Employee Risk Management: Protecting your business reputation and reducing your legal liability

Source: iia.org.uk (PDF)



Employee risk management

Presentation overview:

Explain what employee risk management is

Describe who an ‘employee’ is in this context

Outline the assessment process

Show how to avoid common problems.

Employee risk management

Why bother with this concept? Some well-known cases:

Rev Paul Flowers, disgraced ex-Chairman of the Co-operative Bank

JPMorgan Chase fined a combined £572 million by UK and US regulators over the ‘London Whale’ trades

Nick Leeson, ‘rogue trader’, brought down Barings Bank in 1995

Edward Snowden, an NSA contractor rather than a direct employee, stole state secrets from the NSA on a memory stick

Chris Jarvis settled with Sony for unpaid wages (recruited as an unpaid intern but carried out the work of a paid employee).

Employee risk management

Its purpose is to identify and manage:

Threats to your organisation’s business reputation

The potential to damage your brand as an employer

Weaknesses that can lead to costly litigation

Problems that could damage profit margins

Emerging threats and vulnerabilities.

Employee risk management

Is a systematic process that:

Uses a traditional risk assessment approach

Focuses on identifying, managing and reducing threats

Puts the workforce at the heart of the assessment

Applies to a wide range of threats and vulnerabilities

Covers the lifecycle of employment

Can lead to innovative work practices.

Employee risk management

Internal audit can use this approach:

To assess its own future audit priorities

As a recommendation to those being audited

To help comply with the UK Corporate Governance Code 2014

C.2 – Main principle: Risk Management and Internal Control

‘The board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives…’

Who is an ‘employee’?

In this context, it’s someone who:

• Is an insider to an organisation

• Performs tasks associated with being an employee

• Has access to varying levels of information

• Is assumed by customers/ third parties to work for you.

Who is an ‘employee’?

The more obvious candidates:

Directors

Employees

Ex-employees

Self-employed consultants

Contractors

Who is an ‘employee’?

But don’t forget:

Secondments

Agency/bank staff

Interns

Volunteers

Outsourced staff.

Types of ‘employee’ threat

Non-malicious and unintentional:

Individuals are blameless

Sub-standard recruitment practices

Poor induction process

Insufficient training.

Types of ‘employee’ threat

Non-malicious and intentional:

Individuals are blameless

Business processes and policies not aligned

Insufficient/lack of guidance

Staff left to make their own judgement calls

Increasingly caused by blurring between home and work life.

Types of ‘employee’ threat

Malicious and intentional:

Exploiting gaps between business processes and security controls

Increasingly likely to be working with outsiders

Still a lack of awareness of people risk at board level

Many personal factors behind it…

Malicious insider threats

Personal motivation – 1:

Resentment – poor engagement, lack of recognition

Revenge – anger to the point of wanting to retaliate

Ideology – loyalty to a particular belief or cause

Opportunity – the chance presents itself

Financial – greed or high levels of personal debt.

Malicious insider threats

Personal motivation – 2:

Blackmail/coercion – victim being held to ransom

Personality trait – thrill-seeking, rule-breaking persona

Other loyalties – allegiance to a competitor or country

Self-advancement – trade-off for favours, e.g. new job.

Employee risk management

Increased likelihood of employee risk due to:

Globalisation

Highly competitive marketplace

Mergers and acquisitions

Outsourcing.

EMPLOYEE RISK OVERVIEW

[Mind map: ‘Employee risk’ at the centre, with six branches. Topics shown on the slide, grouped by branch:]

Source of threats: Directors, Employees, Ex-employees, Self-employed, Agency staff, Bank staff, Secondments, Interns, Volunteers

IT: Cyber-crime, Cloud computing, Data protection, Social media (who can post? type of media), Illegal file downloading, Remote working, BYOD, Libel law

Workforce health: Unhealthy lifestyle, Obesity, Presenteeism, Ageing workforce, Sickness absence, Stress/bullying, Workload

Organisational factors: Reward, Views on HR competence, Ethics, Culture, Silo mentality, Talent shortages, Managing performance, Reputation risk

Recruitment: Hiring policies, Drafting job descriptions, Pre-employment screening, Reference taking, Interviews, On-boarding

Document review: Employment contracts, Confidentiality agreements, Staff handbook, Outsourcing contracts, Protecting ‘know-how’

Employee risk management

The assessment process:

1. Choose the areas to be reviewed

2. Identify the threats & vulnerabilities

3. Decide who/what may be harmed and how

4. Evaluate risk and decide control measures

5. Record the findings

6. Schedule reviews and updates

Employee risk management

Step 1. Choosing the areas to be reviewed:

Can look at:

departments, e.g. HR

functions, e.g. recruitment

type of ‘employee’

areas of concern, e.g. pre-employment screening

a combination of these.

