Employee risk management
Presentation overview:
Explain what employee risk management is
Describe who an ‘employee’ is in this context
Outline the assessment process
Avoiding common problems.
Employee risk management
Why bother with this concept? Some recent cases involving insiders of every kind:
Rev Paul Flowers, disgraced ex-Chairman of the Co-operative Bank
JPMorgan Chase fined around £572 million by US and UK regulators over the ‘London Whale’ trades
Nick Leeson, the ‘rogue trader’ who brought down Barings Bank in 1995
Edward Snowden, an NSA contractor who walked out with state secrets on a memory stick
Chris Jarvis, who settled with Sony for unpaid wages (recruited as an unpaid intern but carried out actual work).
Employee risk management
Its purpose is to identify and manage:
Threats to your organisation’s business reputation
The potential to damage your brand as an employer
Weaknesses that can lead to costly litigation
Problems that could damage profit margins
Emerging threats and vulnerabilities.
Employee risk management
Is a systematic process that:
Uses a traditional risk assessment approach
Focuses on identifying, managing and reducing threats
Puts the workforce at the heart of the assessment
Applies to a wide range of threat/vulnerability
Covers the lifecycle of employment
Can lead to innovative work practices.
Employee risk management
Internal audit can use this approach:
To assess its own future audit priorities
As a recommendation to those being audited
To help comply with the UK Corporate Governance Code 2014
C.2 – Main principle: Risk Management and Internal Control
‘The board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives…’
Who is an ‘employee’?
In this context, it’s someone who:
Is an insider to the organisation
Performs tasks associated with being an employee
Has some level of access to the organisation’s premises, systems or information
Is assumed by customers/third parties to work for you.
Who is an ‘employee’?
The more obvious candidates:
Directors
Employees
Ex-employees
Self-employed consultants
Contractors
Who is an ‘employee’?
But don’t forget:
Secondments
Agency/bank staff
Interns
Volunteers
Outsourced staff.
Types of ‘employee’ threat
Non-malicious and unintentional:
Individuals are blameless
Sub-standard recruitment practices
Poor induction process
Insufficient training.
Types of ‘employee’ threat
Non-malicious and intentional:
Individuals are blameless
Business processes and policies not aligned
Insufficient/lack of guidance
Staff left to make their own judgement calls
Increasingly caused by blurring between home and work life.
Types of ‘employee’ threat
Malicious and intentional:
Exploiting weaknesses between processes and security
Increasingly likely to be working with outsiders
Still a lack of awareness of people risk at board level
Many personal factors behind it…
Malicious insider threats
Personal motivation – 1:
Resentment – poor engagement, lack of recognition
Revenge – anger to the point of wanting to retaliate
Ideology – loyalty to a particular belief or cause
Opportunity – the chance presents itself
Financial – greed or high levels of personal debt.
Malicious insider threats
Personal motivation – 2:
Blackmail/coercion – victim being held to ransom
Personality trait – thrill-seeking, rule-breaking persona
Other loyalties – allegiance to a competitor or country
Self-advancement – trade-off for favours, e.g. new job.
Employee risk management
Increased likelihood of employee risk due to:
Globalisation
Highly competitive marketplace
Mergers and acquisitions
Outsourcing.
EMPLOYEE RISK OVERVIEW (diagram: ‘Employee risk’ at the centre, with six branches)
Source of threats: Directors, Employees, Ex-employees, Self-employed, Agency staff, Bank staff, Secondments, Interns, Volunteers
IT: Cyber-crime, Cloud computing, Data protection, Illegal file downloading, Remote working, BYOD, Social media (who can post? type of media?), Libel law
Workforce health: Unhealthy lifestyle, Obesity, Presenteeism, Sickness absence, Stress/bullying, Workload, Ageing workforce
Organisational factors: Reward, Views on HR competence, Ethics, Culture, Silo mentality, Managing performance, Talent shortages, Reputation risk
Recruitment: Drafting job descriptions, Hiring policies, Interviews, Reference taking, Pre-employment screening, On-boarding
Document review: Employment contracts, Confidentiality agreements, Staff handbook, Outsourcing contracts, Protecting ‘know-how’
Employee risk management
Choose the areas to be reviewed
Identify the threats & vulnerabilities
Decide who/what may be harmed and how
Evaluate risk and decide control measures
Record the findings
Schedule reviews and updates
Employee risk management
Step 1. Choosing the areas to be reviewed:
Can look at:
departments, e.g. HR
functions, e.g. recruitment
type of ‘employee’
areas of concern, e.g. pre-employment screening
a combination of these.
Employee risk management
Step 1. Choosing the areas to be reviewed:
Scope will be influenced by the type of:
organisation (public/private/third sector)
areas of concern
resources available
Can link to ISO 31000:2009 and TQM
May form part of a wider SWOT/PESTLE analysis.
Employee risk management
Step 1. Choosing the areas to be reviewed – recruitment:
Recruitment may interest Internal Audit because:
employees are the root of many business risks, e.g. fraud
poor quality staff increase risks even further
processes only as good as those creating/operating them.
Employee risk management
Step 1. Choosing the areas to be reviewed - example:
Initial review examines lifecycle of recruitment
This starts from when a recruitment need is identified
It ends once induction is completed
Three areas of concern arise from this review:
candidate/job mismatch
pre-employment screening
induction process.
Employee risk management
Step 2. Identify the threats/vulnerabilities:
Job descriptions oversell or misrepresent the role
Pre-employment screening fails to weed out unsuitable candidates
Problems in vetting foreign applicants (qualifications and references are harder to verify)
Increased likelihood of insider threats as a result
New starters unprepared following poor induction.
Employee risk management
Step 3. Who/what may be harmed and how:
Organisation may be harmed due to:
higher staff turnover
reduced productivity
increase in grievances/dismissals
potential for reputation damage
result = increased costs.
Employee risk management
Step 4. Evaluating risk/deciding control measures:
High – check job descriptions to ensure that they reflect what the job is now (don’t oversell a role) and analyse exit interviews for patterns of employee discontent
High – insist on seeing original qualification certificates and check professional memberships directly with the awarding institutions
Medium – use vetting companies for foreign candidates
Medium – survey departments to identify what they need from induction and incorporate it into a revised programme.
Step 5. Record the findings
The findings are recorded in a register with the columns: Issue | Threat/problem | Risk (L/M/H) | Proposed control measures | Done by whom | Deadline. The worked example populates the first four columns; the owner and deadline columns are left for the organisation to complete.

