Occupational Health and Safety (OHS) Incident Management: The Role of Business Continuity

Michael Torrance, Senior Associate, Occupational Health, Safety and Security 21 March 2013

Introduction • Topics to cover

– Overview of OHS incident management principles

– Business continuity in the OHS context

– Legal drivers

– Case studies

Key messages • Maintaining business continuity despite an OHS incident is critical to the

survival of a company

• There are legal imperatives to ensure business continuity in the event of OHS disaster

• Business continuity planning begins long before an incident

What is business continuity? • Continuation of commercial activities after an incident

• The availability of processes and resources for a business to continue achieving

critical objectives

• Requires: – systematic identification of critical business processes or assets – Assessment of the vulnerability of the business to those assets or processes being

disrupted or lost – Development of continuity strategies and recovery procedures to address vulnerabilities

• Leading reference to business continuity management is HB 221:2004 Business Continuity Management

What is business continuity? • Business continuity process:

– Risk and vulnerability analysis: environmental analysis, internal and external drivers and

constraints;

– Business impact analysis: impact assessment process;

– Response strategies: includes emergency response, continuity and recovery response;

– Resource and interdependency requirements: ensure resourcing and external dependencies;

– Continuity plans for chosen strategy: comprehensive, simple and flexible;

– Communication strategy: identify and communicate to stakeholders;

– Training, maintenance and testing plans: ensure plan ready to implement;

– Activation and development of plans: identify triggers;

– Monitor and review: ensure current, comprehensive and correct.

Why is business continuity relevant to OHS incident response?

• OHS incidents entail commercial, legal and reputational risks

• Addresses operational vulnerability to the disruptive impact of an incident to

commercial operations

• Contains commercial impacts of incident

• Business continuity is therefore part of a comprehensive approach to OHS incident response, considering commercial, legal and reputational aspects of an incident

Incident Management lifecycle Incident Response:

•Initial response

•Notification and dealing with regulators

•Communication strategy

•Investigation

•Business continuity plan (implement, manage)

Post-incident: •Inquiries

•Prosecutions

•Litigation

•Business continuity plans (implement, review, update)

Pre-incident: •Emergency preparedness

•Business continuity plans (supply chain, training)

•Legal team preparedness

Phases of OHS incident response

Incident Management

•Emergency response

• Incident notification

• Interim preventative actions

Communication Management

• Regulator liaison

• Stakeholder liaison

Incident Investigation

• Root cause investigation

•Liability assessment

•Learning and dissemination

Business Continuity

Integrated Management Systems

• To be effective, OHS management systems must become an integral part of doing business

• Must incorporate OHS management into operational and governance decision making systems – Embedded in supervision structures and management processes – Defuse tension between production and OHS

• Business continuity linkage helps facilitate this integration

– Create synergies – Encourage information exchange

Legal and policy drivers

• Work Health and Safety Act, 2011

• Key topics

– General duties

– Incident notification and site preservation

– Emergency response

– Major hazards facilities and critical infrastructure

This is a criminal regime (for primary duties) Category Description Maximum penalty

Category 1 Most serious cases Breach of the primary duty involving recklessness and serious harm to a person or risk of such harm.

Corporation: $3 M Officers: $600,000 Gaol up to 5 yrs Workers & other persons: $300,000 Gaol up to 5yrs

Category 2 Breach of the primary duty where serious harm or the risk of it without the element of recklessness.

Corporation: $1.5 M Officers: $300,000 Workers & other persons: $150,000

Category 3 Breach of the duty that does not involve high risk of serious harm.

Corporation: $500,000 Officers: $100,000 Workers & other persons: $50,000

12

“Reasonably Practicable”

Duty of Care of PCBU – “Reasonably Practicable” Standard

• Work Health and Safety Act, 2011, Part 2

• Person conducting business or undertaking

– Duty to manage “risks to health and safety as far as is reasonably practicable” – Duty to ensure health and safety of workers and other persons from work carried out

• Reasonable practicability = Weighing up – Likelihood of risk – Degree of harm that might result – What person concerned knew or ought to have known about risk and eliminating it – Availability of ways to eliminate or minimise risk – Costs associated with eliminating or minimising risk, and whether cost is “grossly

disproportionate”

Reasonable practicability

Not Reasonably Practicable

Reasonably Practicable

Duty of Officers

• Work Health and Safety Act, 2011, Part 2, Division 4

• Officer defined in relation to Corporations Act 2001

• The duty:

– Put simply, to interrogate OHS management system through a process known as “due diligence”

– Elements of due diligence set out in section 27

Who is an officer?

Officer

Company Secretary

Director

Trustee of a compromise

or other arrangement

Administrator, Liquidator, received or

receiver manager

Affects financial standing

Shadow directors -

instructions or wishes

accustomed to act

Makes, or participates in,

decisions affecting the whole or a

substantial part of business

Due Diligence

Due diligence includes taking reasonable steps to…

These six elements fall into two categories: 1. Knowledge and understanding and 2. Management action

Verify the use of these resources and processes

Ensure work health and safety & legal compliance

Monitor information on incidents, hazards and risks and respond in a timely way to that information

Provide and use appropriate resources & processes to minimise WHS risks

Gain an understanding of the nature, hazards & risks associated with the operations of the PCBU.

