
Worker Protection Act 2023 · Module 3

The Heatmap

A plan that responds to the actual shape of the workplace's risk.

You are Jo Merrick, HR Director at Kelmar Group. One week ago, an HR Business Partner on your team handled a disclosure against a Regional Director. The handling was clean. The post-mortem revealed something else: Kelmar has no documented risk assessment for sexual harassment. After the Lidl GB 2025 tribunal, the Audit Committee has asked you to fix that — in fourteen days, on a forty-thousand-pound budget, with a plan that can be evidenced to a tribunal as the organisation's reasonable-steps programme.

Kelmar Group · 22–28 minutes

§1 Day 1, 08:45


HR Director's office, Kelmar HQ Manchester

Empty office. A printed Audit Committee letter on the desk. Manchester daylight through the window on a mid-week morning. No dialogue.

Marcus Bellweather, CEO Kelmar Group
§2 The CEO's brief

Day 1, 09:10

Marcus Bellweather: “Jo — the committee wants a defensible plan, not an expensive one. Forty grand. Fourteen days. Fourteen days is Priti's number, not mine — I'd have given you six months, but she's right that post-Lidl we can't sit on it.”
Marcus Bellweather: “What I'm paying for is evidence. I want something I can hand to an auditor, a tribunal, a shareholder, and say: we looked, we prioritised, we acted, we documented. I don't need a gold-standard programme. I need a defensible one.”
Marcus Bellweather: “Nathan and Natasha are yours. Ask them for whatever data they've got. Come back to me on day eight if you need to push the scope. Day fourteen, you present to Priti.”
Narrator: Jo writes the numbers down: 14 days, £40k, defensible not exhaustive. She underlines defensible.

You have your scope. EHRC Step 3 breaks the workplace into seven risk zones. The first work is mapping Kelmar against each one — which requires you to look before you plan.

Kelmar Group · Risk Heatmap · Day 2, 11:00 (interactive grid: likelihood against severity, minor to severe)
§Activity — The Seven-Zone Heatmap

Place each zone by likelihood and severity.

Seven risk zones from the EHRC guidance. Use the evidence in each card to place Kelmar's position on the five-by-five grid — likelihood, from rare to almost certain, against severity, from minor to severe. The live heatmap updates as you place each one.

A heatmap a little conservative or a little aggressive, but sitting on written evidence, discharges the duty better than a perfect heatmap with no evidence trail.

§The heatmap against the expert view

Where you agreed, where you may have diverged

Your heatmap sits beside the one the external consultant produced on the same evidence set. Where you agreed: Zones 4, 5, 6 all in the red-amber quadrant. Where you may have diverged: Zone 3 (digital) — the consultant marked it higher than most HR Directors initially do, because incidents on Teams and WhatsApp are under-reported rather than rare.

The point of the heatmap is not to be right — it is to be evidenced. A heatmap that is a little conservative or a little aggressive, but sits on written evidence the organisation can produce, discharges the preventative duty better than a perfect heatmap with no evidence trail.

The Lidl failure was not a wrong heatmap. It was the absence of one.

For the organisation: today's exercise is now the first artefact in the reasonable-steps defence file.

Why risk assessment is the keystone step

Step 3 of the EHRC Technical Guidance treats the risk assessment as the step every subsequent reasonable step flows from. Without it, the organisation cannot show it prioritised rationally; with it, the organisation's budget choices and control decisions become defensible as proportionate to the assessed risk.

The Lidl GB 2025 tribunal made this finding explicit: the organisation's failure to conduct a documented risk assessment was cited as a material shortfall of the preventative duty. The EHRC's subsequent binding agreement with Lidl required one as a condition.

Nathan Boateng, Head of Retail Operations
§3 Nathan brings the retail data

Day 3, 14:15

Nathan Boateng: “I've pulled the eighteen-month retail log. Six informal complaints, one formal — the Deansgate case. Two of the informal ones are customer-facing: one in Leeds, one in Liverpool. Both were Friday night, both retail hospitality-adjacent.”
Nathan Boateng: “One thing I'll flag. The log is what got reported. In my honest opinion the real number is higher. Store managers handle things at store level unless it gets to a threshold.”
Nathan Boateng: “If you want my view: Zone 5 and Zone 6 are where you'll see the next incident before the end of this calendar year. Zone 4 is where the expensive incident will happen — the one that goes to tribunal.”
Narrator: You thank Nathan. He has told you something your heatmap already showed, and something it did not: the difference between frequency and severity is a line the budget has to respect.

