The Reckoning
Since the legislative reforms to the Occupational Safety and Health Act 1994 (“OSHA”) came into force on 1 June 2024, enforcement by the Department of Occupational Safety and Health (“DOSH”) has shifted decisively. Investigations have become more assertive, matters are escalating more quickly from inquiry to prosecution, and there is a greater willingness to pursue personal liability against directors and senior management. Taken together, these developments mark a move away from a corrective compliance model towards a deterrence-driven enforcement regime.
Against this heightened enforcement landscape, this Update forms Part One of a three-part advisory series examining OSHA risks from compliance failure through to enforcement and governance outcomes.
Part One: The 7 Deadly Sins of OSHA Compliance focuses on the systemic and governance failures that most commonly lead to incidents and regulatory exposure across all sectors.
Part Two: 7 Strategic Moves after an OSHA Incident examines how organisations should respond once an incident has occurred and DOSH investigations are underway, including incident management, information control, and legal risk containment.
Part Three: 7 Hard Truths about OSHA Prosecutions addresses the realities of enforcement action, director and senior management exposure, prosecution strategy, and how incident response intersects with corporate governance and sustainability disclosures.
OSHA Failures Rarely Begin with Bad Intentions
Across industries, most occupational safety and health prosecutions do not arise from blatant disregard for safety. They arise from complacency, misplaced assumptions, and a misunderstanding of where legal responsibility truly sits.
While most OSHA prosecutions in Malaysia arise after an occupational incident, the trigger to prosecute is not the incident itself but the conclusion that the incident resulted from preventable and systemic failures. These failures are rarely unique. They follow familiar patterns across industries, investigations, and court proceedings.
This Update sets out the seven most common “deadly sins” of OSHA compliance seen repeatedly in practice.
Sin #1: Treating OSHA as a Documentation Exercise
Many organisations equate OSHA compliance with paperwork: policies exist, Hazard Identification, Risk Assessment, and Risk Control (HIRARC) forms are prepared, safety manuals are printed and filed. The assumption is simple: documentation equals compliance.
Regulators take a very different view. They examine whether the documented system was actually implemented on the ground. For example, in manufacturing, machine guarding procedures may be formally documented, but operators bypass guards to meet production targets. In construction, method statements may exist, but supervisors allow unsafe shortcuts under time pressure.
When an incident occurs, paperwork that is not reflected in actual practice becomes evidence against the organisation, not in its favour.
Key takeaway: OSHA compliance is judged by behaviour and enforcement, not by binders and templates.
Sin #2: Delegating Safety and Walking Away
A frequent misconception is that appointing a Safety and Health Officer (“SHO”), consultant, or specialist contractor transfers responsibility from the organisation to these individuals. It does not. Under the OSHA, responsibility flows upward to those who have control, authority, and decision-making power, and this duty remains even where safety functions are delegated. Organisations must still exercise active supervision and due diligence over how safety responsibilities are discharged.
In logistics, senior managers often rely entirely on warehouse safety teams yet approve unrealistic delivery schedules that encourage unsafe loading practices. In healthcare, hospital administrators may delegate infection control to committees but underfund staffing or equipment.
When prosecutions arise, regulators ask: Who had the power to allocate resources, set timelines, and stop unsafe work? That answer rarely points to the SHO alone.
Key takeaway: Delegation without oversight is abdication, not compliance.
Sin #3: Ignoring Early Warning Signs
Near-misses, minor injuries, internal complaints, and unsafe condition reports are often treated as operational noise. “No one was hurt” becomes the justification for inaction.
Regulators see these warning signs very differently. In aviation ground handling, repeated near-misses involving equipment and aircraft are clear indicators of systemic failure. In property management, repeated tenant complaints about faulty lifts or fire systems establish prior knowledge.
When an incident finally occurs, earlier warnings are used to show that management knew or should have known of the risks, transforming a simple breach into an aggravated one.
Key takeaway: Near misses are not harmless. They are advance notice from the future.
Sin #4: Poor Contractor and Subcontractor Control
Outsourcing work does not outsource liability. Organisations frequently assume that contractors are solely responsible for their own safety systems. Regulators focus instead on who had control over the work environment.
In oil & gas, principals are prosecuted for contractor failures within controlled facilities. In construction, developers and main contractors are charged despite accidents involving subcontractors’ workers. In facility management, building owners face liability for contractor maintenance failures affecting occupants.
The more integrated the contractor is into operations, the weaker the argument that responsibility lies elsewhere.
Key takeaway: If the work is within your control, the risk is yours to manage.
Sin #5: Mishandling the Post-Incident Response
After an incident, panic and indecision often follow. Initial responses are frequently reactive rather than structured, driven by the urge to resume operations, manage reputational fallout, or provide immediate answers. In the absence of a clear incident-response framework, scenes may be disturbed, instructions are issued verbally, internal discussions take place informally, and engagement with regulators becomes delayed, fragmented, or inconsistent. What begins as well-intentioned crisis management can quickly turn into a series of uncoordinated actions that create further legal and regulatory exposure.
In manufacturing, machinery is sometimes restarted before investigations conclude. In transport and logistics, drivers are interviewed informally without proper documentation. In corporate offices, the human resources (HR) department handles incidents without understanding regulatory reporting obligations.
These missteps undermine credibility and often eliminate opportunities for mitigation, cooperation, or plea negotiations later.
Key takeaway: The first 24-48 hours after an incident often determine the legal outcome months later.
Sin #6: Underestimating Personal Liability
Many senior officers still believe OSHA penalties stop at the corporate level. This assumption is increasingly dangerous. Enforcement trends show a clear shift toward personal accountability.
In construction and infrastructure, project directors and managers are named personally. In manufacturing, plant managers face individual charges. In services and hospitality, general managers are prosecuted for systemic failures.
Courts focus on whether individuals exercised due diligence, not whether they intended harm. Reputational damage, court appearances, and criminal records are consequences few anticipate until it is too late.
Key takeaway: OSHA compliance is no longer just a corporate risk. It is a personal one.
Sin #7: Treating OSHA Only After an Accident
The costliest mistake organisations make is reactive compliance. Safety measures are strengthened only after a fatality, a serious injury, or direct regulatory intervention. By then, the risk has already materialised, harm has occurred, and the organisation is responding under scrutiny rather than exercising foresight.
Across sectors, this pattern is familiar. In construction and infrastructure, fall-prevention systems are upgraded only after a serious accident. In manufacturing, machine guarding or lock-out procedures are tightened only following amputations or fatalities. In transport and logistics, fatigue management and vehicle safety protocols receive attention only after collisions or enforcement action. What is often presented as post-incident improvement is, in regulatory terms, confirmation that the risk was always foreseeable.
Regulators view reactive compliance as evidence of governance failure, not diligence. Improvements made only after an incident rarely mitigate liability and may instead reinforce the conclusion that reasonable preventive steps were available but not taken earlier.
Key takeaway: Fixing safety after an accident is compliance at its most expensive.
Conclusion: From Legal Exposure to Organisational Resilience
Across all sectors, OSHA enforcement follows a simple logic: those who control risk must manage it. The seven deadly sins are not technical failures. They are governance failures.
Organisations that embed safety into decision-making, budgeting, scheduling, and leadership culture do more than avoid prosecution. They protect lives, preserve leadership credibility, and safeguard long-term business continuity.
OSHA compliance is not about avoiding fines. It is about ensuring that when scrutiny comes, your organisation can demonstrate foresight, diligence, and leadership.
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.
Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.