Health and Safety Due Diligence: What the Gibson Decision Means in Practice
Health and safety due diligence is no longer a concept New Zealand executives and directors can treat as background noise. Gibson v Maritime New Zealand [2026] NZHC 813 changed the landscape. Not because it established an impossible standard, but because it confirmed what the standard actually is - and made clear that good intentions, large safety teams and active board oversight are not enough if the information reaching decision-makers is not the right kind of information.
If you have not read the full breakdown of that case, I published a detailed analysis on LinkedIn when the appeal was dismissed. This article is about what happens after you understand the ruling. It is about what I have been seeing in real businesses since the High Court handed down that judgment, and what it means if your board is in the same position POAL's board was in.
Quick Answer
Health and safety due diligence under the Health and Safety at Work Act 2015 requires officers to take active steps to verify that their critical controls are actually working in practice - not just to ensure that a safety system exists on paper. The Gibson decision confirmed that monitoring activity levels is not the same as obtaining credible information about real operational risk. Boards and executives need reporting that shows what is actually happening, not just what the system says is happening.
What the Gibson Ruling Actually Confirmed
Anthony Gibson was not a bad CEO. The High Court went to lengths to acknowledge what he did right: a specialist safety team, external audits, board-level steering committee, mandatory leadership training, a computerised reporting system and personal workshop sessions with frontline workers. The prosecution's own expert called him "dedicated, conscientious and diligent."
He was still convicted. His appeal was dismissed. His fine of $130,000 plus $60,000 in costs was upheld.
The court's focus was on the gap between what the system said was happening and what was actually happening on the ground. POAL had a critical exclusion zone rule. That rule was being routinely breached on night shift. Safety observations were being recorded - but those observations were counting numbers, not surfacing real non-compliance. Mr Gibson was monitoring whether observations were occurring. He was not verifying whether those observations were revealing the real picture.
That gap - between work as imagined and work as done - is what this case is about.
Paragraph 162 of the judgment, drawing on WorkSafe guidance, confirmed that officers must "obtain credible information" and "follow up and challenge the information they are given where necessary." That is the standard. Not presence in the business. Not activity data. Credible information about whether critical controls are actually working.
What I Found on a Recent Site Visit
Shortly before the High Court issued its ruling, I spent a full day on site at a mid-size New Zealand manufacturing business. I am not going to identify the company, the industry or the individuals involved. None of that matters for what I want to show you.
The in-house health and safety advisor at this business had made genuine progress. Training completion had risen from 44% to above 85%. An outstanding action backlog had been reduced from 23 items to 6. Supervisors were raising safety concerns in team meetings without being prompted. Real improvement.
None of it had reached the board in a meaningful way. What the board was receiving was a standard lag-indicator dashboard. Training completed. Actions closed. Inspections done. Historical activity.
What was actually happening on the ground was something different.
The document that looked authorised but was not. A task analysis for a high-risk field operation - work conducted adjacent to a live highway - had signatures, dates and names. It looked complete. It was not authorised. It was not marked as a draft. Workers were using it as the operative procedure. The residual risk score was the highest category available. The only controls in place were behavioural. No engineering controls. No elimination. No substitution.
If you ran an activity report on that document, it would show as complete. It was not controlling anything.
Two different risk matrices on the same wall. Different scoring scales. No one had reconciled them. Any risk score produced using either was effectively meaningless, because there was no common reference point. The board had been receiving risk scores. Those scores were not measuring against a consistent standard.
A hazard register with 200 items, not reviewed in close to ten years. The majority of controls listed were administrative rather than physical. No one had ever defined what risks, if left uncontrolled, could kill someone at this site. Without that definition, there is no way to prioritise. Everything looks equally important, which means nothing is treated as urgent.
A confined space entry with no controls in place. Grain silo cleaning, occurring four or more times a year. No task analysis. No formal permit. No spotter protocol.
