Developing a Prevention Policy
The corporate headquarters for Purdue Pharma is a 15-story high-rise in Stamford, Connecticut. Though Purdue Pharma owns the building and is the main tenant, other companies share space in the facility. “We provide security for the landlord responsible for the building; a Purdue associated company,” notes Glenn Faber, CPP, senior director of corporate security for the company. “We have to know the policies of other companies, especially when some of those companies don’t have a security department."
Of particular concern was whether those tenant companies had a workplace violence policy. After talking to tenants, Dan Arenovski, CPP, associate director of security for Purdue Pharma and head of security for the Stamford facility, found that recent events reported in the news made them more receptive to getting advice on how to develop a workplace violence policy. But before giving guidance to others, Faber wanted to be sure that his company’s policy was comprehensive. So he turned to the ANSI/ASIS Standard on Workplace Violence Prevention and Intervention. Published in 2011, the standard provides an overview of policies, processes, and protocols that organizations can adopt to help identify and prevent threatening behavior and violence affecting the workplace. The standard is also designed to help organizations better address and resolve threats and incidents of violence that have actually occurred as well as implement a workplace violence prevention and intervention program.
Faber began by narrowing the scope of the project by applying the standard to the existing workplace violence program at the headquarters facility. If the project was successful, the company would expand it to other sites such as research and manufacturing facilities. “The reason we took this approach was because it was easier to adopt for one site rather than to make it fit at all sites at the beginning,” explains Faber.
Arenovski was the first person Faber turned to when starting the program. Arenovski knew the tenants well and could bring them on board. “No matter how comprehensive our program, there was still that opportunity for a crisis or for a workplace violence incident with other tenants,” says Arenovski. “Our goal was to assist them in developing a workplace violence program that met the standard.”
The first step was creating a team of stakeholders to undertake the task of implementing the standard. Then, that team was tasked with examining existing policy, establishing a methodology for comparing that policy with the standard, conducting a gap analysis, implementing any changes, and conducting follow-up.
To make changes to the existing workplace violence policy, buy-in from senior management was critical. CSO F. Mark Geraci, CPP, led the team with the senior VP of HR serving as the second in command. The threat of workplace violence, with its potential to devastate the company on a personal and professional level was enough to bring them on board. “These two individuals were involved in almost every meeting,” says Faber. “They were involved at every level. This was a key factor in keeping the project on track.”
With critical endorsements in hand, Faber and Arenovski followed the standard and identified the appropriate members of the team such as HR, General Counsel, and EHS.
After the first few meetings, an additional HR representative was asked to join the team because that person specialized in the employee assistance program (EAP). It was critical to include multiple persons from multiple domains in order to have protection-in-depth.
Once the team was assembled in February 2012, it set a goal to have the workplace violence policy reviewed and a new policy in place in six months.
The company’s existing workplace violence policy was a one-page policy in the employee handbook, says Faber. “We had a policy that basically said violence is not tolerated; a simple broad statement,” he explains. “But, the standard says you are going to create a program to get ahead of and prevent opportunities for workplace violence.”
Once team members had examined the existing policy, they were instructed to read through the standard twice; the first time for a general overview, the second time from their domain expertise. “We asked each team member to read the standard cover to cover and then read it again,” says Arenovski. “The second time, members were urged to understand how the standard related to them and how it overlapped into other domains. For example, security was asked to review sections that cover HR and consider how they might affect security operations.”
To rewrite the company’s one-page policy, the team would have to compare it to the standard. This would entail a line-by-line review of the standard. To do this, the team had to establish a methodology that would allow members to contribute ideas in an organized manner.
Corporate security took the lead. The department coordinated the meetings, facilitated notes, and established a SharePoint system to track changes.
A key point in setting up meetings was to even the playing field. “We left our rank outside the door and spoke freely to set up goals and objectives,” says Arenovski.
Another goal was to keep each meeting focused. Members were told to read the portion of the standard the team would be working on and highlight areas that affected them to discuss at the next meeting. Then, any assignments, which were called “deliverables,” would be given out, and the person would have a set time frame within which to accomplish it. At the next meeting, the past deliverables would be first on the agenda, followed by the next section of the standard. “We were very structured in how we started and ended the meetings,” says Arenovski. “We conducted smart meetings by beginning with past deliverables, focused discussions, and ended with assigning new deliverables.”
