top of page

The due diligence dilemma

You cannot read health and safety commentary on social media, or go to a health and safety conference, without the topic of due diligence coming up. Unfortunately, much of this discussion is anchored in the due diligence provisions of WHS legislation.

There is no doubt that limiting the context of due diligence to WHS legislation is naïve and fundamentally misguided. Due diligence – even if not specifically named – has always underpinned health and safety. The basic tenants of due diligence permeate every major accident inquiry and go to the heart of management obligations.

I mean, I think it is pretty amazing that this is the decision that had enormous consequences and you can't even tell the committee who made the decision on behalf of your company.

And the reason I am asking you these questions is because your industry is different than many. You are not the CEO of a department store chain where it is fine to leave decisions about running the store to branch managers. You know, if a department store middle manager makes a mistake, there are no life‐or‐death consequences.

What you do is different. You are drilling far below sea level into a region that is more like outer space than anything else. The consequences of that drilling are huge. If a mistake or misjudgment is made, workers on the rig can get killed and an environmental catastrophe can be unleashed.

The best minds in the senior leadership of a company should be paying close attention to those risks. But it didn't happen here. And now we are all paying the consequences because those of you at the top don't seem to have a clue about what was going on on this rig. (My emphasis added)

This is, at its heart, a commentary on due diligence. A commentary on the level of oversight given to critical risk.

So, what do we mean when we talk about due diligence? And what are the challenges confronting us in trying to map the concepts of due diligence onto our safety management?

I think we can say from the outset that "due" diligence is finite – it is not all knowing. It is not "absolute" diligence. Individuals and organisations are not expected to be omnipresent nor omniscient.

Due diligence is limited in the same way that "due" care and attention, or "due" regard are limited.

Of course, that opens the immediate concern of how much is enough? What level of "diligence" constitutes "due". While this article does not lend itself to a detailed examination of this question, I think in the context of health and safety the level of diligence needs to be aligned to the level of risk: the greater the risk, the more diligent management is expected to be.

Without going into too much detail here, one of the problems we see in executive oversight of health and safety management is the lack of focus on critical risk. Due diligence, to the extent which it exists, tends to gravitate towards things which are easy to understand – injury rates, personal protective equipment, housekeeping and so on.

Due diligence, and by implication senior management, are less likely to confront the far more important, but equally more difficult, health and safety issues around things like training, supervision, management of change, risk assessment and so on. I cannot point you to a major accident investigation anywhere on earth where senior managers have been challenged around the minor, markers of health and safety performance (lost time injury rates and so on). I can direct you to any number of inquiries where the critical risk issues (training, supervision, understanding of critical health and safety risks, management of change and so on) have been thoroughly canvassed.

While there is certainly a structural/strategic element to due diligence, I think at a practical level there are three core elements addressed:


  • Aligning

  • Evidencing.

Being diligent: What sort of conduct constitutes diligence?

What does it actually mean to "be" diligence?

Certainly, diligence requires a level of pro-activity. It is abundantly clear that due diligence requires more than simply assuming everything is okay unless you are told otherwise. It requires more than simply being reactive to health and safety concerns.

In the Pike River Royal Commission, the Royal Commission noted:

The board did not verify that effective systems were in place and that risk management was effective. Nor did it properly hold management to account, but instead assumed that managers would draw the board’s attention to any major operational problems. The board did not provide effective health and safety leadership and protect the workforce from harm. It was distracted by the financial and production pressures that confronted the company (volume 1 page 18) (my emphasis added).

Similarly, more than 20 years earlier the Commission of Inquiry into the Piper Alpha disaster noted, when commenting on failures in the Permit to Work system:

The managers who had responsibility for the correct operation of the ATW system were all where that the safety personnel undertake were expected to monitor the daily operation of the system. All of them assumed that because they received no reports of failings the system is working properly. However none of them check the quality of that monitoring nor did they carry out more than the most cursory examination of permits when they had occasion to visit Piper [paragraph 14.28] (my emphasis added).

