Occupational Health and Safety (OHS) Incident Management: The Role of Business Continuity Michael Torrance, Senior Associate, Occupational Health, Safety and Security 21 March 2013
Introduction Topics to cover Overview of OHS incident management principles Business continuity in the OHS context Legal drivers Case studies
Key messages Maintaining business continuity despite an OHS incident is critical to the survival of a company There are legal imperatives to ensure business continuity in the event of OHS disaster Business continuity planning begins long before an incident
What is business continuity? Continuation of commercial activities after an incident The availability of processes and resources for a business to continue achieving critical objectives Requires: systematic identification of critical business processes or assets Assessment of the vulnerability of the business to those assets or processes being disrupted or lost Development of continuity strategies and recovery procedures to address vulnerabilities Leading reference to business continuity management is HB 221:2004 Business Continuity Management
What is business continuity? Business continuity process: Risk and vulnerability analysis: environmental analysis, internal and external drivers and constraints; Business impact analysis: impact assessment process; Response strategies: includes emergency response, continuity and recovery response; Resource and interdependency requirements: ensure resourcing and external dependencies; Continuity plans for chosen strategy: comprehensive, simple and flexible; Communication strategy: identify and communicate to stakeholders; Training, maintenance and testing plans: ensure plan ready to implement; Activation and development of plans: identify triggers; Monitor and review: ensure current, comprehensive and correct.
Why is business continuity relevant to OHS incident response? OHS incidents entail commercial, legal and reputational risks Addresses operational vulnerability to the disruptive impact of an incident to commercial operations Contains commercial impacts of incident Business continuity is therefore part of a comprehensive approach to OHS incident response, considering commercial, legal and reputational aspects of an incident
Incident Management lifecycle Incident Response: Pre-incident: Emergency preparedness Business continuity plans (supply chain, training) Legal team preparedness Initial response Notification and dealing with regulators Communication strategy Investigation Business continuity plan (implement, manage) Post-incident: Inquiries Prosecutions Litigation Business continuity plans (implement, review, update)
Phases of OHS incident response Incident Management Emergency response Incident notification Interim preventative actions Communication Management Regulator liaison Stakeholder liaison Incident Investigation Root cause investigation Liability assessment Learning and dissemination Business Continuity
Integrated Management Systems To be effective, OHS management systems must become an integral part of doing business Must incorporate OHS management into operational and governance decision making systems Embedded in supervision structures and management processes Defuse tension between production and OHS Business continuity linkage helps facilitate this integration Create synergies Encourage information exchange
Legal and policy drivers Work Health and Safety Act, 2011 Key topics General duties Incident notification and site preservation Emergency response Major hazards facilities and critical infrastructure
This is a criminal regime (for primary duties) Category Description Maximum penalty Category 1 Most serious cases Breach of the primary duty involving recklessness and serious harm to a person or risk of such harm. Corporation: $3 M Officers: $600,000 Gaol up to 5 yrs Workers & other persons: $300,000 Gaol up to 5yrs Category 2 Breach of the primary duty where serious harm or the risk of it without the element of recklessness. Corporation: $1.5 M Officers: $300,000 Workers & other persons: $150,000 Category 3 Breach of the duty that does not involve high risk of serious harm. Corporation: $500,000 Officers: $100,000 Workers & other persons: $50,000
12 Reasonably Practicable
Duty of Care of PCBU Reasonably Practicable Standard Work Health and Safety Act, 2011, Part 2 Person conducting business or undertaking Duty to manage risks to health and safety as far as is reasonably practicable Duty to ensure health and safety of workers and other persons from work carried out Reasonable practicability = Weighing up Likelihood of risk Degree of harm that might result What person concerned knew or ought to have known about risk and eliminating it Availability of ways to eliminate or minimise risk Costs associated with eliminating or minimising risk, and whether cost is grossly disproportionate
Reasonable practicability Not Reasonably Practicable Reasonably Practicable
Duty of Officers Work Health and Safety Act, 2011, Part 2, Division 4 Officer defined in relation to Corporations Act 2001 The duty: Put simply, to interrogate OHS management system through a process known as due diligence Elements of due diligence set out in section 27
Who is an officer? Director Trustee of a compromise or other arrangement Company Secretary Administrator, Liquidator, received or receiver manager Shadow directors - instructions or wishes accustomed to act Officer Affects financial standing Makes, or participates in, decisions affecting the whole or a substantial part of business
Due diligence includes taking reasonable steps to Provide and use appropriate resources & processes to minimise WHS risks Monitor information on incidents, hazards and risks and respond in a timely way to that information Gain an understanding of the nature, hazards & risks associated with the operations of the PCBU. Ensure work health and safety & legal compliance Acquire and keep up-to-date knowledge of WHS matters Due Diligence Verify the use of these resources and processes These six elements fall into two categories: 1. Knowledge and understanding and 2. Management action
The Workers duty Take reasonable care for own health and safety Take reasonable care that his or her acts or omissions do not adversely affect health and safety of others Worker Duty Comply, so far as worker is reasonably able, with any reasonable instruction that is given by PCBU to allow the PCBU to comply with the WHS Act Co-operate with any reasonable policy or procedure of the PCBU relating to health and safety at the workplace that has been notified to workers 18
Incident Notification and Site Preservation Work Health and Safety Act, 2011, Part 3 A notifiable incident: Death of a person Serious injury or illness of a person Dangerous incident Duty to notify Must be done immediately after becoming aware that a notifiable incident has occurred Must use fastest possible means, including by telephon or in writing (e-mail or facsimile included) Penalty for failure to notify = $10k individual, $50k corporate Need Business Continuity for this to happen!!
