Internal Audit Report

Audit of Management of Occupational Health and Safety and Physical Security in Laboratories

Project 2015-6B272
March 11, 2016


TABLE OF CONTENTS



1.0 EXECUTIVE SUMMARY

Fisheries and Oceans Canada (DFO) is a science-based department; in order for it to achieve its mandate, it must rely on expert scientific analysis and advice to support its decision-making, policy and program delivery. DFO’s Science program relies heavily on the scientific work undertaken in DFO’s laboratories. DFO has a network of 13 institutes and experimental centres across six operational regions that contain the majority of the Department’s laboratories. Like all federal government departments, DFO is responsible for safeguarding employees and assets within their area of responsibility. As a result of the nature of the operations, their location and the assets used, laboratory facilities present a higher occupational health, safety and security risk for laboratory employees.

The Audit of Management of Laboratories was initiated in accordance with the Internal Audit Directorate’s 2015-2018 Risk-based Audit Plan. The audit focused on physical security, safety and occupational health for laboratories and auxiliary spaces within the institutes and experimental centres that Ecosystems and Oceans Science Sector operates from; and excluded field stations and camps with basic laboratory facilities, and off-shore science vessels. While the audit was conducted based on the lines of enquiry and audit criteria identified in the planning phase, this report is structured along the following main themes: governance; policy, standards and guidelines; and organizational culture.

Based on the audit work conducted, it was evident that a strong occupational health and safety culture exists in laboratories despite the fact that the formal requirements of the occupational health and safety program are not always being met, as a result of gaps in the existing governance structure and in the guidance being provided. Physical security requirements are not always being assessed, implemented and adhered to at laboratory facilities, putting the Department’s employees and assets at risk. The recommended improvements are as follows:

  • Roles and responsibilities within the existing governance structures be reaffirmed to provide sufficient management oversight of occupational health and safety, and physical security within laboratory facilities.
  • Necessary tools and training be provided to ensure that management adopts a consistent, integrated approach to implementing, communicating and monitoring OHS and physical security within laboratory facilities.
  • The release of the new OHS manual be accompanied by training and support, as well as national monitoring and coordination to ensure consistency in the application of policies, standards and guidelines across the Department.
  • A framework for security threat and risk management be developed and implemented across the Department.
  • Occupational health and safety and physical security policies, procedures and guidelines are disseminated and communicated consistently across all DFO regions and facilities, including laboratory-specific guidance where possible.
  • An information management strategy be developed for occupational health and safety information that allows for the collection, validation, and consolidation of Task Hazard Analyses, Safe Work Procedures, and emergency response procedures across the Department.
  • Regional directors general should ensure sufficient physical security measures are in place at laboratory facilities in their regions, and that they are being enforced.

Management Response

Management is in agreement with the audit findings, has accepted the recommendations included in this report, and has developed a management action plan to address them.  The management action plan has been integrated in this report.

Approvals

The Internal Audit Report “Audit of Management of Occupational Health and Safety and Physical Security in Laboratories” was presented at the Departmental Audit Committee on March 11, 2016. The Report was recommended for approval by the Departmental Audit Committee and approved by the Deputy Minister.

2.0 BACKGROUND

Fisheries and Oceans Canada (DFO) is a science-based department; in order for it to achieve its mandate, it must rely on expert scientific analysis and advice to support its decision-making, policy and program delivery. DFO has one of the most complex and comprehensive science programs in the federal government, both in terms of function and geography.  DFO’s Science program relies heavily on the scientific work undertaken in DFO’s laboratories. This scientific work includes, but is not limited to: various research activities such as, physical sampling and testing of different species, stock assessment and monitoring, aging, ecological sciences, aquatic invasive species research, habitat sciences and modeling. The resulting products such as science papers, expert scientific analysis and advice support DFO’s mandate and priorities.

The Ecosystems and Oceans Science Sector operates out of 13 institutes and experimental centres in six regions (excluding the National Capital Region). These facilities feature a range of special purpose spaces required for the Science program; including laboratories, workshops, hatcheries, and equipment rooms. Like all federal government departments, DFO is responsible for safeguarding employees and assets within their area of responsibility. Employees working in laboratory facilities are inherently at higher occupational health, safety and security risk as a result of the nature of the operations, the location and/or the attractiveness of the assets. Failure to manage occupational health and safety, and physical security can have significant human and organizational costs.

The Audit of Management of Laboratories was included in the Internal Audit Directorate’s 2015-2018 Risk-based Audit Plan. During the Planning Phase of the audit engagement, the Internal Audit Directorate conducted an extensive preliminary survey in order to gain an understanding of the audit entity, identify the risks, refine the objective and identify an appropriate scope for the audit engagement. Based on the results of the risk assessment, a number of significant risks emerged, all of which are being addressed under the Science 2016 Initiative with the exception of the Safety and Security risks. For this reason, the approach for the audit was to undertake an assurance engagement focusing on the physical security, safety and occupational health in DFO’s laboratory facilities.

