Skip to main content
Gruv.ai logo

How to Run Duty of Care as a Global Business of One

By Gruv Editorial Team
Contributor
Updated on
21 min read
How to Run Duty of Care as a Global Business of One - hero image

Quick Answer

Start by treating duty of care for global employees as your operating system: run Compliance Resilience, Operational Security, and Professional Fortitude on a recurring cadence. Keep a single decision log, track travel days, and preserve filing evidence, including checks for FinCEN Form 114 when foreign-account reporting triggers are met. Then protect continuity with clear MSA/SOW terms, tested emergency contacts, and concentration monitoring so one disruption does not stop delivery or cash flow.

Why Corporate 'Duty of Care' Fails the Modern Global Professional#

Corporate duty-of-care guidance is built for employer-led teams, so it can break quickly when you run a business of one. In many employer settings, HR, legal, and operations share most risk decisions. In your model, you do.

In the U.S., OSHA frames safety duties as obligations employers owe employees, and UK health and safety law follows the same structure. U.S. labor guidance effective March 11, 2024 also treats independent contractors as being in business for themselves rather than as employees covered by the FLSA. If you copy an employee framework, you start from the wrong owner of risk.

IssueCorporate duty of careSolo global professional duty of care
OwnershipEmployer owns policy, support, and responseYou own decisions, records, and follow-through
Risk prioritiesWorkplace safety, employee welfare, travel supportTax filings, contract exposure, travel continuity, client data handling
Response modelEscalate to HR, legal, security, travel deskMonitor, decide, document, and act yourself
Decision speedLayered approvalsOften faster decisions, but no internal fallback if you miss something

Where the employee model breaks#

Tax is the clearest mismatch. In employer settings, payroll or mobility teams may handle parts of compliance. You do not have that buffer. If you are self-employed, you generally owe self-employment and income tax, and FBAR reporting can apply when foreign accounts exceed an aggregate $10,000 at any point in the year. Even when you qualify for the foreign earned income exclusion, filing duties still remain.

Travel risk breaks the same way. Corporate programs often assume someone is actively tracking advisories and escalation triggers. For you, that capability has to be explicit: check official Travel Advisories before trips and decide in advance when you will leave. Official U.S. crisis guidance is clear on the direction of travel: leave while commercial options are still operating.

Contract and data risk follow the same pattern. A company may have counsel, security, and privacy owners. You may be the contracting party and the data controller in one seat. UK GDPR guidance places compliance responsibility on the controller, and CISA warns small businesses often lack the resources to absorb major cyber incidents. That is why you need a personal model for risk ownership, not a borrowed employee playbook.

We covered this in detail in How to Handle Tax Equalization for Expat Employees.

The Duty of Care Flywheel: A New Framework for Your Business-of-One#

Use this flywheel to run risk as a repeatable practice, not a string of emergencies. In practice, each trip, invoice, client change, or near miss should leave a usable record so your next decision is faster, clearer, and less reactive. The point is simple: your own decision history should improve your next move.

Diagram showing The Duty of Care Flywheel: A New Framework for Your Business-of-One for How to Run Duty of Care as a Global Business of One.

A flywheel only works if you run it on purpose. If you review risk only after something breaks, you are still operating incident to incident.

DimensionReactive approachFlywheel approach
OwnershipYou react after a failureYou maintain decision records, triggers, and review points before issues escalate
CadenceIrregular and incident-ledPlanned check-ins plus trigger reviews when travel, clients, or financial facts change
Decision qualityDriven by memory and urgencyDriven by saved evidence, prior decisions, and visible patterns

Your core artifact is a decision record: one secure file, notes page, or folder that logs what changed, what you decided, what evidence supports it, and when to revisit it. That record becomes your institutional memory. If you cannot quickly find the last decision, supporting document, or next review point, the setup is weak.