The team initially met every two weeks, then switched to every three weeks. Meetings were kept deliberately short and rarely lasted an hour. Discussions took place outside the meeting, through e-mail, so that in-meeting discussions would be focused. “There was an opportunity to discuss an issue at length, but that was rare,” says Faber.
Security also kept minutes of the meetings, which would be delivered to each team member via e-mail before the next meeting. “Minutes were absolutely necessary to keep us on track,” says Faber. “One department might be assigned a small piece of the puzzle, but it touches everyone else and may impact the process.”
Meeting deadlines was a priority. “It’s easy to get caught up in the minutiae and easy to let things fall by the wayside,” says Faber.
With the team assembled and the methodology established, the work began. The team began conducting a gap analysis to identify those areas in the existing program that needed to be enhanced to meet the standard. “It is difficult to get where you’re going if you don’t know where you are,” explains Arenovski. “We needed to identify what we thought we had, what we knew we had, and then what we needed to have.”
A key point the team needed to understand before beginning the gap analysis, however, was how items were organized in the standard. The standard uses the terms “can, may, should, shall.” These key terminologies were used throughout the process to determine which items were required and which were recommended or optional. For example, if the standard said “training shall be conducted,” the team members knew this was critical. If the standard said “training can be conducted,” that item was optional.
Security set up shared documents for the team in SharePoint. The main document was an Excel worksheet. Each line of the standard was given a field on the worksheet. This allowed team members to easily identify which line was currently under discussion and to see which section of the standard it was tied to. “The gap analysis needs to become a living document in order to keep improving the program,” says Faber.
Within the gap analysis, we color coded the lines to identify who completed the section. For example, security might be represented by light blue and HR by light green and so on. “This was helpful because we could identify and sort by domain or section to review progress and open items. We knew who was involved and which items each group identified as a gap,” says Arenovski.
Each section of the standard identified with a gap was represented by a line in the spreadsheet. That line spread across columns that provided answers to questions such as, “Was there a gap?” “Who is the Stakeholder?” “What is needed to fill the gap?” “What training will be required?” and so forth.
For example, a line in the gap analysis might deal with terminations. Since terminations cross several domains (Security, HR, General Counsel), those would be represented individually on different lines, each having their own conclusions. The gap analysis would then be reviewed and discussed and possibly a single solution would be chosen.
The next column was used to indicate, based on the answers from departments, whether there was a procedure in place. For example, on conflict resolution, a line of the standard dealt with training security officers to deal specifically with a workplace incident that could potentially turn violent. Security was not trained to deal with these issues on the scene so this column would indicate that there was no procedure in place.
The next column would indicate what the standard required—a can, may, should, or shall. In the case of conflict resolution training, the standard listed the item as a “should,” meaning it was a recommendation. Additional columns would indicate whether there was a gap, description of that gap, and mediation. Once a gap was identified, the team immediately began taking action as it related to the “can,” “may,” “should,” or “shall” and decided how to proceed to close that gap. In the end, the team decided to meet a majority of the recommendations in the standard.
Additional fields were added for notes and comments. For example, action items would be listed here as well as items for discussion.
As departments took actions to meet each line of the standard, the information in the previous columns would change until the final column read that no gap remained and the standard was met. In the case of training, meeting the standard would require working with contractors to provide training for the company’s contract guard force.
Other documents were posted to the SharePoint site as necessary. For example, the company’s termination policy from HR and OSHA guidelines were both available at the site. If members of a department, like HR, wanted to add notes, they would sign out the gap analysis, add their notes, and sign the document back in, thusly sharing their notes with the rest of the team. Then the team would discuss the changes at the next meeting.
Momentum was important to the process. Each action was tagged as easy, moderate, or difficult and as low, medium, or high hanging fruit. The team started with easy items and low hanging fruit and moved to the more difficult ones as gaps were closed. This kept the team moving and motivated. An example of low hanging fruit would be communication. For example, a behavioral profiler was on retainer; however, contact information had not been communicated to all members of the team.
A difficult task would be establishing on site drills with law enforcement agencies and first responders. Stamford had a new police chief, so new relationships had to be established between the head of security and the police. Recent building construction in a multi-tenant facility meant that a process needed to be developed that ensured floor plans were updated and delivered to the appropriate municipal personnel.
