Guide to Ensuring Worker Wellbeing During a Crisis

Critical events pose risk to worker safety and compromise duty of care

Critical events – whether violent acts, natural disasters, or public health incidents – overwhelm crisis-hit organizations – often swiftly. Nevertheless, the organizations in question remain PCBUs (Person(s) Conducting a Business or Undertaking), meaning they maintain a legal obligation to ensure the health and safety of their staff to the extent practicable.

Crises, emergencies, or other business continuity incidents don’t suspend that employer duty-of-care obligation. But they do make complying with the legal mandate that much harder, especially for Safety departments.

Why Safety, in particular? Safety teams often find themselves at a structural disadvantage when responding to a certain class of critical event. Specifically, Safety departments have traditionally focused on internal, unintentional workplace hazards, namely risks arising from unsafe work practices, hazardous industrial conditions, or exposure to harmful chemical, biologic, or physical agents. Indeed, the duty of care obligation itself comes from a case of unintentional negligenceⁱ.

On the other hand, externally-originating hazards – again, violent acts, natural disasters, and public health events come to mind – have long been the provenance of other departments, whether Crisis, Security, or HR. Because of siloing effectsⁱⁱ, those teams don’t often share relevant information efficiently with the Safety function, even if the hazards they seek to prevent, respond to, and recover from can and do impact employee safety.

How, then, to get everyone on the same page so as to more effectively manage all incidents, risks, and hazards that might impinge worker wellbeing and compromise duty of care? The guide outlines the strategies, capabilities, and protocols needed to uphold the duty of care mandate during critical events that too often fall outside of the Safety department’s remit. 

Safety protocols to prepare for and respond to violent acts

While safety managers have primarily focused on the unintentional, non-malicious threats to people, processes, systems, and the environment caused by human error, Security teams have managed malicious threats to physical assets and people perpetrated by intentional human actorsⁱⁱⁱ. Of course, those violent acts, including a broader category of security incidents, such as vandalism, theft, fraud, and protest, can compromise employee safety and wellbeing, as well.

Nor is the risk of intentional, malicious acts hypothetical, either. Security crises now count among the top ten business continuity threats and disruptions^iv.

What’s more, it appears orthodox, safety and security protocols have proven insufficient to prevent major loss and uphold duty of care. A staggering 62 percent of organizations acknowledge feeling less confident in their capabilities to respond to location-specific incidents involving physical security^v.

Jurisdictions, in their turn, aren’t looking the other way. To the contrary, they are increasingly putting at-risk PCBUs in at-risk sectors under stricter regulatory regimes. What those regimes entail largely varies from jurisdiction to jurisdiction. But generally, Safety teams at PCBUs must at minimum ensure that their workplaces are free of hazards causing or likely to cause death or serious physical harm, i.e. identifying, understanding, and controlling what have traditionally been security risks liable to cause security crises.

Here, the case of the healthcare sector is instructive. Healthcare workers face significant risks of client-initiated, occupational violence, so the industry as a whole has been under a fine microscope. How has the industry responded and what lessons can Safety actors in other industries take from it?

Let’s look at the response of Christchurch Hospital during the 15 March 2019 Christchurch shootings at the Al Noor Mosque and Linwood Islamic Centre. Unsurprisingly, the shootings quickly became a major safety and security event for organizations outside of the immediate perimeter of the incidents.

Christchurch Hospital, located a mere two kilometers from Al Noor Mosque, proved no exception. So close to the incident was the Hospital that witnesses of the shooting actually ran across the Park to warn Hospital staff to expect an influx in victims^vi.

And come those victims did. This sharp uptick in patients was enough for the Emergency Room to activate its major incident plan, a pre-planned response triggered when the Department has to treat ten or more patients. 

Facilitating the medical intervention during a such a stark public safety incident was the fact that Christchurch Hospital remained under emergency lockdown, a heightened safety and security posture. The public could not attend Christchurch Hospital. Nor could staff or patients enter or leave the building. 

