Security crises of multiple kinds loom as credible threats to UK organisations and their employees. From emergency repatriation and being caught up in a terrorist attack to kidnap while travelling overseas and extortion, almost every company faces the possibility of suffering dramatic, disruptive events that can also have unsettling, damaging and potentially long-lasting effects on their people.
In today’s fast-evolving climate of security threats, the risk is tangible. In a recent YouGov poll for Arthur J. Gallagher, two in five (40 per cent) large UK companies reported already experiencing a security threat in the past 24 months, and accepted that the risk is rising. Small organisations can just as easily be affected, and are often more vulnerable, but the research found that UK SMEs are underprepared – only 17 per cent had tried to assess their exposure.
To ensure any organisation maximises its resilience and employees’ wellbeing, they must proactively engage and coordinate the efforts of all key functions to successfully anticipate, prevent, respond and recover from these threats. HR departments have a central role to play in these resilience-building efforts, not least because every company has a legal duty of care to its employees.
HR must work alongside risk, security, finance, IT, communications, legal and real estate with planning, preparation and training lying at the heart of the process.
To help satisfy your duty of care to employees who may be involved in an incident, HR teams should:
- ensure all employees know which colleagues are involved in crisis response, and require them to provide and regularly update their emergency contact details and personal information;
- maintain real-time information about colleagues’ movements, and provide them with an effective information flow regarding safety critical issues;
- provide situational awareness training, such as what to do if caught up in civil commotion or a marauding terrorist attack, incorporating the UK counter-terrorism police’s ‘run, hide, tell’ recommendation;
- create a robust process and clear awareness of travel emergency response, including medical assistance information, evacuation and repatriation procedures, together with contact details; and
- offer access to post-incident trauma counselling and other return-to-work support for those caught up in and negatively affected by security events.
Employers must avoid a ‘box ticking’ approach to anticipating and preventing security threats. From the top down and the bottom up, everyone must understand the importance of resilience-building measures. This is where cross-functional coordination is key.
The first step is to anticipate. What threats might the business face? From an HR perspective, the question should be recast: what threats may employees face? Being small, remote or low profile does not make you immune — many of today’s security threats are often not targeted at any particular organisation or industry. HR departments should brainstorm these questions, perhaps with support from risk specialists.
The second step is prevention. Appropriate training and regular updates are a good example of preventative measures. Simple communication can often avert a crisis. When employees are on the road, for example, they can be required to check in at intervals, alleviating concerns that, should a terrorist or other security incident suddenly occur, they are affected or involved.
The third step, to respond, has its foundation in excellent planning. Cool heads should prevail in times of crisis, and that is much more likely when delegated individuals take the lead and follow carefully prepared crisis response plans. Everyone in the organisation should be aware of these leaders’ responsibilities.
Unfortunately, Gallagher’s research found that only two-thirds of large UK companies have either a business continuity or disaster recovery plan, with only half of those regularly testing them. Fewer still (59 per cent) have a crisis management plan. Among SMEs, the picture was worse – 43 per cent have no crisis or continuity plans at all. This reveals a large gap in UK companies’ crisis resilience and, ultimately, employee welfare.
The final step is recovery. When events do happen, a swift return to business-as-usual is a key goal. From a people perspective, that means ensuring every employee affected has the post-incident help and support they need to recover and return to work.
Paul Bassett is managing director for crisis management at Arthur J. Gallagher