How to manage the people side of risk
Peter Cleverton, General Manager, EMEA at HireRight, on how organisations can adopt the right risk culture
Cybersecurity, fraud and “fake news” often dominate the headlines in today’s world. Risk has increasingly become a part of everyday vernacular, putting us as a society and as a business community on high alert.
A report issued by PwC revealed that in 2018, 34% of companies in the Middle East reported that they had fallen victim to acts of fraud and economic crime, up from 26% in 2016.
Still fresh in people’s minds is one of the biggest data breaches of the decade in the first half of 2018, when Dubai-based ride-hailing firm Careem admitted the theft of personal data of up to 14 million of its customers.
However, whilst businesses are increasingly acknowledging the importance and potential of risk, it’s only in recent years that many have begun to consider risk as an internal challenge. We’ve long recognised the impact that cyberattacks can have on an organisation – but what about when it’s your employees that expose you to risk?
In a report issued by BeyondTrust last year, 64% of those asked believe they’ve likely had either a direct or indirect breach due to misused or abused employee access in the last 12 months, and 62% believe they’ve had a breach due to compromised vendor access. Just four years ago, the UAE was ranked top for the most employee data leaks in the Middle East.
This is a real dilemma – because people and risk are intrinsically linked. People are both your greatest asset and your biggest weakness, and you can never fully eliminate the risk they bring.
But then again, do you need to? After all, it’s also risk that gives way to new frontiers, innovations and ideas that shape our world.
A discussion paper developed by the Corporate Research Forum (CRF) earlier this year argued that risk is about taking a balanced approach – and having a strategy and process in place to evaluate the potential pay-off against the risk being taken.
The paper also suggested that having the right risk culture means that we need to consider the perspectives of different business functions. For example, finance will be aware if a strategy exposes the firm to foreign exchange risk, marketing will point out anything that risks undermining the brand, and legal will assess any compliance risks. HR, in its role as both recruiter and the creator of company culture, perhaps plays the most intelligent and holistic role in risk management. So, should the mantle not fall to them to determine what a company’s risk lens should look like?
Of course, you don’t always see integration between HR and risk functions, so it might be best to start within the department and look at the top HR-specific risks – be it reputation, key technical positions or even hard-to-fill, high-volume roles. Then, evaluate each risk, starting with the time horizon: when will the risk have an impact, and what kind of decisions might be affected by it? Will the new hires from the last cycle be affected? Or is the risk something that will occur a few years from now? Other important elements include being specific about where the risk lies and its magnitude, as well as considering mitigation options. You can then look to expand from there.
It is, however, important to remember that a risk-savvy culture isn’t just about key decision-makers – it should permeate throughout all employees and across all levels. It’s only by having the whole team on side and preparing themselves for risk that you’ll develop resilience.
Businesses have a tendency to stress the importance of being robust – but something is only robust to the point where forces are so strong it breaks. And, inevitably, things will break – maybe not today or tomorrow, but the storm will hit at some point.
A resilient organisation is able to roll with the punches, adapt to the changing landscape and overcome the challenges.
Across the organisation, each employee should have the right mindset when it comes to risk and resilience by:
- Ensuring mistakes and near misses aren’t hidden or brushed aside and instead are regarded as signals for risk;
- Avoiding blame and focusing instead on solving problems;
- Understanding that setbacks are part of the learning journey; and
- Being willing to do things differently when it is called for.
For years now, the world has been calling HR to the board, as talent was seen as key to a company’s success. The same still rings true today but we should be measured and recognise that talent too should be considered through the risk lens, whether that’s screening candidates for rogue actors, or developing a company-wide mental fortitude that’s ready to battle through an evolving landscape. HR has never been more of an integral, strategic function to a business than it is today, so it more than deserves its place at the table when risk is being discussed.