Major security events, like the Christchurch shooting, can trigger lockdowns even at facilities that are not themselves the site of the mass-casualty incident. Since healthcare facilities carry elevated work safety risk^vii, the lockdown posture factors heavily in their crisis plans. 

Safety protocols to prepare for and respond to natural disasters

But, of course, the safety risk of violent acts isn’t unique to the healthcare sector, though risk might be higher there. For that matter, security crises aren’t the only critical events that might compromise a PCBU’s ability to maintain its duty of care obligation, either. Natural disasters also stand out as critical events that can have a deleterious impact on worker wellbeing.

And like physical security incidents, weather-related disasters are also increasing in kind, cost, and intensity. According to The Economist, disasters around the world have more than quadrupled to around 400 year since the 1970s^viii.

Business leaders have long considered this sharp uptick in major natural disasters, like Hurricane Katrina, the earthquake at Kaikoura, and the 2019-20 Australian bushfires, from a business continuity and viability perspective. After all, 40 to 60 percent of small businesses close permanently after a disaster; and among businesses that are closed for at least five days after a disaster, 90 percent fail within a year^ix. But the very ubiquity of natural disasters and other safety-impacting emergencies has meant that jurisdictions have stepped in, tying emergency preparedness to safety compliance.

What does safety compliance entail? Again, compliance varies from jurisdiction to jurisdiction. But typically, PCBUs of ten employees or more must, at least, have a written emergency action plan (EAP). Safety regulators also urge senior management at those PCBUs to review that plan with employees, as well as re-evaluate and amend the plan periodically.

Taking its cue from regulators, the safety industry has also revised its best-practice standard, ISO 45001, so as to enable compliant PCBUs to better respond to emergency situations, like natural disasters, that compromise the wellbeing of employees, customers, and other stakeholders.

Safety protocols to prepare for and respond to public health events

PCBUs have at least begun to factor the weather-related disaster threat into their safety protocols. Not so when it comes to the risk of public health events, though.

Indeed, it appears that organizations have largely failed to plan for the potential impact major health incidents, like epidemics, might have on business viability writ large. That is even though no less a body than the World Economic Forum (WEF) has cautioned that health systems in advanced economies, like the U.S., U.K., and Australia, are becoming “unfit for purpose,” introducing downstream risk for worker safety.

The outbreak of the 2019/2020 novel coronavirus (COVID-19) has shaken many organizations from their torpor, a clarion example of the systemic risk public health still poses, especially to businesses with complex supply chains that reach into emerging and developing markets. But it’s not yet clear that firms have folded the public health risk into their safety plans.

Considering the epidemic risk, though, constitutes part of a PCBU’s duty of care obligation to continually think about threats that may harm its workers. And not just consider. PCBUs must take reasonable steps to control and/or mitigate those threats. What would reasonable safety risk control measures look like in the case of an ongoing epidemic?

Well, with regards to the coronavirus, specifically, expert consensus has leaned towards immediately activating the PCBU’s existing crisis management plan, while making and socializing return to work policies, as well as stocking up relevant personal protective equipment (PPE) and safety
supplies, including hand-hygiene products, tissues, and
receptacles for disposal.

A PCBU should also revisit its existing epidemic response plan, if it has one, to review safety management actions, which might include any of the following:

• Design and prepare to implement a daily staff health status reporting procedure for all management teams.
• Review and modify corporate policy and/or contracts related to staff and external workers who might be at higher risk of exposure, e.g. cleaners and security staff.
• Define a corporate-wide management process for ensuring the safe transport home or to health facilities of workers who become sick.
• Define a corporate-wide policy on work from home strategies to support social distancing.
• Define and implement a corporate decision-making authority, infrastructure, health and safety support model for teams who need to work during “silent hours” to keep up with workload and support social distancing during peak hours.
• Define and implement corporate-wide plans to deal with potential shortage of security and cleaning staff due to high absenteeism.
• Determine corporate response to requests from staff for everyone to use masks and gloves even if it is found that these are not effective deterrents to infections.
• Approve resources required to design and exercise corporate-wide pandemic plan, including the development of a manager’s guide to pandemic response with samples situations and scripted messaging.

