The COVID risk assessment (RA) is central in enabling organisations country-wide to re-open and provide service. But it is a limited RA. Quite rightly, managers are not expected to be epidemiologists. They are not expected to get into the detail of the risk posed by COVID-19, or to understand its transmission and mitigation. Such detail is provided for the manager by Government scientists.

Ordinarily (before COVID-19 took over our lives), managers were expected to state the ‘assets’ affected, identify the threat to those assets, evaluate the risk and develop the controls to keep the risk under a determined threshold. Under COVID-19, this philosophy – this flow from asset to control – is taken out of the manager’s hands.

In every sector, the Government has developed mandatory guidelines.

This point is critical. Because the Government has dictated threat, risk and controls, it has taken responsibility for the outcomes. It has made its resources, such as the NHS and the local government health organisations, available to support managers. And it has accepted liability for success or failure of those controls.

Provided, that is, that managers follow the guidelines.

And there’s the rub.

Liability transfers neatly to the Government, provided that the manager is compliant.

In order to discharge their local responsibility, it’s imperative that managers implement a COVID-19-guidelines-compliant plan. This will involve the now-familiar controls such as limited numbers, distancing, screens, face-coverings and contact details for track and trace.

In all such corporate, public-sector and charity cases, it’s senior management who are ultimately responsible for making sure the plan is adhered to. And for developing and improving the plan. It’s the senior managers who would ultimately be liable for any negligence.

But how can senior managers be sure that the plan is adhered to? And that experience is used to improve safety for staff, customers and other stakeholders?

We noted above, one part of the flow. There are a couple of steps missing. Under ‘normal’ risk management (of all risks other than COVID-19), the start point is the organisation’s strategy: what is it that senior management want to achieve? Senior management can set their expectations, but once set, it’s those activities that are to be protected.

And normally senior management would keep the whole risk management system under review.

Review is the idea of comparing what is, with what was wanted. In the COVID-19 sense, it is comparing the COVID-19-compliant plan with what’s actually happening on the ground.

But what’s compared?

The answer is the plan itself – a number of pages detailing the controls – and data from actual events.

Many people will shudder when I use the term audit. Simply, audit provides data from events. Data is provided when someone actually attends the event, goes into the shop as a customer, or goes onto the building site and observes.

Often audit conjures up the idea of an officious jobs-worth busy-body holding a clip-board and wearing a frown, moving about and noting every little non-compliance. It doesn’t have to be like this. Audit is there to close the loop – to allow everyone in the organisation to be confident that the controls are in place and that everyone is safe. Auditors are the managers’ friends! Both should work together for everyone’s benefit. It’s not about the auditor catching the manager out, proclaiming NIGYYSOB!

But without audit, the risk management system is operating in ‘open-loop’. Senior managers don’t know if the organisation is compliant.

Remember that the Government has taken responsibility for the management of this pandemic – but in return, managers must follow the guidelines. And that’s not just about making a plan, making some changes and getting on with activities. The loop must be closed to prove compliance.

In closing, I do need to say more about audit, though.

Audit has a bad name, perhaps because of its history. Modern audit is, more often than not, done internally. An engineer perhaps audits the operatives on the production line, or the call-takers in sales audit the housekeepers. Of course, those auditors need to be trained, but you’d be surprised how little actual time and effort that takes.

Many professional audit firms offer their services, issuing certificates of conformity to compliant organisations in return for fees. The Health and Safety Executive also mandates audit as a method in verification.

Auditing can be done by simply walking through the activities, experiencing and observing, then feeding back directly to the staff being audited so that they can comment and learn.

Auditing can be a friendly, happy activity. And it is absolutely critical to COVID-19 risk management.

So, implement audit. Close your loop today.