A management system approved but never implemented. The board had approved an enterprise-wide health and safety system nine months earlier. No go-live date had been set. No one had been assigned to drive it.
And a capable advisor who was structurally blocked. The in-house advisor had no pathway to get his own documents approved. His checklists, policies and task analyses were sitting in draft folders for weeks and months. He had been excluded from management meetings. The site manager had not actioned an executive instruction to include him. He was competent. He was committed. And he was blocked at every point where his competence needed to connect to authority.
The board was receiving reports. Those reports described activity. They did not describe any of this.
The Governance Gap That Most Boards Have Not Closed
Here is the specific failure the Gibson case identifies, and that I see repeated across New Zealand businesses of all sizes.
The board's job is not to audit the hazard register. It is to define the standard against which the hazard register is scored.
This business had never formally decided what an acceptable level of residual risk looked like for their operations. They had risk scores. They had matrices. They had reports. But they had never asked: at what point would we stop an operation because the residual risk is too high?
That question - the risk tolerance definition - is the single most powerful governance lever available to a board. Without it, every risk score in the business is measuring against an undefined standard. The number is real. The benchmark is not.
The Gibson judgment confirmed this is not just a management problem. It is an officer-level accountability question. If the board has not defined the threshold, and the reporting is not designed to surface whether that threshold is being breached, then the due diligence obligation under HSWA is not being met.
Advanced Safety's Officer Due Diligence Check is a practical starting point for boards and executive teams who want to understand where their current obligations sit and what gaps need to be addressed.
The Pattern That Did Not Make It Into the Report
This business had been audited in September 2024. That audit identified 46 high-risk and 69 medium-risk findings. A board presentation on officer duties followed in October 2024. A 90-day governance plan was agreed. February 2025 was the deadline for all governance action items.
Every February 2025 deadline was missed. There was no consequence.
In March 2025 - one month after those missed deadlines - a lost-time injury occurred at the site. The specific risk that caused it had been identified in the September 2024 audit.
The board received a report on that incident. It described what happened. It did not surface the pattern: that the exact risk had been flagged six months earlier, that the deadline for addressing it had been missed and that the governance gap allowing both had not been closed.
That is the Gibson problem made real. Not that bad things happen. That the reporting reaching people responsible for governance is not designed to surface the pattern behind the bad things.
Common Mistakes New Zealand Boards Make With Health and Safety Reporting
Most boards are not failing because they are indifferent to safety. They are failing because their reporting systems were not designed to answer the questions that matter.
The most common mistakes I see include:
Receiving activity data and treating it as risk intelligence. Knowing that 14 inspections occurred last month is not the same as knowing whether those inspections are finding what matters.
Approving systems without verifying implementation. A board that approves a management system and does not track whether it is actually implemented has not discharged its obligation.
Never defining risk tolerance. If the board has not said what an unacceptable residual risk looks like, every risk score in the business is measured against nothing.
Accepting documents as evidence of control. A signed document is not a controlled risk. The Gibson case, and the site visit I described above, both demonstrate this clearly.
No critical risk framework. If the business has never formally identified the risks that could kill someone, it cannot prioritise its controls. And the board cannot ask the right questions about them.
Excluding the safety function from decision-making. When the H&S advisor has no seat at the table and no authority pathway, the information that should reach the board gets filtered out before it arrives.
Three Questions Your Board Should Ask of Every H&S Report
If your board cannot answer these three questions from your current reporting, the reporting is not fit for purpose.
Does this report tell me what might go wrong next - or only what happened last month?
What is the highest uncontrolled risk in this business right now and what is being done about it?
Is the residual risk on our most critical operations within the threshold we have defined as acceptable?
The third question is the one most boards cannot answer. Not because the information does not exist somewhere in the business, but because the reporting has never been designed to surface it at governance level.
