Psychology Rose Challenger authored a study for the Cabinet Office UK Resilience.

“There can be a tendency when planning events to prepare for the big dramatic ‘what ifs’ but ignore the smaller, less visible although more likely ones which collectively can cause serious problems,” says Challenger. “It’s important to ensure your risk assessment isn’t blinkered. For example, at Hillsborough there was an over emphasis on hooliganism as that was the big issue of the day, but other more generic safety issues were overlooked. Today, we may tend to focus on the risk of a terrorist attack and ignore more banal risks such as power or transport failures or a gas leak.”

Read the study here.

Similarly, Siri Segalstad, in his article published on ScientificComputing.com, summarized it this way:

People’s perceptions of risk are influenced more by what “sounds scary” than by how likely it is to happen.

Although these studies are from backgrounds unrelated to HSE or environmental management, the results are consistent with Elm’s client experiences in integrating and implementing risk concepts into EHS and environmental functions.  Our risk assessment process is designed to indentify potentially ignored or overlooked issues, map them in a frequency/severity matrix, then identify potential solutions for all the identified risks.  Contact us to find out more.

The Elm Consulting Group International, LLC (Elm) – a recognized leader in health, safety and environmental (HSE) risk management consulting – announces the opening of three new international offices:  Mexico City, Mexico; Auckland, New Zealand; and Buenos Aires, Argentina.

“The formation of these new Elm offices is the culmination of business relationships that have existed for several years,” said Patrick J. Doyle, Managing Director and Founder of Elm.  “Our international colleagues provide a full range of HSE and sustainability consulting services to Elm’s clients, across many industry sectors.  Elm’s ability to use tested and trusted internal resources creates value for our clients through cost savings, regional knowledge and language capabilities.”

Mr. Doyle also indicated that more announcements concerning additional international offices will be made in the near future.

Last year, Harvard Business School and the Georgetown University Law Center jointly conducted a detailed statistical analysis to evaluate the effectiveness of EPA’s Self-Audit and Disclosure policy (“Audit Policy”) in the context of two questions:

-       Do the regulators trust self-disclosed audit information enough to reduce inspections at those companies who choose to self-disclose?

-       Are self-audit programs resulting in the reduction of environmental incidents?

The authors, Michael W. Toffel (Harvard Business School) and Jodi L. Short (Georgetown Univesity Law Center) stated that this was the first study to analyze these questions in the context of statistical analysis of outcomes and behavioral analysis of regulator actions.  In summarizing the results of their analysis, the authors stated:

Our results … demonstrate that Audit Policy participants with clean past compliance records improved their environmental performance by reducing their accidental releases of toxic chemicals to the environment.  We also find that regulators rewarded these effective self-policers with an inspection holiday.  By contrast, bad apple self-disclosers did not improve their performance compared with similar non-disclosing firms.  We find no evidence that regulators altered their scrutiny over these ineffective self-policers.

… it turns out that regulators are quite adept at … sorting the good apples from the bad.  We found that regulators had accurately parsed these two groups of self-disclosers, rewarding the former but not the latter with inspection holidays.

… self-disclosing firms on average reduce the number of abnormal events resulting in toxic chemicals being released to the environment.

EPA is now expanding the Audit Policy applicability to mergers and acquisitions.  EPA has stated that “new owners” of companies/sites may also seek penalty mitigation if they conduct self-audits of the newly acquired locations and self-disclose the results in accordance with slightly-modified requirements of the Audit Policy.

Operational environmental compliance is beyond the scope of traditional environmental due diligence (EDD).  Contaminated property determinations are the sole aim of typical EDD reviews known as “Phase I” and “Phase II” studies.  However, operational compliance can drive environmental costs for pollution control equipment that may far outstrip liabilities associated with contaminated property.  Therefore, transactions involving industrial operations –especially those with any type of pollution control equipment – should include a compliance audit as a standard element of the EDD.

In the context of Toffel and Short’s results, should a “new owner” choose to undertake an operational audit and self-disclose the results? The authors’ work indicates that new owners should obtain further information to determine the benefit and regulatory perception of self-reporting the EDD compliance audit information.  It appears important to determine whether the company to be acquired is a “good apple” or a “bad apple” to use the terms from the research paper.

The manual User Certification, Identity Audit, Identity Attestation, Identity Certification are now replaced with the automated Sun Role and Compliance Manager(SRM) solution with little scope for errors and the certification is now completed in a timely manner. Moreover, the administrator has control over the users and their access requirements. Additionally, the client’s requirements of customized reports and internal naming conventions were met providing a smooth transition to the SRM certification process. As per the client’s request, dependent applications within a namespace were defined which helped the client to manage the access to applications in a much more secure manner.

