Information Advisory CER IA 2021-003 2020-21 CER Compliance Audits: Lessons Learned
File OF-Surv-Gen 11
12 August 2021
To: All Companies under the Jurisdiction of the Canada Energy Regulator (CER)
Canadian Energy Pipeline Association
Canadian Association of Petroleum Producers
Provincial and Territorial Regulators
Please find attached the CER Information Advisory IA 2021-003.
The Canada Energy Regulator (CER) has issued the attached Information Advisory to provide clarity regarding the CER’s interpretation and expectations of a management system’s annual report and the results of recent audits which focused on this topic. These audits were conducted virtually due to Covid-19 pandemic.
CER-regulated companies are expected to review and address the deficiencies noted and confirm they do not exist in their management systems. The CER will incorporate these learnings into its compliance and oversight activities and in future audits.
If you require any further information or clarification, please contact the Director of Audit, Enforcement and Investigation through our toll free number at 1-800-899-1265 or post a question on our Q&A link.
This, and other advisories are published on the CER Safety and Environment website located here.
Gitane De Silva
Chief Executive Officer
CER IA 2021-003
12 August 2021
Information Advisory: CER IA 2021-003 2020-21 CER Compliance Audits: Lessons Learned
Basis for Issuance
The Canada Energy Regulator (CER) requires all companies to establish and implement an effective management system in order to proactively identify and analyse hazards and manage the associated risks to prevent harm to people and the environment. A well-designed and implemented management system as described in the Canadian Energy Regulator Onshore Pipeline Regulations (SOR/99-294) (OPR), enables hazard management, learning and continual improvement throughout an organization. When coupled with a robust safety culture, it supports strong safety and environmental protection performance and outcomes.
As part of its ongoing oversight activities, the CER’s 2020-21 audit program focused on OPR requirements related to the management system’s annual report. Four companies ranging from small to medium size were selected for the audits, all of which were chosen based on the CER oversight risk identification and prioritization model.
The objectives of the audits were to verify that each company’s annual report meets the requirements of the OPRand that the company has the necessary processes, procedures, and work instructions in place to fulfill the requirements of section 6.6 of the OPR.
The generation of an annual report in accordance with the requirements of the OPR is considered very important by the CER because it provides the accountable officer with an annual assessment of the adequacy and effectiveness of the company’s management system and programs. It serves to ensure that the accountable officer is aware of any deficiencies that have been identified through the company’s quality assurance measures and the actions being taken to rectify those deficiencies. Equally important, the accountable officer’s review and sign off of this document demonstrates to the CER that the company’s accountable officer has the necessary information to assess if changes need to be made to the company’s management system or resources in order for appropriate action to be taken.
Management System Learning Areas
Common deficiencies from the Audit Reports are summarized in this Information Advisory (IA) in order to promote learning and improvement across all CER-regulated companies.
Corporate Policies and Goals
It was found that corporate policies and goals did not meet the requirements of the OPR. While a company can establish policies and goals specific to its operational needs, the OPR requires that CER-regulated companies establish documented policies and goals to ensure that their obligations under the OPR are met. Within its corporate policy, a company is to have:
- a specific policy for the internal reporting of hazards, potential hazards, incidents and near-misses;
- corporate goals for the prevention of ruptures, liquid and gas releases, fatalities and injuries and for the response to incidents and emergency situations; and
- a policy statement that sets out the company’s commitment to those policies and goals and communicate it to the company’s employees.
In almost all instances, the audited companies had corporate policies concerning operations and maintenance, but they did not include the safety and environmental protection policies or goals required by subsection 6.3(1) of the OPR as specified above. The company’s commitment statement was also absent.
Departmental Goals, Objectives and Targets (GOTs)
The OPR requires that each CER-regulated company base its management system, as well as its section 55 programs on its corporate policies and goals. Therefore, a company must have a process for setting the objectives and specific targets required to achieve the corporate goals, as well as performance measures. A company must also have a process to evaluate the company’s success in achieving its goals, objectives and targets. Several of the audited companies did not have program specific GOTs or performance measures designed to meet the corporate goals.
Evaluating the Management System
The OPR requires a company to establish and implement a process to evaluate the adequacy and effectiveness of the management system; and to monitor, measure and document the company’s performance in meeting its obligations under the OPR.
While most of the audited companies had a management system in various stages of development, not all had a process to evaluate if it is achieving its intended objectives of providing oversight over the company’s operations and the necessary oversight over safety, security and environmental protection. One way this is achieved is through the use of a quality assurance program, including audits and inspections, to verify compliance with legal requirements and the company’s own procedures. Where deficiencies are identified, they must be tracked through to their rectification, and reviewed during the management review process to ensure that improvements have been made to prevent their reoccurrence.
Inadequate Annual Report
The OPR requires that each year, a company generate an annual report for the accountable officer’s review and signature. The annual report is to describe the company’s performance in achieving its goals, objectives and targets during the previous year, as evaluated by the company’s performance measures. In addition, the report is to describe the adequacy and effectiveness of the company’s management system in achieving the company’s policies, goals and objectives; and the actions taken during the year to correct any deficiencies identified by the company’s quality assurance program.
In most cases, the audited company’s annual report did not contain this information.
Accountable Officer Confirmation
The accountable officer’s signature on the annual report signals that they are aware of the adequacy and effectiveness of the company’s management system and programs; any deficiencies identified through the company’s quality assurance measures; and the status of the actions being taken to rectify any deficiencies.
In most cases, the auditors found that the accountable officer had not signed the annual report. The absence of the accountable officer’s signature is considered a non-compliance and a missed opportunity to showcase leadership awareness and oversight. Deficiencies in management system processes, such as the ones described herein can contribute to an inadequate safety culture, which in turn can lead to environmental and safety impacts including incidents such as fatalities, serious injuries, pipeline ruptures, and major spills.
While the deficiencies noted indicate inadequate management system processes, the CER auditors were able to verify through interviews and inspection of documents and records that the companies were conducting activities to provide oversight over safety and protection of the environment. For these four auditees, corrective and preventive action plans are currently underway to bring them into compliance with the regulations.
To assist companies in the CER’s expectations, the CER has published updated operations audit protocols and an associated guidance document on the CER’s external website. These documents can be used by companies to understand how to achieve and demonstrate compliance to the various regulatory requirements in the OPR.
CER-regulated companies are expected to review and address the deficiencies noted and confirm they do not exist in their management systems. The CER will incorporate these learnings into its future compliance and oversight activities, which may target the same companies with the same or other compliance verification activities to ensure better performance in this area. Other companies may also be audited in the near future.
- Date modified: