How to deal with crises and civil emergencies: the 'legals' (Part 1)

Dan Gardner in his book, Risk: The Science and Politics of Fear, notes that the media typically ensures that, 'the dramatic, the frightening, the emotional and the worst-case are brought to the fore'.

In other words: panic! Panic now! Upend your desk and run for your life.

That's what many news stories make us want to do.

So how do businesses ignore unwarranted fear in order to deal with the risks posed to them in a rational and methodical way?

It is clear that companies should be aware that human beings aren’t always good at understanding and evaluating risk. For example, type ‘Ebola’ into Google News and millions of results are returned. Do the same for ‘space weather’ and you get a paltry 16,000 results. Yet, according to the government the likelihood of a severe space weather event, which could fry satellites and snuff out electricity networks on the ground, is greater than the risk posed by infectious diseases such as Ebola.

Below, we set out excerpts from Lexis®PSL Commercial’s Practice Note on what businesses (and those legal practitioners that advise them) can do to understand and deal with the risks posed by unexpected crises and civil emergencies.

Today, we set out the part of the note dealing with:

  • key risks for businesses
  • regulatory compliance, and
  • HR considerations

Next time, we’ll look at:

  • contractual considerations, and
  • business continuity planning

Civil emergencies or crises--implementing risk mitigation strategies for good corporate governance

Key risks for business

High profile instances of influenza pandemics, haemorrhagic fever epidemics (eg Ebola), ash clouds, other natural disasters, civil unrest and other civil emergencies or crises have highlighted the need for businesses to implement appropriate risk mitigation strategies as a matter of good corporate governance.

This Practice Note considers the key legal risks for businesses posed by such events. It outlines what mitigation strategies businesses should be putting in place to safeguard themselves should the worst happen.

Risk from what?

The National Risk Register of Civil Emergencies (2013 edition) outlines various risks to which businesses may be vulnerable in respect of which risk mitigation strategies should be considered:

  • risks of terrorist and other malicious attacks: eg catastrophic terrorist attacks, attacks on infrastructure (including cyber attacks), small-scale CBR attacks (ie chemical, biological or radiological attacks), attacks on crowded places, attacks on transport systems and cyber attacks (on confidential data), and
  • other risks: eg major accidents (transport and industrial), flooding (coastal and inland), volcanic eruption, infectious diseases, animal diseases, drought, public disorder, severe wildfires, pandemic influenza, severe space weather, low temperatures and heavy snow, storms and gales, and disruptive industrial action

The so-called 'Arab Spring' and social unrest in certain countries in the Eurozone have shown that businesses can also be drastically affected by civil unrest, whether or not it results in malicious attacks of the type referred to above.

Risk to what?

The Civil Contingencies Secretariat (CCS) of the Cabinet Office recommends that all businesses should undertake a business impact analysis and a risk assessment analysis in respect of these risks. The Cabinet Office, in partnership with the Business Continuity Institute and Emergency Planning Society, published a Business Continuity for Dummies guide in 2012 which is of particular interest to small and medium-sized enterprises (SMEs).

A business impact analysis typically considers the following issues:

  • what are the business's most important products and services?
  • what are the critical resources needed to support these?
  • how might these resources be put at risk?
  • how will these resources be kept in place in the event of a disaster/civil emergency?

The risk assessment analysis which follows is based on the results of the business impact analysis. The risk assessment analysis would typically consider the risks which could occur to the critical resources which would impact on a business's ability to deliver its key products and services.

Both types of analysis typically involve qualitative and quantitative elements, and are intended to result in a discrete output--a business continuity management (BCM) strategy for the business going forward. The BCM would find tangible expression in a business continuity plan (BCP) (discussed in more detail below).

For more information on developing plans see the Cabinet Office's guidance: Resilience in society: infrastructure, communities and businesses (under the heading 'Business Continuity'). There is also a link to the CCS' Business Continuity Management Toolkit.

A business impact analysis and a risk assessment analysis inevitably focus on the products and services of a business. In other words, their concern is to protect whatever generates a business's revenue. However, a BCM strategy should also take into account other factors which can impact upon a business's long term viability (even if, on an emergency basis, they do not call into question immediate business operations or prejudice current revenue generation).

Accordingly a BCM strategy should also consider the impact of a disaster or other civil emergency on, eg:

  • regulatory compliance
  • liability to claims, including employment and contractual claims
  • other businesses relied on in the supply chain, and
  • business reputation

These matters are considered below.

It is also worth checking the GOV.UK website from time to time as government departments often provide specific guidance for specific events, such as certain types of epidemic. For example, in September and October 2014, the government produced guidance (eg to UK airports, aerodromes, airlines, ports and shipping operators) on the Ebola virus.

Regulatory compliance

Financial services

What type of regulatory compliance will be an issue for a business depends, of course, on the sector within which it operates.

For businesses regulated by the Financial Conduct Authority (FCA), the FCA has prescribed various generic obligations requiring such businesses to plan for business continuity and disaster recovery in order to manage operational risk. The FSA (the predecessor to the FCA) has published a Business Continuity Management Practice Guide to provide general guidance to regulated businesses.

When applying for authorisation, firms must provide a brief description of business continuity and disaster recovery plans for the firm and IT systems. Firms must also include the details of any third-party involvement. Firms should follow the relevant rules and guidance in the FCA Handbook, including the Senior Management Arrangements, Systems and Controls sourcebook (SYSC).