Employee risk management

Step 1. Choosing the areas to be reviewed:

Scope will be influenced by the type of:

organisation (public/private/third sector)

areas of concern

resources available

Can link to ISO 31000:2009 (risk management) and TQM (total quality management)

May form part of a wider SWOT/PESTLE analysis.

Employee risk management

Step 1. Choosing the areas to be reviewed – recruitment:

Recruitment may interest Internal Audit because:

employees are the root of many business risks, e.g. fraud

poor quality staff increase risks even further

processes only as good as those creating/operating them.

Employee risk management

Step 1. Choosing the areas to be reviewed - example:

Initial review examines lifecycle of recruitment

This starts from when a recruitment need is identified

It ends once induction is completed

Three areas of concern arise from this review:

candidate/job mismatch

pre-employment screening

induction process.

Employee risk management

Step 2. Identify the threats/vulnerabilities:

Job descriptions oversell or misrepresent the role

Pre-employment screening fails to weed out unsuitable candidates

Problems in vetting foreign applicants

Increased likelihood of insider threats

New starters unprepared following poor induction.

Employee risk management

Step 3. Who/what may be harmed and how:

Organisation may be harmed due to:

higher staff turnover

reduced productivity

increase in grievances/dismissals

potential for reputation damage

result = increased costs.

Employee risk management

Step 4. Evaluating risk/deciding control measures:

High – check job descriptions to ensure that they reflect what the job is now (don’t oversell a role) and analyse exit interviews for patterns of employee discontent

High – insist on seeing original qualification certificates and check professional memberships direct with institutions

Medium – use vetting companies for foreign candidates

Medium – survey departments to identify what they need from induction and incorporate into a revised programme.

Step 5. Record the findings

Register columns: Issue | Threat/problem | Risk (L/M/H) | Proposed control measures | Done by whom | Deadline

Issue: Candidate/job mismatch
Threat/problem: Poor quality/unsuitable staff being recruited; leads to disengagement, low productivity and higher staff turnover
Risk: High
Proposed control measures:
• Check job descriptions to ensure that they reflect the job as it is.
• Review staff exit interviews for recurring themes and identify solutions to common problems.
• Avoid the temptation to embellish and oversell a role.

Issue: Poor pre-employment screening
Threat/problem: Increased likelihood of insider threats; these may damage business reputation and hit the bottom line
Risk: High
Proposed control measures:
• Check original qualification certificates and professional memberships with the institutions.
• Engage screening companies to vet foreign candidates.

Issue: Weak induction process
Threat/problem: New starters unprepared following poor induction; reduces productivity and hampers integration
Risk: Medium
Proposed control measures:
• Survey departments to identify what they need from the process and incorporate it into a revised programme.

(The ‘Done by whom’ and ‘Deadline’ columns are left blank in this example.)


Employee risk management

Step 6. Schedule reviews and updates:

Formal reviews are usually annual or bi-annual

But it also depends on number of high-risk activities found

External events may influence frequency of assessments

Emerging risks should be included

Consider adding a Step 7 for ‘horizon scanning’.

Employee risk management

Horizon scanning:

Is a proactive risk management strategy

Looks beyond the next one to three years

Especially useful for those operating globally

Converts what’s learned into a competitive advantage

Best done by a multi-disciplinary team.

Employee risk management

Horizon scanning:

Sources of intelligence include:

planned legal changes – law reports/newspapers

employment trends – ONS, HR websites

demographic changes

technology developments

futurology reports (study of social, political and technical developments to understand what may happen)

Employee risk management

The assessment process, with horizon scanning added:

1. Choose the areas to be reviewed

2. Identify the threats & vulnerabilities

3. Decide who/what may be harmed and how

4. Evaluate risk and decide control measures

5. Record the findings

6. Schedule reviews and updates

7. Horizon scanning

Employee risk management

Implementing assessment recommendations:

For larger projects this will involve culture change

Requires buy-in and leadership from the top

Employee risk must be pro-actively managed

Encourage a culture where staff can report concerns

Integrate it into enterprise risk management initiatives.

Employee risk management

Avoiding problems – project management:

An employee risk assessment can present unique project challenges:

set boundaries on what will be covered early on as it’s easy to get carried away with this topic

actively look for opportunities instead of focusing solely on threats and vulnerabilities.

Employee risk management

Avoiding problems – not managing culture change:

Embedding employee risk management requires a culture change:

accept that this will require change management

be honest about the current culture’s shortcomings

identify what a good risk culture looks like

map out how to get from the current to the desired culture

break the process down into several stages.

Employee risk management

Avoiding problems – poor communication:

Add employee risk into an existing communications structure by:

adding it to board meetings as part of corporate governance

feeding concerns into risk team/internal audit meetings

encouraging discussions on the subject at team meetings

building it into in-house training sessions, including induction

incorporating this revised structure into your risk policy.

Any questions?