The beginning of required workplace violence programs: are you ready?
On July 1, virtually every employer in California will be legally required to have a Workplace Violence Prevention Plan (WVPP).
This is a watershed moment for corporate security. Never before has such a broad swath of private sector businesses faced such prescriptive statutory requirements for corporate security programs. What’s more, given California’s reputation as a national trendsetter in legal matters, workplace violence prevention programs may soon be mandatory in other states and across the country.
What Does the New Law Require?
California’s new law (referred to as SB 553) requires almost every employer in California to establish, implement, and maintain a WVPP.
This includes measures and supporting documentation related to workplace violence hazard identification, evaluation, and correction; incident reporting; incident logging; emergency response; post-incident response and investigation; training and instruction; recordkeeping; and communication and coordination with employees and other employers – among other requirements.
This is not a simple check-the-box exercise, as California’s new law will fundamentally reshape how businesses approach security. The law requires robust planning, policies, procedures and systems to mitigate a wide range of security threats that could impact the workplace.
Robberies, active shooter incidents, terrorist attacks, sexual assaults, violent customers, and verbal threats all fall under the broad definition of workplace violence articulated in the law.
Key Challenges
Based on guidance provided by California’s Division of Occupational Health and Safety (Cal/OSHA) in a model plan, a few requirements are likely to be particularly challenging for businesses to implement:
- Identifying and evaluating workplace violence hazards: Through periodic inspections, businesses must continuously evaluate all potential workplace violence hazards. This includes a review of threat and risk history, physical security measures (e.g., cameras, access control, duress alarms), and emergency procedures among other security controls. Because the law is so broad, this is a de facto requirement for continuous evaluation of the organization’s security program.
- Investigating and logging violent incidents: Every workplace violence incident must be investigated and recorded in a violent incident log. Log entries require enough detail (location, type of violence, detailed description, circumstances, consequences, etc.) that some companies may find it difficult to complete them without the use of staff or contracted investigators. The log must be maintained for a minimum of five years and must be available to Cal/OSHA inspectors upon request.
- Developing emergency response procedures: Every business will need specific measures for handling workplace violence emergencies, including mechanisms to alert employees (e.g., alarm systems), evacuation and shelter plans, and plans and procedures to seek emergency assistance from law enforcement. Given the wide range of types of emergencies covered, there may be a need for branching or alternative procedures (e.g., run-hide-fight in the event of active shooter, but different procedures in the event of a robbery).
- Actively involving and training employees: Plans cannot be developed by management and placed on a shelf. Businesses are required to engage their employees in the development of their WVPP and conduct training after the plan is established, annually, whenever a new hazard is identified, and when changes are made to the plan. Given the sensitivity of the subject matter, businesses will need to tread carefully in how they engage employees on violent threats that could trigger emotional or traumatic responses.
What To Do Now
As you’ll see in the above decision tree, now is a good time to evaluate your security posture, whether or not you operate in California. If you are a California employer, you need to be compliant with SB 553 in a matter of weeks.
If you already have a security program, it is time to conduct a gap analysis against SB 553 requirements and remediate issues immediately. If you don’t have a security program, you need to rapidly develop one in line with SB 553.
On the other hand, if you’re not a California employer, you should view SB 553 as a leading indicator on legal trends across the country. If you have a security program, you should review SB 553 closely to consider proactive enhancements to make now ahead of potential future legislation.
And if you don’t have a security program, now is a good time to consider investment in such a capability. SB 553 -- and what it indicates for future legal requirements -- should be used as part of a business case for management support and investment.
Given its fairly innocuous “workplace violence” nomenclature, it can be easy to overlook the broad and dramatic impact of SB 553 for the corporate security field as a whole. But make no mistake, SB 553’s requirement of robust security measures for private sector businesses is likely to shape the security industry for years to come.
About the Authors: Mark Freedman is Principal and Chief Executive Officer of Rebel Global Security, which provides security risk management, geopolitical, and national security consulting services to private sector companies. Mark is a trusted advisor to his clients, providing insights and strategies to help executives anticipate threats, reduce corporate risk, and enhance commercial value in a complex global and domestic security environment. Mark was previously Chief of Staff for the U.S. State Department’s Counterterrorism Bureau. He is a Certified Protection Professional (CPP).
Rick Mercuri is Senior Advisor for Corporate Security at Rebel Global Security. Rick has served as senior security executive at two of the largest U.S. banks. For four decades in corporate security, Rick has demonstrated strong leadership and strategic decision-making for global and domestic organizations. Rick is a trusted advisor to C-level executives and a thought leader with expertise in mitigating complex physical security risks and developing threat intelligence capabilities. Rick is a Certified Protection Professional (CPP).