3.0 AUDIT OBJECTIVE

The overall audit objective is to provide assurance that the Department has adequate security, safety and occupational health measures in place for laboratories.

4.0 AUDIT SCOPE

The audit focused on physical security, safety and occupational health for laboratories and auxiliary spaces within the institutes and experimental centres that Ecosystems and Oceans Science Sector operates from; and excluded field stations and camps with basic laboratory facilities, and science vessels (near, mid and off-shore).

Laboratories that have restricted access such as the National Aquatic Animal Health, radioisotope, and biocontainment laboratories were excluded as these laboratories are monitored for compliance by external regulatory bodies.

The audit team visited six laboratory facilities in three regions while conducting the audit, and an additional laboratory facility in a fourth region while planning the audit.

5.0 AUDIT APPROACH

The audit team carried out its mandate in accordance with Treasury Board’s Policy on Internal Audit, Internal Audit Standards for the Government of Canada and Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing.  These standards require that the engagement be planned and performed in such a way as to obtain reasonable assurance that the audit objectives are achieved. As such, the audit employed various techniques including a risk assessment of the audit entity, interviews, surveys, as well as reviews and analysis of documentation and information.

6.0 AUDIT FINDINGS

This section provides the observations and recommendations resulting from the audit work carried out.  While the audit was conducted based on the lines of enquiry and audit criteria identified in the planning phase, this report is structured along the following main themes:

  • Governance
  • Policy, Standards and Guidelines; and
  • Organizational Culture.

For conclusions by audit criterion, please refer to Appendix A.

Based on the audit work performed and our professional judgment, the risk associated with each observation was rated using a three-point scale. The risk ranking (high, moderate and low) is based on the level of potential risk exposure we feel may have an impact on the achievement of Fisheries and Oceans Canada objectives, and is indicative of the priority Management should give to the recommendations associated with that observation. The following criteria were used in determining the risk exposure level:

risk definitions
High Controls are not in place or are inadequate.
Compliance with legislation and regulations is inadequate.
Important issues are identified that could negatively impact the achievement of program/operational objectives.
Moderate Controls are in place but are not being sufficiently complied with.
Compliance with central agency/departmental policies and established procedures is inadequate.
Issues are identified that could negatively impact the efficiency and effectiveness of operations.
Low Controls are in place but the level of compliance varies.
Compliance with central agency/departmental policies and established procedures varies.
Issues identified are less significant but opportunities that could enhance operations exist.

6.1 Governance

The Institute of Internal Auditors (IIA) defines governance as the combination of processes and structures implemented by senior management to inform, direct, manage, and monitor the activities of the organization toward achievement of its objectives. 

DFO has a matrix management model, which is intended to enable a two-dimensional approach to managing resources, delivering services and applying policy. The matrix approach vests: policy authority with sectoral Assistant Deputy Ministers (ADMs) through functional directionFootnote 1; and operational authority with regional directors general (RDGs) through line relationshipsFootnote 2.  While occupational health and safety (OHS) and physical security are everyone’s responsibility, the ADM Human Resources and Corporate Services (HRCS) is the functional authority and each of the six RDGs have the operational authority for their respective region. 

It is the functional authority’s role to provide strategic direction, establish clear objectives and priorities, clarify accountabilities, and assign roles and responsibilities for OHS and Security. In doing so, it is also their role to interpret policies on behalf of the Department, and provide interpretation and associated guidance materials to ensure internal coherence and common management approaches across the Department. The Safety, Security and Emergency Management Oversight Committee (SSEMOC) was established in December 2014. This committee is chaired by the Associate Deputy Minister and includes membership from across the Department. The committee’s mandate is to support the Deputy Minister’s fulfillment of their accountabilities by providing management oversight, guidance, and direction with respect to safety, security and emergency management. Under the direction of this committee, a Comprehensive Review of Safety, Security and Emergency Management (SSEM) was recently undertaken.

Regional Directors (RDs), Real Property, Safety and Security (RPSS) are responsible for managing, administering and delivering their Regional OHS and Security Programs on behalf of their RDG, while taking functional direction from the Departmental Security Officer (DSO).  It is then the role and responsibility of all managers, supervisors and employees to implement the OHS and Security Programs at the workplace level. Each level of management should provide those responsible for overseeing OHS and physical security within their function with accurate, sufficient and timely information to support the execution of their oversight responsibilities.


observations 6.1.1
Observations - Occupational Health and Safety
Moderate 6.1.1 Governance structures are in place to oversee and manage the OHS Program. However, they are not always fulfilling their roles and responsibilities to ensure compliance with applicable OHS legislation, policies and directives; particularly the implementation of a Hazard Prevention Program.