Nathan's framing — frequency versus severity — matters for Decision 1. Zones 5 and 6 are where incidents are most likely. Zone 4 is where the most damaging incident is most likely. A reasonable plan has to answer both. The question is what you prioritise first.

§4 Decision — Prioritisation strategy

Day 4, 10:30

Given the heatmap, Nathan's framing, and the £40k budget — which prioritisation strategy do you take into the control work?

Budget is finite. Every prioritisation is also a de-prioritisation. What a tribunal will later ask is: was the ordering rational given the evidence?

The EHRC reasonableness factors — size, cost, effectiveness, proportionality — apply here, not only to the controls you choose, but to the zones you choose to fund first.

§What happened next

Frequency-first — briefed to the team

You brief Nathan and Natasha on the frequency-first approach, with Zone 4 scoped for a documented phase-one assessment and year-two spend escalation. Both are comfortable with the ordering. You write the rationale into the plan document — frequency-first, with severity flagged and budget path identified.

For the workforce: the zones where incidents are most likely to land get the most protection first. That is where prevention bites.

For the board: a prioritisation rationale that a tribunal could not characterise as arbitrary.

For the organisation: the most defensible posture — proportionate, evidenced, and framed around the actual shape of Kelmar's risk, not a template.

Proportionality as a rational ordering

The EHRC reasonableness factors are not a checklist. They are a sense-check: given size, cost, effectiveness, and proportionality, can the organisation defend the prioritisation as rational? Frequency-first, with severity phased, is the ordering a well-run employer would take when the evidence pattern matches Kelmar's.

§What happened next

Severity-first — defensible, not optimal

You load Zone 4 with the heaviest spend. You're betting that the Big Incident is what tribunals punish. You may be right — but the six informal retail-floor complaints this year will land on thin cover.

For the workforce: thinner cover where they actually work. The incidents most likely to recur are under-resourced.

For the board: a defensible rationale exists (severity-led), but the Audit Committee is likely to ask why frequency was not co-funded.

For the organisation: not unreasonable — but harder to defend than a frequency-first or hybrid approach.

Severity-first as a defensible, not optimal, pattern

Severity-first prioritisation is not unreasonable. It misses the frequency-versus-severity test the EHRC guidance treats as central: both axes require response. A tribunal examining the plan would find this defensible but ask whether the most-frequent zones were adequately covered.

§What happened next

Uniform cover — arithmetic, not proportionality

You allocate £5,700 to each of the seven zones. It looks like comprehensive cover at the surface. Nathan's quiet response: ‘so we're not really doing anything anywhere.’

For the workforce: no zone gets cover strong enough to materially reduce the risk.

For the board: a plan that looks thorough at a glance and is difficult to defend on effectiveness.

For the organisation: the appearance of prevention without the substance. This is the pattern EHRC guidance explicitly warns against — proportionality-by-spreadsheet, not proportionality-to-risk.

Why uniform spend is not proportionate

The reasonableness test asks whether spend is proportionate to risk, not to the number of zones. An even spread across high-risk and low-risk zones is not proportionate — it is arithmetic disguised as proportionality. A tribunal can distinguish the two easily.

§What happened next

Policy-first — the Lidl pattern

You spend £28k on a policy refresh, e-learning for all staff, and a poster campaign for store backrooms. The remaining £12k goes into an all-staff communication plan. No zone-specific control goes in. Nathan emails: ‘Jo — I don't want to press this, but Lidl already had a policy and e-learning.’

For the workforce: same level of actual protection they had last month.

For the board: a plan the Audit Committee will recognise as the specific pattern the Lidl tribunal found unreasonable.

For the organisation: maximum tribunal-uplift exposure. Policy-plus-training without risk-differentiated control is the named failure mode.

