The last three years have been a show-stopping, re-orienting series of events that fundamentally changed how many of us view the world. First the pandemic, then civil unrest, natural disasters, cybersecurity threats, the war between Ukraine and Russia.
In response, companies have zeroed in on risk management in an effort to protect employees and preserve business in a time of sustained uncertainty. If you are a risk manager, you’ve felt the pressure more than anyone else. If you were behind the scenes before, you — and the policies you create — are now in the spotlight.
That’s why we want to share the four crucial policies every risk manager needs. None of these policies can replace each other, and they can’t operate sufficiently on their own. They build on one another, making your company more prepared and more able to respond to crises.
One: Standard Operating Procedure
Standard operating procedures (SOPs) are the bones of business operations. They shape company culture by outlining how everyday practices should be performed so service and products are delivered consistently and employees and customers are safe. SOPs are a step-by-step guide for all personnel to ensure tasks are performed the same way across an organization.
Documented SOPs for a corporate office could be as basic as new employee orientation, background checks, building entry safe guards or a list of travel expenses covered by the company.
“The better your initial standardized everyday policies and procedures are, the safer and more effective your organization will be,” said Harding Bush, manager of security operations at Global Rescue. “It’s about creating a culture that effectively balances productivity with safety.”
In the past, SOPs may not have included specific cybersecurity protocols, like frequent password updates or two-step verification. They may have had less extensive pre-travel planning and limited during-travel risk monitoring.
But these days, updating existing SOPs to include such measures has become critical. For example, the pandemic opened the floodgates on remote work, forcing companies to amp up their SOPs to cover a remote workforce, digital nomads and bleisure travel. These updates weren’t just about employee perks, they also beefed up cybersecurity measures to protect their assets while employees worked out of the office and put measures in place to ensure staff work product was safe while traveling.
Policies should now include extensive pre-trip analysis. Global Rescue members can take advantage of Global Rescue’s in-depth destination reports as a part of their SOPs in this new era of remote work and travel. Reports tip off travelers and risk managers to potential risks on the ground and how to avoid them. Alerts, issued during travel, keep everyone apprised of current events — and potential health and safety risks.
[Related Reading: What Are Travel Alerts?]
SOPs are the most foundational of the four policies. But they can’t fully protect from an unexpected emergency.
“Risk managers need to plan ahead and lead the charge,” Bush said . “An effective SOP will reduce the likelihood of an emergency and an effective emergency action plan (EAP) will lessen the impact and consequences of an emergency.”
Two: Emergency Action Plan
Emergency action plans are more important than ever these days. For many, COVID-19 was the unexpected emergency that couldn’t be avoided — the very reason EAPs are created.
EAPs are procedures around safety that go into effect when an emergency actually happens and the standard operating procedures fail or are no longer sufficient.
“Some emergencies, like contracting COVID or suffering a heart attack during a work trip, cannot be avoided,” Bush said. “But a good EAP will lessen the impact and consequences of the emergency.”
While SOPs are proactive procedures that can help avoid an emergency, EAPs are reactive, dealing directly with a situation.
Take a classic example: An employee is on a business trip abroad and gets food poisoning following a client lunch. There needs to be a plan in place to make sure they can get medical care should things go south. Dehydration, if not addressed, can quickly lead to a hospital visit. Does your employee know where they can get clean water to help them stay hydrated? How can they assess if a hospital trip is needed? And where can they go to get the right medical care? The answers will come from following the EAP.
These days, EAPs provide a depth to duty of care that employees are beginning to expect. Especially if employees are traveling for your company, they want to know there is a plan in place should an emergency arise. Global Rescue helps its clients plan for travel emergencies, often going ahead of the company to do a risk assessment on the ground.
In the case of conference planning, “the process starts months ahead,” Bush said. “We liaise with organizers, review, assess and assist with development of medical and security protocols, visit the site, and look at all the involved entities: airport, transportation companies, hotels, various restaurants. We’ve made the appropriate relationships with everyone involved to identify and avoid any escalating security situations.”
When creating your EAP, widespread involvement is imperative. At a corporation, risk managers will need to build their EAP team with colleagues from human resources, operations, finance, legal and logistics. These leaders can identify potential emergencies across geographic locations, types of worksites, structural features and local emergency resources and response time. The earlier this involvement happens, the more successful planning, creation and implementation will be.
Does your organization have an EAP? If not, it’s time to get one, and the security experts at Global Rescue can help.
“From creating an emergency action plan or blueprint for best practices to reduce the risk of liability and keep people safe during an emergency, Global Rescue provides intelligence capabilities customizable to your business needs,” Bush said.
[Related Reading: Legal Duty of Care]
Three: Business Continuity Plan
Unexpected emergencies happen. They can be scary for employees and disruptive for business operations. But they don’t have to shut everything down. With a strong business continuity plan (BCP), businesses have specific protocols to get them back on track.
BCPs include systems of prevention and recovery to maintain operations during or just after an emergency, like a natural disaster.
What if a city needs to be evacuated due to a Category 4 hurricane on the horizon — and it is the location of your business headquarters? Do you have a plan to scale up IT to quickly secure the influx of remote workers? If your work must be done in person, can it happen at an interim location? Is there any company support for the hardship your employees are experiencing, such as gas mileage reimbursement, funds for housing, etc.?
Having a BCP doesn’t mean there won’t be gaps in productivity. It means those gaps don’t have to be permanent because there is a clear path to full business function, even if you are not yet back in the office.
Most importantly, a BCP must be rehearsed in advance.
“The business continuity plan should be carefully reviewed and validated,” Bush said. “An example is a company rehearsing work-from-home protocols department by department, on a regular basis, so they are ready for such a situation.”
Four: Disaster Recovery Plan
The hurricane hit, and it hit hard. Your employees followed the BCP that they rehearsed several times before and business has stabilized. But what is your plan to return to the office and get things back to normal? That’s when your disaster recovery plan sets in. It helps companies get back to work after a major disruption. It provides guidance and sets rules around the re-opening of your facility and the return of employees to the office.
What if a portion of your building was flattened during the hurricane and needs to be rebuilt? A disaster recovery plan will set a timeline for the build, allowing employees back into the office when it is repaired and safe again. This could happen all at once or in phases, depending on the building and the type of work. The disaster recovery plan will guide your company through that process.
Disaster recovery plans must be made inherently flexible so employers can respond nimbly to situations — like delays in building repairs. It must have buy-in from all responsible parties so updates can be communicated clearly and promptly to employees.
“The plan and its procedures must be current,” Bush said. “Its effectiveness must be validated and it needs to be understood and acknowledged throughout the organization, especially those with key roles and responsibilities during an emergency.”
Travel Risk and Crisis Management
The challenges companies face today are great. But your strength as the risk manager is in being able to turn those challenges into opportunities for your organization.
These policies will empower you to do just that. An enhanced standard operating procedure with more IT support for remote work allows your organization to offer perks like bleisure travel — which can help retain employees — while protecting yourself from cybersecurity threats. An emergency action plan helps your employees feel safe to take business trips in today’s complicated world — a real competitive advantage against other companies who don’t create safe environments for their traveling employees. Your business continuity plan will keep your business alive through the next disruption. And your disaster recovery plan will help you restore business to normal.
Don’t have a risk manager? Need extra support? Global Rescue can help you create, communicate and execute on these policies with our customizable travel risk and crisis management services. Every day, we help companies large and small around the world to stay prepared and stay safe. Let us help you, too.
If you are traveling with a disability, planning a trip—especially intern...
Contracting COVID-19 is nothing to shrug off. It’s a serious disease, esp...
Let two pro family travelers share their family travel tips and stories on ...