DVR and Security: what risks to analyze?

Among the many aspects covered by Legislative Decree 81/2008, also known as the Consolidated Occupational Safety Act (TUSL), is that concerning the obligation for companies with at least one employee to prepare the Risk Assessment Document (DVR), which is the main tool for the protection of the health and safety of workers wherever they operate. According to the provisions of the aforementioned legislative decree, the DVR must accurately assess the totality of risks and, consequently, define measures to prevent and/or mitigate them. In this sense, it is of fundamental importance to incorporate in the DVR both safety threats (events of a culpable nature closely related to the production process that could cause damage to property or injury to persons) and security threats (i.e., arising from the voluntary, and therefore malicious, action of a source external to the company even outside the work context) which, by way of example, can be traced back to phenomena of a geopolitical, sociopolitical, criminal and terrorist nature as well as events related to Cyber Security, the centrality of which goes hand in hand with the growing process of digitalization underway.

Although both macrocategories of risks require careful discernment and analysis, it cannot but be stated that the changing and unpredictable nature of security threats makes their treatment particularly complex, especially in the case of work transfer abroad where, especially in certain countries, the pitfalls can amplify out of all proportion, so that it is extremely difficult for those charged with drafting the DVR (i.e., the employer, the competent physician, the Prevention and Protection Service Manager, the Workers' Safety Representative, and any outside consultants) to accurately delineate the true extent of the dangers; think, for example, of the assessment in the DVR of criminal risk, which may be affected by a lack of sources, even open sources, from which to draw information or, on the contrary, by an excess of data that perforce need to be selected and analyzed by professionals or companies specializing in the field. Such an issue may also arise when one has to assess risks related to the sociopolitical framework of the country in which the employee will be going to work or those of a terrorist nature, which not infrequently can manifest themselves in contexts considered safe (think, for example, of the terrorist attack that occurred in Vienna in November 2020, when an Islamic State militant caused the death of 5 people and 23 wounded) or unexpectedly (see the attack perpetrated on October 7, 2023 by the political organization Hamas against the State of Israel).

When traveling abroad, security risk assessment is not confined to the types just mentioned, but must be expanded to include issues related to the cultural and religious framework of the destination country, climate, natural disasters, the health care environment, and travel to and from the airport, hotel, or work location. It follows that the DVR must include, among other things, mission-specific threats as well as contingency plans to be activated if necessary. Facilitating the identification and assessment of travel risks in the DVR may be aided by companies' adherence to the ISO 31030 standard, issued in September 2021 by the International Organization for Standardization and consisting of guidelines designed to protect the safety of personnel to be sent abroad.

The extreme changeability of security threats requires the employer to constantly update the DVR, which must be promptly adapted to any new risk situations. For companies, assessing and updating security hazards in the DVR in addition to being a moral duty is a real legal obligation, as has been unequivocally enshrined in recent court rulings. Any non-compliance, in fact, can cause companies to incur administrative penalties, criminal liability and even the suspension of business activity.

How risk assessment has changed as a result of the Covid-19 pandemic

In the aftermath of the COVID-19 pandemic, the importance of understanding which work activities should have updated their Risk Assessment Document (DVR) was highlighted. As is well known, Title X (art.266) of Legislative Decree 81/08 refers to the risk of exposure to biological agents or, to be more precise, "to all work activities in which there is a risk of exposure to biological agents." However, since the pandemic affected any industry, there was some debate as to whether the virus, although not present in the production process, should be assessed as a risk at work because it could be introduced externally through a visit from a customer or other personnel.

Risk assessment is defined in the TUSL as "the comprehensive and documented assessment of all risks to the health and safety of workers present within the organization," and, therefore, every work activity should update its DVR. However, Lorenzo Maria Pelusi, a lawyer specializing in labour law and occupational safety, in the essay, "Workers' Health Protection and COVID-19: A First Critical Reading of Employer Obligations," talks about the obligation to update the DVR only for four hypotheses, namely:

1. Changes in the production process or work organization that impact the health and safety of workers;
2. Technological evolution that enables better prevention;
3. occurrence of significant injuries;
4. Health surveillance outcomes that highlight the need for an update of the document.

So, among the causes from which the obligation to rework the DVR arises, environmental circumstances unrelated to specific business risks such as an epidemic are not mentioned. Pastucci also states that "Faced with the appearance of a generic biological risk that threatens public health, it is up to the public authorities - as they institutionally have the necessary instruments (scientific expertise and powers) - to detect it, give notice of it, indicate preventive measures and have them observed. The employer will have to comply with them, obviously having to comply with the general precept, without having to distort his or her normal prevention project in the company for that purpose. These measures will temporarily- for the duration of the emergency phase-join the ordinary ones, retaining their distinct nature and function."

According to these interpretations, in the event of a pandemic, risk assessment is the responsibility of the competent authorities, who draw up and establish the precautionary measures to which everyone must adhere; nevertheless, work activities that are not required to update the DVR must create a kind of appendix to the DVR to trace the measures implemented "to demonstrate that they have acted to the best of their ability, even beyond the specific precepts of Legislative Decree No. 81/2008." If, on the other hand, we are referring to workplaces where "biological risk is an occupational risk already present in the company's exposure context," it must be the employers themselves who promptly proceed to carry out and update the DVR, beyond the intervention of the competent authorities.

How was this done?

In order to compile a proper DVR , it was necessary to establish an accurate COVID-19  safety plan that contained all the specific measures to be taken, such as:

• controlling how workers enter the office, performing daily cleaning and periodic sanitization, and setting up protocols for handling a symptomatic person, as well as an information and training plan and health surveillance;
• Establish access routes, identify rooms for sanitation, pedestrian routes, and monitor restrooms, locker rooms, offices, and facilities;
• the adoption of clear information on access preclusion, control of body temperature, mechanisms for certifying negativization for positives, presence of dedicated toilets, and rules for visitor access (thus with cleaning and sanitization of instruments and devices, personal hygiene precautions, requirement of personal protective equipment, and remodelling of work rooms).

Despite the subtle distinctions quickly explained here, the DVR remains the most important tool for protecting the health and safety of workers and, therefore, should be prepared in the best possible way, that is, taking care to assess any risk, including pandemic risk. For this reason, it is increasingly necessary for companies to engage highly specialized companies that can make the process of threat assessment and mitigation more efficient, to ensure high levels of safety for employees.

Bibliography:

• ISO 31030 – Travel Risk Management
• Risk Management 360
• Lorenzo Maria Pelusi, Tutela della salute dei lavoratori e COVID-19: una prima lettura critica degli obblighi datoriali
• Pascucci, Saggio: Coronavirus e sicurezza sul lavoro, tra “raccomandazioni” e protocolli. Verso una nuova dimensione del sistema di prevenzione aziendale?
• INL – Nota n. 89/2020
• D’Apote Michele, Oleotti Alberto, Manuale per l'applicazione del D.lgs. 81/2008, EPC Editore, V edizione settembre 2021
• Risk & Compliance