People related risks are critically important to every organisation and to manage people risk a strong culture and conduct risk management framework is essential.
The business world is scattered with the carnage of people related risks. The demise of most organisations come back to people related risks. Most recently, the failures of a handful of US banks, including Silicon Valley Bank can be traced back to people related risks where perhaps the pull of financial incentives clouded the judgement against sound risk and banking practices. Going back in history, it shows not much has changed, with Barings Bank being brought to its knees by people related risks, especially from the trader Nick Leeson.
One of the most fundamental effects of people related risks is poor decision making. The quality of all decisions that affect an organisation fundamentally drive the success of that organisation. As most business decisions are ultimately made by humans, perhaps supported by some decision-making tools, the impact of people related risks that lead to erroneous or suboptimal decisions is enormous. It is estimated that a typical human makes over 30,000 decision each day, many which will impact the organisation they work for. Risks that can degrade these decisions ultimately have huge impacts.
The impact of people related risk
The impact of people on risk, or “people related risks” are many and varied. Risk (the effect of uncertainty on objectives1) is made up of a number of components being Risk Causes, Risk Events and Risk Impacts. People related matters arise and manifest in any one of these three components.
Firstly, “People” is one of the four recognised root causes of all risk, together with: Systems, Processes and External events. The people category of risk causes includes such things as:
· Poor Culture
· Greed
· Inadequate Capability
· Biases, heuristics etc.
These risk causes lead to a wide range of risk events.
Many risk events are people related and these are usually captured under the risk event category of Human Resource Risk, or People risk. This risk event category usually covers such things as:
· Inadequate quantity of human resources
· Inadequate quality of human resources
· Human resources that are not fit for purpose
· Misconduct etc.
Lastly, there are several people related risk impacts. Risk impacts are when the risk impacts on the organisation’s objectives. The key people related objectives of most organisations are:
• Ensure employee safety and wellbeing
• Achieve employee satisfaction
These give rise to the two main risk impacts being:
· Negative impact on employee safety and wellbeing
· Negative impacts on employee satisfaction
Influencing factors of risk
People related risks are ever evolving, some increasing, some decreasing. Some of the key factors influencing these changes are:
1. Increased focus on employee physical wellbeing and safety. This is leading to a decrease in this impact as we develop better and safer working environments.
2. A major increase in focus on employee mental wellbeing and safety. This has been rapidly accelerated due to covid where the level of risk shot up exponentially and has led to this create focus.
3. A growing recognition of the importance of good culture, and especially risk culture, on the sustained success of an organisation. Culture to be “What goes on around here when no one is looking”. This increased awareness and focus is also driven by the increase in “wokeness” in society meaning organisations need to focus better on managing people related risks in order to gain and maintain their “social licence to operate”.
4. However, technology advances such as Artificial Intelligence (AI), Machine Learning (ML) and Robotics may decrease the prominence of people related risks and replace them with AI, ML and Robotics Risk. However the fear with many is that AI could lead to other more serious risks, which needs to be considered too.
Understanding the key drivers is the first step.
In order to manage people-related culture, which is highlighted by the gap between actual and desired culture, we need to understand the drivers. What makes people behave a certain way? For example, some of the key drivers include: Incentive schemes, both financial and non-financial; social norms within the organisation and social norms of employees; external personal pressures and weak leadership.
Once the drivers of culture are understood, relevant levers should be identified as ways to influence, change and control culture. Typical levers to influence culture and conduct risk include: deliver a clear and strong mandate from board and senior management for risk management; set a strong tone from the top; communicated through actions as well as words and define well-articulated; easily understood and well-communicated risk appetite and tolerances.
Insurance strategies must involve ensuring that adequate insurance coverage is obtained for people related risks and that the exclusions and small print does not exclude a range of people related risks. Do we have cover for deliberate actions, negligence, and accidental events?
Maturing a culture and conduct risk management framework
The number one focus to manage people risk should be to ensure you have a strong culture and conduct risk management framework.
There are a number of steps to consider for maturing that framework. These include:
1. Education: Achieve clarity and consistency across your organisation as to what culture and conduct Risk is.
2. Analyse, understand and document your culture and conduct (misconduct) risks. The Risk Bow Tie method is one effective way to analyse and communicate risk.
3. Determine, articulate and communicate your desired culture and conduct. This should align with your strategy and objectives and be articulated across your values and commitments, code of conduct, policies, incentive schemes etc.
4. Be able to measure your actual culture and conduct on an ongoing and consistent basis. This is where a strong suite of metrics is critical and a methodology that turns the metrics into meaningful intelligence that is reported as part of your risk reporting using Culture and Conduct Risk Dashboards.
5. Determine and apply risk appetite to the risk metrics to facilitate reporting, prompt escalation and response.
6. Understand how culture and conduct can be controlled, managed and influenced. This requires a strong understanding of the drivers of culture and conduct risk. Risk Bow Tie Analysis is critical for this understanding.
7. Build your culture and conduct risk management as an integral part of your Enterprise Risk Management (ERM) Process rather than as a standalone, siloed capability.