Critical Risk and Contractor Supply Chains: Where Liability Lives
Your duty of care doesn’t stop at your organisation’s edge. For principals in high-risk industries, the supply chain is where critical risk exposure is hardest to see – and hardest to defend.
Your controls stop at your boundary. Your liability doesn’t.
Key takeaway: Under New Zealand’s health and safety framework, a principal’s duty of care extends to work carried out by contractors – including contractors they haven’t directly engaged. For organisations in high-risk industries, the greatest exposure is often in the supply chain, where controls are hardest to see and easiest to assume are working.
Where your duty of care extends
The Health and Safety at Work Act 2015 requires principals to manage risks arising from work carried out by contractors, not just their own workers. Where multiple parties share a workplace or influence how work is done, they share overlapping duties. Having the right contracts in place is not sufficient – principals need reasonable confidence that their contractors’ critical controls are actually functioning.
Picture a construction principal whose own site runs well. Incident rates are low, audits are clean, and the H&S team has good relationships with the site supervisors. The board receives quarterly reports that reflect all of this, and they’re satisfied.
Somewhere in the contractor supply chain – a subcontractor two layers deep, engaged by a subcontractor who was engaged by the primary contractor – a critical control isn’t working. It might be an isolation procedure that workers have found a faster workaround for. It might be a piece of equipment that should have been inspected last month and wasn’t. Nobody at the principal’s level knows, because nobody has looked, and because the reporting that flows back up the chain describes what should be happening rather than what is.
This is the supply chain blind spot. And for principals in high-risk industries, it’s where some of the most significant exposure lives.
Where the boundary of duty actually sits
There’s a tendency in critical risk governance to think primarily about what happens inside your own operations. Your workers, your site, your controls. That’s understandable – it’s what’s most visible and most directly manageable. But under New Zealand’s health and safety framework, the duty of care for a principal doesn’t stop at the organisation’s edge.
The Health and Safety at Work Act 2015 requires principals to manage risks arising from work carried out by contractors – not just work carried out by their own workers. Where multiple parties share a workplace or influence how work is done, they share overlapping duties. A principal who engages contractors for high-risk work can’t fully discharge their obligations simply by requiring contractors to have their own H&S systems. They need to have reasonable confidence that those systems are actually functioning.
That’s a harder thing to have when the work is being done by someone you haven’t directly engaged, on a site you may not regularly visit, using procedures you’ve never observed in practice.
Why the supply chain is where controls are hardest to see
Inside your own operations, you have direct lines of sight – managers who observe work being done, reporting systems that surface problems, audit processes that check whether procedures are being followed. These aren’t perfect, but they exist.
In the contractor supply chain, those lines of sight get progressively weaker with each layer of engagement. A primary contractor may have reasonable visibility into their own workers’ practices. They may have less visibility into their subcontractors’. By the time you’re two or three layers deep, the controls that exist on paper and the controls that are being applied in practice can diverge significantly – and that divergence is largely invisible to the principal sitting at the top of the chain.
This matters particularly for critical risks, because critical risks are exactly the situations where a gap between documented controls and actual practice is most likely to result in serious harm. The risk that gets someone killed isn’t usually the one that everybody knows about and is actively managing. It’s the one that was assumed to be under control.
What “reasonable confidence” actually requires
The Health and Safety at Work Amendment Bill, expected to pass before September 2026, sharpens this further. It introduces a formal definition of critical risk and requires PCBUs to prioritise, monitor, and verify controls for those risks more rigorously than for others. For principals with contractors in their supply chain, that verification obligation extends to work that their contractors are doing on their behalf.
Verification is a different thing from documentation. A principal can document their contractor prequalification process, their contractual H&S requirements, and their audit schedule, and still have no real confidence that a critical control two layers down is functioning today. Verification requires some form of evidence – observed practice, confirmed compliance, or real-time visibility into control status – not just a record that the right procedures were agreed to.
The Port of Auckland conviction is instructive here too. One of the central findings was that Tony Gibson hadn’t adequately verified that critical controls were functioning in practice, despite having systems and documentation in place. The same logic applies to supply chain oversight: having a contractor management process isn’t the same as knowing whether your contractors’ critical controls are working.
Supply chain visibility checklist
If you’re responsible for H&S in an organisation that uses contractors for high-risk work, supply chain visibility is probably one of the harder problems you’re managing. Contractor prequalification gives you a snapshot of capability at a point in time. Contractual requirements set expectations but don’t confirm compliance. Periodic audits tell you what was true on the day the auditor visited.
None of these give you a continuous picture of whether critical controls are in place and working across your supply chain – and that’s what the current legal environment is increasingly asking you to have.
Some questions worth working through with your team:
- Where does your critical risk exposure actually sit? For many principals, the highest-risk work is being done by contractors, not employees. If your critical risk register is built primarily around your own workforce, it may not reflect where the real exposure is.
- What visibility do you have below the first layer? Primary contractors are often visible to principals. Subcontractors, and the subcontractors they engage, frequently aren’t. If a critical control failure two layers down could result in a fatality on work being done on your behalf, what would you know about it and when?
- What does your contractor assurance process actually verify? There’s a difference between a process that confirms contractors have the right documentation and a process that gives you confidence their critical controls are functioning. Which one do you have?
- What do your contractual obligations require, and are they being met? Contractual H&S requirements are only as useful as the verification that sits behind them. If you can’t answer whether your contractors are meeting the requirements you’ve set, the requirements aren’t doing the governance work you’re relying on them to do.
Rethinking where the boundary is
The supply chain blind spot isn’t a problem that most organisations have deliberately created. It’s a problem that emerges naturally from the way principal/contractor relationships are structured, and from the fact that traditional H&S governance tools were mostly designed to manage what’s directly visible.
What’s changing is the expectation. The legal framework, the direction of case law, and the reforms currently before Parliament are all moving toward a standard where “we had the right contracts in place” isn’t sufficient. The question being asked is whether you had genuine visibility – and whether the controls that matter were actually working, including the ones you couldn’t directly see.
For principals in high-risk industries, that’s the gap worth closing.
Critter is built by IMPAC – 27 years of health and safety expertise, purpose-built for the critical risk governance challenge.
