Duty of Care and Security

Written by Isha Pinto, Consultant

It is very easy to conflate the concept of duty of care with security. For the casual observer, it can seem like duty of care and security are one and the same. This leads one to wonder: Is duty of care just the latest in a long series of management buzzwords? And, why don’t we just call it security? In this article, I am going to seek to address these fundamental questions and see if we can get closer to understanding the core of our responsibilities under duty of care.

If you look at the practical application of duty of care, you’ll find that it often comes in the form of added security — assessing the risks at hand and then implementing the appropriate measures (sometimes in layers) to ensure that travelling employees have the tools required to carry out their jobs safely and effectively. For instance, if you have a traveller heading to Nigeria, you might assess that there is an increased risk to the traveller in the form of kidnapping, terrorism, and health risks. In response, you might provide them with training on how to survive hostile situations and how to maintain a low profile, provide them with a trusted driver and car, create an evacuation plan in case of medical emergency, and inform them of where internationally accredited hospitals are located, amongst other measures. When you boil it down to the basics, these measures are largely just a way of ensuring the traveller’s physical security. So why, or how, is duty of care distinct from security?

Well, security is imposed from the top down, following the logic that it needs to protect a given asset by creating a barrier around it. This works very well when you are protecting a facility, for instance. Depending on the level of risk, you employ a fence, CCTV cameras, guards and other forms of access control. However, when it comes to travelling employees, this top-down logic will not suffice. Duty of care acknowledges that all risk cannot be transferred. In other words, risk mitigation measures can never reduce the risk to zero. And while an organisation can accept a certain amount of risk, they cannot directly do so on behalf of an employee. Duty of care necessitates that an employee must provide informed consent. Therefore, contrary to the top-down logic of security, duty of care is an iterative process that requires active engagement from employees. In this way, duty of care also means that the responsibility for employee wellbeing is diffused.

An employer has the responsibility to ensure that their employees have the information and tools necessary to stay safe, and that employees are empowered to make choices that ensure their wellbeing. However, an employee also holds responsibility in the sense that he or she must then use the tools and information as an active participant in the provision of their own security. For instance, in relation to the risk of kidnapping, an employer has the responsibility to ensure that, first of all, the employee provides informed consent. Following that, the employer then has the responsibility to ensure that the employee has appropriate security; that there is a communication plan in place wherein the employee maintains frequent contact with a trusted contact; that proof of life forms have been correctly filled out and safely stored; and that adequate insurance has been bought in case the worst happens. However, an employee also has a responsibility here. As active participants in their own security, employees must ensure that, in accordance with their training, they keep a low profile, vary their routines, and keep their itineraries confidential.

While the security department is a big player in the provision of duty of care, all parts of the business play an active role and the responsibility is diffused across the entire organisation. For instance, employees need to have a safe place where they can voice their concerns if they feel uncomfortable taking a trip or if they need to debrief after an incident has occurred. Depending on the make-up of the organisation, the responsibility here lies with the HR department. Another essential element of duty of care is ensuring that travellers have the right insurance in place, as well as the correct documents required to enter and operate in a country. This would likely involve the legal or compliance teams. Similarly, all departments within an organisation have a role to play. Duty of care is not just security; it is ensuring that an organisation is not negligent towards their employees.

Though we have discussed this before, I can’t underline enough how important it is that the meaning and intent behind duty of care are ingrained in the entire organisation. Because the responsibility is so diffused, the imperative (read: culture) for duty of care must come from the top. The C-suite or executive management is responsible for setting the tone and ensuring that the provision of duty of care is seen as integral to the fabric of their organisation. Duty of care is far less efficacious if people fail to understand the role that they have to play in its provision; and the responsibility for this can only be imbued from the top.

I’d like to leave you with two main conclusions:

  1. Security is an integral aspect of duty of care. BUT, it is just one part. While it might seem like semantics, it is important to draw a distinguishing line between the two. Duty of care is distinct from, and extends past, security. While an organisation employs security to ensure business continuity and fulfil their broader financial obligation to shareholders, duty of care is essential to ensuring that the organisation fulfils its social responsibility to employees by ensuring that their wellbeing remains a focus and priority.
  2. The responsibility for duty of care lies with the whole organisation. Unlike security, which can be outsourced to external providers, duty of care must be managed and prioritised internally. While security is the protection of assets, duty of care concerns responsibility; therefore, it cannot be relegated or treated as simply another business cost.