Technology capabilities to ensure employee wellbeing during a critical event

To what do these protocols all amount? Well, managing work safety risk throughout the lifecycle of crisis – be it a violent act, natural disaster, or public health incident – takes a systemic approach, not a single intervention. And that kind of approach can only be operationalized via a flexible, integrated safety and crisis management software
platform that enables PCBUs to report and manage major events, risks, and operations.

Of course, not all technology is created equal. Here are the specific supporting capabilities you will need to ensure employee wellbeing and maintain duty of care during a crisis:

• Mass notification and collaboration.
  PCBUs need technology that integrates safety and risk functionality (more below) with mass notification tools. Mass notification is often a key component of duty of care during a crisis. So, the solution should also come with relevant incident notification report templates, in addition to other pre-configured safety templates, forms, and dashboards.
  
  PCBUs often have legal requirements to keep track of workers during a crisis, as well, i.e. when it’s hardest to find people. To reliably check up on worker wellbeing, PCBUs should invest in integrated technology that includes duress alarms.
  
  Additionally, team collaboration during a crisis drives efficiency and ensures better outcomes, like staff safety. Facilitate better team collaboration during a crisis with in-built communications for email, SMS, broadcasts, alerts, reminders, and app notifications. 
• Efficient crisis response and situational awareness.
  On that note, integrated safety and crisis management platform eases the incident management burden on frontline workers, by enabling planned, controlled, and automated
  incident response. 
  
  Automatic tasking and dispatching of staff also make crisis response more efficient; so too does the ability to assign actions to individual roles manually or automate, according to the incident in question. The same goes for robust workflows to automate, guide users through, and/or enforce business process through a designed series of tasks or actions with a logical flow, decision point, and outcome. 
  
  The technology should offer best-practice libraries, as well, including plans and checklists for likely crises, from which PCBUs can create tailored crisis strategies and action plans. Then, when critical events do occur, the plan comes to life, and the relevant teams know what to do, while progress is tracked in real time.
  
  For instance, for coronavirus response, a PCBU will need a dedicated response module, encompassing dashboards for business continuity, crisis management, travel risk
  management, and, of course, worker safety that provide situational awareness, authoritative guidelines, best-practice plans and checklists, the ability to log updates, tasks, and decisions, as well as case management for affected workers.
  
  What’s more, the integrated safety and crisis management platform should enable teams to visualize the location of the crisis (as wellas that of risks, people, and other assets) via fully integrated mapping features. Situational awareness dashboards for monitoring operations, facilities, and people also help teams achieve a common operating picture. 
• Assess risks. Control hazards.
  Integrated risk management helps ensure an efficient crisis response, too. Yet, standalone safety management solutions often don’t provide much more than just analytics, which crucially undercuts a team’s ability to control identified hazards. Not just teams, either. Without robust mechanisms for assessing risk and controlling hazards, the ability of senior leaders to make informed decisions before and during the crisis is also weakened.
  
  The right, integrated safety and crisis management system should, therefore, enable the cross-listing of hazard information with the resulting incident or crisis. This capability lets teams relate incidents, risks, and hazards to their organization’s structures, buildings, sites, equipment, materials, and other assets, giving managers the data points they need to trigger necessary changes and more easily identify where risk controls failed to achieve desired outcomes. 
• Leaves an auditable trail.
  Safety risk management policy generate tons of documentation and not just during and after a crisis or emergency. There are the policies themselves, but also the documented accountabilities, roles, and responsibilities, registers and records, as well as the safe work method statements and procedures. That documentation must all be tracked carefully: tasks, checklists, and corrective actions must be set against it. Otherwise, the evidentiary trail goes fallow, and costs and liability mount when stakeholders come knocking.
  
