When I meet with Chief Security Officers (CSOs) and begin to learn about their programs and priorities, one of the questions I sometimes ask – especially if we are exploring the scope of security risk to their employees or discussing a specific threat case – is this: “Are you in touch with your Employee Assistance Program Office?”

That may sound like a snoozer of a question, but it’s a tremendously critical one.  For risk monitoring for security risk management and for threat assessment, among many  other areas. Over hundreds of meetings, I’ve only had a handful of Chief Security Officers respond affirmatively.  Most CSOs give me a blank stare.  One security leader laughed out loud, thinking I was kidding him about his personal health.

The EAP Program: A Key CSO Channel for Risk Monitoring

Confidential referrals to Employee Assistance Programs – which are frequently structured by employers as an outsourced service – typically reside within the HR domain. And that’s appropriate for lots of reasons that stand outside the scope of this blog. For even more important reasons, the vast majority of information about  employees and their family, health, financial or economic circumstances are appropriately subject to strict privacy protections. But these realities do not – and, in fact, should never – preclude a senior security leader from regularly reaching out to his or her company’s Employee Assistance Program manager and asking two questions enormously important to the CSO’s mission and the security and safety of the organization’s employees.

#1: “Are you aware of the EAP’s ‘duty to warn’?”

The important point here is that EAP confidentiality is legally inviolable except in cases where state law mandates certain reporting of child abuse and imminent safety threats. If this is unfamiliar territory, look up Tarasoff v. Regents of the University of California, which was decided by the California Supreme Court in 1976. (17 Cal. 3d 425, 551 P.2d 334, 131 Cal. Rptr. 14 [Cal. 1976]) Originally, in 1974, the California Supreme Court stated in Tarasoff that therapists have a “duty to warn” prospective victims that they are at risk of falling prey to some violent act. The court issued its subsequent ruling in 1976 and the ruling now reads that when a therapist determines “that his patient presents a serious danger of violence to another, he incurs an obligation to use reasonable care to protect the intended victim.” The court further ruled that, “The discharge of this duty may require the therapist to … warn the intended victim or others likely to apprise the victim of the danger, to notify the police or to take whatever steps are reasonably necessary under the circumstances.”

#2: “How many referrals does your EAP program receive per month?”

While your Chief Security Officer does not have the right to ask for the names of employees referred to the EAP program, he or she can and should expect to receive information from EAP staff, whether the program is internal or outsourced, on how many referrals are received on a monthly basis.

  • Why is this information important? Because this allows your CSO to calculate referral rates as a percentage of your company’s total employee population – and compare it to that of other organizations. If this number is low, then either (1) your organization has an extraordinarily healthy, happy and financially strong workforce or (2) your EAP program is underutilized because employees are not bringing their concerns to referring sources.
  • Why does this matter to the security risk management of your business and require the top-line attention of your Chief Security Officer? Because a small but crucial percentage of referrals to the EAP program may concern the behavior of individuals with the potential for violence – violence against themselves or others within your corporate community. And if the HR team and the EAP group aren’t tracking this metric, then you can help prevent several impacts to your organization imminently and over the long term.
  • What are these potential negative impacts to your organization? Let’s take the worst case scenario first. It’s mathematical: if you have a large workforce then your risk of a workplace violence incidence tracks along with national averages. Lesser consequences include other outcomes that don’t involve loss of life – and stand outside the circle of responsibility normally tasked to your Chief Security Officer. Like what? Your employees are not getting the support they should from your EAP program due to under-utilization. And your company is spending a lot creating opportunities for employees that few are tapping.

The Big Picture Take-Away

There are many lessons here. But this is a blog and not the best platform for covering the full breadth of the implications. Given that constraint, I’d like to place the emphasis on two messages. The first one is that your CSO needs to communicate on a regular basis with your corporation’s HR function and Employee Assistance Program staff. The second is a broader challenge: a best-practice approach to security risk today requires that the CSO partner and collaborate continuously and in real time not just with HR but also with other business unit and functional leaders across the business – from facility security teams to IT, compliance and risk management.

What’s Your Take?

Do you agree? Does this make sense?