Regulatory offences are usually strict liability. This means there is no need for the prosecutor to prove that the offence was committed deliberately or even negligently. The occurrence of an event, be it an accident, a pollution incident or a misled consumer, is enough to establish guilt. Many of the regulations also allow individual directors, managers or others in control to be convicted as individuals if they consented, connived or were negligent in the commission of the offence by the business or public body.

The penalties can be considerable – imprisonment in the worst cases, fines (which remain a personal liability – there's no insurance for that risk), costs (prosecution and defence) and disqualification of directors. Add the reputational damage and personal and family angst endured during an investigation and prosecution, regardless of outcome, and the consequences are severe.

Directors and senior managers should consider the following practical suggestions to control both their individual risk and that faced by their organisation:

  • Understand how easily liability for an offence can arise. "Consent" requires some positive action encouraging the offence that occurs. "Connivance" is a passive "don't tell me – just get it done" type attitude. "Negligence" arises from a failure to discharge a duty of care which leads to the offence complained of. Clearly, busy directors and managers are most at risk of being accused of connivance or negligence.
  • Take responsibility. Each individual board member, manager or those in control of the organisation should be encouraged to accept responsibility for all areas of risk. Manage it with a single voice. Make it clear to all that the organisation is serious about achieving regulatory compliance. Decisions taken and internal publications produced should reflect this. Set improvement targets and measure whether they are achieved. Follow up defaults.
  • Lead by example. Directors and managers should themselves follow the systems and procedures in place to manage risk. If those on the shop floor have to wear protective equipment, then those visiting should also wear it and should not ignore breaches. Do not, for example, as the finance director, behave as if health and safety or quality control procedures don't apply to you.
  • Involve the workforce. The best placed people to tell you whether an activity is dangerous, equipment is defective or safety clothing is ineffective are those who do it, use it or wear it every day. Cultivate a working environment where employees' concerns can be raised without fear of comeback, are seen to be considered and lead, where appropriate, to change. Encourage an atmosphere where people are comfortable taking responsibility because they are supported. This will help avoid the development of a blame culture where everyone distances themselves from an event and points fingers because they feel vulnerable and believe that the business does not take compliance seriously.
  • Review risk assessments. This should be done on a rolling, diarised basis and also whenever there is a material change to work systems or processes. Consider the risk management implications of decisions the organisation makes. If a new piece of equipment is purchased, think about all the consequences – maintenance, servicing, training, operation and repair. Document both the discussion and the outcome.
  • Allocate adequate resource to manage the risks. Obtain competent specialist advice whether internally or externally, invest in training and keep a close eye on suppliers and contractors. They need to behave to your standards so let them know what they are and what is expected of them. Don't forget to refresh training too, or test to check continued awareness of key messages.
  • Monitor performance. Gather data, analyse near miss reports, sickness records, customer complaints and audit reports. Ask questions of each other and within the organisation and challenge those responsible for delivery. Again, record decisions and the outcome of discussions.
  • Review your performance regularly. From time to time stand back and look afresh at risk and your record of managing it. How could you do better? If needs be, and the nature of your business merits it, consider instructing an independent organisation to do this for you: an outsider's objective view will usually consider matters from a different perspective and give reassurance if nothing material emerges from such an examination.

Effective regulatory risk management is closely allied to behavioural management. If you can create a risk-conscious culture and a risk management culture, then there will be clear long-term benefits in terms of efficiency and productivity, and the chances of an event occurring will be drastically reduced. If the chances of the organisation committing an offence are reduced, then the chances of a director or manager being convicted will likewise be reduced.