This article is also available as a PDF

After the Prime Minister’s announcement and his presentation of the 5 stage / 3 phase plan, it is clear that coronavirus measures will be with us for the foreseeable future. As we move into phase 2 (‘Smarter Controls’) we will see more, and different, measures announced.
At the same time, companies will now need to make sure that they can protect their employees and clients – the government has said it expects businesses to conduct a COVID-19 risk assessment and share it with employees.

To help you understand the measures the government has announced (and will announce) and establish sensible measures for your organisation, this guide will

• In part 1, set out some basic concepts behind controlling the spread of COVID-19,
• In part 2, explain how to conduct a risk assessment in your organisation, and
• In part 3, provide some sources for further information and measures you can and should implement to control the risks identified in part 2.

Part 1: Introduction to COVID-19 risks and measures

Generally, measures and policies will fall into two categories:

I. Reducing infection
II. Improving response to infection

Reducing infection

As far as we currently know, COVID-19 has three modes of transmission:

1. Direct infection through droplets
This appears to be the main form of infection according to a multitude of studies. Measures to reduce this include

  • Distancing; generally, 1.5 to two meters is considered sufficient to reduce the risk,
  • Social Distancing; this is to reduce the number of encounters and thus limit the possibility for the virus to spread
  • Wearing of masks (both the protective types to protect the wearer and the ‘community’ masks to protect others)
  • Isolation of infected persons

2. Aerosols / micro-droplets
There have been studies both on aerosol transmission of COVID-19 and studies that show elevated concentrations of virus in the air, especially in highly frequented and/or badly ventilated spaces. Prof. Drosten, a leading German virologist specialising in coronaviruses, currently estimates that this type of transmission is very likely significant (as high as 40-50% of infections). This type of transmission has not been specifically targeted by measures in most countries, but reducing the number of shoppers in supermarkets, or improving ventilation, for example, could help in reducing infections via this route.

3. Environmental infection from contaminated surfaces and items
This is mainly infection through touching contaminated objects or surfaces and then transferring the virus to the mouth or nose. It currently seems that this route of infection is responsible for fewer cases than the other two routes described above.
Measures to reduce environmental infections include:

  • Social Distancing; clearly fewer people ‘out and about’ means fewer people touching potentially contaminated surfaces and objects
  • Hygiene measures such as washing hands
  • Disinfection, both of hands and surfaces / objects
  • Wearing of protective gloves (to a degree. There is significant discussion around the utility of this and whether wearing gloves can make things worse in some circumstances)

Improving response to infection

These measures are aimed at detecting, isolating and treating infection as effectively as possible and include contact-tracing, testing and medical interventions. How quickly and effectively you respond to a case among your workforce is also a key component of improving response to infection.


Part 2: Risk Assessments / Risk Management

The government currently requires all businesses to conduct COVID-19 risk assessments and expects them to share these with employees (and potentially customers).

The main concept behind risk assessments and risk management is to evaluate the potential damage (impact) and likelihood of an event, in this case contracting COVID-19, and design, implement and manage measures to reduce this risk to an acceptable level.

This risk is likely to vary for different activities being carried out – a supermarket will very likely see a higher risk to cashiers during the check-out process than to IT staff when configuring a server.

The government has set out a list of required measures for several sectors but advises that a risk assessment can both identify the need for additional measures and help in planning alternative, equally effective measures where government guidance can’t be followed.

The guidance below is based on the HSE risk assessment process.

You will need to go through 6 initial steps:

  1. Identify which processes / activities / locations need to be assessed separately
  2. Assess the impact
  3. Assess the likelihood
  4. Decide which measures to take to reduce the risk
  5. Record findings
  6. Implement measures

This should be followed by frequent and regular monitoring and re-assessment.

It is important, especially in larger organisations, that this process is centrally managed and supported. An understanding of risk management and SARS-CoV-2/COVID-19 is vital to ensure the risk assessment is performed effectively and consistently and measures are appropriate.

You should designate a lead for the risk assessment. Those who have a risk manager should draw on their expertise – others should designate a suitable person, for example the business continuity manager or COVID-19 response lead. Support from an occupational health physician, health and safety manager, etc. will be very useful.

It is good practice to set up a project team to include experts and stakeholders as necessary.
Being transparent about risks and measures is vital as your employees and clients need to be confident that all is being done to keep them safe. Current guidance specifically recommends involving employees in discussions as far as possible – including employee (or, where relevant, client) representatives in the project team and the risk assessment process can be a very effective way of ensuring buy-in.

Identifying relevant processes

This can be done, for example, by department and by location. Processes should be broken down as necessary to ensure that the people assessing the risk understand the practicalities of the process involved. A good rule-of-thumb is that when an activity requires two very distinct sets of measures to manage the risk they should be seen as distinct activities.

Assessing impact

Assessing impact is quite straightforward. In this scenario, the impact is the consequences of COVID-19. As we know, the worst-case consequence is death, so the impact is certainly high and measures should reflect this.
It will be very useful to also assess the impact on the organisation should activities be ceased or reduced, and to define the minimum acceptable performance level for this activity.

Assessing likelihood

Assessing likelihood is more complex. We continuously learn more about the virus and how it spreads, so assessments need to be adjusted when new information comes to light.

