Part V: Organisational Challenges
“Every business and every product has risks. You can’t get around it.” This quote is from the former President of Ford Motor Company and CEO of Chrysler, Lee Iacocca. Although the message is simple, it conveys strongly that we cannot and should not attempt to protect ourselves fully against adversity. Risk management and duty of care is about making deliberate choices about the risks that you run and instilling layers resilience and competence in your employees to make them robust to adversity.
In this article, I will focus on some of the obstacles that prevent organisations from implementing solid duty of care programmes – or even from making inquiries about their current practices. In a nutshell, I will argue that uncertainty is the main impediment to change. Uncertainty of the legal, financial, and operational requirements, and, not least, of where the responsibilities lie. The article is structured around three of the most common challenges against commitment to duty of care: costs, resistance from management, and a ‘slippery slope fallacy’.
Although most medium and large organisations in a Nordic context are factoring duty of care into their operations, there is still a widespread perception that it only adds a layer of complexity and costs; that it comes ‘on top of’ the existing organisation. However, this hides the fact that most organisations already spend considerable resources on risk management, security, HR, crisis management, and all the other elements, but in a fragmented manner and without oversight. In other words, duty of care activities hide among the operational costs of individual projects or business units. Good duty of care practice is therefore less about creating new processes, than about discovering and validating existing ones.
I am not out to discredit the notion that duty of care costs money. Indeed, as most will know, the operational context, including the conditions for employees and affiliated personnel, is a major component in the total cost of a project. Moreover, it is often the most volatile and unpredictable factor, which can make the difference between success and failure. A risk-based approach and clear lines of communication and decision-making can greatly diminish this uncertainty by turning ‘unknown unknowns’ into ‘known unknowns’. By taking a strategic look at duty of care, the management can allocate resources to where they create the highest impact or keep them in reserve for unforeseen events.
This leads me to the second line of resistance, which is a lack of commitment to duty of care from the top management. A common phrase is: ‘Well, I can see that this could make sense to others, but I think we are fortunate, as proven by the fact that nothing has ever happened to us’. In many instances, top-managers cannot base this assumption on actual evidence or knowledge, as often past incidents have not been recorded and therefore their lessons have not been incorporated into the organisational learning and decision-making process. Or they are soon forgotten or discarded as anomalies beyond the control of the organisation. But there is an even graver problem at play here. The statement runs in straight opposition to risk-based thinking, which implies looking at the past to determine the likelihood of future events. This is logical for all competent managers in their everyday operations, but too frequently replaced by a ‘it won’t happen here’ mindset when it comes to duty of care.
There is another variant to this challenge: when the management is of the impression that duty of care in its different guises is taken care of by somebody else. Either explicitly or implicitly, the expectation is that the individual projects or business units manage on their own and, if something unexpected should happen, the risk is transferred away through an insurance policy. In practical terms, this is how most operations are run. What is missing from this equation is that the responsibility ultimately lies with the top management. The key principle here is accountability, i.e. that the leadership makes active and conscious decisions based on knowledge.
Lastly, there is the idea that duty of care is the latest term in an insatiable demand for more security. After a century with ever-increasing requirements in health and safety legislation, we have long ago entered the golden age of CCTV, access controls, and security guards. On top of this comes a plethora of IT-related security systems to 3
protect intellectual property and data. More and more effort is spent on controlling the workplace environment and keeping an (often undefined) adversary away. This has been referred to as a slippery slope, where accepting one more layer of security means lowering the bar for the next layer. If we accept video cameras in the workplace, why not facial recognition? Why not registering whether the workers smile or frown when they do their job? And when we know, why not require a certain number of smiles per day? This may be slightly exaggerated, but not overly dystopian; similar ‘logical’ excursions are frequently heard as counter- arguments against new and unfamiliar practices. However, the ‘slippery slope’ argument is flawed, as it only accepts a linear trail of events and leads the discussion away from the original purpose of the practice.
Where duty of care differs from traditional security thinking is through its focus on the people involved. Good practice is less about control and more about being aware of the risks and infusing employees with a dose of resilience towards adverse shocks. On one hand, whatever the organisation, the employees will always be in the front line, so managers should not fool themselves into believing that everything can be controlled centrally. On the other hand, careful management is needed to cultivate the right responsiveness across the organisation.
Duty of care is a strange beast in the jungle of management vocabulary. It has a degree of softness to it (‘care’), but also invokes a hard, unavoidable responsibility (‘duty’). I believe that the uncertainty and the three above-mentioned ‘lines of resistance’ originate in this paradox. Few will oppose that a manager should take precautions to prevent foreseeable harm to his/her employees, but how do I show that ‘I care’? The best answer I have found is that duty of care is about knowing what risks you run and documenting your decision-making relentlessly. By its nature, negligence is rarely discovered until after something goes wrong, and by then, we are biased by hindsight and can only see fault where there used to be uncertainty. Through meticulous documentation, it is possible to retrace the process and explain why a particular decision was logical at the time.
To summarise, the resistance against introducing duty-of-care practices in organisations stems in large part from uncertainty. Uncertainty of the costs involved and of what we get out of it. Uncertainty of the responsibilities involved and what that means for the top management. And uncertainty of the unintended consequences of adopting yet another new concept. In the above, I have laid out the argument that these lines of resistance in peculiar ways become the very argument for adopting a duty-of-care perspective: to systematically and deliberately investigate the risks your employees face and empower them to mitigate them. Duty of care is not a device for control, but for decision-making. It cannot be ‘managed away’ to others, it needs to permeate the organisational culture all the way to the top brass.