Clearly, due diligence means managers are not entitled to assume critical safety processes are working effectively.

Due diligence also requires independence. It is not enough to simply and uncritically accept health and safety information. It requires challenge and confirmation.

In R v Bata Industries Ltd, a Canadian decision which considered due diligence in the context of environmental legislation, the Court, speaking about the role of one manager, noted:

He attended on site in Batawa once or twice a year to review the operation and performance goals of the facility. He was a walkaround director while on the site. The evidence … establishes that the plant managers could not orchestrate a site visit for [him].

“You never knew where [he] was going to go, believe me. He had a habit of trying to out guess where you wanted him to go.” [Paragraph 154 – 155]

While emphasis is often placed on management interactions in the workplace as an important component of due diligence, in my view they are overrated. While these visits might communicate management commitment and make some contribution towards “culture”, seldom will they give any meaningful insight into the management of critical health and safety risks in the business.

Due diligence requires management to understand and identify the critical health and safety risks in the business, and then collectively as a management group and individually test those health and safety risks. While this can include personal management interactions, where managers have enough expertise to understand the issues they are addressing, more often than not useful due diligence will include:

  • Concerted efforts to be informed about the critical health and safety risks in the business.

  • Ensuring health and safety reports address the critical health and safety risks, not just window-dressing items like injury rates and the number of corrective actions closed out or the percentage of training completed.

  • Commissioning third-party experts to test the efficacy of safety management through targeted audits, inspections and investigations directed to critical risk – not high level system audits.

  • Critical challenge of health and safety information during management meetings.

Aligning diligence: What do I need to be diligent about?

Due diligence is not an exercise in happenstance. It is not just “doing the right thing”.

In a general sense (and certainly in a legal sense) people are not “randomly” diligent. They are diligent about “something”. It is perfectly possible, and not uncommon, for activities done in the name due diligence to fail as an exercise in due diligence, because the activities are not aligned with either:

  • The safety management system; or

  • The critical risks in the business.

In other words, due diligence can involve doing a lot of activity but not gaining any insight into the efficacy of safety management or critical risks.

If we accept the reality of finite resources – both individual and organisational – you cannot be diligent about everything. You cannot be diligent about every safety risk in your business. So, what do you need to pay attention to - what “things” - and what do you need to know to understand if the “things” are being managed to an acceptable level?

You cannot practice Random Acts of Diligence. You need to be diligent about something.

One way of thinking about what you should be diligent about is to consider the sorts of issues managers get asked following workplace accidents. It is also worth noting that difficult management conversations about safety (at least with third parties and regulators) usually start with fatalities. The more public and serious the event, the higher up the management chain the conversations go.

What we can say with some confidence that it is very unlikely senior managers will be asked questions about:

  • Lost time injury rates

  • Personal protective equipment

  • Housekeeping

It is likely they will be asked questions about:

  • The quality of risk assessment in the organisation

  • How effectively training and competence is managed in the organisation

  • The quality of supervision in the organisation

  • How well senior management understand the critical health and safety risks in the business

To quote again from the Pike River Royal Commission:

The statistical information provided to the board on health and safety comprised mainly personal injury rates and time lost through accidents. Mr Dow was comfortable with the information provided to the board. The information gave the board some insight but was not much help in assessing the risks of a catastrophic event faced by high-hazard industries. Pike had not developed more comprehensive measures which would have enabled the board and executive managers to measure what was being done to prevent catastrophes, such as the analysis of high-potential incidents (near misses which could have caused serious harm) and the steps taken to prevent their recurrence. The board appears to have received no information proving the effectiveness of crucial systems such as gas monitoring and ventilation. (Volume 2, page 53) (my emphasis added).

The lesson? Be diligent about the things that matter. Be diligent about crucial systems. Understand them. Know how they are meant to be managed.

