In recent years, the concept of duty of care has firmly established itself in the lexicon of international NGO risk management. But what exactly is duty of care? And more importantly, what can organizations do to maximize duty of care for their personnel around the world?
First, a definition:
The responsibility or the legal obligation of a person or organization to avoid acts or omissions (which can be reasonably foreseen) to be likely to cause harm to others.
Perfectly clear, right? Well, maybe not. As this definition illustrates, duty of care is a broad concept rather than a precise standard. At its core, duty of care is focused on the need to provide reasonable measures to address foreseeable risks. To successfully meet duty of care obligations, organizations should have a broad-based, holistic approach to risk management for their global operations. Key elements include:
Assess risk. Organization-specific assessments identify those foreseeable risks, forming the foundation of risk management upon which all plans are built. Comprehensive baseline assessments are important, but risk is dynamic and ever evolving, so ongoing updates are essential, especially prior to travel, new or significant activities or following major changes in the environment.
Gather info & build culture of awareness. Good decisions require the most timely and accurate information available. Establish an information network of diverse sources, including embassies, security firms, peer organizations, local partners and staff. Share information to avoid the “why didn’t anyone tell me that road was dangerous” moments.
Integrate risk management into project planning. All too often, risk management is an afterthought in project planning, resulting in incongruent procedures that appear to hamper activities. Weaving it into planning early increases awareness and buy-in and allows risk management to serve as an enabling element.
Communicate, train & educate. Inform and warn prior to travel and deployment, then periodically update since risk is dynamic. Provide training based on risk environment and role – for example, senior staff expected to assist in an emergency should be trained in incident management and drivers should actually receive training (don’t just assume they “know how to drive”). Include experienced staff and those with training from prior roles (US Government, other companies or organizations) since procedures and systems vary across different organizations.
Build risk-based plans & procedures – update, communicate & enforce. Plans should be living documents built around the risks identified in assessments and updated as the environment evolves. Nicely bound, multi-volume plans may look great but they are easily outdated, quickly becoming irrelevant. And if no one follows the plan, it may be worse than not having one, so communicating and enforcing plans and policies are essential.
Incorporate community best practices. Benchmarking your risk management systems to peer groups is an effective way of understanding if your systems are reasonable and helps reduce the chance you’ll be confronted with the question: “no other organizations were driving that road at night, why were we?” Peer networking groups like the Overseas Security Advisory Council’s International Development Working Group (IDWG) and the International NGO Safety and Security Association are great starting points.
Plan for and practice crisis management. Don’t wait for a crisis to think through response. Build a plan tailored to your organization, identify internal and external resources and conduct training with key personnel.
Track personnel. Knowing who is where helps understand risk exposure and assists with accountability and communication in the event of an emergency or incident.
Implement & test emergency communications. Communication is critical for sharing information about specific risks, as well as to account for staff and pass along instructions in the event of an emergency.
Align resources to risk. Ensure internal and external resources have the capacity to address organizational risk. Internally, this includes security, legal, human resources, finance and IT. Key external resources:
- Insurance – Business Travel Accident (BTA), Workers Compensation, Defense Base Act (DBA), Special Risks/Kidnap, Ransom, Extortion
- Medical and security assistance companies
- Crisis response providers
- Staff resiliency and trauma support
So, if an organization does all of these things, they “achieve” duty of care? Unfortunately, it’s not that easy. Not only is risk dynamic, but how organizations encounter risk changes as they take on new programs in different environments. And risk management best practices are ever evolving. Meeting duty of care obligations to a global workforce requires plans, procedures and resources that are tailored and adjusted over time to an organization’s specific risk exposure. While nothing provides immunity from risk, appropriate systems prepare organizations and companies for the challenges they face operating internationally and lay the foundation for effective duty of care.
 Business Dictionary, http://www.businessdictionary.com/definition/duty-of-care.html