As all employees are responsible for the successful implementation of the OHS program, its success relies heavily on their buy-in and support. To support the achievement of this, it is important to have an effective governance structure in place; one that management and employees at the workplace level can rely on for guidance and support in discharging their OHS responsibilities. To be successful, the OHS governance structure must function cohesively, effectively and efficiently across all levels. It must consistently and efficiently communicate, support and provide guidance to all regions for the implementation and maintenance of their workplace OHS programs.

The audit found that the DFO OHS program has had a clearly defined governance structure in place since at least 2006. Functional and administrative responsibilities have been clearly defined for each applicable level, however these responsibilities are not always being fulfilled. Some regional OHS Advisors were said to be unable to fulfil their advisory role as a result of a lack of functional direction and guidance from the National Health and Safety Office, and a lack of resources. At the time of the audit, the 2006 OHS Manual was the primary source of reference for Regional OHS Advisors, and it contained minimal guidance to support activities such as developing a Hazard Prevention Program, which is required by law.

Regional OHS Advisors found it difficult to provide the support and expert advice managers/supervisors required, due in part to limited guidance being provided. As a result, managers and supervisors sought external expertise to assist them in fulfilling their responsibilities, developed their own methodologies at the expense of their core activities, or chose not to develop Hazard Prevention Programs for their workplaces. This has resulted in the Department not fully implementing a Hazard Prevention Program (HPP) in all regions. The Department identified similar deficiencies in relation to the creation and implementation of a HPP through its Comprehensive Review of SSEM, an internal self-assessment which was ongoing during the audit, and has begun to address these through a Management Action Plan. In addition, the new 2015 OHS Manual provides improved tools, templates and documentation to aid in HPP development.

As per the Canada Labor Code (CLC), Part II, the employer must establish an OHS Committee comprised of management and employee representation. DFO’s Occupational Health and Safety Policy further expands upon this requirement, by requiring that a network of OHS committees and representatives be established and operated throughout the Department in accordance with the requirements of the CLC Part II. It is expected that an OHS committee structure is established at various levels of the organization, clearly demonstrating oversight and support to each subsequent committee level.The Department has established a clearly defined system of OHS Committees, comprised of the National Policy Health and Safety Committee (NPHSC) at national headquarters (NHQ); a Regional Health and Safety Committee (RHSC) within each regional headquarters (RHQ); and a Workplace Health and Safety Committee (WHSC) for each workplace/facility.

Across the regions, the Workplace Health and Safety Committees demonstrated that they are executing their mandate, as described in their Terms of Reference, effectively and efficiently while respecting COHSR and CLC Part II requirements pertaining to the frequency of meetings, committee membership and stakeholder representation, inspection protocols, reporting, monitoring, review and analysis of hazardous occurrence investigation reports and reporting requirements. Each committee’s mandate, roles and responsibilities are clearly defined and articulated. Committee responsibilities include, but are not limited to monthly workplace inspections, monitoring and reviewing the implementation of HPPs and tracking and ensuring the implementation of remedial actions resulting from workplace inspections.

The Regional Health and Safety Office and the Regional Health and Safety Committee within each region are a pivotal piece of the OHS governance structure as they are the link between NHQ and Senior Management’s objectives for the OHS Program, and the workplace level’s implementation of the OHS Program. Regional Health and Safety Committees fall under the responsibility of the RDG who receives technical advice and support from RD, RPSS. Regional Health and Safety Committees across the regions do not appear to be fulfilling their responsibilities consistently.

A review of a sample Regional Health and Safety Committee meeting minutes from all regions visited, as well as testimonial evidence gained through interviews, revealed inconsistent engagement between Workplace Health and Safety Committees and Regional Health and Safety Committees. For instance, in two regions, Regional Health and Safety Committees appear to be providing support and oversight to the Workplace Health and Safety Committees by reviewing inspections, conducting analysis or summations of Hazardous Occurrence Incidents Reports and monitoring the regional Hazard Prevention Plans. Based on a review of the third region’s Regional Health and Safety Committee’s minutes, none of these activities have taken place over the last calendar year. In addition, based on a review of the TOR for this Region’s Regional Health and Safety Committee in conjunction with their minutes, there was no evidence to demonstrate that a review of workplace accident and injury reports/statistics and monitoring of the Workplace Health and Safety Committee’s activities had been conducted in order to confirm they are functioning as required under legislation and Departmental policy.

observations 6.1.2
Observations – Physical Security
Moderate 6.1.2 A governance structure for managing security within the Department exists, but the roles and responsibilities within this structure are not always being executed to ensure physical security at laboratory facilities.

