This post first appeared on Risk Management Magazine. Read the original article.
One of the most challenging aspects of maintaining duty of care is convincing employees to actually follow the risk management policies you have established. You can put together a comprehensive safety program to protect their health and welfare, but if they simply ignore it, then it is just not going to be very effective in practice. Who is then at fault? Is it the employee for not doing what you asked them to do? Or is it your fault for not issuing the right kind of guidance? As with most complicated questions, the answer generally lies somewhere in the middle.
The Duty of Care Contract
In most countries, duty of care is not an actual legal obligation. Rarely do we find specific statutes that spell out exactly what constitutes a violation of duty of care and what the penalties are for falling short of such obligations to employees. Despite this ambiguity, there can be real legal, financial and reputational ramifications for organizations that fail in their duty of care obligations.
Duty of care is a legal concept based on the general principles of negligence—that is, someone alleges there was a duty owed, that duty was somehow breached, and the result was an injury. In this instance, duty of care presumes that organizations have a moral and legal responsibility for the health, safety and security of their employees, and that they should avoid risks that are reasonably foreseeable.
If there is a duty owed to an employee, however, it is important to note that the employee also has a duty to act in a prudent manner. At its core, duty of care is a social contract between the employer and employee—the employer agrees to take care of the employee, and the employee agrees not to take any unnecessary risks.
Safety vs. Privacy
Agreeing on what constitutes an unnecessary risk is one of the main reasons employees do not adhere to safety policies. An unnecessary risk to an employer does not always seem risky to an employee. Lack of privacy is another major employee concern as policies and technology designed to protect employees can also feel intrusive and controlling.
“Piggybacking” or “tailgating” is a great example of the employer-employee disconnect around unnecessary risk. Swiping your access badge and holding the office door open to let a colleague in without swiping his or her own access card does not sound like risky behavior to most people. In fact, it probably seems like the customary and polite thing to do. You know this person, you know where he or she is headed, and you know why he or she is there. It would probably feel awkward not to hold the door open for them. But, in reality, piggybacking is an unnecessary risk. Knowing which employees are in a building or on campus is critical if an emergency arises. If there is a fire and a building needs to be evacuated, for example, you can confirm who has actually left and whether emergency responders need to spend critical time and resources searching for people.
Workplace violence can also be abetted by piggybacking as most incidents are committed by current or former employees. A locked door can be a significant deterrent to a disgruntled ex-employee. Most people, however, are probably not thinking about their personal safety as they politely hold they door for someone they recognize.
Although employees often seem indifferent about following protocols to protect their health and welfare, they can become quite passionate when they feel their personal privacy is compromised. Technology is an essential component of any modern security program, but some of the most effective tools to protect employees may capture information employees do not feel their employers have a right to know.
Smartphone applications are a prime example. Many companies require employees to download a communication app so their security teams can send alerts and notifications when there is a crisis. These apps often allow employees to check in with the company if they are working outside the office or allow security to track their location to ensure their safety in an unpredictable region. More often than not, however, employees either forget to use the app or deliberately turn it off because they do not want the organization to know where they are.
This can be a particularly sensitive issue when dealing with senior management. You cannot really tell your CEO that you need to know where he is going to be at all times on his upcoming trip to Mexico City, but if there is a kidnapping and his app is active, it could provide vital information to the authorities and provide an enormous head start to successfully resolve the situation.
Sending the Right Message
It may seem nearly impossible to convince employees that “Big Brother” is not watching their every move, or that seemingly minor policies can have a large impact on their health and welfare. However, when employees have a reasonable level of concern for their safety and a reasonable level of confidence in the effectiveness of duty of care policies, they are much more likely to follow security protocols and turn on the device or app designed to protect them.
First, it is important not to downplay risks when briefing or training employees. Avoid using phrases like “this will probably never happen, but…” As soon as a safety issue is seen as highly unlikely, employees become complacent about taking steps to mitigate against it. The goal is not to terrify employees but to try to convey to them that they are susceptible to whatever situation you are trying to protect them from and that the consequences are potentially serious.
Providing examples of scenarios can highlight the importance of complying with your policies—for example, “What if there is a natural disaster and the phone doesn’t work?” or “What if there is a high casualty event and cell service is interrupted?” Thinking through possible scenarios will help employees understand the value of safety protocols and, consequently, drive greater compliance.
Likewise, make sure employees know why you require the use of any technology that might be perceived as infringing upon their privacy. Let them know you have no interest in tracking where they are going all the time, but explain to them that turning on the app can benefit them while they are traveling on business by providing, for example, protection in the event of typical travel hazards, such as a car accident or an infectious disease outbreak.
Ideally, putting employees through some sort of training program can pay enormous dividends. It can be a wake-up call for anyone who has never been involved in a crisis or traveled to an unpredictable area of the world, and it can turn employees into additional eyes and ears for your security program. Raising employee capacity for situational awareness allows them to feed quality information back to you as a dynamic situation changes rapidly. Employees then become your partners and are much more likely to take responsibility for their own personal health and welfare.
Security Operations as a Strategic Asset
The role and expectations of security operations is undergoing a dramatic change. Today, there is greater sensitivity to the risk of a violent incident happening at work or in a public space, and most people are looking for ways to continue on with business as usual and still feel secure. This can elevate the role of security operations within an organization to that of a strategic asset that provides greater organizational resilience.
There is a receptive audience out there for your message. This gives you an opportunity to partner with new parts of your organization and improve how your employees manage their duty of care responsibilities. If your company has a marketing or HR newsletter, see if you can contribute security-related content like how-to tips. Speak to other departments about including personal safety within their security training programs. Share success stories with senior management. To make duty of care the responsibility of everyone within the organization, it is up to you to find new ways to engage and educate employees.