Faced with a corporate attorney who obsessively invokes “attorney-client privilege” on all EHS audits, a colleague recently asked my opinion regarding this “privilege” being used as a “practice.” In the spirit of full disclosure, I am not an attorney; however, I have worked with both EHS and non-EHS attorneys throughout my career.

For the most part, corporate attorneys or outside counsel invoke “attorney-client privilege” when an EHS audit is being conducted for a specific purpose of providing legal advice. Examples may include circumstances when a fatality(s) or significant injury(s) has occurred, where it is highly likely that litigation is imminent, responding to notices of violation or consent decrees from regulatory agencies, or when preparing or responding to a lawsuit brought against the company or a plant site for whatever reason.

The ideal EHS auditing structure

There is general agreement among colleagues I spoke with for this article that the most ideal EHS auditing programs are structured as a separate, stand-alone and independent group with direct reporting responsibility to the CEO or the board of directors’ audit committee. Typically, these auditing groups are staffed with EHS professionals who are certified auditors through such groups as the Board of Environmental, Health and Safety Auditor Certifications (BEAC). A lead auditor normally heads the group and is the person responsible for reporting to the CEO or board on a routine (e.g., quarterly) basis. Rarely, if ever, is the “attorney-client privilege” applied to EHS audits.

U.S. audit EHS policy

In 2000, the EPA1 and OSHA2 addressed the issue of encouraging regulated entities to voluntarily self-police (EPA’s term) and self-audit (OSHA’s term) in policy form. Both audit policies provide varying degrees of leniency in civil and criminal penalties toward regulated entities if the entity has discovered, disclosed, and corrected a violation of federal EHS laws. 

EHS auditing practice

As a rule-of-thumb, attorneys with whom I have worked who are skilled in EHS laws and regulations do not apply the “attorney-client privilege” for work EHS pros consider being a routine business practice (i.e., conducting EHS audits). When I worked at DuPont, EHS audits were administered, controlled, and overseen by line operations groups (i.e., at the business level). There was no corporate EHS audit group in DuPont. For those EHS audits that addressed significant or sensitive issues, a safety and health attorney or environmental attorney was on the audit team; however, the attorney did not lead the audit. The use of “attorney-client privilege” was limited to the types of circumstances mentioned earlier.

Pros and cons

The pros and cons of where and how an EHS auditing activity is administered, controlled, and overseen are given here from the perspective of various venues in an organization.

Corporate EHS auditing function: Pros: Auditors will likely be EHS professionals. They may have better access to EHS resources when it comes to corrective action. Their EHS regulatory knowledge is high, they are independent, and their role is often viewed as a career path position for advancement. Cons: Operating units being audited expect help with addressing findings versus finding fault. Auditors are potentially less knowledgeable of the unit’s operations.

Legal department: Pros: Independence is achievable and it is easier to protect reports from discovery; especially, if the “attorney-client privilege” is applied to EHS audits. Attorneys gain greater insight into the business’ EHS operations. Cons: Typically, hired third-party consultants conduct EHS audits. The auditors have a narrow focus and shy away from giving advice or recommendations. It is not unusual for the auditors to become “conference room jockeys” during an audit, spending little time in the field. Most third-party auditors do not have any operations experience and have difficulty relating to the EHS issues from an operations perspective. They are very “rules and regulations” focused with a compliance-centric and box-checking mindset. Often they miss the “big picture.” They rarely, if ever, document risk issues.

Business group auditing function: Pros: Independence is achievable, as long as auditors come from different locations. They usually have a deep knowledge of applicable EHS auditing protocols and high credibility. Auditors will likely be EHS professionals from the business and are knowledgeable of operations with a high level of EHS knowledge. Cons: It is difficult to protect audit work products from discovery. Generally, the functional leaders have a limited amount of EHS knowledge and can impose pressure on how auditors report their findings. 

Closing remarks

Using Richard MacLean’s3 transitional phases of EHS auditing from compliance-based, to risk-based, to systems-based, to enterprise-based, attorneys exhibit varying degrees of tolerance for each. Attorneys will strongly gravitate toward compliance-based EHS auditing, which is in their comfort zone. Lawyers shy away from risk-based auditing programs because there are too many “maybes.” Few lawyers understand what a true EHS management systems audit entails or even what a good EHS management system looks and acts like. Rarely is a lawyer familiar with an enterprise-based audit involving long-term business threats and opportunities.

Certainly, the “attorney-client privilege” veil affords a company a level of protection with respect to audit work papers and final reports, but I have seen where this veil can easily be pierced making all audit documents available for public scrutiny. Bottom-line, the “attorney-client privilege” is good, but it is not impenetrable.

Using the “attorney-client privilege” as a routine business practice can lead to attorneys being very heavy-handed when it comes to editing audit documents and, in some cases, intimidating EHS auditors into agreeing with their point of view for the sake of the corporation or client. When faced with attorneys who insist on using the “attorney-client privilege” for EHS audits, my advice to you is to insist on having the attorney explain his or her reasoning. By the way, “because I say so” is not a reason.

With the few exceptions noted above, the general practice of covering all EHS audits under “attorney-client privilege” can lead to a great deal of problems for senior management, especially, if they find themselves in front of a judge and jury.

1 U.S. EPA. April 11, 2000. Incentives for Self- Policing: Discovery, Disclosure, Correction and Prevention of Violations. Federal Register. 65.70: 19681- 19627.
2 U.S. OSHA. July 28, 2000. Final Policy Concerning the OSHA’s Treatment of Voluntary Employer Safety and Health Self-Audits. Federal Register. 65.70: 46498-46503.
3 MacLean, R. 2006. Auditing – Moving through four transitions. In Environmental Protection. 4/1/2006: 13-14.