At the recent AIHS ‘Visions’ Conference, the Deputy Director General (DDG) of the Office of Industrial Relations (OIR), Craig Allen, shared his concern regarding the comment made by Coroner McDougall within the Dreamworld Inquest Report, that “…there was an unjustified trust held by the Regulator as to the sufficiency of the safety and maintenance systems in place…”.
The DDG indicated that the Regulator will now be working to have a ‘justifiable level of trust’ – not assuming anything about what is happening in safety management, but rather they will satisfy themselves that these things are happening.
Considering this, as we move toward thinking about the New Year, it will be important to ensure at an organisational level that there is an effective system of WHS compliance in place. Every Management System Standard (including ISO 45001) requires a process of assurance or internal auditing. In formal terms, the purpose of this is to provide confidence that an organisation’s governance and internal control processes are operating effectively.
The internal audit process achieves much more than just this confidence, though. It also provides:
- Part compliance watchdog – in that it provides an overview of the general level of legislative compliance or management system conformance. The internal audit process allows the organisation to scrutinise their system and check the level of compliance with the regulatory requirements before the external auditors do.
- Part education – in that the process drills down to analyse the systems and processes with all involved (including the auditor) receiving more understanding of the what, when and how things happen, and more importantly, the why.
- Part continual improvement – born from the fact that every non-conformance or OFI is a learning opportunity to strengthen or improve the management system processes.
- Part confidence builder – getting Management and staff comfortable and confident with the audit process for when an external auditor or regulator asks tough questions about how things work on the site.
A number of regulators nationally have used a ‘Three Lines of Defence’ model adapted from the ‘Three Lines of Defence (3LoD) in Effective Risk Management’ (which has been around since 2013 courtesy of the US-based Institute of Internal Auditors). This approach advocates that:
- Operational Managers (as the risk owners) are the first line of defence, responsible for controlling their own risks and promoting / monitoring compliance.
- The second line of defence is from functional area specialists (e.g. Safety, Engineering, Procurement, Contractor Management, etc.) who oversee and monitor conformance in their specialist discipline and seek opportunities for continual improvement.
- The third line of defence is from independent assurance via internal auditing, with its main role to ensure that the first two lines are operating effectively, and also to monitor compliance.
This 3LoD structure affirms that the responsibility for monitoring compliance (including system conformance) sits with everyone within the organisation, not just with the internal auditor (paralleling the structure of the duties in the WHS Act).
QRMC can assist in developing assurance plans, structuring compliance requirements across the various levels of the organisation, or undertaking external audits to support the internal audit processes.