Some useful questions to ask in order to assess likelihood are:

  • Does the activity require personal interaction?
  • How many people are involved?
  • Does the interaction require close physical contact (e.g. cutting hair)?
  • Does the interaction take place inside or outside?
  • If inside, what space is available?
  • If inside, is the space well ventilated?
  • Does the activity involve physical activity, shouting or anything else that would increase the intensity of exhalation?
  • Does the activity involve individuals sharing a space, even if not at the same time?
  • Does the activity involve individuals sharing items or coming into contact with surfaces, even if not at the same time?

We would suggest dividing likelihood into four categories: None, low, medium and high. Some companies may, however, find it easier to only use none, low and high.

Measures to reduce the risk

The easiest measure to reduce (or in this case eliminate) the risk is to avoid performing the activity altogether.
An alternative would be to perform the action in some limited way that reduces the risk of infection, for example an HR function could conduct interviews remotely or a restaurant only offer take-away.
The feasibility of this approach depends on the outcome of the impact analysis.

If the above is not feasible, the next step is to look at the measures recommended or required by the government and ask:

  • Are these measures applicable to me?
  • Do these measures allow for my business to operate?
  • Will they reduce the impact and likelihood far enough to meet the requirements and be acceptable to employees and clients?
  • Are there measures that are equally effective but easier to implement and maintain, and are we allowed to substitute these for the government mandated measures?

When deciding which measures to implement, it is important to consider the environment the action takes place in and the most likely mode(s) of transmission.

Measures should be aimed at reducing transmission by reducing direct contact (through remote working, face-masks, shields, distancing, etc.), reducing aerosol concentration (through ventilation, outdoor activities, face-masks, etc.), and reducing transmission via contaminated surfaces or items (for example through disinfection).

If, for example, the activity takes place in a confined space, it may be necessary to limit the use of the space to one person at a time and to ensure adequate ventilation.
(See also our guide to pandemic preparedness)

Recording findings

The government expects or requires organisations to share the risk assessment with employees and/or clients. It has also published a notice for display (see here)

We recommend using our slightly modified version of the HSE template, the official HSE template or any suitable template already in use in your organisation to record your COVID risk assessment.

Documenting your findings and actions is not only required, but helps demonstrate that you take your COVID-19 risk seriously and have a sound, structured approach to safeguarding employees, clients and partners.

Implementing actions

Every action should have a defined completion date and be assigned to an individual accountable for completion. Progress should be tracked centrally and reported to management (and employees/clients where applicable).
One key aspect is awareness – measures need to be communicated clearly and compliance should be monitored.

Assessing effectiveness

Actions should be monitored for effectiveness and HR should monitor and report on coronavirus related absences. Employees and managers should be actively encouraged to report problems and concerns.

Questions to consider are, for example:

  • How are clients / employees reacting to the measures? Do they feel safe and confident to work / engage with the organisation?
  • Are measures being followed? If not, is this due to a lack of awareness or are measures too difficult to follow?
  • Are measures effective? Do we have workplace-acquired cases of COVID-19 among our employees (see also next paragraph)?
  • Have circumstances changed or has new guidance or scientific evidence come to light that means we need to review our measures?

As the pandemic subsides, organisations should consider (following official guidance) whether measures are still required or whether ‘lighter’ measures can sufficiently reduce the risk.

Any reviews, modifications to your measures and the rationale for those modifications should be documented.

What happens if someone does fall ill?

You should assist employees with (suspected) COVID-19. This includes:

  • Making employees aware of the symptoms of COVID-19,
  • Where possible, organising testing for employees with COVID symptoms and their close contacts,
  • Telling employees to stay home if they show symptoms,
  • Advising employees to stay home if someone in their household has fallen ill – this depends on the risk assessment.

You will need to use the risk assessment to decide which measures can and should be implemented. Questions to ask include:

  • How can we support the individual infected?
  • What is the likelihood they have infected others?
  • Can we isolate people who have come in close contact with the individual, even before they show symptoms? (e.g. the other member of a 2-man team in constant close contact)
  • How did they become infected? Are our measures effective enough? What can we improve?


Part 3: Sources and resources

Government guidance “Working safely during coronavirus”:
(Includes guides for individual sectors)

HSE guidance “Working safely during coronavirus outbreak”

HSE risk assessment guidance

HSE risk assessment template
Our suggested risk assessment template based on the above

Our guide on coronavirus preparedness and measures

Government guidance on which organisations can reopen / have to close

Notice of COVID compliance for display

(Unofficial) translation of the German COVID occupational safety standard

WHO guidance

Good summary of relevant scientific papers on COVID-19 / SARS-CoV-2

About the author

Dennis Martin is the principal consultant at Protereon Ltd. He has worked and taught extensively in cyber security, risk management and privacy. For over 15 years, he was involved in the German civil protection (most recently as deputy head of operations in charge of operational readiness for the Order of Malta in Bonn). He organised and led a large variety of operations responding to flooding, mass-casualty incidents and other medical emergencies like the swine flu and bird flu pandemics.


While we do our best to ensure the information and guidance here is accurate, the author assumes no responsibility or liability for any errors or omissions in the content of this document. The information contained in this site is provided on an “as is” basis with no guarantees of completeness, accuracy, usefulness or timeliness.

Image credit: US CDC