Incident Notification and Site Preservation Work Health and Safety Act, 2011, Part 3 Duty to maintain records of notifiable incidents for 5 years Penalties = $5000 individual; $25000 corporate Duty to preserve incident sites Person with management or control of workplace where notifiable incident occurred must ensure so far as reasonably practicable that site not disturbed until an inspector arrives or any earlier time that an inspector directs Penalty = individual $10k; corporate $50k Does not prevent action to assist injured person, remove deceased person, essential to make site safe or minimise risk of further incident, associated with police investigation, or where inspector permits Need Business Continuity plan to ensure this!!
Emergency Response Work Health and Safety Regulation 2011, Division 4 PCBU must ensure that an emergency plan is prepared for the workplace Must provide Emergency procedures, effective response, evacuation procedures, notifications, medical treatment, effective communication, testing, training and instruction Penalties for non-compliance = $6k individual, $30k corporate This is Business Continuity planning required by law
Major hazard facilities Work Health and Safety Regulation, 2011, Chapter 9 Includes certain facilities, particularly involving Schedule 15 chemicals Must be licensed Major incidents involve risks of exposure to such chemicals Duties of operators include hazard risk and safety assessment, control of risk and emergency plan Addresses health and safety consequences of major incident Consults with local authorities, fire and rescue Be tested Notification requirements Business continuity essential for major hazard facilities
Critical Infrastructure Those facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for extended period, would significantly impact on the social or economic well-being of the nation or affect Australia s ability to conduct national defence and ensure national security Up to 90% is privately owned National Critical Infrastructure Protection Guidelines Legislative requirements and trends: Subject of legislative and policy reviews Major Hazard Facilities regulations, NSW, Terrorism Act 2003 (Victoria) Rail transport, maritime transport, banking, telecommunications Critical Infrastructure Resilience Strategy, 2010 Trusted Information Sharing Network (TISN) All about Business Continuity
Case Study: Influenza Pandemic Workplace OHS issue Represents workplace risk and hazard Obligations to manage such risks on PCBU and officers Duty of workers to cooperate Business Continuity issue Financial implications Emergency measures How to continue business without workers? See Being Prepared for a Human Influenza Pandemic: A Business Continuity Guide for Australian Business Illustrates necessary inter-linkage between OHS and Business Continuity in this context
Case Study: Terrorist Attack June 30, 2007 Glasgow Airport vehicle attempted to gain access to main check-in are of the terminal building, vehicle on fire, two suspects (one on fire) arrested at scene Fire rescue notified and arrived within 15 min, planes grounded, terminal evacuated to local convention centre, all travellers interviewed Flights resumed and terminal re-opened within 24 hours How was this achieved? Airport owners had plans in place for crisis management team and business recovery team Team assembled and operational within 45 minutes of incident Critical success factors identified in advance, short, medium, long term Leadership from the top Coordination and communication with airports and stakeholders Media strategy implemented business as usual message for next 4 weeks
Case Study: Terrorist Attack Key lessons: A business continuity plan was in place, personnel and resources were mobilised to respond to the incident Emergency response plan was triggered as soon as the incident occurred, teams were assembled and operational in very short timeframes Importance of first 24 hours was recognized Stakeholders and media were managed effectively to limit damages to business and reputation Culture of safety leadership was demonstrated with leadership of incident coming from the top Business Continuity and OHS incident management a critical partnership
Discussion and Questions? 27
About the Presenters
Our international practice 29
Disclaimer The purpose of this presentation is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of Norton Rose Australia on the points of law discussed. No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any constituent part of Norton Rose Group (whether or not such individual is described as a partner ) accepts or assumes responsibility, or has any liability, to any person in respect of this presentation. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of, as the case may be, Norton Rose LLP or Norton Rose Australia or Norton Rose Canada LLP or Norton Rose South Africa (incorporated as Deneys Reitz Inc) or of one of their respective affiliates. 30