Corporate social responsibility in crisis management is more important than ever. Whether it’s looking after clients or taking the right steps to protect employees, organizations have a legal and moral duty to look after their people when a crisis happens. Dr Liz Royle explores this subject, explaining how organizations can prepare for and respond to a ‘Psychological Critical Incident’.

In the age of social media, an organization that doesn’t prioritise the wellbeing of staff and customers will quickly find itself the next viral scandal – whether it’s a data breach that puts customers’ financial lives at risk or a violent incident that has left staff traumatised.

The new ISO 22330 guidance for managing the people aspects of business continuity, states the importance of putting people first during a workplace crisis.

This can be broken down into four key stages:

  1. Preparation through awareness, analysis of needs, and learning and development;
  2. Coping with the immediate effects of the incident (respond);
  3. Managing people during the period of disruption (recover);
  4. Continuing to support the workforce after returning to business as usual (restore).

ISO 22330 states that ‘An employer can be deemed to have breached their duty of care by failing to do everything that was reasonable in the circumstances to keep the employee safe from harm.

Keeping employees safe from harm begins before anything has happened. In the UK, the Management of Health and Safety at Work regulations require a suitable and sufficient assessment of risk and a record of significant findings.

Although preparation begins with awareness, many organizations simply fail to consider the risks of psychological harm. They either don’t see it as relevant or have a total blind spot. However, you can’t rule out, or address, risks without first doing a risk assessment! This is important to do for both generic and role-related risk assessments.

So, how does this relate to people? ISO 22330 talks about a ‘Psychological Critical Incident’ (PCI) as being ‘An event or series of events that may cause significant emotional or physical distress, psychological impairment or disturbance in people’s usual functioning.

A generic risk assessment would consider any factors that contribute to the likelihood of a PCI occurring at work, for example

These risks could be in the workplace itself or in close proximity to it.

A role-specific risk assessment would consider whether particular duties carry an inherent risk of exposure to PCIs, for instance:

The events can be high impact or involve lesser but repeated exposure that can subtly and chronically erode psychological resilience. This can make the risk for cumulative distress or psychological burnout a significant one that warrants proactive measures.

The likely severity, frequency and impact of incidents needs to be considered and only by having done a suitable and sufficient assessment of risk, can it be determined whether any control measures are reasonably practicable.

According to a European Survey of Enterprises on New and Emerging Risks, there is a market trend towards considering emotional and psychological risks. It found that 79 percent of European managers were concerned about stress in the workplace. At the same time less than 30 percent of organizations in Europe had procedures for dealing with workplace stress, harassment and third-party violence. The survey reported that in many organizations there is an erroneous perception that addressing psychosocial risks is challenging and will incur additional costs when, in fact, the evidence suggests that failure to address these risks can be even more costly for employers, workers and society in general.

With the rise in cyber crime, terrorism and natural disasters, it is entirely necessary to expect disruption. The terror threat in the UK is currently ‘Severe’ and with the string of tragic attacks in London and Manchester last year, no one is unaware of the possibility of a crisis affecting their business. Surely it is then ‘reasonable’ to expect employers to have a plan in place to communicate with all of their staff during an emergency?

As Richard Stevenson CEO of YUDU, the advice notification and crisis management service, says:

“For too many companies, crisis preparation involves managers in hi-vis vests ticking off names after a fire drill. But employers should be doing better than that. If they can bring innovation into their products or services, there’s no reason why they can’t look at their crisis management protocols and think “How can we do this better?” It is certainly ‘reasonable’ to expect them to have something more robust in place than simply a fire drill evacuation plan.”

When we think about responding to an incident, the focus is often around a large-scale event with the capacity to directly affect the psychological wellbeing of large numbers of employees.

As Richard explains:

“Communication is absolutely key in a crisis. Part of a company’s duty of care to staff is having a system in place to be able to roll call in an emergency; to be able to alert next of kin and keep them informed; to be able to inform of changes to the plan as the situation develops so that everyone is kept as safe as possible. Social media means that news inevitably travels fast, and companies owe it to their people to ensure that the information they are getting is faster and accurate to avoid further stress.”

As well as providing potential exposure to distressing events, major incidents usually require longer, more demanding shifts and therefore put a great strain on employee resilience. A major incident may last for several days, weeks or even months. Although non-essential operations are usually temporarily suspended, this can lead to a backlog and pressure of these duties that ultimately need to be picked up. The management of this type of event requires careful planning and coordination to avoid internal and external support resources being overwhelmed and to ensure that all those psychologically impacted receive the correct level of care.

Duty of care continues during the restore and recover phases. The latter can last for some considerable time and be very costly to the organization. According to the HSE (2018), the total number of UK working days lost due to work related stress, depression and anxiety in 2016/17 was 12.5 million days. This equated to an average of 23.8 days lost per person. Working days lost per worker due to self-reported work-related stress, depression or anxiety has remained broadly flat but has shown some fluctuations. In 2016/17 stress, depression or anxiety accounted for 40 percent of all work-related ill health cases and 49 percent of all working days lost due to ill health.

Sickness absence (short and long term) costs £2,380 per person on average. Where an organization is perceived to have failed in its corporate social responsibility (whether legally or morally), additional costs come from the loss of skilled employees, reduced productivity and low morale, reputational damage and legal action.

In the recovery phase, surely an aspect of this duty of care is to ensure that support interventions are appropriate and effective? However:

If somebody’s employment has resulted in a physical or psychological injury then the corporate social responsibility should extend to ensuring that treatment provided by the organization is safe, effective and appropriate.

The author

Dr Liz Royle is director, KRTS International Ltd, the workplace trauma consultancy. KRTS offers ‘Power to Respond®’ a workplace trauma intervention, and provides Critical Incident Stress Management for strategically preparing for and responding to workplace trauma. Contact Liz at

Liz will join other experts in HR, cyber security, crisis management and workplace trauma counselling at a free breakfast event on 24th October in London. The session will offer insights into how an organization can put its people first. More details and register at