Legal compliance audits delay some health and safety files, and block some contractors from vendor management systems. Is the scope of Sheq expanding?
The domain of compliance audits raises the question of the scope of authority of Sheq practitioners to evaluate the validity of legal compliance audit results, writes Rudy Maritz.
Legal compliance audits became a business tool in South Africa after the release of the first King Report on Corporate Governance, twelve years ago. It was designed for organisations listed on the Johannesburg Stock Exchange.
At that stage, many listed corporations, banks, and state-owned enterprises consulted legal practitioners to get their governance assessments done, and to have plans developed to align with the King Code recommendations and JSE listing rules.
Over the years, the legal and financial fraternity have progressed on compliance issues, to triple bottom line reporting, to measure how stakeholder relationships are managed.
The use of legal compliance audits eventually spilled over into supply chain management, and is now often applied to new entrants to the supplier database.
Sheq departments typically integrate their wide range of issues into general management, and have taken an ever more active role in supply chain management, including safety, health, environment, quality, governance, and anti-corruption issues. Meanwhile, accountants started integrating many Sheq issues into the financial management system.
What is the scope of legal compliance?
Both sides of the risk coin, operational risk, and pure or financial risk, consult lawyers. Some employers appoint compliance officers, whose work includes all items on the legal register, and in all audits.
However, Sheq officers now habitually evaluate a wide range of legal issues, which is a daunting task, and sometimes outside the scope of their authority.
At the risk of commercial suicide, a company that is blocked from a client or a principal’s supply chain, based on the opinion of a Sheq practitioner about its legal compliance, has the right to lodge a complaint with the Competition Commission against this practice.
Legal audits are a legal function
Conducting and evaluating a legal compliance audit requires specialised legal knowledge. It is therefore the role and function of a legal practitioner, such as an attorney.
But there are also some pitfalls where the scope of the audit is not properly defined.
I recently discussed with a colleague the impact of the Consumer Protection Act (CPA) on a contractor. I asked about the role of the CPA in protecting a contractor’s employees. There is no relevance, yet the scope of the audit was to include the Consumer Protection Act! This is outside the role and function of Sheq compliance.
Sadly, the contractor in question had already spent resources on a compliance audit, only to have it rejected by the principal.
This kind of creeping responsibility should not expand the already wide field of Sheq practice.
People without a law degree are not competent to conduct or evaluate legal compliance audits.
Which legal compliance elements are in the Sheq scope of services?
From a criminal law perspective, some Acts and Regulations require a principal to ensure contractor compliance. The most common reference is in the Construction Regulations, which insist on a valid Letter of good standing from a compensation insurer.
And a client or principal must be “reasonably satisfied” (not 100% certain) that the contractor has the resources and experience to perform the work safely.
In essence, there are no valid grounds for a Sheq practitioner to insist on a legal compliance audit for approving a contractor or supplier in terms of occupational health and safety, or environmental compliance.
Who performs a legal compliance audit?
The point of departure for any compliance audit is to identify the standard against which compliance is required. If we are conducting a “Legal” compliance audit, the “standard” would thus be all relevant statutes in South Africa. Likewise, if we do a quality compliance audit, the standard will be ISO 9001.
A legal compliance audit is intensive and requires special skills, including access to case law. The duty of identifying the relevant statutes lies with the principal or client who requires the compliance, based on a comprehensive legal register, compiled by an attorney or legal practitioner.
The legal register should at least contain:
- A list of Acts, National, Provincial and Local Ordinances and by-laws applicable to the business of the client or principal
- A summary of which sections/clauses are relevant, and the extent of relevance to the organisation
- A list of stakeholders affected by the relevant statutes
- A summary of the means of access to the relevant statutes, such as an online law library.
The most common items in a corporate legal register are:
- Company laws; Companies Act, Income Tax Act, VAT Act
- Labour and Equality laws; OHS Act, BCE Act, LR Act, BBBEE Act
- CMT laws; Prevention of Organised Crime Act (POCA), Prevention and Combating of Corrupt Activities Act
- Protection laws; Protected Disclosures Act, Protection of Personal Information Act (POPI Act).