Acquire and keep up-to-date knowledge of WHS matters

18

The Workers’ duty

Take reasonable care for own health and safety

Take reasonable care that his or her acts or omissions do not adversely affect health and safety of others

Comply, so far as worker is reasonably able, with any reasonable instruction that is given by PCBU to allow the PCBU to comply with the WHS Act

Co-operate with any reasonable policy or procedure of the PCBU relating to health and safety at the workplace that has been notified to workers

Worker Duty

Incident Notification and Site Preservation

• Work Health and Safety Act, 2011, Part 3

• A notifiable incident: – Death of a person – Serious injury or illness of a person – Dangerous incident

• Duty to notify

– Must be done “immediately after becoming aware that a notifiable incident…has occurred”

– Must use “fastest possible means”, including by telephon or in writing (e-mail or facsimile included)

– Penalty for failure to notify = $10k individual, $50k corporate

• Need Business Continuity for this to happen!!

Incident Notification and Site Preservation

• Work Health and Safety Act, 2011, Part 3

• Duty to maintain records of notifiable incidents for 5 years – Penalties = $5000 individual; $25000 corporate

• Duty to preserve incident sites

– Person with management or control of workplace where notifiable incident occurred must ensure so far as reasonably practicable that site not disturbed until an inspector arrives or any earlier time that an inspector directs

– Penalty = individual $10k; corporate $50k

• Does not prevent action to assist injured person, remove deceased person, essential to make site safe or minimise risk of further incident, associated with police investigation, or where inspector permits

• Need Business Continuity plan to ensure this!!

Emergency Response

• Work Health and Safety Regulation 2011, Division 4

• PCBU must ensure that an emergency plan is prepared for the workplace

• Must provide – Emergency procedures, effective response, evacuation procedures, notifications,

medical treatment, effective communication, testing, training and instruction – Penalties for non-compliance = $6k individual, $30k corporate

• This is Business Continuity planning – required by law

Major hazard facilities

• Work Health and Safety Regulation, 2011, Chapter 9

• Includes certain facilities, particularly involving Schedule 15 chemicals – Must be licensed

• “Major incidents” involve risks of exposure to such chemicals

• Duties of operators include hazard risk and safety assessment, control of risk

and emergency plan – Addresses health and safety consequences of major incident – Consults with local authorities, fire and rescue – Be tested – Notification requirements

• Business continuity essential for major hazard facilities

Critical Infrastructure

• Those facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for extended period, would significantly impact on the social or economic well-being of the nation or affect Australia’s ability to conduct national defence and ensure national security – Up to 90% is privately owned – National Critical Infrastructure Protection Guidelines

• Legislative requirements and trends: – Subject of legislative and policy reviews – Major Hazard Facilities regulations, NSW, Terrorism Act 2003 (Victoria) – Rail transport, maritime transport, banking, telecommunications

• Critical Infrastructure Resilience Strategy, 2010 – Trusted Information Sharing Network (TISN)

• All about Business Continuity

Case Study: Influenza Pandemic

• Workplace OHS issue – Represents workplace risk and hazard – Obligations to manage such risks on PCBU and officers – Duty of workers to cooperate

• Business Continuity issue

– Financial implications – Emergency measures – How to continue business without workers?

• See “Being Prepared for a Human Influenza Pandemic: A Business Continuity Guide for Australian Business” – Illustrates necessary inter-linkage between OHS and Business Continuity in this context

Case Study: Terrorist Attack

• June 30, 2007 – Glasgow Airport – vehicle attempted to gain access to main check-in are of the terminal building, vehicle on fire, two suspects (one on fire) arrested at scene

• Fire rescue notified and arrived within 15 min, planes grounded, terminal evacuated to local convention centre, all travellers interviewed

• Flights resumed and terminal re-opened within 24 hours

• How was this achieved? – Airport owners had plans in place for crisis management team and business recovery team – Team assembled and operational within 45 minutes of incident – Critical success factors identified in advance, short, medium, long term – Leadership from the top – Coordination and communication with airports and stakeholders – Media strategy implemented – “business as usual” message for next 4 weeks

Case Study: Terrorist Attack

• Key lessons:

– A business continuity plan was in place, personnel and resources were mobilised to respond to the incident

– Emergency response plan was triggered as soon as the incident occurred, teams were assembled and operational in very short timeframes

– Importance of first 24 hours was recognized

– Stakeholders and media were managed effectively to limit damages to business and reputation

– Culture of safety leadership was demonstrated with leadership of incident coming from the top

• Business Continuity and OHS incident management – a critical partnership

27

Discussion and Questions

?

About the Presenters

29

Our international practice

30

Disclaimer The purpose of this presentation is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of Norton Rose Australia on the points of law discussed. No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any constituent part of Norton Rose Group (whether or not such individual is described as a “partner”) accepts or assumes responsibility, or has any liability, to any person in respect of this presentation. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of, as the case may be, Norton Rose LLP or Norton Rose Australia or Norton Rose Canada LLP or Norton Rose South Africa (incorporated as Deneys Reitz Inc) or of one of their respective affiliates.