Even the best of compliance management systems are not perfect, and non-compliance with product regulatory regimes such as RoHS may still happen. What is important is how a company responds.
No compliance management system is perfect, and non-compliance with product regulations such as the EU Directive on the restriction of hazardous substances (RoHS) in electrical and electronic equipment can still happen despite the best of intentions. What is important is how a company responds. The consequences of a business’s initial response can be significant, because as well as regulatory action (which may fall under a criminal code), there is the potential for:
- business disruption
- reputational damage
- contractual claims, and
- exposure to wider civil claims.
Liability can attach to officers and directors as well as to companies. In the event of regulatory action or civil claims, decisions taken in good faith, but under significant pressure and in short timeframes, can be subject to intense scrutiny later down the line.
In this article, I will look at some of the key lessons that we have learned in acting for clients over a number of years on how best to handle the discovery of a non-compliance. I will focus on the RoHS regime, but many of the lessons can be applied to other EU product regimes.
Lesson one: be prepared
This is a lesson that many businesses learn too late. That may be because there are lots of other competing demands on time, and it is easy to persuade yourself that ‘it won’t happen to us’. However, in the event of an incident, having a plan is invaluable because it saves time at a moment when time is a precious commodity; it helps to avoid mistakes or missteps in dealing with the incident; and it helps provide the company leadership with comfort that everything is under control.
Furthermore, many regulators recommend putting in place a formal product safety incident plan (PSIP). Not having a PSIP, or any plan at all, could result in criticism after the event, even if the incident response was otherwise handled reasonably well.
Sometimes there can be concern that a plan isn’t perfect, or that it cannot capture all possible eventualities. However, the point of a plan is simply to record some degree of forward thinking: of course any plan will need to adapt to actual circumstances, but the fact that you have mapped out a process means you have somewhere to start. Simplicity is often best: an overly complex plan could be difficult to follow, and difficult to flex to the circumstances.
Some companies also road-test their plan using fictional incident scenarios, partly to build comfort that it works, but also to discover its deficiencies before it is used for real.
Lesson two: be vigilant
In the event of a non-compliance, customers and regulators may be more forgiving if the non-compliance is discovered by the company’s own diligence.
In my work I have seen non-compliance identified by all types of market actors. Examples include:
- rival companies carrying out tests and publishing results in the trade press to rubbish the competition
- NGOs making noise about non-compliant products through media channels
- customers doing their own testing and asking awkward questions
- market surveillance authorities acting on a tip-off, conducting tests
Obviously, a company doing its own testing is the best form of diligence, and a sensible, proportionate and proactive test plan (that is actually followed!) is good mitigation even if it fails to spot a non-compliance. It is also worth being clear with suppliers that their products will be tested: it helps to keep minds focused and prevents surprises if they need to be challenged on the results.
Lesson three: get your facts straight
In the event of an incident it is vitally important to establish the facts. That sounds obvious, but there can often be a number of assumptions being made under pressure, especially in circumstances where internal leadership and external stakeholders may be demanding answers. Communication should be crystal clear and distinguish between a working assumption and a fact. I have seen cases where early theories have been presented to regulators as fact and, perhaps unsurprisingly, the regulators have taken those as fact even when subsequent evidence casts doubt on the theory. In one case, the narrative stuck so firmly that the disagreement went all the way into the criminal courts, at great expense.
Often, to determine the facts, further testing will be required, or expert advice will be needed. It is important to allow time for establishing the facts, even if the situation requires preventative action in the meantime on a precautionary basis. Just be clear what the evidence is and why the action is being taken, so that the actions are not misconstrued after the event.
Lesson four: understand the risk
To answer the question 'what do we do about this non-compliant product?' we first need to answer the question 'what risk does this non-compliant product pose?' To answer this, we need a recognised, robust risk assessment. It may be a marginal exceedance of RoHS limits, with no immediate threat, but it might be more significant, and the process of assessing the risk is critical to determining the next steps. Sometimes a business will have sufficient in-house expertise to do this, and sometimes external expertise may be needed. Again, some businesses may be nervous about not getting a perfect answer, but what is most important is that the business is asking the right questions and making sensible judgement calls on the evidence before it.
