I recently presented to a large (ish) organisation about the new psychosocial legislation and options to implement a framework to deal with the law, support workers, reduce minimise regulatory interventions and improve legal risk. They were heavily focused on not being prosecuted for breaches of the law, which took us down the path of Due Diligence.
I suggested the executive refocus their attention on not only the ‘activities’ of risk controls but also their effectiveness. I asked them, “How do you know things are working as they’re suppose to?” This led to safety metrics! (big sigh).
Their metrics were all lag indicators and focused on safety 'activities', nothing was qualitative, and everything was quantitative. As an executive, focusing on quantitative lag indicators does not make your work safe, but it will create an illusion of safety. A 100% score of audits completed says nothing about the quality of the audit or auditor and is merely evidence that the audits were done, not good.
Managing WHS risk is not the same as managing legal risk.
Legal risk is concerned with, amongst other aspects, ensuring the organisation is complying with the law and controls are on place to eliminate or mitigate the WHS risks are working effectively. The way to manage organisational safety compliance is through exercising due diligence.
s.27 WHS Act 2011 (Cth) identifies the elements of due diligence but too often we succumb to the illusion of safety because we are measuring the wrong indicators.
To exercise due diligence, leaders should be examining the purpose and quality of the controls, not just counting 'activities'.
As a former WHS Regulator, here some key considerations I looked for in deciding culpability and whether to charge entities.
1. Counting activities, not purpose.
Leaders should focus on purpose, not just activity.
The safety profession is obsessed with counting activities as a metric of safety (just look at Take 5’s – don’t get me started!!!). I have lost count of the organisations that make workers complete paperwork for no safety value, only to count how many valueless pieces of paper are completed.
Leaders should focus on the purpose of the control and ensure it is working, not how many were done. Next time you read a safety report that has a quantitative metric, question whether that control is working as intended and how you know that.
2. Is there evidence of risk elimination or managing risk to a level that is as low as reasonably practicable?
This is a key aspect of managing legal risk. Regulators will look to find how this is done. Defence lawyers will want to see how this is managed to defend a charge.
Leaders should exercise due diligence and be able to evidence the effectiveness of their management. This is done by looking at the purpose of controls, are they working and how.
From my experience, a key ingredient to success in this matter is real time data, often through electronic platforms that provide information in real time (or as close to it as possible). Real time data allows adjustments to controls depending on what is known about that hazard at that time.
3. Don’t accept Zero Injuries as the true metric
Leaders should inquire into the reporting culture and gain an understanding of the story behind the metrics.
If you have zero injuries or incidents, make sure you inquire into the reporting culture and satisfy yourself that people are not hiding events. Blindly accepting the zero may present an illusion of safety when the reality is culture of non-reporting.
4. Quality over quantity
Look to the purpose of the control and test the effectiveness. This is more difficult than merely counting an activity done in the name of safety. Numbers are only part of the story.
If you are unsure about the quality of safety activities, get an expert to verify for you.
5. Don’t confuse safety and legal risk
Don’t confuse safety risk with legal risk, they are different.
Some safety activities can contribute to elevated levels of legal risk. As a Regulator, I regularly used an organisations own procedures and system against them. If you describe a process and don't follow it, this will increase the legal risk of prosecution and the non-compliance to your own process will be used as evidenced against you.
Exercise due diligence to ensure the organisation is compliant. Use real time data and experts to gain visibility of the quality of the activity, not just counting that it has been done.
Comments