Pillar 1: Compliance Resilience#

This pillar is about cash-flow and filing readiness. It keeps routine cross-border admin from turning into avoidable disruption and rework. It is usually weak when you cannot clearly explain where you worked, how income was received, which accounts need attention, or which records support your position.

Start by building the core deliverables: a country and day tracker, filing calendar, invoice archive, and a simple evidence pack for tax, account, and residency records.

Pillar 2: Operational Security#

This pillar is about keeping your business operable when conditions change. It is designed to reduce the chance that a medical event, lost device, account issue, or travel disruption turns into a full business stoppage. It is weak when backup access is unclear, emergency contacts do not have what they need, or your travel decisions have no pre-set triggers.

Build the practical pieces next: emergency contacts, secure document copies, account-recovery steps, insurance details, and trip notes with clear go or no-go and exit criteria.

Pillar 3: Professional Fortitude#

This pillar is about revenue continuity and a defensible working position with clients. It is designed to reduce the risk that one weak client relationship, unclear scope, or concentrated revenue source destabilizes the business. It is weak when scope lives in chat, payment terms drift, or late-payment and dispute responses are improvised.

That means you need a contract baseline, client and revenue visibility, standard payment language, and a reserve plan tied to your risk profile.

Run this as a loop you can keep: review on a regular rhythm, and also on trigger events like country changes, new clients, new contract terms, new financial accounts, or upcoming travel. At each review, answer four questions: what changed, what did you decide, what evidence did you save, and which pillar needs attention next.

Related: How to Create a Disaster Recovery Plan for Your Freelance Business.

Pillar 1: Building Your Financial Fortress with Compliance Resilience#

This pillar gets stronger when you treat compliance as a year-round operating practice, not a tax-season scramble. Run three maps in parallel: where you live and work, where you invoice, and where you hold accounts. Then assign an owner action to each risk area so every decision ends with a next step and saved proof.

Control areaTrackFileReview
Tax residency and dual residencedays present; workdays versus personal days; visa category; housing pattern; supporting presence recordsjurisdiction-specific residency and tax filings after verification for each country in your mapon every country change, stay extension, or local-footprint change
Invoicing and VAT mechanicsclient country; B2B or B2C status; service date; invoice date; tax details used on the invoiceVAT registration, invoice-content, and reporting obligations after verification in each relevant jurisdictionnew client country, service-type changes, or a shift into recurring billing
U.S. foreign account reportingeach non-U.S. account; highest yearly value; signature-authority statusFinCEN Form 114 when the filing trigger is met after verificationmonthly and again before April 15, using a saved aggregate-balance worksheet and statements
Permanent establishment exposurewhere work is performed; how fixed that location is; whose facilities are used; what authority your contract or conduct gives youtreaty-specific or local actions after jurisdiction-specific verificationbefore long stays, before using stable local workspace for one client, and when your role starts to look embedded in the client's operations

Map first, then file#

Keep one working file with four parts:

  1. Where you live and work: country, city, entry and exit dates, visa basis, and actual workdays.
  2. Where you invoice: client country, service type, B2B or B2C status, and invoice-rule checks you still need to confirm.
  3. Where you hold accounts: bank, payment platform, brokerage, opening country, and who has financial interest or signature authority.
  4. Owner action checklist: for each issue, list what to track, what to file, and when to review.

Your records need to agree across passport stamps, travel records, calendar entries, invoices, and account activity. If those records conflict, resolve that before filing.

AssumptionWhat can go wrongSafer action
"If I stay under 183 days, I am fine everywhere."Rules differ by jurisdiction, and dual residence can apply.Track days per jurisdiction and verify local residency rules before filing.
"One invoice template works everywhere."EU has baseline VAT invoicing rules, but Member State requirements can differ.Check country and transaction type before issuing each invoice format.
"Small foreign balances mean no U.S. reporting."FBAR uses aggregate foreign-account value during the year, not one account or year-end only.Maintain a rolling aggregate balance log across all relevant foreign accounts.
"Remote work abroad cannot affect my client."Facts can raise permanent-establishment questions tied to fixed-place and work pattern analysis.Review contract scope, authority, and location pattern before long stays or setup changes.