Laboratory security is an issue that has grown in prominence in recent yearsFootnote 3 and is complementary to laboratory health and safety. Risks to laboratory security include theft or diversion of high-value equipment, theft of chemicals to commit criminal acts, intentional release of hazardous materials, or loss/release of sensitive information. Security risks vary between organizations and laboratories, are often related to the work being performed, and therefore must be assessed and managed on an individual basis. Responsible governance includes the assessment and management of security. The objective of the Treasury Board (TB) Policy on Government Security is to ensure that deputy heads effectively manage security activities within departments and contribute to effective government-wide security management.

The TB Policy on Government Security as well as the Directive on Departmental Security Management outlines the importance of ensuring that departmental security activities have a governance structure with well-defined roles and responsibilities for those employees with security responsibilities that are documented and communicated. A defined accountability structure for the Safety and Security Program exists and is outlined within DFO's Security Policy and Accountability Framework (SPAF). The SPAF subsequently identifies the activities the Department will undertake to ensure the accountabilities are fulfilled to achieve the objectives set out by the TB Policy on Government Security.

Departmental Security Plan

Under DFO's SPAF, the Departmental Security Officer (DSO) is required to establish and direct a security program that ensures co-ordination of all policy functions and implementation of policy requirements. The Department’s security program is described in the Departmental Security Plan (DSP). A DSP provides the details for managing security risks and outlines strategies, goals, objectives, priorities and timelines for improving Departmental security and supporting its implementation.

DFO’s DSP was approved in November 2012, with a review underway at the time of the audit. The DSP is said to have been developed by leveraging information from, among other things, TRAs, self-assessments, and other corporate documents. The DSP identifies five critical security risks, and of the five critical risks identified, Threat and Risk Assessments (TRA) were identified as a mitigation control for four.  As part of the audit, the audit team visited six out of 18 of DFO’s major facilitiesFootnote 4 and none had an up-to-date TRA. This affects the extent to which the Department is able to effectively manage security risks, particularly systemic risks that relate to laboratory facilities.

Regional Security

Under DFO's SPAF, the regional security officers (RSOs) are also responsible for implementing the DSP, developing regional security plans (RSPs), implementing a regional security training and awareness program, maintaining records of security incidents, identifying and documenting site-specific access control requirements, implementing security inspections, and conducting TRAs. However, RSPs did not exist at any of the three regions visited.  It was expected that RSPs would identify security risks specific to the Region and the detailed decisions related to the management of those risks.  None of the regions visited had an up-to-date assessment of security risks for their major laboratory facilities that could provide the base for the development of the RSP. In the absence of an RSP, it was noted that commissionaires documented post orders (site-specific access control requirements) for all sites visited but that these do not specifically consider laboratories. The audit team also noted that limited monitoring of physical security controls, such as security inspections, take place.

By not adequately assessing and managing security at laboratory facilities, it leaves the Department, the facilities, the scientific work being undertaken, and the people working in these facilities vulnerable.


recommendation and action plan
Recommendation Management Action Plan
R-#1 It is recommended that the Assistant Deputy Minister, Human Resources and Corporate Services:  
1.1
Reaffirm roles and responsibilities within the existing governance structures to provide sufficient management oversight of OHS and physical security within laboratory facilities.
1.1 Completed:

To increase management oversight of safety, security and emergency management in the Department, the Safety, Security and Emergency Management Oversight Committee (SSEMOC) was established in December 2014. Since its creation, it has approved a number of policy instruments that clarify roles and responsibilities:

  • The updated Hazard Prevention Program was approved by SSEMOC in April 2015.
  • The OHS Policy was approved by SSEMOC in July 2015.
  • The OHS Manual was approved by SSEMOC in August 2015.
  • The OHS Management Action Plan resulting from the Comprehensive Review was approved in August 2015; updates on the progress are presented to SSEMOC regularly.
  • The Policy on Departmental Safety, Security and Emergency Management (SSEM) approved by SSEMOC in October 2015, outlines departmental responsibilities pertaining to all areas of SSEM to ensure the effective management of SSEM activities at DFO and to support the Department’s business objectives and mandate, by safeguarding employees, information, assets and ensuring the continued delivery of services.

Ongoing/Pending:
Provide guidance to regional OHS advisors to ensure they are providing support and oversight to Regional Health and Safety Committees and Workplace Health and Safety Committees, and ensure Regional Health and Safety Committees and workplace committees are reviewing inspections, conducting analysis or summations of Hazardous Occurrence Incidents Reports and monitoring the regional or workplace implementation of the Hazard Prevention Program.

The regional directors general will be reminded of the need to ensure that their regional OHS and security teams are supporting the program requirements and implementing the guidance and direction received from the national OHS team.