Issue: Candidate/job mismatch
Threat/problem: Poor quality/unsuitable staff being recruited. Leads to disengagement, low productivity and higher staff turnover.
Risk: High
Proposed control measures:
Check job descriptions to ensure that they reflect the job as it is.
Review staff exit interviews for recurring themes and identify solutions to common problems.
Avoid the temptation to embellish and oversell a role.

Issue: Poor pre-employment screening
Threat/problem: Increased likelihood of insider threats. These may damage business reputation and hit the bottom line.
Risk: High
Proposed control measures:
Check original qualification certificates and confirm professional memberships with the institutions.
Engage screening companies to vet foreign candidates.

Issue: Weak induction process
Threat/problem: New starters unprepared following poor induction. Reduces productivity and hampers integration.
Risk: Medium
Proposed control measures:
Survey departments to identify what they need from the process and incorporate this into a revised programme.
Employee risk management
Step 6. Schedule reviews and updates:
Formal reviews usually take place every one to two years
But frequency also depends on the number of high-risk activities found
External events (e.g. a security incident, a merger, a change in the law) may trigger an earlier reassessment
Emerging risks should be included
Consider adding a Step 7 for ‘horizon scanning’.
Employee risk management
Horizon scanning:
Is a proactive risk management strategy
Looks beyond the next one to three years
Especially useful for those operating globally
Converts what’s learned into a competitive advantage
Best done by a multi-disciplinary team.
Employee risk management
Horizon scanning:
Sources of intelligence include:
planned legal changes – law reports/newspapers
employment trends – ONS, HR websites
demographic changes
technology developments
futurology reports (study of social, political and technical developments to understand what may happen)
Employee risk management – the full process:
1. Choose the areas to be reviewed
2. Identify the threats & vulnerabilities
3. Decide who/what may be harmed and how
4. Evaluate risk and decide control measures
5. Record the findings
6. Schedule reviews and updates
7. Horizon scanning
Employee risk management
Implementing assessment recommendations:
For larger projects this will involve culture change
Requires buy-in and leadership from the top
Employee risk must be pro-actively managed
Encourage a culture where staff can report concerns
Integrate it into enterprise risk management initiatives.
Employee risk management
Avoiding problems – project management:
An employee risk assessment can present unique project challenges:
set boundaries on what will be covered early on as it’s easy to get carried away with this topic
actively look for opportunities instead of focusing solely on threats and vulnerabilities.
Employee risk management
Avoiding problems – not managing culture change:
Embedding employee risk management requires a culture change:
accept that this will require change management
be honest about the current culture’s shortcomings
identify what a good risk culture looks like
map out how to get from the current to the desired culture
break the process down into several stages.
Employee risk management
Avoiding problems – poor communication:
Add employee risk into an existing communications structure by:
adding it to board meetings as part of corporate governance
feeding concerns into risk team/internal audit meetings
encouraging discussions on the subject at team meetings
building it into in-house training sessions, including induction
incorporating this revised structure into your risk policy.