See the latest EHS federal and state regulatory updates due to COVID-19

Environmental, Health and Safety (EHS) programs cover a large breadth of a company's operations, personnel, and even specific processes or equipment. Each individual program under the EHS umbrella is important and relevant to the overall compliance and conformance of a company with respect to applicable rules and guidance.

It's crucial to review, understand, and communicate the elements that compose your EHS program and identify the risk management gaps that may exist.

Not all programs will affect every site in the same manner or to the same extent, nor carry the same level of risk in terms of environmental, occupational health, and business continuity protection. Properly gauging the level of complexity of your EHS requirements will allow your company to see the “big picture” of EHS risks.

Employing a risk management approach as part of regulatory compliance and corporate EHS performance improvement programs will ensure that resources are focused and prioritized in accordance with the results of a systematic evaluation.

What is EHS Risk Management?

EHS Risk Management is a process in which all applicable EHS programs (statutory or internal) and the associated compliance or conformance tasks are prioritized according to a risk ranking. The prioritized results allows EHS management to focus resources on mitigating the most significant risks and taking advantage of relevant opportunities.

The risk management process usually involves conducting a systematic review of the relative risks of all EHS applicable standards (i.e. applicable federal and state rules, internal procedures and practices, stakeholder expectations etc.), and then ordering the different EHS programs according to the results in some sort of risk ranking system.

Relative risk can be assessed by different methodologies, but EHS risk assessment aspects usually focus on evaluating the following areas:

  • Risks to health and safety of employees and the general public resulting from deviations of applicable standards (e.g., exposure, occupational injuries, releases and offsite consequences, etc.)
  • Risks to human health and the environment resulting from deviations of applicable requirements (e.g., spills, fires, explosions, releases, deviations from permit conditions, etc.)
  • Risks to business and mission continuity resulting from deviations of applicable requirements (e.g., catastrophic failures, stoppages, significant monetary penalties, orders to cease and desist, etc.)

EHS Risk Management Areas

Companies wishing to engage in this type of evaluation should incorporate this approach early on during any merger, acquisition, or divestiture transaction. Typical EHS tools used to assess and manage risks during transactions (due diligence checklists and questionnaires, ASTM Phase Is, etc.) may not fully account for or document the overall EHS risk profile of a transaction.

A corporate transaction can present a great opportunity to kick start an EHS Risk Management program. Information generated as your company conducts diligence work and sifts through regulatory permits and internal procedures provides a strong foundation for a risk management program. Compliance and conformance audits (internal or third party) also provide valuable information and a solid backbone to develop the basic elements of the risk management program.

Audits also constitute an excellent follow up tool amenable to use as a metric tracking element of your risk management program. Key performance indicators (KPI) may be developed for certain areas (e.g., how many quarterly outfall samples are completed vs. missed, how many Method 9 readings are completed vs. missed, etc.) and audited on a regular basis to determine adherence to the established metrics.

EHS Risk Management Areas

The selection of areas or aspects to include as part of the risk management program will vary significantly among industry sectors and may be driven by location and size of the facility. A company may want to begin the development of the program with areas or programs ranked in the upper tiers of the risk scale. The following are typical program areas suitable for inclusion in a risk management system:

  • Air quality - notably releases, deviations, monitoring, and reporting
  • Wastewater and storm water - mainly aspects associated with discharges, permit limits, and sampling
  • ISO 14001 EMS and 45001 OHS management systems - especially beneficial since they require an evaluation of risks and opportunities related to environmental impacts and occupational safety hazards
  • General health and safety - inherent safety hazards, hazard communication, etc.
  • Specific occupational health and safety - respiratory protection, confined spaces, lockout/tagout, forklifts and powered platforms, hearing conservation, HAZWOPER, etc.
  • Solid and hazardous wastes - manifest tracking, inspections, general safety and security, fire protection and emergency preparedness (which interacts with SPCC, evacuation, etc.)
  • Spill prevention and response - inspections, alarms and notification systems, etc.
  • Process safety - mechanical integrity, hot work, process safety information, safe operating conditions, employee training, etc.
  • Fire prevention - hot work, proper classification of areas, fire mitigation and response systems, etc.

As noted above, these separate programs can have common aspects and elements. Feedback from hazardous waste storage area inspections could be used to manage the risks identified as part of the emergency preparedness requirements and so forth. Viewing these programs comprehensively allows for a consistent and efficient approach.

Some existing regulatory programs already incorporate risk management-based elements into their requirements. Programs such as OSHAs Process Safety Management (PSM) and various NFPA combustible dust standards provide a well-rounded framework which involves conducting risk assessments in order to produce a curated risk-based ranking system. The process hazard assessment (PHA) and the dust hazard assessment (DHA) are solid examples of systematic risk ranking systems. A company may opt to use an established risk ranking system from programs like process hazard analysis or DHA as a guide or can choose to develop their own ranking system.

When developing internal guidance for risk ranking systems, a company must decide which EHS risks to consider. Most pay specific attention to the following elements:

  • Regulatory risks - risks develop due to deviation from applicable rules in contrast with enforcement priorities, enforcement history, discretionary enforcement practices, National Enforcement Initiatives, etc.
  • Risks to life, health, and the environment - potential for deviation to cause harm to life, health, or the environment
  • Risks to mission continuity - risks associated with deviations (regulatory, procedural, or otherwise) which may cause fires, explosions, product contamination, etc.
  • Risks to stakeholder relationships - risks associated with deterioration of relationship with stakeholders due to transparency issues, business practices, governance and accountability, etc.

Benefits of an EHS Risk Management System

Most companies reap the benefits of the risk management system early in the process. This is more common for companies with recent audit or gap analysis reports that can be used to quickly rank findings and corrective actions according to risk. Some companies may choose to deploy the system just in one or two programmatic areas, and then build from there.

Benefits of incorporating comprehensive EHS risk management strategies into your corporate EHS program management include:

  • Consistency in approach and accountability across multiple sites, locations, and types of facilities
  • Enables companies to identify gaps in program coverage/efforts
  • Reveals areas where companies may need to ask more questions - how is this program, these efforts, this time/money helping us achieve our EHS goals?
  • Increases efficiency to demonstrate compliance with ISO certifications and voluntary programs
  • Allows companies to assign resources to high risk areas improving overall personnel and budget management

The extent and magnitude of benefits will vary from site to site. In general, adopting and implementing an EHS risk management system will strengthen an organization's overall EHS compliance programs.

EHS Risk Management Ensures Alignment

Taking a risk-based approach as part of your EHS management and compliance programs could provide tangible benefits. The success of established risk-based programs such as PSM serves as a positive benchmark and provides a strong framework on which to build your own program. Ultimately, this effort ensures all parts of your EHS program align with and advance your EHS goals enabling you to manage and mitigate EHS risks effectively.

For assistance with EHS Business Risk Management, contact John Fillo at or Rich Pandullo at or (919) 462-9693.