The Lidl pattern

The Lidl GB 2025 tribunal found that Lidl already had a harassment policy, e-learning, and a poster campaign. The reasonable-steps defence failed because none of these constituted risk-differentiated action. The subsequent EHRC binding agreement required risk assessment and zone-specific controls.

A plan that re-runs the specific handling Lidl was found liable for, against the same statutory duty, materially increases the compensation uplift risk under s40A.

§Activity — Controls within the envelope

Day 7, 09:45

Spend the £40k. Build the plan.

Three priority zones each carry a set of candidate controls — cost tag (£ / ££ / £££) and effectiveness tag (weak / moderate / strong). Select the controls you want to fund. Running total shown. £40k cap enforced. Weak controls still count as action, but score less than strong ones.


Zone 5 — After-hours & alcohol-adjacent

Zone 6 — Customer & third-party interfaces

Zone 4 — Off-site work events

Before we lock the plan — three calibration questions

Short calibration on what ‘reasonable’ means in practice.

§The plan on paper

Walking distance from the Audit Committee room

You print the plan. Three priority zones, a set of funded controls, budget tracked, contingency held. Every control is traceable back to a zone in the heatmap, which is traceable back to the evidence set in Nathan's log. The plan is walking distance from the Audit Committee room.

For the workforce: specific, site-level action where risk is highest.

For the board: a defensible artefact that shows the money went somewhere specific, for a specific reason.

For the organisation: the opposite of the Lidl pattern — risk-assessed, prioritised, controlled, documented.

Controls as the evidence of the duty

EHRC Step 3 is not satisfied by having a risk assessment. It is satisfied by the risk assessment driving action. The control selection is the bridge between the assessment and the duty: it is what turns ‘we looked’ into ‘we acted.’

Under the Employment Rights Act 2025 — enforceable from October 2026 — the ‘reasonable’ standard is upgraded to ‘all reasonable steps,’ a higher bar. A plan like this one, documented now, is the baseline against which the October 2026 uplift will be measured.

§5 Decision — The budget conversation with Marcus

Day 8, 08:30

How do you frame the budget conversation?

Day 8. Before the Audit Committee presentation, you have to brief Marcus on the plan. You can cover roughly £38,400 of action within his £40k. Two Zone 4 controls you'd rated as ‘strong’ could not be funded at this budget.

Marcus will ask one question: does this hold up? Your ethical obligation is to be honest about what £40k does and does not buy. Your political obligation is not to oversell the unfunded as catastrophic. Your legal obligation is to create a record of what was flagged and when.

Jo Merrick, HR Director Kelmar Group
§What happened next

Accept, deliver, flag

Jo Merrick: “Marcus — plan covers £38.4k. Two Zone 4 controls are named in the board paper as phase-two, £12k, year-two ask. I'm flagging them as residual risk so the record is clean either way.”
Marcus Bellweather: “Fine. Flag them. I'd rather know.”
Narrator: He signs the cover page. The plan, with residual risk named, is on its way to the Audit Committee.

For the workforce: the plan lands on Monday — and the unfunded items are on a documented path to year-two.

For the board: an HR Director who told them what £40k buys and what it doesn't. That posture is what a non-exec wants from a senior function.

For the organisation: the strongest possible reasonable-steps posture — action where the budget allows, named residual risk, no surprises downstream.

Naming residual risk is itself a reasonable step

The EHRC Technical Guidance treats a dated, written acknowledgement of residual risk as part of the reasonable-steps evidence base — not an admission of failure. An organisation that says ‘we acted here, we could not act here, we flagged here’ has a materially stronger defence than one whose plan is silent on what was not done.

§What happened next

Formal uplift request

You present the £40k plan and a £12k additional ask, with a written quantification of the unfunded Zone 4 exposure. Marcus pushes back twice, then agrees in the third conversation to take £6k from the HR training budget to cover one of the two. The other stays on a year-two path.

For the workforce: marginally more cover than the £40k alone, at the cost of a slower plan launch.

For the board: a strong evidence trail — quantified ask, quantified residual risk, CEO's exact response in writing.

For the organisation: slightly more defensible than Option A if a tribunal ever scrutinises Zone 4; slightly slower to launch. Both are strong reasonable-steps postures.

