Written by Isha Pinto, Consultant
In talking about duty of care, we often fall into a trap wherein we exclusively focus on the actions that need to be taken in order to fulfil our obligations. As a result, what ends up happening is that we forget one of the most essential aspects of duty of care: risk communication. If risk communication and action don’t go hand in hand, you will be unable to live up to your duty of care. In the following article, I will explore what effective risk communication between employer and employee means and present concrete applications of how risk communication could be implemented in organisations.
One of my favourite parables about communication is that of the elephant and the five blind men. Five blind men happen upon an elephant, a creature that they have never come across before. The first man grasps the elephant’s trunk and promptly declares that what they have in front of them is a snake. The second, feeling the elephant’s sturdy side, argues no, what they have in front of them is indeed an immovable wall. This continues as the men encounter the different parts of the elephant — its tail, tusks, legs, ears — none of them able to come to agreement on what this is. I love this parable because it demonstrates the challenges of subjective experience and perspective, and highlights the importance of a communication culture.
As in the parable, the criticality of effective risk communication within organisations lies in risk perception: the very personal manner in which individuals interpret risk. Often, you will find that an employee who is travelling to London will be more afraid of being impacted by a terror attack, when in reality, traffic accidents present a much higher risk. To put this in perspective, in 2017, 18 people died and 137 were injured as a result of terrorism in London, while 131 people were killed and 3750 people were seriously injured due to traffic accidents. People have a tendency to ascribe a high level of risk to threats which have a low likelihood and high impact, while ignoring risks which are often more consequential. In other words, people are much more likely to direct their attention to radical events such as terrorism, kidnapping, or plane crashes. When these events occur they get a lot of airtime, giving the impression that they occur frequently.
When we perceive risk, we make snap judgements about the likelihood vs. impact of a threat. This is often influenced by one’s experiences, disposition, and exposure. And because risk perception is not always congruent with objective reality, risk thus becomes a highly subjective object. Once again, going back to the example of traffic accidents, globally, a person has a 1 in 112 chance of dying in a motor vehicle crash, compared to a 1 in 95,566 chance of dying in a commercial plane crash. However, traffic accidents almost never rank as highly in terms of risks that people are concerned about.
Risk perception is significant because it is something that people model their behaviour on. In terms of risk mitigation, people will direct their attention and resources to treating the risks that they are most concerned about, while consequently ignoring or de-prioritising those they see as insignificant. If this dissonance is not addressed, not only will it result in misallocated resources, but more crucially, a failure to manage the risks at hand.
The upside in all of this is that risk perception is malleable. Risk communication — or the articulation of risk — bridges the gap between a travelling employee’s risk perception and the assessed risk to the traveller. Effectively done, this allows your organisation to make decisions on the risk mitigation measures that need to be taken in order to ensure that your employees are appropriately equipped. This articulation also enables your employees to make informed decisions about the risks that they are willing to undertake. In other words, they can provide informed consent, the bedrock that duty of care is built upon.
A recurring theme in our Duty of Care Series has been the importance of embedding duty of care into the culture of the organisation, as this improves the overall efficacy of the program. The risk that arises with compliance is that the program becomes a passive activity of ticking boxes. However, in my experience, people are much more willing and likely to follow meaningful rules. This is where the importance of duty of care lies and where it differs from traditional security. You do not fulfil your duty of care by simply implementing hard security measures. People need to understand the risks that they face, what is being done to mitigate them, and why. It needs to make sense to people. It needs to have meaning. When we have a why, and when this why is well communicated, people are empowered to make engaged, active choices.
So what does this all mean in practise? In the following, I will outline some concrete applications of risk communication that you can apply to duty of care within your organisation.
Conduct thorough risk assessments so that you are aware of all the known risks that your travelling employees face. Evaluate the threats that your employees could face and assess the likelihood and impact that this could have. Determine which risks are acceptable and which risks need to be mitigated in order to become acceptable. Put a mitigation plan in place that clearly describes what measures will be implemented to decrease the risk and to what extent this risk will be decreased. Clearly communicate what the residual risk is so that employees can make an informed decision about whether they are willing to undertake this risk or not.
Take threats seriously. Collect the best knowledge that you can and actively disseminate this information to your employees. Uncertainty will always exist, and unknowns will come into play, but no one can fault you for doing your best.
Standardise your risk communication, for example through levels such as low, medium, high, and extreme. These levels should be simple to understand and clearly defined so that all employees can understand them, not just security or risk managers. By standardising your communication and encouraging everyone to ‘speak the same language’, you provide employees with a frame of reference which helps to manage some of the challenges that arise from differing perceptions of risk.
Create a pragmatic culture where employees are educated and trained to identify the risks that they face, rather than those that are sensationalised in the media. Contrary to feeling too scared to travel anywhere, employees should be empowered to understand the risks that they face and how to manage them. A strong risk culture is one that encourages people to evaluate the risks at hand and take appropriate measures to reduce the risk to an acceptable level.
Train employees to take security seriously. Often, there is a lot of bravado associated with risk-taking — whether this is frequently travelling to high risk destinations for work or skydiving. However, this kind of thinking within an organisation can quickly become very toxic. As an employer, it is important to facilitate open discussions about risk to prevent a culture where people feel pressure to take unnecessary risks. For instance, if you have an employee travelling in Shanghai who gets into a taxi and finds that there are no seatbelts, they should be trained to know that they should refuse to ride in it.
Understand that risk is personal — both in the way that we understand it and experience it. In order to live up to your duty of care, you need to take this into consideration when treating risk, as well as when communicating it. What this means is that you cannot ignore risk perception. You need to accommodate perception in your risk management and communication strategies. A customised approach that takes interests, concerns, and habits into account is one that will benefit your travellers and your organisation.
Risk communication is an element that will make or break your provision of duty of care. Give it the attention and consideration it needs.
If you have questions or comments, please contact Søren Bisgaard Vase (firstname.lastname@example.org), Head of Analysis at Guardian-srm or Isha Pinto (email@example.com), Consultant.