Tax residency and dual residence#

Start here, because residency affects everything downstream. Do not rely on a single global day-count rule. Different domestic systems can produce dual residence.

What to track: days present, workdays versus personal days, visa category, housing pattern, and supporting presence records. What to file: jurisdiction-specific residency and tax filings after verification for each country in your map. What to review: on every country change, stay extension, or local-footprint change.

If U.S. residency is in scope, the substantial presence test includes both a current-year minimum and a weighted three-year count: 31 days in the current year and 183 days across the three-year period, using 1/3 of days from the first prior year and 1/6 from the second prior year.

Invoicing and VAT mechanics#

This map protects cash flow and compliance quality. In the EU, baseline invoicing rules exist, with Member State differences, and invoices are generally required for most B2B supplies and some B2C transactions.

What to track: client country, B2B or B2C status, service date, invoice date, and tax details used on the invoice. What to file: VAT registration, invoice-content, and reporting obligations after verification in each relevant jurisdiction. What to review: new client country, service-type changes, or a shift into recurring billing.

U.S. foreign account reporting#

If you are a U.S. person with financial interest in, or signature authority over, foreign financial accounts, this is a core control area. FBAR (FinCEN Form 114) applies when aggregate foreign-account value exceeded $10,000 at any point in the calendar year; it is due April 15 with an automatic extension to October 15.

What to track: each non-U.S. account, highest yearly value, and signature-authority status. What to file: FinCEN Form 114 when the filing trigger is met after verification. What to review: monthly and again before April 15, using a saved aggregate-balance worksheet and statements.

Permanent establishment exposure#

Treat this as a practical pre-check, not a theoretical debate. Under the OECD model, permanent establishment is tied to a fixed place of business through which business is carried on, and updated OECD guidance in 2025 addressed short-term cross-border remote work.

What to track: where work is performed, how fixed that location is, whose facilities are used, and what authority your contract or conduct gives you. What to file: treaty-specific or local actions after jurisdiction-specific verification. What to review: before long stays, before using stable local workspace for one client, and when your role starts to look embedded in the client's operations.

If you want a deeper dive, read Canada's Digital Nomad Stream: How to Live and Work in Canada.

Pillar 2: Forging Your Personal Shield with Operational Security#

Your operational shield should do one job: if you are sick, stranded, locked out, or unreachable, work and communication still continue in a controlled way.

Build a solo response protocol#

Keep the plan short enough that someone else can actually use it. FEMA CPG 101 (May 2025, Version 3.1) supports a practical structure: a base plan, focused add-ons, risk analysis, and clear roles.

Assign two contacts: a primary decision-maker and a backup. Define what they are allowed to do, when escalation starts, who they contact first, and what they should tell clients if you go silent.

Keep a core emergency file with:

  • identity and travel context (ID page copy, visa or residency basis, current location or itinerary)
  • key business context (priority clients, where active work lives, short status note)
  • insurance and critical account references (policy or account identifiers and support channels)

Store access details separately from credentials. Use a secure method your contacts can actually use under stress, and test it before you need it.

Before you rely on the plan, verify what each institution requires to speak with your designated contact. A plan is only useful if your contact can complete the next action in real conditions. Keep the protocol flexible: FEMA is explicit that plans should adapt to the situation, not be followed like a rigid script.

Buy insurance by gap, not by label#

Choose coverage by the loss you need to absorb, then confirm the scope in the policy wording. Do not assume the policy label tells you what is covered.

Coverage reference in your filePrimary role in your planCommon overlap confusionWhat to verify in policy wording
Any policy you may need during disruptionBackstop for a specific loss scenarioAssuming the policy name alone defines coverageterritory, exclusions, notice requirements, and claims process

Save policy wording, declarations, support numbers, and claim instructions in your emergency file so your contacts know what to use first.

