AMERICAN SOCIETY OF SAFETY ENGINEERS
COUNCIL ON PRACTICES AND STANDARDS (CoPS)

TECHNICAL REPORT ADDRESSING

IDENTIFICATION OF RISKS AND OTHER ISSUES SARBANES-
OXLEY ACT OF 2002 PUBLIC LAW 107-204

NOTICE: This technical report and set of recommendations was produced by the ASSE Council on Practices and Standards (CoPS) of the American Society of Safety Engineers (ASSE). CoPS is a council of ASSE, which provides technical insight to ASSE leadership addressing the practice of the safety profession, its specific disciplines, and the standards of practice impacting our members.

The ASSE Council on Practices and Standards is structured to provide balanced and sound assessment of matters related to the effectiveness and efficiency of the standards of practice in the safety profession. The contents of this report, and its recommendations, do not represent the views of any organization other than ASSE. The mention of trade names, companies, or commercial products does not constitute any recommendation or endorsement for use.

The information and materials contained in this publication have been developed from sources believed to be reliable. However, the American Society of Safety Engineers (ASSE) accepts no legal responsibility for the correctness or completeness of this material or its application to specific factual situations. By publication of this paper, ASSE does not ensure that adherence to these recommendations will protect the safety or health of any persons, preserve property, or ensure compliance with the law

PRACTICE SPECIALTY TECHNICAL REPORT
Sarbanes-Oxley Act of 2002 (Public Law 107-204)

This technical report is not a critique of the legislation and does not offer any position about its viability. The legislation is enacted and is now a law of the United States. The only intent is to communicate to members regarding this issue and offer a basic review of what has taken place.

Introduction
On July 30, 2002, President George W. Bush signed into law legislation that changed the corporate landscape in the United States in regard to financial reporting and auditing for publicly traded companies. The Sarbanes-Oxley Act of 2002 (Public Law 107-204) was written with the intent of addressing some of the issues brought to light during the incidents with Enron and Arthur Andersen. An offshoot of this legislation is the impact that it could have on SH&E Professionals, who work at companies subject to SEC (Security and Exchange Commission) reporting requirements. The Council on Practices and Standards through its Business of Safety Committee has put together the following report as a way of assisting the membership in understanding the implications of Sarbanes-Oxley. The members departments, their organizations, and even their jobs may depend on it.1

Basic Outline of the Law
The law has far reaching effects into the financial reporting systems of American companies subject to SEC reporting requirements. In addition to establishing records retention requirements for audit papers, the law creates a new oversight board for accounting firms auditing publicly traded companies. This public law also addresses auditor independence, corporate responsibility at publicly traded companies, financial disclosures of publicly traded companies, and conflicts of interests of financial analysts. The new law also creates protections for "whistleblowers" applicable to private and public companies and imposes new criminal penalties relating to fraud, conspiracy, and interfering with investigations.2
1. Heller-Ehrman, Labor and Employment Law Bulletin, 9/2002
2. Employment Law Review, 1/2003

Potential Impact
While the expectation is that there will be a series of legal proceedings to address SH&E issues under this Act, the position has been taken by some legal scholars that the new Act will go further than financial reporting and require disclosure of a series of company operations, including safety, health, and the environment. The Act itself addresses compliance management from a high perspective and does not indicate whether SH&E performance is excluded. It is a fact that a significant SH&E incident certainly has the potential to impact a company's operations or organizational structure, which would lead to the assumption that SH&E exposures meeting a still yet to be determined criteria or standard would also need to be disclosed.

The point has been made that an organization will be required to report an operation that has a failure (safety, environmental or property) that may "significantly impact" the organization's financial soundness. For example, if there were to be a spill of some sort of chemical on company property, requiring extensive time and money to clean up, it could trigger the reporting element. However, if during the normal course of business a key production tool in a manufacturing plant was damaged beyond repair, and replacement was necessary, this may not necessarily require reporting. It may require reporting if the same scenario has a substantial impact on the total production capacity of the plant and the operations' financial underpinnings were at stake.

The Act also places a higher level of scrutiny on Chief Executive Officers and Board of Director members. Since the enactment, there have been a series of inquiries to ASSE asking for insight about the communication of significant SH&E exposures and hazards up the chain of communication to senior management. The Act itself reinforces that ignorance of a law does not excuse the violation. Companies and corporations can still be cited and face penalties to the full extent of the law. The point has also been made that under such circumstances it would be incumbent upon this organization to prove compliance as the burden of proof is on the organization.

Whistleblower Protections
Of additional importance to SH&E professionals is that Sarbanes-Oxley has language requiring companies to set up procedures for anonymous reporting of fraud allegations. This is of significance to our profession as the view has been expressed on numerous occasions that there is not yet a culture in many organizations where SH&E issues, complaints, and allegations are taken seriously. Sarbanes-Oxley does include employees being able to file lawsuits that have been fired, demoted or even threatened or harassed for reporting such allegations.

The worker can disclose his or her concerns within the company or to regulators, law-enforcement officials or Congress and doesn't have to have proof that a crime has occurred, merely a "reasonable belief" that a law or regulation? has been violated. The law also includes criminal penalties for retaliation for reporting concerns about illegal conduct to a public official. There have been a number of publications where Legal scholars have pointed out this is an important facet of the law since the creation of an atmosphere conducive to exposing financial crimes is important because workers have no legal obligation to take such information to public authorities.3 This law would provide additional protection to those whistle blowers who make public officials aware of such exposures.

In fact, OSHA has already had fifty complaints from whistleblowers about management retaliation under the Sarbanes-Oxley Act and has ruled on about a dozen of them. In one of the most recent, the U.S. Department of Labor ruled against an employee of Duke Power Company who claimed he was discharged in retaliation after tipping off regulators for claiming irregularities at the utility. The DoL/OSHA claimed that there was not sufficient evidence to take further action under the Act.4 SH&E professionals are waiting to hear more about the additional cases for enhanced guidance regarding this issue.
3. Career Journal of the Wall Street Journal, 10/2002
4. Charlotte Observer, "Feds Find no Retaliation by Duke" 3/8/03

Impact on the SH&E Profession
What does this public law mean for SH&E professionals? It means that new procedures and policies may have to be implemented by SH&E professionals in public companies in order to safeguard their employers, employees, colleagues, and themselves. From the perspective of the Council on Practices and Standards, the following is suggested:

1. Obtain a copy of this law, background materials about it, and discuss it with senior management and legal counsel so that all parties are aware of what is expected. A legal opinion written by corporate counsel would also be a prudent action to take.

2. Write and publish a policy addressing SH&E disclosure in regard to how it fits in with the Act.

3. Write, implement, and document communication structures detailing how information is passed up the communication chain to senior management.

4. Conduct through assessments to identify significant SH&E exposures and the means used to communicate them to those in a position of authority.

5. Ensure that SH&E audits are independent and that the results are reported and acted upon. Those ES&H practitioners who author/sign those audit reports and who fail to follow-up on the recommended actions may be subject to sanctions such as listed under the new law. The point has been made that they now have a duty that goes beyond just informing management.

6. Follow the ASSE Code of Conduct.

Conclusion
SH&E professionals with compliance responsibilities are going to be placed into the position of navigating uncharted waters in regard to this act. There is little doubt that a series of legal proceedings will provide more frameworks for the reporting/disclosures requirements included in the Act. However, until this additional guidance is available it is incumbent upon all safety professionals to be aware of this Act and what potentially could play a very significant role in the practice of the profession.