Are companies ignoring the risk that matters most?

It is easy to blame a rogue employee for a crisis but the real cause is often deeper

When organisations seek to manage risk, are they looking in the right place? Most corporate crises are complex events with multiple causes. Research commissioned by Airmic, however, has revealed one common thread—human behaviour. 

People risk takes many forms. At a basic level there is human error—think of the Equifax employee who allegedly failed to communicate the need for a software patch, leading to one of the largest data breaches of all time. Sometimes, however, a crisis is triggered by gross misconduct—think Kweku Adoboli, whose unauthorised trades cost UBS about $2 billion. And of course, there is the risk from an over-extended and unchecked leader—think Fred Goodwin, RBS chief executive before its collapse in 2008. Diverse as these examples are, an out-of-step employee (deliberate or otherwise) is at the heart of each event.

Unfortunately, the role of individuals in crises is often overlooked or dismissed as one-off, “rogue” behaviour. Business leaders are natural optimists. They rightly recognise that the talent of their employees is one of their organisation’s greatest assets; however, this can lead to a tendency to put too much faith that the staff will always follow the handbook. In reality, a company’s greatest asset can also be one of its most significant threats. 

Furthermore, “human behaviour” is a difficult concept to define and measure, and its relationship with profitability is not immediately obvious. As a result, people risk can be brushed into the “too hard” category, and risk management efforts are instead focused on more tangible assets with a clearer link to the balance sheet. 

Traditional risk management tools – controls and procedures – can certainly play a role in managing people risk effectively. For example, organisations can take practical steps to minimise the opportunity for employees to deviate from company policy, while making clear there will be repercussions in the event of misconduct. 

Meanwhile, treating employees well will remove incentives for wrongdoing. A disgruntled employee can be the most dangerous – just ask Amazon, which has had a string of employee leaks to the press about allegedly poor working conditions. 

Insurance also has a role. There may not be such a thing as “people risk insurance”, but there is a whole suite of covers and associated services that can mitigate some of the impact. This includes medical cover to minimise employee absence; general liability to protect relationships; services that fulfil the duty of care to employees abroad such as travel insurance; and directors and officers insurance to protect leaders and businesses from costly legal battles. 

However, traditional risk management techniques and insurance purchase are only half the story. The trouble with people is that they think! Traditional tools and controls are not likely to be effective in preventing threats or vulnerabilities from people who are endlessly creative, dynamic and unpredictable. If incentivised to do so, individuals can quite easily bypass the system.

Traditional risk management techniques are even more limited in the modern business environment, where the line between the internal workings of an organisation and the outside environment is increasingly blurred. Business travel, flexible working, an influx of connected devices and extended supply chains make organisational structures more porous than 25 years ago, thus reducing the effectiveness of internally-focussed controls. There is another risk which must not be forgotten: no company wants to stifle their talent with endless controls. The biggest risk to any business is not taking risk at all.

Organisations must therefore create an environment in which positive risk-taking is allowed to thrive, while reckless risk-taking is stamped out. This means nurturing a culture of entrepreneurial but responsible risk management: a culture in which employees respect their responsibilities and understand the risk tolerance of the organisation. In such a business, challenge is encouraged, mistakes and near-misses are openly reported and the lessons learnt in a no-blame environment – from junior staff to the chief executive. 

Checks and controls are important, and insurance has a useful role to play, but when these prove inadequate, it is culture that will determine how people behave. Only once this is recognised and acted upon can a business be truly resilient, successful – and profitable. 

John Ludlow is CEO of Airmic, the UK association for risk managers and insurance buyers. www.airmic.com

What is risk culture?

On the surface

Policies

Strategy documents

Human resources and pay structures

Values statements

Governance procedures

Hidden beneath the surface

Attitudes and beliefs

Assumptions

Understanding

Habits

Trust

Confidence

Openness to challenge

Fears

Motivations

Relationships

Personal values