   
1.2
Provide the necessary tools and training to ensure that RDGs and Program Heads adopt a consistent, integrated approach to implementing, communicating and monitoring OHS and physical security within laboratory facilities.
1.2 Completed:

Hazard Prevention Program training for OHS advisors has been completed.

A national OHS reporting process, including THA completion, is in place and OHS metrics are reported regularly to management oversight committees.

Ongoing/Pending:
Implement the HPP in accordance with the HPP Implementation Plan.

Release HPP implementation training package for managers and implementation in regions.

Continue with the annual HPP and OHS program reporting requirements.  Commencing January 2016.

Office of Primary Interest: ADM, HRCS
Due Date: March 2016

6.2 Policy, Standards, and Guidelines

Policies and standards, when well designed, provide discipline and structure to support the achievement of Departmental objectives. It is equally important that the guidelines and procedures that support policies and standards, be established, communicated, interpreted, and practised to support employees in effectively performing their duties as a component of achieving departmental objectives. Laboratories, by virtue of the work that is conducted within them, are classified as hazardous work spaces. As such, it is imperative that the Departmental OHS and Security program give special consideration to the challenges presented by these types of work spaces when developing policies, guidelines and procedures meant to ensure the health and safety, and security of employees working within them. In addition, the regional directors general should ensure that their safety and security teams and responsible regional managers implement the direction received from the national OHS and Security program.

observations 6.2.1
Observations - Occupational Health and Safety
Moderate 6.2.1 Occupational health and safety policies and standards were not being interpreted and applied consistently across the Department; however, occupational health and safety policies and standards, with supporting guidance material, have been revised recently.

Throughout the audit, it was expected that Departmental OHS policies, guidelines and procedures that consider hazard prevention have been developed, implemented and communicated to laboratory employees. Also, these policies, guidelines and procedures should lend special consideration to hazardous work spaces that are common across the Department, such as laboratories. Providing sound guidance, through reinforced communication is a foundational element of a control framework, which allows for internal coherence, consistency, and alignment to core outcomes. A lack of laboratory-specific OHS guidance, in the form of policy, procedures, guidelines, and advice, has resulted in inconsistent practices within operational activities across laboratory facilities.

Hazard Prevention Program (HPP)

A HPP is a workplace-specific program that is required by law, designed to protect employees, and prevent work related injuries and diseases. Based on the observations of the audit team, deficiencies exist in relation to formalized hazard prevention programs (HPPs) for laboratory facilities. Task Hazard Analyses (THAs) have been completed to varying degrees between laboratory facilities, and safe work procedures (SWPs) have been completed to a lesser degree. Laboratory workplace inspections are being undertaken regularly but the frequency and inspection protocols are at the discretion of the Science facility management. Material safety is also being managed at the discretion of the facility manager and/or resident Science staff. The extent to which Emergency Response Plans address emergencies beyond fires, emergency evacuations and earthquakes (where applicable) is minimal.

Based on interviews and document review, it was determined that many of the deficiencies in the HPP at laboratory facilities were the result of there being little to no guidance or training being provided to managers/supervisors at the workplace level to assist in their development of a HPP. There was minimal guidance, including an absence of standard templates and risk rating scales, in the 2006 OHS Manual to support the consistent development of HPPs across the Department. It is the responsibility of the National OHS Office to provide such functional guidance and training; and Regional OHS Advisors to provide support and expert advice in implementing it.

Task Hazard Analysis

Due to limited functional guidance and training, Regional OHS Advisors in two of the three regions visited, provided little support to managers/supervisors in developing their THAs and associated SWPs. Throughout the conduct of the audit, the audit team noted inconsistencies in the THA processes including roles and responsibilities, the process for identifying tasks and the associated hazards, risk ratings (including the scales used), development of controls (other than SWPs) and monitoring. The audit team also observed that there were few opportunities to achieve economies, efficiencies and/or consistency in the THA process and development of associated SWPs. There were no mechanisms in place, such as a common database with standard THAs and SWPs, to facilitate sharing of common practices in laboratory facilities across the Department. This has resulted in a duplication of effort on the part of managers/supervisors between laboratory facilities across DFO.

It is important to note that DFO’s Comprehensive Review of SSEM, an internal self-assessment which was ongoing during the audit, also found significant gaps in the completion of THAs. In response, the RPSS Directorate has developed Management Action Plans to implement mitigating strategies including the development and implementation of a common database for all THAs and SWPs to facilitate sharing. RPSS has also developed a new OHS Manual, which outlines accountabilities, roles and responsibilities, and provides guidance and tools on how to apply the requirements of the Departmental OHS program. DFO’s new OHS Manual aims to provide the details of the Departmental OHS and hazard prevention programs, and be a source of reference for managers, supervisors, OHS committees/representatives, and employees seeking direction and guidance. The Task Hazard Analysis (THA) process is more prescriptive in comparison to the previous ‘Task Analysis’ process. It clearly outlines the steps, describes the roles and responsibilities, and provides supporting documentation, such as a standard rating scale and templates.

