The four crucial policies every risk manager needs

The last three years have been a show-stopping, reorienting series of events that fundamentally changed how many of us view the world. First the pandemic, then civil unrest, natural disasters, cybersecurity threats, and the war between Ukraine and Russia.

In response, companies have zeroed in on risk management to protect employees and preserve business in a time of sustained uncertainty. If you are a risk manager, you”™ve felt the pressure more than anyone else. If you were behind the scenes before, you ”” and the policies you create ”” are now in the spotlight.

And that spotlight can be hot unless you have the four crucial policies every risk manager needs in place. None of these policies can replace each other, and they can”™t operate sufficiently on their own. They build on one another, making your company more prepared and more able to respond to crises.

Standard Operating Procedures (SOPs): These are the bones of business operations. They shape company culture by outlining how everyday practices should be performed so service and products are delivered consistently, and employees and customers are safe. SOPs are a step-by-step guide for all personnel to ensure tasks are performed the same way across an organization.

The better your initial standardized everyday policies and procedures are, the safer and more effective your organization will be. It”™s about creating a culture that effectively balances productivity with safety, like frequent password updates or two-step verification in the past. Today, the pandemic opened the floodgates on remote work, forcing companies to amp up their SOPs to cover a remote workforce, digital nomads and bleisure travel. These updates weren”™t just about employee perks, they also beefed-up cybersecurity measures to protect their assets while employees worked out of the office and put measures in place to ensure staff work product was safe while traveling.

Emergency Action Plans (EAPs): These seem more important than ever. For many, Covid-19 was an unexpected emergency that couldn”™t be avoided ”” the very reason EAPs are created is so that procedures can go into effect when an emergency happens and SOPs fail or are no longer sufficient. While SOPs are proactive procedures that can help avoid an emergency, EAPs are reactive, dealing directly with a situation.

EAPs provide a depth to the duty of care employees are beginning to expect. Especially if employees are traveling for your company, they want to know there is a plan in place should an emergency arise like an illness, injury or local catastrophe. When creating an EAP, widespread involvement with colleagues from human resources, operations, finance, legal and logistics is imperative. These leaders can identify potential emergencies across geographic locations, types of worksites, structural features and local emergency resources and response time. The earlier this involvement happens, the more successful planning, creation and implementation will be.

Business Continuity Plans (BCPs): These are for unexpected emergencies that threaten business operations, like a natural disaster. Does a city need to be evacuated due to a Category 4 hurricane on the horizon? Are your headquarters, satellite offices or suppliers”™ facilities in the storm path? Do you have a plan to scale up IT to quickly secure the influx of remote workers? If your work must be done in person, can it happen at an interim location? Is there any company support for the hardship your employees are experiencing, such as gas mileage reimbursement, funds for housing, etc.?

Having a BCP doesn”™t mean there won”™t be gaps in productivity. It means those gaps don”™t have to be permanent because there is a clear path to full business function, even if you are not yet back in the office.

Disaster Recovery Plans (DRPs): These are designed to plan for the return to the office and get things back to normal. They help companies get back to work after a major disruption. It provides guidance and sets rules around the re-opening of your facility and the return of employees to the office.

What if a portion of your building was flattened during the hurricane and needs to be rebuilt? A disaster recovery plan will set a timeline for the build, allowing employees back into the office when it is repaired and safe again. This could happen all at once or in phases, depending on the building and the type of work. The disaster recovery plan will guide your company through that process.

The plan and its procedures must be current. Its effectiveness must be validated regularly and it needs to be understood and acknowledged throughout the organization, especially those with key roles and responsibilities during an emergency.

The challenges companies face today are great. But the strength of risk manager is in the ability to turn those challenges into opportunities for your organization.

Harding Bush is a former Navy SEAL and the manager of security operations for Global Rescue, a Lebanon, New Hampshire-headquartered provider of medical, security, evacuation and travel risk management services. Bush is an expert in procedures for high-risk travel, cultural awareness, crisis preparedness and operational planning.