When a formal uplift request is the reasonable step

Where residual risk in a specific zone is material and the organisation has capacity to act, a formal budget escalation — with written quantification — creates the strongest possible evidence that the duty was treated as operational, not symbolic. The ERA 2025 ‘all reasonable steps’ uplift makes this posture more important from October 2026.

§What happened next

Silent completeness

You present the plan as comprehensive. Marcus signs off without friction. The two unfunded Zone 4 controls are now Jo's private knowledge, not the record's knowledge. If a Zone 4 incident occurs in the next year, the file shows a plan that claimed completeness.

For the workforce: a plan that silently underfunds a known-high-severity zone.

For the board: not told what they needed to be told. A governance breach if it later emerges.

For the organisation: the specific handling pattern that turns a solid plan into an evidential liability. If a Zone 4 incident goes to tribunal, the file will show the plan claimed coverage the organisation internally knew it didn't have.

Concealing residual risk is not a reasonable step

The s40A preventative duty is not a ‘do what you can afford quietly’ duty. It is a documented-action duty. Concealing known residual risk from the board — particularly where the board signs off the budget — weakens every downstream reasonable-steps argument, because it shows the organisation had information it did not act on.

§What happened next

Counsel-cleared framing

Lena Forsyth reviews the framing in an hour. She tightens two sentences in the residual-risk section for privilege and suggests naming the quantification methodology in a footnote. You brief Marcus the next day with a legally-cleared position. Marcus signs off; Lena's footnote is in the board paper.

For the workforce: same on-the-ground action as Option A — a day later.

For the board: a board paper that has passed Counsel review. Higher downstream defensibility.

For the organisation: the most evidenced posture at the cost of a day. A sensible reflex where the respondent's seniority is Board-adjacent, or the plan's residual risk is quantitatively material.

Counsel-cleared framing as a reasonable-steps enhancer

Counsel review of the plan's residual-risk language does not change the duty; it changes the evidence quality. A plan that has passed legal review before board signoff is marginally more defensible than one that has not — at the cost of a day of process. Proportionate where the stakes warrant it.

Priti Rao, Chair of the Audit Committee
§6 The Audit Committee

Day 14, 14:00

Priti Rao: “Jo. Thank you for the paper. I have three questions. I will ask them in order, not for difficulty, but for sequence.”
Priti Rao: “First — what exactly will have changed about the day-to-day experience of a Kelmar employee in a hospitality venue on a Saturday night, six months from now, because of this plan?”
Priti Rao: “Second — what would you not be able to say to a tribunal that you can say now?”
Priti Rao: “Third — if we had to do this again in twelve months, what would we do differently?”
Narrator: She watches you. She is not hurrying.

Priti's three questions are a single posture test. There is a data-led way to answer (counts, volumes, controls), a principle-led way (why this plan discharges the duty), and a hybrid. Each has costs. The plan you built is the answer — what you say now is how the plan reads.

§7 Three decisions, one plan

The file is the record.

Across fourteen days you produced a heatmap, a prioritisation, a controlled plan, a budget conversation, and an Audit Committee defence. The record your organisation carries forward is what you built. Every artefact — the heatmap, the rationale, the control list, the residual-risk flag, the Counsel-cleared framing — is a specific reasonable-steps reference a tribunal or EHRC review would look for.


What to carry forward

1. Risk assessment is the keystone. Without it, no downstream reasonable step is defensible. With it, proportionate choices become traceable.

2. Proportionality is an ordering, not a spread. Frequency and severity both matter. Uniform spend is arithmetic, not proportionality.

3. Named residual risk is stronger than silent completeness. A plan that says what it does and what it does not do is more defensible than one that claims coverage it hasn't built.

4. Policy-plus-training is the Lidl pattern. If that is your plan in October 2026, the ERA 2025 ‘all reasonable steps’ uplift will find you where Lidl stood.

How fourteen days shaped the record

Kelmar Workforce (1,200 staff)

Audit Committee (Priti Rao)

CEO (Marcus Bellweather)

Kelmar Group (s40A defence)

Module 4 picks up the following Friday night, at The Kelmar Rosewood, when Ciara Donnelly — a Venue Manager — faces Zone 5 and Zone 6 in the same room at the same time.