Hazardous Material Management

All hazardous substances have an accompanying Material Safety Data Sheet (MSDS), which provides information on the potential hazards of chemical products and safety precautions to consider. Copies of MSDSs must be made readily available in the workplace, and kept up-to-date, as per the Controlled Products Regulations. It was noted that although MSDSs were easily accessible and up-to-date as required, in three out of the six facilities visited the process that allowed for this was a manual process when the Department holds a license for ‘MSDS Online’ which automates much of this, acts as a chemical inventory database, and has a regulatory reporting function. It was noted that not all laboratory facilities were aware of the Department’s license, and as such were not able to leverage such functionality.

Workplace Inspections

Effective workplace inspections contribute to reducing hazardous occurrences by identifying and addressing hazards, forming an integral component of a HPP. Performing regular workplace inspections provides an opportunity to examine facilities, equipment, materials, and workspaces, in an effort to protect the health and safety of employees. Workplace inspections of laboratories are being undertaken at least quarterly at all laboratory facilities but the checklist used for inspections was not standard and therefore varied from facility to facility. Results of inspections were being reported to Science facility management and/or the OHS committee, where corrective actions related to any deficiencies are being identified. Oversight of workplace inspections completed for laboratories by responsible managers or supervisors to identify trends and implement consistent corrective actions could be improved.

Laboratory Safety Manual

While the new OHS Manual recognizes that laboratories have greater occupational hazards, it does not provide any additional guidance related to laboratories. It was noted that the previous 2006 OHS Manual included a DFO Laboratory Safety Manual; however, this has now been retracted and there are currently no plans to replace it. In interviews with National OHS, it was suggested that required THAs and related SWPs will act to provide the required policies, guidelines and procedures to address specific safety issues in laboratories and that there was no need for a laboratory safety manual. Industry best practices advocate for laboratory safety manuals as a key component in managing occupational health and safety in a laboratory environment. Five out of six DFO sites visited as part of this audit had a laboratory safety manual in circulation for reference/training purposes.

Lack of policy, guidance and advice, as well as the absence of an information sharing mechanism to leverage information department-wide, has caused facilities to adopt self-governing approaches to address occupational health and safety. This requires additional effort, creates inconsistencies in managing occupational health and safety, and detracts from delivering the Department’s core mandate.

observations 6.2.2
Observations - Observations – Physical Security
Moderate 6.2.2 A departmental safety and security policy and accountability framework exists, which clearly outlines responsibilities of security practitioners, however supporting guidance is lacking to ensure security risks are regularly identified, updated and monitored.

Management of security requires the continuous assessment of risks and the implementation, monitoring and maintenance of appropriate internal management controls. Therefore, security practitioners must provide the appropriate guidance on prevention, detection, response, and recovery strategies. Throughout the audit it was expected that Departmental security standards have been developed and clearly outline expectations of security practitioners to ensure the safety and security of employees working within laboratories. However, it was determined that limited guidance and oversight related to physical security of laboratories existed to ensure security risks are assessed and managed appropriately.

The TB Guide on Developing a Departmental Security Plan identifies assessing risks as a key tool in prioritizing activities in the DSP. TRA's were identified as an existing control to assist in mitigating four out of five of the critical risks identified within DFO’s DSP. DFO’s SPAF clearly outlines the roles and responsibilities related to conducting TRAs, both nationally and regionally. Though the accountability framework does not explicitly state criteria of when a TRA should be conducted, TRAs for the major DFO laboratory facilities visited had not been updated within the past five years. Moreover, no criteria had been established to prioritize the conduct of TRAs.

As per the TB Operational Security Standard on Physical Security, TRAs help to determine the appropriate cost-effective means to control access to a facility, whether remedial measures are required as a result of modifications, the appropriate choice to control restricted-access areas, and the choice to implement electronic access controls. Some facilities have recognized the importance and benefits of having an updated TRA and work has been completed in an effort to initiate a TRA; however, limited guidance, expertise, and lack of resources, ultimately resulted in TRAs not being completed.

The audit team observed weak physical security controls at one of DFO’s major laboratory facilities. DFO’s Comprehensive Review of SSEM also highlighted gaps related to conducting TRAs, a lack of security inspections and sweeps within facilities, and the inconsistent application of security control measures. Management Action Plans related to the self-assessment are currently underway.

recommendations and action plan
Recommendation Management Action Plan
R-#2. It is recommended that the Assistant Deputy Minister, Human Resources and Corporate Services ensure:  
2.1
The release of the new OHS manual be accompanied by training and support, as well as national monitoring and coordination to ensure consistency in the application of policies, standards and guidelines across the Department.
2.1 Completed:

Hazard Prevention Program training for OHS advisors has been completed.