Set a client-facing digital baseline#

Keep this short and repeatable. The National Cybersecurity Strategy (March 1, 2023) notes that too much cyber burden falls on individuals and small organizations; your answer should be operating discipline, not tool sprawl.

AreaBaseline actions
Deviceskeep core systems and apps current; use a strong screen lock; remove unused software
Accountssecure email, banking, cloud storage, and recovery paths first; use unique passwords and MFA where available; keep recovery access available if your phone is lost
Fileskeep client materials in controlled locations, limit sharing access, and clean up permissions after projects
Travel and coworkingtreat unknown networks as untrusted, verify network details, disable auto-join, and avoid sensitive admin actions on shared networks

For legal-sensitive data handling, verify current obligations from official legal editions. FederalRegister.gov document 2024-24582 states it is not an official legal edition and points to a newer final-rule publication, so do not rely on the proposal page alone for compliance changes.

Minimum viable personal shield#

  • Name a primary and backup contact, with clear escalation triggers.
  • Keep a usable emergency file with identity, travel, client, and policy context.
  • Separate secure access methods from stored credentials, and test access.
  • Evaluate insurance by risk gap and retain full policy and claims documents.
  • Apply a repeatable digital baseline for devices, accounts, files, and travel network hygiene.

That is a workable floor. The next pillar is about keeping the business stable when your personal shield is under pressure.

You might also find this useful: How to Create a Travel Policy for a Remote Team.

Pillar 3: Digging Your Business Moat with Professional Fortitude#

Your business moat is a continuity plan. It should keep work, cash flow, and operations viable when disputes, delays, churn, or interruptions hit.

Tighten your MSA before the next problem lands#

Use your Master Services Agreement, with each SOW, to prevent predictable losses before they start. Confirm your MSA, SOW, and any purchase order clearly state which document controls if terms conflict.

Clause areaWhat to confirm
Scope controldefine deliverables, acceptance, timeline, financial value, territory, and any exclusivity; require written approval for changes before you start extra work
Payment protectionset invoice timing, due dates, expense handling, and any deposit or milestone structure; confirm billing entity name, invoice route, and notice address before kickoff
Dispute venuechoose court litigation or arbitration deliberately; if you use arbitration, keep it in writing and use placeholders for governing law, seat, rules, and language for local counsel to review; cross-border arbitral award recognition and enforcement can rely on the New York Convention framework where applicable; court-judgment enforcement follows a separate treaty lane with scope limits
Liability boundariesdefine liability caps, exclusions, and indemnity terms so you are not absorbing risks you did not price
IP and confidentialitystate what is pre-existing IP, what transfers on payment, what is licensed, and what remains yours; match confidentiality and security commitments to what you can actually perform

Use that checklist before renewal, not after the dispute starts.

Protect against overreliance and interruption#

Client concentration is not an abstract planning issue. It is a continuity risk, and you should monitor it monthly. Public-company rules use a 10 percent major-customer disclosure signal. For your business, use that as a warning indicator, not a legal limit.

Business riskProtective controlWhat happens if you skip it
Scope creep, payment delay, cross-border disputeClear MSA hierarchy, payment terms, and dispute clauseYou deliver first, argue later, and collection can become harder
One client becomes operationally dominantMonthly concentration tracking and active pipeline reviewA budget cut or termination can become a cash crisis
Illness, outage, or work stoppageContinuity file, backup communication path, and cash reserveProjects stall, handoffs fail, and revenue can stop before expenses do

Run a short monthly routine: review concentration, flag contracts that can end quickly, and maintain a transition note for each major client with status, next deliverable, required access, and handoff steps. If one client starts dominating revenue or calendar time, build replacement pipeline before renewal or budget decisions land.