With comprehensive Role Based Access Controls(RBAC) and certifications in place, the client has a hassle-free company-wide certification process.The client is interested in integrating the Sun Role Manager with the existing Sun Identity Manager to reap the benefits of identity correlation and import of users. This apart, the client is also exploring the utilization of other value-added functionalities of SRM to perform comprehensive role engineering and management to enhance the existing role definition.The client is a diversified financial services company operating in over 130 countries worldwide. It is one of the 30 components of the Dow Jones Industrial average and was ranked by Business Week in 2007 as one of the 20 most valuable brands in the world. Started as an express mail business over 150 years back, the client is now a Fortune 500 company with $150 billion in assets and 68,000 employees worldwide. The client has developed several key programs to support the diverse communities in ways that would enhance the company’s image with its employees, customers, business partners and other stake-holders.

Simeio Solutions is a professional services and management consulting company with a strong collective background in implementing identity and role based access control solutions, supporting Fortune 1000 clients such as Agiliance, CA, Computer Associates, Oracle,SailPoint, Novell, IBM.

Elm is proud to announce the formation of a highly experienced sustainability consulting team.  This group is unique because it consists of former in-house corporate sustainability managers of corporations considered to be global leaders in the sustainability realm.

• Liz Muller. With over 20 years of experience in the environmental field, she served as The Gap Inc.’s Senior Environmental Manager and was the primary authority on all aspects of the company’s environmental strategy and programs. Her accomplishments range from conducting the company’s first life cycle assessment and metrics system to implementing water quality and environmental procurement programs, launching organic cotton products, installing a solar array, and providing sustainability training to employees and suppliers. She currently advises clients on the development and execution of sustainability strategies and programs, including the development of policies, resources and tools, and corporate social responsibility reports.
• Shari Carle. Shari wrote Dell Computer’s green procedures while engaging with socially responsible shareholders. She also acted as Dell’s liaison with forest ethics and other interest groups in Dell’s efforts to create policies to support the company’s corporate responsibility efforts. She developed various communications of the company’s commitment to sustainable practices, including Dell’s forest products stewardship model, which set measurable goals and standards to protect forest resources in the printing of catalogs and purchasing. She also led the company in developing policies and positions on HIV/AIDS, political donation transparency and supply chain responsibility.
• Mark Schaffer. Mark has over ten years of environmental and sustainability experience.  Recently, he was with Dell Computers where he led efforts to green computer purchasing for the government while contributing to Dell’s sustainability reporting initiatives. Prior to Dell, he worked for Canon Virginia building their internal recycling program and designing new ways to manufacture laser printers.
• Tracy Grable.  Within Delta Airlines, Tracy began managing Delta’s air quality compliance program. She developed corporate manuals and training and became Delta’s in-house expert for greenhouse gas calculations, regulations, and emissions trading schemes. Eventually, this grew into the company’s corporate sustainability initiative which involved developing partnerships with internal and external stakeholders, including the conservation fund and producing the 2007 Corporate Responsibility report for Delta.

Elm has developed an innovative valuation methodology that leverages EHS and risk management concepts with economic analyses.  Our Return on Investment of Loss Avoidance (ROIa)^© demonstrates financial return of EHS risk reduction investments in terms of both reasonable anticipated loss and the cost of generating new profits needed to recover associated profits.  ROIa utilizes existing financial data along with frequency and severity data obtained through EHS risk assessment processes, then benchmarks that exposure information against varying sets of cost data that are most relevant to client organizations.  This produces ROI information for EHS management costs in the context of internally-credible values, risk management and revenue/profit generation benchmarks.

See our April 2009 presentation on ROIa at http://www.slideshare.net/lmheim/roia-presentation

Elm recently sponsored a poll on LinkedIn.com on the status of measuring improvements in EHS risk (or “HSE”, “environmental”, “environmental, health and safety” – whichever term is preferred).

This survey demonstrates the variety of views on the importance of and methods for risk quantification or risk measurements for environmental, health and safety matters.  The results indicate that only 20% of the respondents are using detailed financial analytics to measure and track the value created from EHS risk management.

-       202 responses were logged in less than 24 hours (the poll was set up for  a maximum of 200 responses).

• 37% from very large companies;
• 14% from large companies;
• 10% from medium companies; and
• 39% from small companies.
• 27% of the respondents represented the Management/Senior Management/Owner functions in their organizations

-       29% currently measure EHS risk reductions through some form of financial metric, but 10% indicated no rigorous metrics are used.