Ongoing/Pending:
Complete HPP training for all regional managers.

Provide additional training and guidance on the THA process, clearly defining roles and responsibilities.

Continue providing mandatory OHS training for regional managers, OHS representatives, and employees.

Continue with the annual HPP and OHS program reporting requirements.  Commencing January 2016.

   
2.2
A framework for security threat and risk management is developed and implemented across the Department.
2.2 Ongoing/Pending :

Develop and disseminate a Departmental TRA strategy which sets out common approaches for similar programs, services and facilities.

Prioritize conducting TRAs at facilities according to defined criteria.

Create a national tracking system for completed TRAs and site assessments
   
2.3
OHS and physical security policies, procedures and guidelines are disseminated and communicated consistently across all DFO regions and facilities, including laboratory-specific guidance where possible.
2.3 Completed:

A communications plan for safety and security, which includes communications plans for policy instruments, has been developed and approved.

Ongoing/Pending:
As part of the communications approach:

  • Continue promotion of the CSPS Security Awareness course (A230).
  • Supplement basic awareness with direction on department-specific issues. 
  • Finalize awareness booklets and accompanying videos from CCOHS for employee training in remote regions and onboard vessels.
  • Update the SSES intranet content.
  • Continue promotion of managers’ review of their THAs and Safe Work Procedures for laboratory safety.
   
2.4
The information management strategy for OHS information be further developed to allow for the collection, validation, and consolidation of Task Hazard Analyses, Safe Work Procedures, and emergency response procedures across the Department.
2.4 Completed:

A national listing of completed THAs and SWPs is available on the SSES OHS intranet. Ensure that the listing is maintained.

Ongoing/Pending:
A listing of all employees and mandatory OHS training shall be maintained by the Manager/ Supervisor.

Corporate OHS to review all lab safety manuals created by the Science Sector to ensure national consistency in practices and guidance.
Office of Primary Interest: ADM, HRCS
Due Date: September 2016

6.3 Organizational Culture

Sustaining an effective OHS and Physical Security Program requires that both these activities be seen as pillars of management’s operating philosophy. They have to be part of the organizational culture, ingrained within the way management and employees reflect on and execute their daily activities. Explicit, well-communicated and well understood OHS and Physical Security requirements are key elements contributing to the commitment of employees as they set the standard to which all staff must adhere in their daily practices. Reinforced through ongoing communication, training and the organization’s policies, procedures and guidance, this foundational element of both OHS and Physical Security Programs is key to ensuring the health, safety and safeguarding of DFO’s employees and assets.

observations 6.3.1
Observations
   Low    6.3.1 Laboratory employees/supervisors and workplace OHS committees work together to foster a culture of health and safety within laboratory facilities, but the same cannot be said for ensuring physical security.

To be effective, OHS and Physical Security have to be embedded in the organizational culture at the workplace level.

Occupational Health and Safety

Within DFO laboratories, a strong health and safety culture exists, due in part to the nature of science as a discipline.  Science is a discipline where habitual risk assessment, experiment planning, and consideration of worst-case possibilities for oneself and one's fellow workers is very much engrained. The limited number and type of hazardous occurrences reported across all regions visited over the past two fiscal years lends support to this observation, as do testimonials obtained during interviews with Science employees.

While the existence of a strong health and safety culture is the desired condition in any organization, mechanisms must be in place to ensure its sustainability. Such an organizational culture must be maintained and reinforced. DFO Science ensures this by incorporating health and safety in its orientation and training activities. Interviews and document reviews revealed that as part of all new employee orientation activities, employees and supervisors had to sign off confirming this had been covered. Another way of ensuring sustainability is to document formally, within workplace manuals, guides and policies or procedures, what behaviours and actions are expected of those working in DFO laboratories. Interviews and document reviews revealed that while the previous DFO Lab Safety Manual had been retracted and not replaced, individual facilities / laboratories have continued to use it, adopted another laboratory safety manual and/or developed their own lab safety orientation manuals as a means of formally conveying those expected behaviours and actions.

The strength of DFO laboratories’ health and safety culture relies on the continued involvement and guidance of the Workplace Health and Safety Committee. Through interviews with committee members, employees and supervisors, it was evident that Workplace Health and Safety Committees were very active in promoting and reinforcing OHS within the organization. This was demonstrated by their support and coordination of the workplace Hazard Prevention Program, their involvement and assistance with the hazardous occurrences process, the conduct of workplace inspections and their willingness to provide ad hoc support as required.

