Who Owns Implementation of California’s New Workplace Violence Prevention Law?
Employers in California had a 1 July deadline to comply with SB 553, the state law mandating that employers establish workplace violence prevention programs. The question is: Who in an organization is responsible for developing the plan, implementing it, and ensuring all the requirements are met?
Compliance with this new policy has become a game of capture the flag at many organizations, with the result being slow or sluggish implementation. Legal teams claim responsibility and approach it from a compliance and privacy perspective. Human resources executives argue for ownership because it directly affects workers. However, the reality is that several different departments generally have responsibility for ensuring workplace safety. Managing compliance takes a collaborative effort from several different departments, but it is security teams that are uniquely positioned to lead the collaboration.
Security has come a long way since it was primarily gates and guards. Security leaders have a key role in risk management, emergency planning, business continuity, and other areas, so when you consider the requirements of the California law, security is at the nexus of all of them.
Security teams have a long history of acting as connectors across an organization. As a corporate function that has always required extensive stakeholder input, security has an ingrained cross-business perspective and specialized knowledge of protective methods. These skills can help them facilitate compliance, adopting processes that make it easier to share information across the business.
What the Law Requires
At a headline level, the law requires that employers develop a workplace violence plan and designate an employee or group of employees to implement the plan. Those requirements are relatively straightforward. Dig a little deeper, though, and you’ll find that other aspects require more planning and resources—there are record-keeping requirements, reporting requirements, and training needs. In each case, security is well-positioned to lead.
The records and case management requirements of the job involve logging incident reports and investigative findings—the exact types of reports security already generates. The law also requires that the records be available to employees or employee representatives, which underscores the need for collaboration. In addition, the plan needs an annual review.
Employees must be trained on what needs to be reported and how they need to report it. The law also says employees must have an understanding of how what they report will be investigated.
These are the sorts of things that can be added seamlessly to security awareness training if they are not already part of it.
Adding to the complexity is that, just as in the ASIS standard, the law defines workplace violence as both actual violent actions as well as threats of violence that can cause psychological distress and other harms.
Getting an employee to understand what to report, even if a direct threat isn’t obvious, and be willing to file the report is a key first step to an effective workplace violence prevention program. For example, an ambiguous statement from a customer like, “You’ll be sorry,” might be brushed off. But in an office setting where an employee may be upset about a poor performance review or being passed over for a promotion, the same comment becomes more concerning. In each case, reporting the incident is a giant step toward workplace safety, and the challenge for security teams and their colleagues is knowing what to do next.
Once a report is made, organizations should conduct additional investigations, which could require pulling records from human resources, getting input from legal teams, and log reports from the information technology department. This is where a security professional’s skills as a connector are vital.
In many cases, security teams are already gathering this type of information as part of the threat assessment process for hostile terminations or when conducting harassment investigations. Security interfaces with cybersecurity teams during insider threat investigations. These teams also manage relations with the C-suite for executive protection and travel purposes. In short, security works cross functionally, often with the very teams from which they need to gather data.
And then there’s the strategic analysis element—after you’ve spent months collecting and logging data, at the end of a year, what does that data tell you? How can you use this information to improve safety at your organization in the future?
This ongoing analysis is key, but it can generate greater value outside of a vacuum. The insights that human resources, legal, and cybersecurity team members can provide—and the collaboration and communication such consultations foster—help security professionals rise as leaders driving tangible business change.
Getting The Process Right
Recordkeeping is the backbone of SB 553 compliance. Effective compliance means good data collection, so it’s imperative to get the data collection process right. More than anyone else in the organization, security professionals know the complexity of important insights that can be hidden in data intelligence. This means they can, and should, take the lead in guiding a company to go beyond simply reporting incidents to the recordkeeper. Security professionals should consider the following when working to ensure their organizations are compliant with SB 533 or working in general to ensure they have an effective workplace violence prevention plan.
Governance. Communicate your understanding that an organization must protect sensitive employee information, maintain confidentiality, and comply with other regulatory requirements while allowing thorough investigations of incidents or threats. With this as a baseline, offer to collaborate with colleagues to define the scope and limitations of what information the security team can access during investigations and outline clear and detailed guidelines.
Tools. Voice the need for accuracy, efficiency, and speed—security professionals innately operate this way. The law is agnostic on how businesses keep their records, but most large companies will benefit from software that manages the data collection, case management, and investigations. With this data, security will be able to identify and address problem areas, such as places with a high volume of incidents, threats made by people following an organization’s social media posts, or whether there has been an increase in aggressive behavior under a new supervisor.
Analysis. Showcase the actionable insights that only security analysts can glean from collected data—identify common characteristics of high-risk incidents, assess the effectiveness of current intervention strategies, and optimize resource allocation to areas with the greatest need. This can and should inform strategic decisions and policy revisions.
People. Security requires teamwork—and lots of it. Advocate for removing organizational silos that get in the way of teamwork. Instead, support processes that facilitate information exchange and alignment across departments. Cross-functional collaboration is key to implementing a robust workplace violence prevention plan.
Rather than allowing departments to compete against each other concerning who owns compliance, companies can foster a safer, more resilient workplace culture. Proactive collaboration and consistent evaluation of workplace violence prevention plans will ensure a safer environment for all employees, making compliance with SB 553 a shared and strategic effort.
Cynthia Marble is the senior director of threat management operations for Ontic.