Self-fund the protections employment used to hide#

You need to build your own protection stack: emergency cash, retirement funding, and disability planning. An emergency fund is cash reserved for unplanned expenses, and even small balances improve financial resilience.

For retirement, pick one tax-deferred structure you will consistently fund, for example SEP, 401(k), or SIMPLE. Then review disability exposure as an income-continuity risk and compare actual policy terms before assuming you are covered.

This quarter, execute in order:

  1. Update your MSA and mark governing-law, venue, arbitration, liability-cap, and IP-transfer placeholders for local legal review.
  2. Set up a one-page concentration tracker using trailing 12-month revenue and next-90-day booked work.
  3. Open or separate your emergency reserve and define which interruptions it covers first.
  4. Start automatic retirement contributions in one plan, then gather disability quotes and compare coverage terms.

For related compliance context, see A Guide to Background Checks for Employees.

Before your next client renewal, pressure-test your scope, payment terms, and dispute language with the Freelance Contract Generator.

You Are the CEO of Your Own Security#

Treat this as an operating discipline, not a mindset exercise: identify foreseeable risks, act before they become incidents, and keep proof of what you checked and changed.

What you control#

You cannot control every border change, client demand, or travel disruption, but you can control three outcomes:

  • Compliance visibility: you can see your current locations, upcoming cross-border changes, and the contract or policy terms that apply right now.
  • Personal incident readiness: you maintain a usable emergency path, a current document pack, and a response order someone else can follow if you are unreachable.
  • Business continuity protection: you protect delivery with clear written terms, clean records, and backup access so one incident does not stop operations.

Legal duties vary by role and jurisdiction, but for a business-of-one, this is the practical operating model: early risk management, risk assessment, and mitigation before an incident.

Run it monthly#

Pick a fixed monthly review date so the process stays repeatable. Review current country and travel plans, active client work that changes exposure, policy and contract wording that affects responsibilities, and emergency contact details. Update what changed, and escalate in the same week when a new country, a new client setup, or bleisure travel alters your risk profile.

Use an execution standard#

Track each risk item with four fields: owner, trigger, action, evidence.

  • Owner: who is responsible, usually you.
  • Trigger: what changed risk, for example new travel, new client, or a policy renewal notice.
  • Action: what you decided or completed.
  • Evidence: the file that proves it, for example an updated itinerary, policy document, contract version, or contact sheet.

If evidence is missing, the item is not complete. Use that standard, then return to the checklists and FAQ to execute your next actions.

This pairs well with our guide on Using Deel for Payroll for a US Company with Canadian Employees.

To keep your duty-of-care system current across borders, maintain a live travel-and-tax log with the Tax Residency Tracker.

Frequently Asked Questions

What is the first practical step if you are building your own protections from scratch?

Start with one control setup you will actually maintain: a travel-day log, a deadline list, and one folder for contracts, invoices, and policy documents. The goal is not a complex setup. It is a weekly habit that turns risk into dates, files, and decisions you can verify. Do this now: create one tracker and enter your current location, next move date, next filing deadline, and next renewal date.

What insurance should you review first, and how do you avoid buying the wrong thing?

Match each policy to the risk you want covered, then rely on the full policy wording, not the summary page. The approved sources for this section do not confirm exact coverage boundaries, exclusions, or payout amounts for health, travel, or professional liability policies. For any public guidance you use during claims or appeals, confirm it is an official .gov site and uses HTTPS before sharing sensitive information; if you use U.S. Marketplace resources, CMS has an FAQ hub with an “External Appeals” entry as a checkpoint. Do this now: pull your current policy PDFs and mark each point as “confirmed in wording,” “not stated,” or “needs written confirmation.” | Policy type | What to confirm in your wording | What not to assume | |---|---|---| | Health insurance | Covered care, territory, provider and claims rules | Any boundary, exclusion, or payout not explicitly stated | | Travel insurance | Trip timing rules, assistance path, claim notice steps | Any coverage outside what your wording explicitly states | | Professional liability insurance | Covered services, notice duties, defense terms | Any risk outside the written professional scope |

How do you make a solo emergency plan that still works when you are offline or unreachable?

