The need for companies to implement a management system capable of ensuring business continuity (Business Continuity Management System or BCMS) arises from an analysis of their new needs in the so-called "Phase 2". These needs are not only related to safety issues; they involve the entire company organization.
Safety is in fact just one of the aspects related to the consequences of the COVID-19 outbreak: nowadays, companies are mainly in crisis both because they suffered business interruption, which caused severe economic damage threatening their own survival, and because of the sudden need to adopt new working processes (e.g. application of strict safety protocols in the workplace, rational management of human resources, rethinking of shifts and working hours, application of smart working and implementation of the Internet of Things, just to name a few of the most significant changes), which involve additional organizational and legal compliance issues.
Therefore, companies need to build a management system that makes them resilient to disruptive events related to biological threats, so that (i) future lockdown periods, (ii) the consequences of breaches of contracts, (iii) the application of penalties for non-compliance with mandatory rules and (iv) organizational inefficiency do not cause adverse and uncontrolled effects on the company's business.
The guidelines for implementing a business continuity system are already provided by the international standard ISO 22301:2019 "Security and resilience - Business continuity management systems - Requirements". This standard, which involves all the operational and management areas of the company, aims at identifying the requirements for planning and implementing a management system capable of preventing risks and protecting the company from disruptive events.
So far, the ISO 22301 standard has been applied mainly to prevent the consequences of natural events (such as earthquakes or floods) or in the IT industry (to prevent, for example, service interruptions). However, the scope of the standard depends on the risks that the BCMS aims to prevent: companies having their productive units in areas where earthquakes are likely to happen will take care of calculating the seismic risk, companies offering digital services will aim at preventing the risks connected to cyber-attacks, but from now on all companies will also have to take into account the biological risk. This need is also strengthened by a legal argument: under Italian law, at present, companies could (theoretically) rely on force majeure to avoid the consequences of their breaches of contracts due to the COVID outbreak. In the future, on the contrary, a new pandemic emergency could no longer be considered an unforeseeable and/or inevitable event (which are the indispensable requirements for the application of force majeure under Italian law) and, consequently, absent the adoption of all the appropriate measures to avoid its consequences (such as the implementation of a Business Continuity Management System), force majeure is unlikely to protect nonperforming companies.
It is a fact that the creation and implementation of a BCMS could not be achieved through a merely legal activity. To assist companies in the process of implementing the business continuity system, our firm has entered into a collaboration agreement with a first-level partner in the international market of certification bodies, able to guarantee qualified assistance also from a technical and operational point of view.
The legal aspects involved in the creation of a BCMS are very significant, and we mention here below the most important ones.
- Under Italian Labour law, according to the Legislative Decree no. 81/2008, any company having at least one employee shall adopt the so-called "risk assessment document". This document identifies the possible risks for workers in the workplace and, after an evaluation of how to prevent dangerous situations, indicates the measures to be implemented to ensure occupational safety. The Legislative Decree no. 81/2008 provides, among others, the indications of the measures to be taken and the obligations upon employers and managers responsible for the safety of the company's workplace. In case of a breach of the provisions stated therein, employers and managers could suffer the imposition of sanctions, or even be arrested, in case such a violation is related to a crime. After the COVID outbreak, the risk assessment document shall be duly updated to cover any risk, including the new biological risk, as provided by articles 17 and 28 of Legislative Decree no. 81/2008.
- The implementation of safety measures also has an impact on Italian criminal law: the Legislative Decree no. 231/01 states that corporate liability occurs in case a company omits to put in place the needed measures to prevent its employees from committing crimes in the interest of the company itself. Even though it is (still) not mandatory, from an organizational standpoint, many companies are adopting a document collecting the internal procedures adopted by the management to prevent the commission of crimes (the so-called "model pursuant to Legislative Decree no. 231/2001"). Among such crimes, article 25-septies of the Legislative Decree no. 231/01 includes involuntary manslaughter or injuries committed in violation of the rules on occupational health and safety. That is to say, in case a COVID infection is suffered by an employee owing to a failure to adopt appropriate safety measures, the worker's possible injury or death could cause civil and criminal consequences both for the managers (according to the Legislative Decree no. 81/08) and for the company itself (according to the Legislative Decree no. 231/01). Developing a management system which takes into account the risk of contagion, implementing all the appropriate measures to prevent employees, suppliers, auxiliaries and customers from being infected, therefore means not only protecting people's health but also restricting the scope of the criminal liability of entrepreneurs and companies, as well as preventing the imposition of severe sanctions (including the suspension, limitation or even closure of the activity).
- Another important legal aspect related to the implementation of a BCMS is the assessment of the management model adopted by the company in relation to personal data processing in accordance with the GDPR and the Italian Code of Privacy, the legal and organizational protection measures of corporate know-how required by Articles 98 and 99 of the Industrial Property Code and the security of IT systems. Smart working (but also the intensive use of e-commerce) exponentially increased the risk of data loss and cyber-attacks, which brings with it a considerable risk of sanctions and reputational risk.
- Finally, a further decisive aspect of the legal due diligence related to the BCMS is represented both by a careful analysis of existing contracts with suppliers and customers, and by drafting new contractual models to properly regulate future business relationships. On the other hand, regarding pending agreements, especially those providing for continuous or periodic performance, whenever possible, it would be appropriate to renegotiate them with the contractual counterparts, to regulate the consequences of possible new lockdown periods and/or a strong limitation of the operational activity, also considering the above-mentioned inapplicability of force majeure in the future.
Currently, the additional value of implementing a valid business continuity system is to offer companies an integrated solution to cope with future biological emergencies and beyond: a well-organized structure, in fact, is more responsive in providing solutions to new risks, and the BCMS has the advantage of being able to adapt itself over time to future needs.
Getting an ISO 22301 certification grants several side benefits:
- it guarantees companies a competitive advantage, which can be applied in every industry (particularly for listed companies, since it enhances investors' confidence);
- it could be relevant also for insurance purposes, since the risk assessment activity that is required for constructing a BCMS, besides ensuring greater accuracy in the choice of the most appropriate insurance products, is valued by the major companies in the form of a reduction in policy premiums for specific risks;
- it represents a valid preventive defense with respect both to controls on compliance with the prescriptions contained in the government security protocols (the violation of which leads to the suspension of the activity and to the imposition of sanctions) and to any claim from employees/their insurers/third parties for contagious injury.
The Firm, with its diverse expertise, together with the certifying partner, is able to lead clients in the process of building and implementing a valid business continuity system, resilient and COVID-proof, in order to protect the entrepreneur and the future of their companies.
Originally published 8 May, 2020