Evidencing diligence: how do you show you are diligent?

If I am being diligent and I have aligned my activities to what matters, does it really make any difference if I can prove it?

In many ways, evidencing due diligence is probably the least important contribution to a safer workplace – until it isn’t. When you need to answer difficult questions about your understanding of the health and safety risks in the business, and your level of oversight of them, evidencing your activity in the name of health and safety suddenly becomes very important.

Having said that, it is extremely unlikely in Australia that a manager, especially a senior manager, or a manager of a large organisation who does not have hands on, day-to-day involvement in the work of the business, will ever be asked to explain themselves in the context of due diligence (see for example Neil Foster, Personal liability of company offices for corporate occupational health and safety breaches).

The current fascination in the health and safety industry in terms of evidence, is documentary evidence. It is a fascination which, in many cases, has led to horrendously bureaucratic and dehumanising processes for capturing data about health and safety activities. While this documentation does constitute evidence, in many cases it is evidence for the prosecution. More often than not, documentation collected in the name of protecting an organisation’s legal position creates their biggest legal liability.

Notwithstanding, documentary evidence is only one part of the puzzle. Generally speaking, there are three core areas of evidence we need to explore when considering health and safety in a legal context, including due diligence. The evidence we need to explore is:

Your own evidence – what do you have to say about what you did for safety?

This is self-explanatory, and sounds reasonably straightforward, but is surprisingly hard in practice.

If you want to test this element of evidence, and what you might be able to say in your own defence, just consider the last serious incident investigation your organisation and write down everything you can recall in the 12 months prior to that event which:

  • You did in the name of health and safety; and

  • Informed you about how well-managed the health and safety risks leading to that event were.

My expectation (and personal experience) is this would be an extremely difficult task.

Other people’s evidence – what do they have to say about you?

We saw in the Bata decision above how important another person’s evidence was. In the case it was the evidence of other people explaining how a particular manager behaved himself on a site visit which was crucial in establishing the managers independence.

What would other people say about you?

Again, this is not difficult to test – although you might find it somewhat uncomfortable.

The next time you have an incident investigation, simply include a term of reference which requires the investigation team to find out what people have to say about your commitment to safety. Alternatively, you could commission on anonymous, independent survey on the subject.

As uncomfortable as these processes might be, it is far more comfortable to understand these issues in the controlled context of your own process, rather than the uncontrolled environment of the witness box following a multiple fatality event.

What you can show – what documents do you have in support of your oversight of safety?

As I touched on previously, documentation cuts both ways. It is as much a sword for the prosecution as it is a shield for the organisation.

Consider for a moment incident investigation. It is often perceived by managers that participation in, and signing off on or approving, incident investigations is a good way to demonstrate due diligence.

While this may be true in theory, it is only as good as the investigations. Your signature on poorly constructed or confusing documentation is often evidence of a lack of due diligence.

Below is a link to cross examination from the Pike River Royal Commission considering a manager’s participation in the incident investigation process. I would urge you to read it carefully and consider the documentation in your organisation with your name or signature on it.

Final thoughts?

Each of the elements I have discussed in this article could be the subject of a further article in it’s own right.

What I would leave you with, is hopefully a recognition that due diligence is not a simple matter of going through the motions. Doing a monthly management site visit or attending a monthly health and safety committee meeting is not due diligence.

Due diligence requires conscientious, independent attendance to the critical health and safety risks in the business and a rigorous challenge to understanding whether those critical health and safety risks are being managed to an acceptable level. Due diligence requires managers to bring independent thought to the question of health and safety management and to have positive assurance, based on reasonable and credible information, that health and safety management is operating effectively.


Dr Robert Long and I will be running a due diligence workshop in Sydney on 28 and 29 November 2018. You can find more information about the program at the links below, as well as a video presentation of a discussion between Dr Long and myself on due diligence:

568 views0 comments


bottom of page