The Financial Sector Continuity (FSC) website was established by the UK's financial authorities (HM Treasury, the Bank of England and the FCA) to provide a central point of information about work on continuity planning which is relevant to the UK's financial sector. Further resilience information is also set out on the FSC's website (now hosted by the Bank of England).

Generic regulatory requirements

There is, of course, a whole range of generally applicable regulations and laws that may be relevant during a disaster or other business disrupting event. A business needs to ensure on-going compliance with the Data Protection Act 1998 (DPA 1998), for example, even when its systems have been the subject of, say, a malicious attack. Similarly confidentiality of its business arrangements and proprietary data will need to be maintained. Requirements to report and account for National Insurance Contributions and PAYE will continue to apply in relation to payroll processing. Statutory reporting requirements applicable to companies and limited liability partnerships will continue to apply.

In addition, a business will need to comply with any emergency legislative or regulatory requirements put in place. For example, measures may be implemented under the Civil Contingencies Act 2004 (CCA 2004) on an emergency basis.

HR considerations

During a pandemic or other civil emergency, employee absenteeism is likely to become an issue due to safety concerns amongst the workforce. Businesses need to be aware that employees have certain, limited, rights in this regard.

Time off for dependants

For example, in certain defined circumstances, employees have a right to be permitted to take time off during working hours:

  • to care for, or arrange care for, 'dependants', or
  • when a 'dependant' dies

Where an employer has unreasonably refused to permit an employee to take time off as required by the right, the employee may have rights to bring a claim in an employment tribunal. For more information on the rights of employees in this regard, see Time off for dependants.

Employee claims

The central focus of any BCP should be early consultation about work contract changes to avoid making unilateral revisions which might result in litigation.

Employment contract changes should look at each of the following to ensure that enough staff are available to cover essential roles:

  • rearranging previously planned absence
  • redeployment and retraining
  • carry-over of annual leave, and
  • use of overseas personnel from group operations

For more information on the legal liability associated with unilateral changes to employment contracts, see Changes to contractual terms.

Employers will need to consider the impact of reduced worker numbers on their remaining employees and ensure that any risks resulting from such changes are assessed and controlled to meet the duties placed on them. Employers have a duty to ensure the health and safety of all of their employees and to provide a safe place and system of work. These duties exist under both the common law and statute--eg, in the Health and Safety at Work Act 1974. For more information on the health and safety requirements applicable at work, see the Health and Safety--overview and Practice Notes: Introduction to health and safety law, The structure of UK health and safety law, Summary of key health and safety regulations, Management of health and safety at work, and Breach of statutory duty--health and safety.

Employers who do not take steps to reduce the risk of employees developing, for example, pandemic flu may face employee claims for personal injury and negligence. This could be in addition to potential claims for breach of contract for failure to protect employees' health and safety and possibly breach of the implied term of trust and confidence--see The term of trust and confidence.

Of course, the business response needs to be proportionate to the risk. It may be difficult to prove that an individual became infected at work and that it was the employer's fault. The employee would need to show that, but for the employer's failure to protect them, they would not have contracted the relevant disease. This will be a difficult hurdle for many employees to overcome.

Other types of claim could also arise, such as litigation under discrimination legislation. Such litigation would be more likely where employers have applied their discretion as to flexible working or sick and dependent leave in an unequal manner. For more information in relation to discrimination claims, see the Overview Document.

Employers should properly consider working from home and flexible working requests, and promulgate and advertise internally the policies on this as well as the sickness policy. It is important that such policies are applied consistently.

If a vaccine against a pandemic disease were to become available, employers are not under any duty to provide this to staff. Businesses with offices overseas in areas affected will need to consider whether they should introduce quarantine measures for those returning from such areas.

Where there is concern as to whether an individual is unwell, it may be appropriate for them to work from home until the position is clear.

Policies will need to be developed and promulgated in relation to whether it is safe to send people on business trips to affected areas, or whether it is preferable to make use of video conferencing or other work around solutions.

Disciplinary action?

When staff remain away from the office, or refuse to work with someone whom they believe has been in contact with a pandemic disease, employers will need to be pragmatic. Arrangements can be made for some staff to work from home.

Whilst employers may be entitled to take disciplinary action against staff who stay away from work without authorisation, or who refuse a reasonable instruction, any benefit to the business in pursuing such a course of action will, of course, need to be balanced against any adverse reputational impact (internally and externally) which could ensue from doing so.

Employers should in such cases consider the advice provided by the Department of Health, Department of Trade and Industry and the World Health Organisation. If an employer followed such advice and an employee still refused to come to work, disciplinary action might well be considered to be a proportionate response.

Redundancies?

In some sectors (healthcare in particular), the effects of a pandemic are likely to significantly increase the demand for services, and consideration needs to be given as to how these peaks in demand will be met. In other sectors the converse will be true. For example, in the travel and entertainment sectors there is likely to be a reduction in demand. Businesses which involve public gatherings could even be closed compulsorily by government order.

If such a fall in demand were sustained, this may lead employers to consider cost cutting measures and even redundancies. If this is the case, employers will need to balance the costs of retaining staff during a slow period against the cost of making them redundant and losing their skills and experience.

Employers will find it useful to discuss their contingency plans and proposals with employee representatives and trade unions so that a clear and joined up message can be passed down to employees.

So what systems do you have in place? Or do you think that this is just a distraction? Do let us have your thoughts below.
