The continuing impact of Sarbanes-Oxley on EHS compliance programs

The Sarbanes-Oxley Act of 2002 was born out of a need to ensure corporate accountability to shareholders and to prevent corporate and accounting fraud.

Back to overview

The Sarbanes-Oxley Act of 2002 was born out of a need to ensure corporate accountability to shareholders and to prevent corporate and accounting fraud. It was drafted in the wake of scandals such the collapse of Enron.

However, the Act covers any “material” aspects that can have an impact on a company’s financial liabilities, thereby going beyond mere financial compliance and looking at wider corporate liabilities.

Section 805(a)(2)(5) of the Act and the related U.S. 2010 Federal Sentencing Guidelines are explicit on the issue of compliance infractions, and specifically including those around environmental, health and safety (EHS) issues. Regulators can target any person in the chain of command from the CEO to the EHS manager for non-compliance and a number of Enhesa clients cite Sarbanes-Oxley as one of the core reasons behind their global EHS compliance program (and the use of Enhesa services).

In the 17 years since the Act was adopted, there has been a steady increase in the focus on the ethical, corporate governance, risk and social responsibility performance of companies; the Act’s impact is now as important as ever.

The need for an EHS Compliance Program

In order to comply with the Act, the high-level personnel of a company must ensure that the company has an effective compliance program.

EHS Compliance Program standards

A company must exercise due diligence to prevent and detect criminal conduct—and promote a corporate culture that encourages commitment to regulatory compliance. Such compliance programs should be reasonably designed, implemented and enforced so that the program effectively prevents and detects criminal conduct.

  • The Board of Directors must exercise reasonable oversight with respect to the implementation and effectiveness of the compliance program.
  • The company’s senior management must ensure that the company has an effective compliance program.
  • Specific individuals within the company must be delegated day-to-day operational responsibility for the compliance program.
  • Individuals with operational responsibility must periodically report on the compliance program’s effectiveness to high-level personnel and, as appropriate, to the governing authority. To carry out such operational responsibility, such individuals must be given adequate resources, appropriate authority and direct access to the governing authority.

Even the best compliance programs cannot prevent the fact that sometimes things go wrong—but they can substantially reduce the risk and effects of mishaps and give you some defense when facing enforcement penalties and legal actions.

An EHS Compliance Program must be a living program

An EHS Compliance Program is not a paper manual hidden away in a drawer; it should be an ongoing program that delivers a constant view of compliance performance and improvement.

Putting in place an effective compliance program inevitably includes going through the basic elements of every management system: Plan – Do – Check – Act. Plan your compliance program or its improvement, roll it out and then check how things work in practice. It may seem like common sense, but many companies still work on the blind assumption that local staff know and understand the applicable regulations. Some companies assume that following corporate standards based on the U.S. Code of Federal Regulations will be sufficient to avoid trouble. However, knowing what the local regulations require is essential for both the local manager and the corporate auditor.

The aforementioned Sentencing Guidelines are also very explicit on the issue. They require any company to take reasonable steps to:

  • Ensure that the company’s compliance program is followed, including monitoring and auditing to detect criminal conduct.
  • Periodically evaluate the effectiveness of the company’s compliance program.
  • Have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality. The system should allow the company’s employees and agents to report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

A company’s compliance program should be promoted and enforced consistently throughout the organization. Everyone has a role. There should be incentives to perform in accordance with the compliance program as well as disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.

Subscribe to stay on top of emerging EHS issues with our latest resources

Sign up to receive updates on what’s happening in environmental, health and safety regulations – and what to do about it, including: today’s risks and safeguarding against them, changing regulatory developments and your requirements, trends to get ahead of in your program…