-       12% felt that no measurement is needed because the value of improving EHS exposures is inherent.

-       13% are looking for ways to develop financial metrics.

-       The remaining 43% stated that such measures are not a priority at this time.

LinkedIn members can view the poll at  http://polls.linkedin.com/poll-results/44274/mulee

Compliance Management ensuring that the actions of a set of people comply with a set of rules. The 1^st rule:  publish the set of rules, and punish people who transgress them. The 2^nd rule: publish an intermediate set of policies and procedures which comply with the rules, and ensure that people follow the policies and procedures.

IT-GRC – Information Technology – Governance, Risk & Compliance:-

The impacts and implications of compliance, risk management and governance on information technology are significant and pervasive.

IT Governance establishes decision structures and tracking mechanisms.

IT Risk Management helps mitigate adverse effects and identifies opportunities.

IT Compliance establishes and monitors IT controls.

Simeio Solutions is a professional services and management consulting company with a strong collective background in implementing identity and role based access control solutions, supporting Fortune 1000 clients such as Agiliance, CA, Computer Associates, Oracle, Radiant Logic, Sun, SailPoint, Novell and IBM.

Simeio offers the first in industry on demand DirectAXs – a one-stop SaaS solution for all your Identity and IT-GRC requirements. Our ICOMAXs, ROMAXs and GRCAXs offering encompass every possible solution in the IAM and IT-GRC space for today and the future. We have two types of solutions on DirectAXs depending on your requirements. Simeio Solutions brings along an intelligent vision of identifying the sweet spots in business process definition and Reengineering. We believe finding the correct identity management product is just one step of several. Key to the company’s success is analyzing and implementing sustainable processes.

technology organizations are at the center of three critical business management challenges: Regulation and control, risk management, and cost reduction. Successfully meeting these challenges requires IT to manage several interdependent disciplines. Originally, when regulations like the Sarbanes-Oxley act, GLBA etc were introduced, there was no specific methodology that could be used and hence the client developed it’s own.

Prior Certification Process •••

The manual certification process used by the client was an intensive process and required significant resources to complete. It entailed using spreadsheets, emails, phone calls etc and the outcome was unsatisfactory. There was a lack of adequate documentation and the process was not standardized.

Requirements •••

Common Repository

•    Have a central repository that contains all information regarding employees and contractors
•    Build a Business hierarchy Structure according to Client’s Business Practices.
•    Allow managers to certify on user access and entitlements
•    Allow application owners to certify on access based on individual applications
•    Provide an infrastructure for assessing compliance with controls
•    Automate the process of import of users and accounts

Simplify Certification Process
•    Develop a simplified process for certifications that would allow managers and application owners to perform periodic certifications
•    Provide client with documentation regarding import processes and certification
•    Certify accesses of 2.5k+ users distributes across multiple business units and applications
Prevent Human Errors
•    Development of a systematic solution with documentation should lead to a reduction in errors during the process as well as ensure that appropriate user and application access

Global Banking Giant Endorses SRM for Identity and Access Management(IAM), Identity Certification, Role Engineering, Role Management and Identity Audit. And Build an Identity Warehouse (common repository) within the SRM tool to load the application security extracts with user entitlement data for SoX critical applications.

The latest version of SRM v4.0.1 with enhanced features was implemented by the Simeio Solutions consultants to help the client achieve their Certification and Audit goals. The enhanced AJAX UI Interface, administrative dashboard, advanced Business Unit – Users correlation and an enhanced Identity Certification and Audit module provided by the new version was an ideal identity management solution to meet audit requirements.

The data imports process for building the Identity Warehouse for the 350k + users and their hierarchical entitlement data was completed by utilizing the ability of SRM to automate and schedule the process of users, accounts and glossary (business descriptions for the entitlements).

The certification module implemented ensured that access to sensitive application data is only provided to users with a valid business need. The two-stage enhanced Certification module implemented at the client verified that the users were reporting to the appropriate managers and in cases of users transferred to new managers/departments and terminated users, reports were generated and sent to the business to reassign them to the current managers. The updated data was reloaded in the SRM tool and new certifications sent to the correct managers. In parallel to implementing the Identity Certification module to review user access at client, SRM was used to address immediate needs to perform Segregation of Duties (SoD) analysis on SoX critical applications to meet client’s audit requirements. Overall close to 200+ SoD business policy conflicts were mapped in the tool and 350k+ users were scanned for SoD violations.