Given that the risk assessment may be scrutinised at a later stage (for example, during regulatory investigations and enforcement, or civil claims) it is important to document not just the answer, but also the process that was followed, the evidence upon which it was based and the assumptions made in the absence of evidence.
It is also important to revisit the risk assessment if facts emerge that challenge the assumptions made.
Lesson five: understand the law
Understanding the legal regime is the only way to ensure compliance with it, and of course ignorance of the law is no defence. Questions should include:
- Do you need to report and when? The RoHS regime has a duty to report non-compliance upon discovery, for example (and in the UK, at least, failing to report is itself a criminal offence). The precise timing then becomes a judgement call. In other regimes, there might not be a duty to report, but there may be a duty to take other action, such as corrective actions, and so it may be prudent to enter into a dialogue on corrective actions with the regulator in any event.
- To whom do you report? Knowing the regulator and any prescribed methods of communication is clearly important. It is also worth remembering that first impressions count, so the message in the first communication is also very important.
- What is the enforcement regime? Different EU member states have different enforcement approaches. In the UK, for example, the regime is criminal, although not every non-compliance is prosecuted as a criminal matter. There are implications, however, for the gathering of evidence and the role of the regulator, who will investigate under the criminal code.
- What other legal risks arise? The regulatory breach is just one aspect: there may be contractual claims, insurance claims and (in some cases) civil liabilities to address. It is important to understand the whole picture.
Lesson six: know your regulator
Local knowledge is important. For example, although I advise on EU product regimes such as RoHS, when it comes to enforcement, I have made it my job to know our UK regulators, and rely on a network of legal experts across the EU who know the regulators in their own jurisdictions. Where opportunity allows (and it is not always possible) businesses should consider building a relationship with regulators, so that there is already a degree of familiarity if an issue arises. For product regimes such as RoHS, that is not so easy, but businesses are often surprised at the warm reception regulators will give them if someone shows an interest in working with them to avoid problems arising in the first place.
Lesson seven: present solutions, not problems
In the event of non-compliance, the real question is 'what are you going to do about it?' These are the ‘corrective actions’, which can range from a full product recall all the way to simply learning lessons and taking steps to make sure it does not happen again. The nature of the corrective actions will depend a great deal on the risk assessment, but also on an assessment of the efficacy of the potential corrective actions. Under RoHS, for example, short-lifespan, low-cost electronics would be predicted to provide a low rate of return, making a recall campaign an ineffective option.
Again, it is important to document not just the final decision on corrective actions but also the decision-making process that was used to arrive at the conclusions. This serves both as evidence in case of challenge in the future and as a tool to persuade the enforcement authority that the company is in control and is doing the right thing. This not only ensures acceptance of and agreement with your corrective action plan, but also presents the business in the best light, which is worth a great deal if and when the regulator turns to the question of whether enforcement action or sanction is needed.
Lessons from real life
The seven lessons here are based on real cases. What is particularly interesting is comparing and contrasting the different outcomes.
Let’s take two examples, both concerning US-manufactured products which turned out not to be compliant with RoHS. In both cases, the businesses were reacting to outside intelligence that their products were not compliant: one was reacting to the publication of a competitor’s testing and the other was reacting to the regulator’s own testing, albeit that testing was also on the back of a competitor’s tip-off.
In the first case, the business reacted swiftly, prepared a comprehensive plan of corrective actions and presented this to the regulator, along with a carefully reasoned justification for the approach. The regulator accepted the plan wholesale, and the file was closed with no further action.
In the second, the business was on the back foot from the start, with the regulator dictating much of the corrective action plan, and the corrective actions themselves had a significant impact on the business. The business was also required to accept a ‘caution’ – a formal sanctioning process in which a business signs to accept it breached the law and which forms part of the criminal record.
In part, this demonstrates how difficult it is when you are reacting to a regulator, but it is also a lesson in preparation: the business in the latter case was simply not prepared and, as such, struggled to present itself as ‘on top of the issues’ when the issue came to light.
The views expressed in this article are those of the expert authors and are not necessarily shared by Chemical Watch.
Copyright Chemical Watch. Reprinted with the permission of Chemical Watch www.chemicalwatch.com