How far does your duty of care go?
Part VII: How fare does your duty of care go?
As we have argued in our previous articles, there are both legal and moral aspects to duty of care. A corporate policy will always be subjugated to legislative requirements, i.e. it is not possible to ‘write yourself out’ of your legal responsibility to protect your employees from harm. When it comes to travel security, the recognised practical solution is to obtain ‘informed consent’ from your employees. This means that the employee has access to clear and validated information about the risks he or she will face in the location where the work is taking place and accepts any residual risk after proper security measures have been taken.
To give an example, two technicians go to Mexico to install a new machine in a hospital in Tijuana. Due to the high risk of express kidnapping in the city, it is agreed that the travellers should be picked up in the airport by a local English-speaking driver, who will take them directly to their hotel. Every day, he will pick them up and drive them to the hospital, and he will also bring them back. This does not provide a full guarantee that nothing will happen to the technicians, but it brings the risk level down to a level that is acceptable to them and the organisation.
What if they are kidnapped anyway? Let’s say one of the travellers asks the driver to stop at an ATM on the way back to the hotel, so he can withdraw some cash. Three armed men assault him, take the money, throw him into a car and drive him out of the city, where he is forced to wire transfer even more money to an online wallet. Legally, the employer cannot shirk the responsibility of having put him in that situation. This is part of the operational risk that comes with conducting global business. But by providing the travellers with adequate information about the risk and implementing reasonable measures to mitigate it, the employer has lived up to their duty of care. Of course, a subsequent investigation and after-action review should determine if the measures taken were reasonable, whether the employee was properly trained, and if the organisation was able to assist the traveller with repatriation, insurance compensation, and reintegration.
Now to the central question in the article: ‘How far does your duty of care go?’ We ask this question every time we develop a corporate security policy for a client. The question constitutes one of the most difficult, messy, and important steps in all of security risk management. The problem is that the moral and legal aspects of duty of care become entangled to such a degree that they become indistinguishable. In the end, you end up making a non-decision, i.e. either ignoring the question or writing a definition so vague that it becomes meaningless. Not only does this not add any value, it could result in even more problems, as I will demonstrate below. First, however, I would like to qualify the question by analysing it in two dimensions:
1. Who is covered by your duty of care? (The width)
2. What are your responsibilities under the duty of care? (The depth)
These are difficult questions, and there are almost certainly no correct answers. However, asking them is crucial, as it serves the purpose of displaying your risk exposure in a new light. Below, I will give my view on how you could go about answering them, but in the end, the right answer depends on your organisational context, risk appetite, and more. Common for both questions is that they must be posed to your strategic management, as these decisions are an integral part of the duty of care, which cannot be whisked away through the miracle of outsourcing. It is not only important what the decision is, but also who makes it and how it is communicated. Otherwise, you have failed to live up to your duty, it’s as simple as that.
Let’s look at the questions one by one.
1. The width: Who is covered by your duty of care?
Most managers would not be surprised to know that they have a duty of care for their employees, when they are at work. If you sent the technicians to Mexico, you also have the responsibility to prepare them for it. And obviously, if you have operations abroad, such as a country office or regional sales department, well, those employees are also yours to care for. 3
But the responsibility is not always so clear. You may have contracted local partners or consultants on short-term assignments. Maybe your local operations are actually run by a subsidiary in the country, which is co-owned with another firm? Or there could be a visitor, you have brought to the local office? Perhaps you have interns or volunteers? Not to speak of drivers, caretakers, guards, translators, and guides. There are a million forms of employment, contractual and non-contractual, and it can be extremely unclear what the relationship is.
The first step for the manager should be to create an overview of all these associations and the types of associates that could potentially be under their duty of care umbrella. Our experience is that by visualising it, most managers become surprised at how many people are involved in their operations. Essentially, they are principals who do not know the full extent of the number of agents they employ. After obtaining the full list, the manager should categorise all these associates to create an overview of the different employee types. Now, this process is lengthy and probably requires input from all corners of the organisation, which can be collected at headquarter level – often with HR. Moreover, this overview must be continuously updated as the organisation evolves and sprouts new relations.
