In March, EPA promulgated major changes that became effective last month to the 1996 Risk Management Plan (RMP) regulations under 40 CFR 68. These regulations apply to facilities that hold specific “regulated substances” in excess of threshold quantities. These facilities are required to assess their potential release impacts, undertake steps to prevent chemical releases, plan for emergency response to releases, and summarize this information in a risk management plan (RMP) that is submitted to EPA. Among the revisions are new requirements for third-party audits and auditor competency (40 CFR 68.59 and 68.80) for when such audits are needed.
The new auditor requirements include:
- Auditor competency elements;
- Training on auditing techniques;
- Independence criteria, including a signed and dated conflict of interest statement documenting that the auditor(s) meet these criteria;
- Written policies and procedures to ensure that all audit personnel comply with the competency and independence requirements; and
- Inclusion of a specific auditor certification statement in the audit report.
Another change from the original rules is that once the audit report is issued, the facility owner/operator must immediately send the report to the company’s audit committee of the Board of Directors, or other comparable committee or individual.
While EPA’s RMP regulation tracks closely with OSHA’s Process Safety Management (PSM) rule, OSHA has not issued similar changes to its audit/auditor requirements, so these new mandates only apply to EPA’s RMP.
This is another indicator of increasing formalization of audits in the ESG realm, which should be applauded. I expect this trend will continue.
If you aren’t already subscribed to our complimentary ESG blog, sign up here: https://practicalesg.com/subscribe/ for daily updates delivered right to you.