Write a short checklist another person can execute without interpretation, and use placeholders for timing until you verify them. Keep one secure document pack ready, including ID copies, policy cards, emergency contacts, medication list, itinerary or lodging details, and define a clear escalation order. When an agency is involved, share sensitive information only through official, secure websites. Do this now: send the checklist to your primary contact and test access to every file they would need.

What are your core legal responsibilities to clients when you work across borders?

From the approved sources for this section, jurisdiction-specific legal thresholds, required contract clause sets, and country-by-country enforceability outcomes are not confirmed, so treat this as contract-control work rather than country-by-country legal advice. Document scope, deliverables, acceptance, invoice timing, confidentiality, and change-approval authority in writing, and state any limits on acting on the client’s behalf unless they authorize it in writing. Do this now: redline your current MSA or SOW for missing scope, invoicing, confidentiality, and authority terms before your next kickoff.

How do you protect yourself if a client pays late or does not pay at all?

Use a dated response sequence with placeholders you verify before signing, and keep your evidence pack complete from day one. One practical sequence is: send the invoice to the exact contract billing path with proof; send reminder at [reminder window after verification]; escalate at [escalation trigger after verification]; follow your agreed pause or collection path at [suspension/collection trigger after verification]. If approval, delivery, or submission records are missing, you may have less support for escalation or collection. Do this now: add your reminder window, escalation path, and payment triggers to your template and calendar them when each invoice is sent.

Gruv Editorial Team

Researched and edited by the Gruv editorial team. Gruv builds cross-border billing, payouts, and finance-operations software for global businesses.

Sources

  1. bidenwhitehouse.archives.gov/wp-content/uploads/2023/03/National-Cybersec...trusted
  2. cbp.gov/trade/programs-administration/trade-remedies...trusted
  3. cisa.gov/news-events/directives/homeland-security-pre...trusted
  4. cisa.gov/cyber-guidance-small-businessestrusted
  5. consumerfinance.gov/an-essential-guide-to-building-an-emergency-...trusted
  6. csrc.nist.gov/pubs/ir/7621/r2/ipdtrusted
  7. dol.gov/agencies/whd/fact-sheets/13-flsa-employment-...trusted
  8. federalregister.gov/documents/2024/10/29/2024-24582/provisions-p...trusted

Educational content only. Not legal, tax, or financial advice.

Related Posts

Canada Digital Nomad Visa Planning for Visitor Status and Work Permits
Visa Guides32 min read

Canada Digital Nomad Visa Planning for Visitor Status and Work Permits

The phrase `canada digital nomad visa` is useful for search, but misleading if you treat it like a legal category. It is shorthand for existing Canadian status options, mainly visitor status and work permit rules, not a standalone visa stream with its own fixed process. That difference is not just technical. It changes how you should plan the trip, describe your purpose at entry, and organize your records before you leave.

canada work permitvancouvertoronto
Read
How to Create a Disaster Recovery Plan for Your Freelance Business
Risk Management36 min read

How to Create a Disaster Recovery Plan for Your Freelance Business

Build this as a baseline to create a freelance disaster recovery plan you can run under pressure: clear recovery targets, a restore order, client-ready messages, and one restore proof record. This helps reduce improvisation during an outage.

disaster recoverybusiness continuitydata backup
Read
How to Create a Travel Policy for a Remote Team
Risk Management15 min read

How to Create a Travel Policy for a Remote Team

A travel policy for a remote team works only if it tells you what to verify, what to log, and when to stop and ask for advice. The job is simple: do not rely on generic travel lore when tax, immigration, or contractor-status rules may change from one country to the next.

travel policybusiness travelexpense reimbursement
Read