In addition to these general statutes, companies may also be required to comply with a range of specific statutes: National Health Act, National Road Traffic Act, Hazardous Substances Act, Explosives Act and Regulations, Telecommunications Act, etc.
A legal compliance audit requires detailed knowledge of the Statutes of South Africa. Very few statutes fall within the scope of competence and education of the average Sheq practitioner.
Legal risk assessments
From the legal register of the client, the supply chain should be evaluated in terms of the risks it poses to the business.
Where, for example, the client provides telecommunication devices and infrastructure to the public, there is a relationship between the client and the consumer.
Where the client also employs contractors to perform construction work, such as the installation of base stations and fibre optic networks, there is a relationship between the client and the contractor. But there is no relationship between the consumer and the contractor, and the Consumer Protection Act becomes irrelevant.
There must be a legal relationship or nexus between two parties before non-compliance by one party becomes a risk to the other. This relationship can exist either by statute or contract, or both.
For example, if the contractor fails to comply with the Income Tax Act, would the consumer be affected, and the relationship with the client tarnished? No.
But if the contractor fails to comply with the Construction Regulations, the client may be liable for any damage or injury to the public.
It is therefore important to define the scope of the legal compliance audit and maintain relevance and applicability to the parties concerned.
In the absence of a properly defined scope, employers may create unfair barriers to entry to business.
Unlike the common HIRA conducted by Sheq practitioners, a legal compliance risk assessment is a different kettle of fish. It is not within the scope of competence of the average Sheq practitioner.
In a recent article by the Institute of Risk Management of South Africa (IRMSA), companies are warned that “customers view the organisation as the provider of a solution, and they do not differentiate the organisation from its suppliers.
“If a problem occurs, they hold the organisation responsible and it is the organisation’s reputation that may suffer. Given this, organisations today need to broaden their risk focus to also include oversight of their suppliers’ health, safety and environmental practices, compliance with labour laws, use of intellectual property, practices around the sourcing of raw materials, corruption, and more.”
The Institute further advises employers to “determine how and where suppliers and their activities could potentially expose the organisation, by developing a comprehensive view of the entire vendor risk universe, including where and how those risks are concentrated in terms of suppliers, products, commodities, geographies, and other factors.
“In areas of extreme concentration, organisations need to consider steps to diversify their supplier relationships.”
Clearly the context of legal risks exceeds the ambit of Sheq practice, and is not limited to incidents, injuries, and environmental degradation, pollution, or quality service. To this extent, the Institute asked a number of pertinent questions relevant to supplier risk assessment:
- Do you have a clear view of the key risks embedded in your supply chain?
- Do you have a common standard of assessing the maturity and capability of vendors and suppliers in managing risk on your behalf?
- Do you monitor and track vendor risk exposures and responses as part of vendor management and performance?
- How prepared is your organisation to deal with risks that materialise, including the potential reputational risk and stakeholder management to resolve?
Risk assessment standard
ISO 31000 sets the international standard for risk assessments and the process to be followed. One of the key elements in a legal risk assessment is the issue of timing, which means duration of exposure to a particular risk.
For example, a person committed a murder 20 years ago. The person can still be held liable despite the lapse of time. When it comes to suppliers, these “after-effects” of non-compliance must be carefully analysed as the statute of limitation of 20 years does not apply to all offences. We have seen this in the recent silicosis case in the Northern Cape as well.
Besides normal Sheq risks, there is also the risk of civil claims, reputation risk, financial risk in respect of share price, such as seen in the recent VW product recall.
Commonly speaking, legal risk to a business lies in the vicarious liability established in statutes, such as Section 332 of the Criminal Procedure Act, Section 37 of the OHS Act, Section 36 of the COID Act, Section 33 of the Drugs Control Act, to mention only a few.
When it comes to product liability, Johann Basson wrote in a peer reviewed paper in the South African Journal of Industrial Engineering: “Legal liability may arise from, among others, a breach of contract or from delict. A delict is an unlawful act or omission, causing damage (patrimonial damage) or harm to the aggrieved person. Such act can be intentional or may arise through negligence. The law of delict is part of our common law, which is customary law as further developed by our higher courts and followed by the lower courts (the doctrine of precedence).
