As we continue into 2021, it's no secret we are still reeling from the aftermath and impacts that 2020 unleashed across the globe. That's why—now more than ever—it is critical that companies prioritize their duty of care plans, or risk falling behind for good. Below, we speak to Hugh Dunleavy, Senior Vice President, U.S. Operations and Chief Security Officer of Crisis24, a GardaWorld company, about crafting a robust duty of care program.

Security: What is your background and current role and responsibilities?

Dunleavy: I am the Senior Vice President, U.S. Operations and Chief Security Officer of Crisis24, a GardaWorld company. Crisis24 is a large corporate risk management company, providing a full spectrum of open-source business intelligence, risk management, executive protection, crisis security consulting services, and evacuation support to many of the largest and most complex international organizations in the world. I bring in excess of three decades of U.S. Federal law enforcement, U.S. military, and private sector corporate security and risk management expertise to Crisis24.


Security: Why is continuous people risk management and Duty of Care more important than ever?

Dunleavy: “Duty of Care” is a legal term generally referring to an evolving standard of care that a reasonable and prudent organization, risk manager, or executive is expected to take in order to mitigate potential risk to their staff. “Duty of Care” is not a static term; it is an evolving definition which is broad in scope and includes the extended workplace, including business travel and expat assignments. Duty of Care may include employee awareness, training, safety, physical security, medical and mental health support. Employer obligations under the Duty of Care standard routinely extend beyond the workplace and traditional work hours and likely include extended responsibilities to dependents, contractors, business partners, etc.

Global events present dynamic challenges to organizations and their workforce. Incidents that may affect organizations and staff may occur at any time of day, anywhere on the globe, often with little or no advance warning, and, as is often the case, outside normal business hours. This continually changing threat environment requires a continuous approach to assessing, mitigating, and managing risk. An effective Continuous Risk Management (CRM) program relies upon a well-established process, driven by high-quality, accurate, and timely intelligence, supported by sophisticated technology and professional risk management staff intended to provide proactive and responsive mitigation solutions. A robust Continuous Risk Management (CRM) program is an integral component and provides direct support to an organization’s Duty of Care for its staff.

Duty of Care comes in many forms. In July 2020, Crisis24’s Response Operations Center was notified by a client, a faith-based organization, that one of their missionaries in Nigeria and his family were targeted by Boko Haram and required immediate support. We were able to secure their location, assess their medical condition, and arrange for safe evacuation back to the United States.

One month later, we supported another client, a global NGO, with locating more than 200 expats, traveling staff, and dependents during the explosion in the Port of Beirut. Our security team, using advanced notification technology, began reaching out to these individuals within minutes of the explosion, provided updates to the clients on their status and wellbeing, and in some cases, facilitated medical response.

“Duty of Care” does not always have to be quite as dramatic as these examples. This past January 6th, for example, Crisis24 used its mass notification technology to effectively communicate with our staff working and living in the metro Washington DC area, to avoid the violent protest activity unfolding at the U.S. Capitol. With a number of our team working from home during the COVID-19 pandemic, our Duty of Care extends to ensuring their wellbeing at their home office locations as well.


Security: What are the essential elements of a robust Duty of Care program?

Dunleavy: Effective Duty of Care is directly supported by a robust Continuous Risk Management (CRM) program. Organizations require situational awareness into their global risk exposure, and Continuous Risk Management provides the framework for organizations to assess and manage risk. CRM is a process, and as the name implies, a continuous cycle of evaluation that can enable organizations to quantify risk metrics unique to their organization, monitor and assess those risks on an ongoing basis and inform critical decision makers. The intent is to support sound business decisions to mitigate or avoid risk from all hazards that may adversely impact staff and operations.

Essential elements of effective Duty of Care include a robust Continuous Risk Management (CRM) process, intended to support a number of critical components:

  • Monitoring – (timely, accurate, and effective intelligence)
  • Notification
  • Communications
  • Preparation / Avoidance (Training, Pre-Incident Planning, Exercises)
  • Response / Recovery
  • Post-incident Critical After-Actions / Lessons Learned

It is crucial that organizations learn from and improve incident response procedures. Regardless of the scale and impact of a disruption or incident, and the effectiveness of existing control measures, it is essential to take the opportunity to learn from your organization’s response and improve your program.


Security: How can businesses evaluate their TRM policy and trainings, and the most common gaps in existing policies?

Dunleavy: Routine evaluation of an organization’s Travel Risk Management (TRM) program and policies is critical to ensure effectiveness and support Duty of Care. Benchmarking corporate TRM policies with trusted industry partners is a well-established and effective mechanism of self-evaluation of TRM policy and guidelines. However, semi-annual external TRM policy audit and policy review by a qualified external crisis security consulting provider is the preferred mechanism of TRM program evaluation.

Effective TRM policy consists of proactive and reactive elements, fundamental concepts essential to develop, implement, assess, evaluate, and maintain a formal, organization-wide TRM program. A robust TRM program establishes a capacity to proactively plan, train, monitor and establish event triggers for travel restrictions. A robust TRM program includes established reactive capabilities and resources to notify, communicate, and respond to traveling staff. A well-established TRM program further supports the recovery of traveling staff impacted by a given incident, and their subsequent potential medical and mental health recovery requirements. The effectiveness of a TRM program depends on strong leadership and requires the support and commitment of senior management and active participation from all staff, to ensure its adoption and integration into the governance of the organization.


Security: Why is implementing a Duty of Care program so vital for the long-term survival of a business?

Dunleavy: Providing reasonable safeguards for the most essential assets of any organization to the greatest extent possible is critical. Organizations go to considerable lengths to protect their intellectual property, business and information systems. Companies take significant effort to secure their facilities from all manner of hazard – physical security, fire protection, access control, and information technology security.

The core of every organization is its people: its staff, contractors, consultants, vendors, and supply chain providers, etc. These critical human capital assets create and drive business; they are the key to the long-term success and survival of any organization.

Aside from the legal requirements and ramifications associated with Duty of Care, which holds organizations, and their executives, responsible to provide reasonable and prudent safeguards for their staff, it is just sound business practice to safeguard your organization’s “crown jewels” – its people.

Organizations, regardless of the nature of their business (defense, energy sector, faith-based, academia, food industry, humanitarian, etc.), routinely send their staff to regions where the security situation is marginal at best or the environment has been compromised. Organizations have a legal requirement to ensure the “Duty of Care” for their most important assets. Employees are keenly aware of an organization’s responsibilities to its staff. Training, intelligence, 24/7 multi-factor communications with redundancies, geo-location technologies and an effective response plan are integral to providing Duty of Care. Organizations that effectively provide for the security and well-being of their staff are better able to retain quality staff and accomplish their mission. Ensuring a robust capability to provide for the Duty of Care of an organization’s staff directly supports its success and long-term viability.