The second step is perhaps even more challenging, as it requires the strategic management to sit together and discuss each of the employee categories. Begin with the easy ones: those with a contract. Then work your way through all the various channels of the organisation and make a decision for each type of associate. Do they fall under our duty of care? If not, whose ‘umbrella’ are they under?
The third step is all about communication. Your organisation should reach out to the relevant partners and collaborating entities to agree on the split in duty of care for those agents that are not fully under any single umbrella. A recurring problem is when managers transfers their duty of care to local partners or contractors but fail to set explicit requirements for providing adequate security. For freelancers, there is a need to communicate that they fall under your duty of care whenever they are on duty for your organisation, including when they are travelling for work.
2. The depth: What are your responsibilities under the duty of care?
Now that you have an idea of who falls under your duty of care umbrella, an equally difficult and important task is to define what that then means. The common definition, to ‘prevent foreseeable harm’, is problematic in two ways. First, it is vague and begs questions about both foreseeability and harm, as I mentioned in the introduction to this article. Second, it only mentions prevention and not the work that must go into training at-risk employees, providing emergency response, and ensuring professional post-incident care. These are essential elements of duty of care, as accepted by most.
To be more specific, it is my experience that there are five key responsibilities when it comes to duty of care (NB: remember that I only look at duty of care relating to travel security):
1. Safety & security training for travellers
The purpose of the training should be to increase the level of security awareness among the employees and to provide them with tools to cope with difficult situations while travelling. Crucially, training should be adapted to fit the profile of the traveller. A traveller going to remote villages should receive training in CPR, whereas the office worker should be taught to use the defibrillator on the wall. The same applies to all aspects of security. The important thing is to invest in employee resilience and enable them to be in charge of their own security while they are travelling.
2. Risk advice & preparation before journey (informed consent)
As mentioned in the introduction, informed consent is at the centre of duty of care. The employer must provide the traveller with a reasonable basis for giving their consent to the risk they undertake. Creating a risk assessment can sometimes seem a bit of a chore, but it is an excellent way of making a common understanding between the traveller and the manager. Unless it is specifically agreed, the employer cannot expect that the traveller is able to make such an assessment alone. We often see risk assessments that just line up a list of threats without providing adequate measures of mitigation. Finally, if the assessment calls for certain security measures, the employer should – as a minimum – be able to refer the traveller to a trusted provider.
3. Travel management system, incl. communication 4
By this, I mean a system that enables the organisation to monitor its travellers. Many choose to comply with this requirement by having all employees book travels through a single travel agency, which gives HR or others access to lists of travellers at any given time. This system, called Passenger Name Record (PNR) tracking, makes it possible to draw a list of employees who have entered any given country in case of a major incident. However, it does not provide any information about where the traveller actually is at the time of the incident. For higher-risk locations, more fine-grained monitoring, such as GPS tracking or regular check-ins, should be considered. Of course, any monitoring system is worthless without a possibility to contact the travellers. An essential part of the system is therefore to ensure that the traveller leaves contact information (e.g. a local phone number or contact to local counterpart) before going on the journey.
4. Special insurance
It falls on the employer to ensure that all travelling employees are properly insured. This is a legal requirement. However, it also features in the duty of care debate, as it is often necessary to go above and beyond what the law requires. This could for example be medical expenses incl. repatriation and kidnap-for-ransom coverage. Moreover, many are often surprised that their ‘worldwide’ insurance policy does not cover extreme-risk locations or countries where the Foreign Ministry advises against entry. Many insurance companies have collaborations with security and medical response companies, so a package solution will often be the most sensible.
5. Crisis management procedures & preparedness
Finally, the manager is obligated to have plans in place in case of a contingency. A professional setup consists of a Crisis Management Team (CMT) at headquarter level and Incident Management Teams (IMT) at a local level. Both teams should base their work on clear procedures with clear role distribution and a pre-determined mandate. These procedures should be updated and rehearsed at least annually. In my experience, these exercises both induce preparedness into the crisis handlers and serve to expose weaknesses in the procedures.
I would like to finish off this article by emphasising that there really is no one-size-fits-all when it comes to duty of care. You must look into your own organisation and create the necessary overview of both the width and the depth of your duty of care, then write it down and communicate it to the relevant stakeholders.