Organisations need to involve people management and development professionals in order to implement effective strategies to identify and control business risks, but a recent UK report has found that HR professionals still have a way to go in contributing effectively to organisational risk management
Organisations need to involve people management and development professionals in order to implement effective strategies to identify and control business risks, but a recent UK report has found that HR professionals still have a way to go in contributing effectively to organisational risk management
High absence rates, staff turnover and poor performance are just some of the problems that employers can expect when people management and development issues are not on the risk agenda.
The Chartered Institute of Personnel and Development (CIPD) report, Risk and performance: HR’s role in managing risk, is based on a UK study of nine large organisations and institutions across a range of sectors. It discusses what risk management means in a practical context and includes case studies showing how people management and development professionals can add value to the process.
HR’s current risk agenda
The evidence of HR involvement in strategic risk management presents a somewhat mixed picture. In many cases, HR seems to be peripheral to, or not fully engaged in, the risk agenda for their organisation.
However, a different and more positive picture emerges when the focus of discussion switches to the people management agenda. Asked to identify the key HR-related risks they deal with regularly, practitioners were able to provide some solid information. In some cases, what was described was the control measure or mitigation of the risk rather than the risk itself, but the picture drawn is interesting both in its breadth and in the degree to which issues are shared between organisations.
The following risk areas featured strongly in the majority of interviews: brand and reputation; employee engagement and commitment; management behaviour; legislative and regulatory compliance; recruitment, retention and skills shortages (current and future); pensions; performance and absence management; and health and safety.
Some anecdotal examples demonstrated the link between these risk issues and the corporate governance framework. For example, in at least one organisation with a prominent institutional investor profile, HR directors had been increasingly engaged in developing arrangements that demonstrate greater transparency in how companies select their leaders and align objective-setting, performance management processes and reward strategies for senior executives.
In many of the organisations, there was an emphasis on having properly trained employees committed to their teams and organisations, thereby minimising risks to the organisation from losing key employees, failing to attract talented individuals or not having the right range of skills for the future. This suggests that a risk management strategy can usefully help reinforce a focus on key areas of people management and development.
There were also interesting contrasts between the US and UK responses to regulation. For companies with US listings, compliance with Sarbanes Oxley rules is seen as a priority. Key HR processes, monitoring and board-level reporting have formed part of the new frameworks and this is an area of work expected to grow in importance (though it remains unclear how far this increased volume of material will contribute to effective risk management). In the UK, in contrast, more forward-thinking HR directors have a more pragmatic approach, building on the Government’s preference for statutory frameworks and voluntary codes rather than detailed regulation. The need to accommodate new regulation is seen as an opportunity to review and transform how HR processes are delivered, and efforts are made to avoid adding to the burden of compliance.
In the public sector, where HR is often seen as seeking to catch up with best practice in the private sector, the function was nevertheless central to developing strategies to deal with target-setting and ever-increasing initiatives and demands on departments and agencies.
This ranged from regular checking of employees’ identity to ensuring the professional or technical competence of staff engaging directly with the public. In both cases, a number of recent events had moved this from being a matter of just good HR practice to one of contributing to reducing risk and increasing public confidence.
Becoming more closely involved
The research evidence confirms that when people management issues are seriously addressed in a risk management context, they come high on the agenda. For example, mergers frequently fail because management is unable to reconcile divergent cultures. Organisations underperform because employees lack commitment, or are absent from work.
Problems occur in senior management where succession planning has been ineffective. These are all people management issues and the way they are tackled – or neglected – will be reflected in the bottom line. They are also strategic in that their effects are felt mainly in the medium or longer term, rather than in the short-term. The risk management process can highlight the fact that these and other HR issues are fundamental to the long-term health of an organisation.
It will be clear that adopting a strategic risk management approach requires people management issues to be placed squarely on the mainstream business agenda, in many cases with a high priority for attention and action. The risk agenda doesn’t necessarily mean HR people adopting a wholly different agenda or dramatically changing policies and practices. Essentially, risk management provides a framework for linking HR policies and practices with wider business outcomes.
This is another opportunity for HR to show its understanding of the way the business works, and how action in one area has repercussions in another. CIPD survey findings confirm there is a strong relationship between a positive psychological contract and performance. At the same time, the findings show that many employees are reluctant to place high levels of trust in the organisation. This is clearly one of the major long-term threats to employers’ ability to maximise employee commitment and engagement. Although commitment and engagement emerge from the interviews with organisations that have implemented a strategic risk agenda as high on their list of risk priorities, the same cannot be said for employers generally. Building and maintaining employee trust is clearly a key issue for most organisations.
Risk management or risk avoidance?
So, getting more closely involved in risk management can produce real benefits for HR. But there are also some possible downsides that are equally real. The HR function has an important role as ‘regulator’ of the employment relationship and this means it is sometimes charged with having an unduly negative mindset. Might this charge be given more substance if the function is too closely involved in managing a risk agenda?
HR professionals responding to a major CIPD survey talked about the need for HR to look for ways of saying ‘yes’ to requests for support, rather than imposing unnecessary or bureaucratic controls.
This is not only an image problem for HR. Too strong a preoccupation with risk can lead to an organisational culture characterised by caution and risk avoidance, which can undermine rather than support performance. CIPD research has highlighted the critical role of employees displaying ‘discretionary behaviour’ across the organisation so as to enhance business performance. There must be a real possibility that, if employees are constantly reminded about the negative consequences of taking risks, this will counteract the positive messages managers are giving, aimed at encouraging discretionary behaviour, in order to reach and exceed performance goals. How can the risk of institutionalising a negative, risk-adverse culture be minimised? There are significant financial and opportunity costs in failing to see particular risk issues in their proper perspective and giving them disproportionate management attention.
In general, the objective has to be not to remove all risk but to target a level of control proportionate to the seriousness of the particular risk involved. And some companies are actively training their managers to use their discretion to improve customer service in new and innovative ways, drawing on their judgment and ability to assess the likely risk and return.
Organisations need to decide how much risk they are prepared to take: in other words, what is their ‘risk appetite’? Organisations in the finance sector, for example, will justifiably be anxious to minimise any risk that might appear to put in question their probity or reliability, but different levels of risk appetite may apply to different areas of business, and higher levels may be appropriate where there is the prospect of higher returns. HR can help to influence the organisation’s judgment about its risk appetite in key areas such as reputational risk, where failure to manage diversity issues effectively can seriously damage the business.
In the end, risk management is about identifying and prioritising risks to organisational performance. The best judgment will often be that of local units and people closest to the ground. But HR needs to be fully involved in the process of identifying and prioritising risks and in implementing action to guard against them.
The benefits of closer association between risk management and HR professionals are not a one-way street: HR can gain visibility and influence but the risk management process itself will be immeasurably strengthened by a better appreciation of how the people dimension can contribute.
The HR risk basics
"Managing risk is not just about limiting short-term financial loss, it's about systematically addressing all those issues that can impact on organisational outcomes," says Mike Emmott, employee relations adviser for the UK-based Chartered Institute of Personnel and Development (CIPD).
There appears to be a huge gap between the risks that have been identified and what organisations are actually doing to manage them, according to Emmott, with research showing that senior executives feel some of the key areas of risk that are not being adequately addressed relate to the way people are managed.
HR professionals have the skills and knowledge to identify the risks associated with people and gather the evidence necessary to create a balance between resources required and the benefits to the business. Emmott says they need to be fully involved in helping organisations control people-related costs and take opportunities to improve service delivery.
