David Tattam, chief research & content officer and co-founder, Protecht, explores the key people-related risks facing organisations and how risk managers can tackle them
What is people-related risk?
The impacts of people on risk, or 'people-related risks', are many and varied.
Risk is made up of several components including Risk Causes, Risk Events and Risk Impacts. People-related matters can arise in any one of these three components.
Firstly, 'People' is one of the four recognised root causes of all risk, together with: Systems, Processes and External events. The people category of risk causes includes such things as:
- Poor culture
- Inadequate capability
These are the causes of a wide range of risks.
In addition, people-related risk events are many and varied, usually captured under the risk event category of human resource risk, or people risk.
This generally covers such things as:
- Inadequate quantity of human resources
- Inadequate quality of human resources
- Human resources that are not fit for purpose
Lastly, there are several people-related risk impacts including:
- Employee safety and wellbeing
- Employee satisfaction
Dealing with poor culture and conduct
Many people-related risks arise from and are manifested in poor culture and conduct.
In describing the difference between culture and conduct, we typically consider culture to be “what goes on around here when no one is looking” and conduct to be “what goes on around here, which affects our customers when no one is looking.”
Culture is internally focused and conduct is externally focused.
The two are obviously connected and poor culture usually drives poor conduct. It affects the way people and groups make decisions and interact with each other, with clients, and with all stakeholders.
Silicon Valley Bank is a recent high-profile example of a business that could have been saved by better people-related risk management – and highlights how important it is to have an effective risk framework in place, with an organisation-wide team of people that share and take the responsibility for the risk burden, enabling CROs to focus on what’s around the corner.
The consequences of ignoring people-related risks
As mentioned previously, “people” is one of the four generally accepted root causes of all risk. It is therefore one of the key drivers of all the risks an organisation typically faces.
Secondly, managing people-related causes is not easy and usually takes time due to the need for people change management. Poor culture is not fixed overnight!
Thirdly, people-related causes have a major impact on many of the risks we face.
For example, the number one cause of cyber risk is human behaviour/culture. We can have the best cyber security controls in place but if humans override them, we are in trouble.
Lastly, we value the people-related impacts of risk above all others. The safety of employees is paramount compared to our financial objectives.
On top of this, people-related risks are some of the hardest to manage as they are difficult to measure, often involving subjective judgement. Many of the root causes are intangible and related to the psychology, upbringing, belief system and social culture of the individual.
How risk managers can manage, mitigate or transfer people-related risk
Understanding the key drivers is the first step
In order to manage people-related culture and conduct risk, which is highlighted by the gap between actual and desired culture and conduct, we need to understand the drivers.
What makes people behave a certain way?
For example, some of the key drivers include incentive schemes, both financial and non-financial; social norms within the organisation and social norms of employees; external personal pressures and weak leadership.
Once the drivers of culture are understood, relevant levers should be identified as ways to influence, change and control culture and conduct risk.
Typical levers to influence culture and conduct risk include: delivering a clear and strong mandate from the board and senior management for risk management; setting a strong tone from the top; communicating through actions as well as words; and defining well-articulated, easily understood and well-communicated risk appetite and tolerances.
Insurance strategies must ensure that adequate insurance coverage is obtained for people-related risks and that the exclusions and small print do not exclude a range of people-related risks.
Do we have cover for deliberate actions, negligence and accidental events?
Maturing a culture and conduct risk management framework
The number one focus to manage people risk should be to ensure you have a strong culture and conduct risk management framework.
There are a number of steps to consider for maturing that framework. These include:
- Education: Achieve clarity and consistency across your organisation as to what culture and conduct risk is.
- Analyse, understand and document your culture and conduct (misconduct) risks. At the Protecht Group, we use the Risk Bow Tie method to analyse and communicate risk.
- Determine, articulate and communicate your desired culture and conduct. This should align with your strategy and objectives and be articulated across your values and commitments, code of conduct, policies, incentive schemes etc.
- Be able to measure your actual culture and conduct on an ongoing and consistent basis. This is where a strong suite of metrics is critical, together with a methodology that turns the metrics into meaningful intelligence that is reported as part of your risk reporting using Culture and Conduct Risk Dashboards.
- Determine and apply risk appetite to the risk metrics to facilitate reporting, prompt escalation and response.
- Understand how culture and conduct can be controlled, managed and influenced. This requires a strong understanding of the drivers of culture and conduct risk. Risk Bow Tie Analysis is critical for this understanding.
- Build your culture and conduct risk management as an integral part of your Enterprise Risk Management (ERM) Process rather than as a standalone, siloed capability.