The gap analysis revealed that the company’s policy did not meet the standard. Some of the issues that had to be addressed were minor ones that required only a change in language. For example, the existing policy said that threats made by “employees” were unacceptable. The standard mandated that the policy prohibit threats by “any individual.” However, other changes were more substantial and included issues such as communication, domestic violence, training, and partnerships with law enforcement.
Communication. One of the first things that became apparent when conducting the gap analysis, according to Faber, was that communication among departments needed to improve. For example, when assessing how terminations of company employees were handled, security indicated that the company did not have a best practice for handling high-risk terminations. However, HR did have such a policy, and it met the recommendations of the standard.
The team that had been assembled to assess the workplace violence policy became the company’s official Threat Management Team. The team meets regularly and communicates any problems or policy changes. The team will also reconvene to address any potential or actual incidents of workplace violence.
Domestic violence. Domestic violence and intimate-partner violence has the greatest potential to spill over into the workplace says Arenovski. It wasn’t originally addressed in the policy, however, that gap has been closed with new language.
The training program established now includes sections dealing with domestic and intimate partner violence and protective orders. “We let employees know that there’s an avenue to report domestic violence and that the company may provide additional appropriate security measures in the workplace,” says Arenovski.
Security also maintains files that provide information regarding the end-dates of protective orders. Arenovski stresses that such situations are often fluid; couples get back together or the aggressor becomes incarcerated, so the situation must be updated. It is the practice of security to check back with the affected employee at regular intervals to get updates.
Training. The team also recognized training as a gap that needed to be addressed. Conflict resolution training is now mandated for contract security personnel and offered to the appropriate employees. The program is designed to help trainees recognize key indicators of workplace violence behaviors. Annual refresher training is required for security.
It was discovered that Purdue’s current supplier of compliance-related online training videos, such as sexual harassment, business ethics, and conduct already had a training module for workplace violence prevention. This training also includes information on other issues such as recognizing and reporting workplace violence incidents. The module was customized with bulletins, FAQs, knowledge check, and a final test specific to the company’s policy.
Partnerships. The most difficult gap that was identified was improving partnerships with law enforcement and first responders.
The company offered to provide their space to train police on how to gain entry during an incident. “Law enforcement might look at the facility and think it’s simple to gain access; however, we are a secure facility with multiple layers of physical security. We need to expose and train the entry teams just how to maneuver into the building and understand how many options there are to do so,” says Arenovski.”
The company now provides police and the fire department with floor plans, hard keys, and access cards. The hard keys are provided to inner doors because the access control cards beep when activated and might alert a perpetrator prematurely to the movements of the entry team(s).
Security has ongoing red teaming discussions with the police and fire departments. The groups liaise to address the latest technology or discuss research on workplace violence issues. Some discussion topics have included how to clear the facility quickly and how an insider would approach the building. These issues affect how the fire department will respond, where they will triage, and which elevators they will recall, for example. Other issues include how police procedures could be exercised remotely in the case of an active shooter.
Security also conducts scenario training with law enforcement and first responders as frequently as possible. The scenario is different each time, but the goals are to understand what tools are available to security and how to use them. Tasks include using access control, cameras, elevators, and two-way radios to deal with a situation as well as communicating with law enforcement.
Security’s goal, which was reflected as part of an end-of-year performance review, was to complete the project by the end of September. Within seven months, a final workplace prevention policy had been developed, and in September 2012, the Threat Management Team under the cover of Human Resources sent it out to all Purdue colleagues.
The policy was also shared with the other tenants in the building. Arenovski met with each company and explained the policy and how it affected their employees.
Security is currently rolling out the standard to other Purdue Pharma locations. When appropriate, corporate pushed out some of the policies it developed. Security at all company locations have been trained in conflict resolution, for example. However, site teams are now undertaking their own gap analysis to identify issues that are unique to manufacturing or research facilities.
The Corporate Threat Management Team is now conducting an ongoing post gap analysis to ensure that all the policies put in place are working as intended and to adjust those policies if necessary.
“You do a lot of work on a program like this,” says Faber. “It’s important not to put our new Workplace Violence Prevention and Intervention Program on a shelf and leave it there. Something as important as this needs to be constantly revisited.”
“This is why we feel the gap analysis is the [living document],” says Arenovski.