In terms of our law of delict, a person can only be found products liable if the following five requirements are all met:
1. There must have been a voluntary, although not a willed, act or omission to act.
Such act must have been, at the time of the act, susceptible to will control. Such act can be intentional or may arise through negligence;
2. The act or omission must have been unlawful. The unlawfulness is to be found in the infringement of the plaintiff’s subjective right(s) as measured against the common law doctrine of “duty of care”, that is, the sense of justice of the community. For the purpose of this article, let us ignore the grounds for justification;
3. The defendant must be blameworthy for the damage or harm. He must be at fault.
Fault means that the defendant acted intentionally or negligently. As in the case of unlawfulness, negligence is measured against the doctrine of duty of care. The doctrine applies the test question: ‘Could a reasonable prudent man under the particular circumstances have reasonably foreseen the likelihood that his act could cause damage and / or injury, and could he have taken reasonable precautions to prevent it?’ It is not a requirement that the extent or precise nature of the actual damage / harm or the exact manner in which the damage / harm had occurred should have been foreseen by the defendant. The exception to the fault principle is faultless liability called ‘strict liability’ or ‘risk liability’. Risk liability is based on the wrongful causation of damage / harm through a juridical relevant risky activity, the activity as measured against the doctrine of duty of care;
4. There must be a causal link between the act, the impairment on the subjective rights and the damages and / or harm. Whether such a causal link exists is a factual question to be answered from the evidence and to be proved on a balance of probabilities; and
5. Patrimonial damages and / or harm on the side of the plaintiff.”
Compliance advice to employers
Before embarking on the development of a vendor risk management program, seek the advice of a legal practitioner to compile a legal register and legal risk assessment. It would save a lot of time and money in doing it properly from the outset.
Define the scope of the “compliance audit” and ensure the purpose thereof is to satisfy the risk assessment and not some unsubstantiated wish-list drafted out of fear of liability.
Ensure that all suppliers are advised in advance that a legal compliance audit is a requirement of the business’ standard conditions of commerce or trade.
Too often suppliers are audited ex post facto and then subjected to costs not allowed for in their proposal or tenders.
Make a detailed assessment of the competence required to validate the level of compliance of a particular supplier and provide a “transitional” arrangement to get them to the desired level where the risk is low enough.
Ensure that a dynamic approach is taken and continual audits performed on the supply chain at predefined intervals.
Sheq Practitioners should follow one simple rule: stay within the ambit of your competence, and leave the legal stuff for the lawyers.
The function of Sheq in compliance is specific, and part of the overall compliance management of a supply chain. The focus of the Sheq practitioner must remain on matters relating to Safety, Occupational Health, Environment and Quality (Product Liability).
This in itself poses huge challenges as environmental compliance alone has more statutes and regulations that need to be assessed than any of the other Sheq laws.
Occupational Health compliance should also not be left in the hands of a practitioner without proper medical training and experience.
Part of the problem which results in the ‘scope creep’ of the Sheq practitioner is the perception that Sheq practice is a function of Sheq practitioners, while they are only advisors and administrators to the management line, and they should also take advice from other specialists.
There is nothing wrong with admitting when a function falls outside the scope of Sheq.
Sheq scope creep is supported by some OHS professional bodies, who recently introduced discounted subscription to an online law library of 850 Acts. This may encourage Sheq people to act in a legal advisory capacity, which their training and appointments do not cover.
Sheq practitioners are limited in their scope to assess the compliance of a supplier to its own management systems and approved H&S plans or ISO standards such as ISO 45000.
They are not supposed to assess the level of compliance with the law. That remains the function of the legal fraternity.
The OHS Act and its Regulations alone, and the criminal process, are work enough. Acting outside the scope of Sheq authority exposes practitioners to some risks outside Sheq risks.
- Rudy Maritz is the MD of the Cygma Group, incorporating Cygma SHEQ, a consulting company that employs associate legal specialists in construction law, engineering law, environmental law, and OHS compliance.