The Advanced Safety View
At Advanced Safety, we work with boards and executive teams across New Zealand and Australia who are doing a great deal right. The Gibson ruling has prompted a lot of calls from organisations that believe they are compliant but want to be certain.
What we consistently find is not negligence. It is the same gap the court identified in the Gibson case. The system is producing information. It is not producing intelligence. Activity data reaches the board. Emerging risk does not.
Our Compliance Compass assessment is designed specifically to identify that gap. It reviews documentation aligned with ISO 45001, culture and engagement including officer duty awareness, work practices - whether procedures match what actually happens - and emergency response planning. The output is not a list of findings. It is a clear picture of where your organisation's exposure is and a roadmap for closing it.
The Gibson standard is now set. The question is not whether your board intends to meet it. It is whether your current reporting gives you any way to know if you are.
Frequently Asked Questions About Officer Due Diligence and the Gibson Decision
What did the Gibson ruling actually decide? The High Court confirmed in Gibson v Maritime New Zealand [2026] NZHC 813 that an officer's due diligence duty under the Health and Safety at Work Act 2015 requires more than active engagement with health and safety. Officers must take steps to obtain credible information about whether critical controls are actually working in practice, and must be prepared to follow up and challenge the information they receive.
Does the Gibson ruling mean I can be prosecuted even if I have a safety system in place? Yes. The ruling confirmed that having a safety system does not automatically satisfy the due diligence duty. The court acknowledged Gibson's extensive safety programme and still upheld his conviction because the system was not producing credible information about real operational risk. General guidance only - businesses should seek specific advice on their own obligations.
What is the difference between monitoring safety activity and obtaining credible information? Monitoring activity means tracking whether safety processes are happening: inspections completed, training finished, observations logged. Obtaining credible information means verifying whether those processes are actually revealing and controlling real risk. The Gibson case turned on that distinction.
What should health and safety reporting to a board include? Board reporting should go beyond activity data. It should identify the highest uncontrolled risks in the business, explain whether critical controls are working in practice, surface emerging risk patterns and make clear whether residual risk is within the organisation's defined tolerance. If your reporting does not include those elements, it is not providing what the Gibson standard requires.
What is a critical risk framework and does my board need one? A critical risk framework identifies the specific risks in your business that, if left uncontrolled, could cause a fatality or serious harm. Without this framework, the board has no basis for prioritising its attention or defining an acceptable residual risk level. The Gibson ruling makes it clear that boards need this kind of structured, credible information - not just activity summaries.
How can Advanced Safety help? Our Compliance Compass assessment reviews your documentation, culture and engagement, work practices and emergency response planning, then gives you a clear picture of where your system is strong, where it is exposed and what to fix. If you want to know whether your board reporting meets the Gibson standard, that is the right starting point.
What to Do Next
The Gibson judgment is not a warning to reckless organisations. It is a signal to well-run ones that good intentions are not the same as due diligence.
If your board is receiving reports full of activity data but has never asked whether those reports tell you what might go wrong next, you have the same gap the court identified. That is worth addressing before it becomes a legal question.
If you are not sure whether your current health and safety reporting gives your board the credible information the Gibson standard requires, Advanced Safety can help. Our Compliance Compass assessment gives you a practical view of your documentation, culture, work practices and emergency response planning - then turns the findings into a clear improvement roadmap.
This article provides general guidance only and does not constitute legal advice. Businesses should seek specific professional advice when applying health and safety duties to their own operations.
About the Author
Matt Jones is the founder of Advanced Safety Ltd, a Christchurch-based health and safety consultancy that works with boards, executives and safety professionals across New Zealand and Australia.
With a background in high-risk industry and executive advisory, Matt helps organisations move from reactive compliance to structured safety governance that holds up under scrutiny.
He is a keynote speaker, the founder of the New Zealand Health and Safety Professionals network and the Safety Summit and a regular commentator on officer due diligence and critical risk. His work focuses on the gap between what boards think is happening and what is actually happening on the ground.