Physical Security

As per the TB Policy on Government Security, security is achieved when it is supported by senior management as an integral component of strategic and operational planning and embedded into departmental frameworks, culture, day-to-day operations and employee behaviours. The DFO laboratory facilities visited did not demonstrate a strong culture of physical security. Science is a discipline that champions collaboration and sharing of knowledge, which poses challenges to an organization’s need for physical security in order to protect its valuable assets, resources, information and employees. Based on laboratory facility site visits, physical security weaknesses were observed at several laboratory facilities. This included entry points not being secured, laboratory doors being left open when they were vacant, master keys being used to override electronic swipe cards, limited security sweeps, access to restricted areas not being sufficiently controlled and visitors not always being escorted. These weaknesses existed despite the Department’s recent efforts to promote security awareness, including mandatory training for all employees.

recommendations and action plan
Recommendation Management Action Plan
R-#3   It is recommended that the Assistant Deputy Minister, Human Resources and Corporate Services, via the Safety, Security and Emergency Management Oversight Committee (SSEMOC), ensure that:  
3.1
RDGs demonstrate that sufficient physical security measures are in place at laboratory facilities in their regions, and that they are being enforced.
3.1 Ongoing/Pending:

Support RDGs with tools to conduct/update TRAs at laboratory facilities, including enforcement and monitoring,  every five years.

Maintain a national listing of TRAs completed at each site.

Ensure that regional security follows up on implementation of TRA recommendations to reduce security risks.

In addition, a change in reporting relationship of the regional SSES teams from the RD Real Property, Safety and Security to the Associate RDG in each region will be explored to provide an appropriate level of oversight and direction to the safety and security function.

Office of Primary Interest: ADM, HRCS
Due Date: March 2016

7.0 AUDIT OPINION

Based on the audit findings, our opinion is that there are opportunities for improvement to ensure that the Department has adequate security, safety, and occupational health and safety measures in place for laboratories. While governance structures do exist, their roles and responsibilities should be fulfilled to ensure the Occupational Health and Safety and Security Programs are being adequately and effectively managed. Although OHS guidance is being inconsistently applied and interpreted across the Department, DFO’s departmental OHS Program is updating current health and safety policies and standards and can be further strengthened by ensuring effective implementation. Opportunities exist to strengthen DFO’s security program by strengthening the physical security culture within laboratory facilities and establishing supporting guidance to ensure threats and risks are regularly updated and monitored.

8.0 STATEMENT OF CONFORMANCE

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report.  The extent of the examination was planned to provide a reasonable level of assurance with respect to the audit criteria.  The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with Management.  The opinion is applicable only to the entity examined and within the scope described herein.  The evidence was gathered in compliance with the Treasury Board Policy and Directive on Internal Audit.  The audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program (QAIP). The procedures used meet the professional standards of the Institute of Internal Auditors. The evidence gathered was sufficient to provide Senior Management with proof of the opinion derived from the internal audit.

APPENDIX A – AUDIT CRITERIA

Based on a combination of the evidence gathered through documentation examination, analysis and interviews, each of the audit criteria listed below was assessed and a conclusion for the audit criteria was determined using the following definitions:

conclusions and opinions
  Conclusion on Audit Criteria Definition of Opinion
1 Criteria Met – Well Controlled Well managed or no material weaknesses noted, controls are effective.
2 Criteria Met with Exceptions – Controlled Requires minor improvements.
3 Criteria Met with Exceptions – Moderate Issues Requires improvements in the areas of material financial adjustments, some risk exposure.
4 Criteria Not Met – High Impact – Significant Improvements Needed Requires significant improvements in the area of material financial adjustments, serious risk exposure.

The following are the audit criteria and examples of key evidence and/or observations noted which were analyzed and against which conclusions were drawn.  In cases where significant improvements and/or moderate issues were observed, these were reported in the audit report.

criteria
Audit Criteria Conclusion on Audit Criteria Examples of Key Evidence/ Observations
Line of Enquiry 1 – Occupational Health and Safety
Criterion 1.1:  Documented laboratory safety policies, guidelines, and procedures that consider hazard prevention exist and are communicated to laboratory employees. 3 6.2.1
6.1.1
Criterion 1.2: DFO management has developed and implemented a training plan that considers laboratory health and safety. 2 6.2.1
6.3.1
Criterion 1.3: An occupational health and safety committee exists, and laboratory inspections are carried out. 2 6.1.1
6.2.1
Criterion 1.4: A preventive maintenance program exists and required maintenance is carried out to avoid failures that could result in a hazard to employees. 2 N/A
Line of Enquiry 2 – Physical Security
Criterion 2.1:  The Department has identified and assessed the requirements for ensuring the physical security of laboratory facilities, and safeguarding employees/assets. 3 6.1.2
6.3.1
Criterion 2.2: The Department has put in place the necessary physical security measures to protect laboratory facilities and safeguard employees/assets. 3 6.1.2
6.3.1