  Providing this evidence of proactive safety protocols requires integrated safety and crisis management technology that tracks and manages all information, including key documents, tasks, checklists, and corrective actions, in one single source of truth. The integrated system should also display that information where it’s needed, via flexible dashboards, analytics, and reporting that meets the needs of all relevant stakeholders
• Responds to all hazards.
  Just as security crises, like public shootings, compromise employee wellbeing whether the target organization is directly or indirectly impacted, so too do natural disasters, which can also damage assets and affect the continuity of operations.
  
  IT infrastructure events, data breaches, and other ICT incidents, the traditional remit of Business Continuity, can affect the provisioning of essential services, as well, especially in the healthcare sector, and so can supply chain events (involving food and linens).
  
  Integrated safety and crisis technology should, therefore, let teams prepare for, respond to, and recover from all threats and hazards liable to cause injury, illness, property damage, business disruption, and environmental impact within the same, flexible platform. 
  
  Safety teams have long understood integrated health and safety to lie at the intersection of health protection and promotion, developing programs to enhance employee wellbeing and prevent work-related injuries and illnesses on that basis.
  
  Nevertheless, crises like workplace violence, natural disasters, and public health incidents have increasingly become leading occupational health and safety issues. And so, even the most innovative programs to achieve safety and wellbeing aims are insufficient without robust provisions for crisis response throughout the lifecycle of a critical event.
  
  Fortunately, integrated crisis and safety management software gives teams and decision makers the tools they need to prepare for, respond to, and recover from major crises, thereby mitigating risk, ensuring employee safety, and maintaining regulatory compliance.

Citations

i Richard Castle, Cambridge University: Lord Atkins and the Neighbour Test: Origins of the principles of negligence in Donoghue v Stevenson. Available at https://www.cambridge.org/core/services/aop-cambridge core/content/view/CBCF36E5E5998EB037E232CAAE3317ED/ S0956618X00005214a.pdf/lord_atkin_and_the_neighbour_test_origins_of_the_principles_of_negligence_in_donoghue_v_stevenson.pdf.

ii Safety and security managers specifically have each built strong portfolios in the enterprise. Indeed, reporting hierarchies often reflect the importance the C-suite places on topline safety and security priorities, objectives like keeping employees safe at work or mitigating threats to facilities and people. In turn, businesses of all shapes and sizes, in all vertical markets, have implemented standalone safety and security management systems to pursue those objectives.

iii Sabarathinam Chockalingam et al: Integrated Safety and Security Risk Assessment Methods: A Survey of Key Characteristics and Applications. Available at https://www.researchgate.net/publication/318315890_Integrated_Safety_and_Security_Risk_Assessment_Methods_A_Survey_of_Key_ Characteristics_and_Applications.

iv Security Magazine: Cyber Tops List of Threats to Business Continuity. Available at https://www.securitymagazine.com/articles/87856-cyber-tops-listof-threats-to-business continuity.

v Ibid.

vi New Zealand Herald: Inside Christchurch Hospital on the day of the mosque shootings. Available at https://www.nzherald.co.nz/nz/news/article. cfmc_id=1&objectid=12228072.

vii The worst-case thinking informing those plans goes that suspects might come to hospitals in the event of a public shooting to inflict further harm on victims. The public at large might also retaliate against injured perpetrators who’ve been taken to the hospital for treatment. The crisis itself also creates second-order business continuity challenges for hospital staff in the form of crowding. For instance, big crowds might rush to emergency rooms. This convergence of publics also exacerbates the challenge of treating other emergency patients who show up at the hospital in private cars and on foot, rather than in ambulances.

viii The Economist: Weather-related disasters are increasing. Available at https://www.economist.com/graphic-detail/2017/08/29/weather-relateddisasters-are-increasing.

ix Chris Morris, CNBC: Hurricane alert: 40 percent of small businesses never recover from a disaster. Available at https://www.cnbc.com/2017/09/16/hurricane-watch-40-percent-of-small-businesses-dont-reopen-after-a-disaster.html.