· Features

Risky business: how HR and risk can work together

A few weeks ago, HR magazine attended a conference. On the agenda: culture, engagement, values, trust. Nothing new there. But this wasn’t an HR event. In fact, there weren’t even any HR professionals there. This was a risk-management seminar.

So, what the heck were we doing there? Well, as Tim Payne, head of people at professional services firm KPMG, puts it: "Risk is a huge space for HR to play in." Quite simply, HR should be getting involved with enterprise risk management. And if it isn't, then it's a massive missed opportunity for both functions.

But before we get into the why, it's worth giving a bit of background around what risk management actually is. "Enterprise risk management (ERM) is still a relatively new capability in organisations," explains Mary Young, principal researcher, human capital, at New York-based research association The Conference Board, who has carried out some of the most seminal research in the field she calls 'human capital risk'. "ERM is the process that identifies potential risks across the organisation and engages business leaders to prioritise them."

By that logic, having people risks on that list is surely a no-brainer, right? After all, if, as many CEOs are wont to trot out, people are your biggest cost centre or biggest asset, why would you not prioritise the risks surrounding them? Peter Cappelli, professor of management at Pennsylvania's The Wharton School and director of Wharton's Center for Human Resources, puts it succinctly when he says: "In risk management, everything you can imagine comes back to what's up with people." And as Will Davies, a director in Deloitte's HR advisory practice, warns more starkly: "Any one person can bring a company down."

However, the reality of how people risks are seen is somewhat different. When Young started doing her research into the relationship between HR and risk management a couple of years ago, she was surprised by her findings. "People risks were just not on the map," she recalls. "It was incredible to me that they were not factored in. In most companies, there is not a lot of communication between HR and ERM. We saw significant gaps in the views of risk people and HR people."

Cappelli agrees that people risks are not being taken seriously enough. "Some areas, such as finance, are taken more seriously than other areas. We go from incredibly sophisticated risk management, to nothing. But with both HR and business topics, everything comes down to people issues, and we are just not thinking about them systemically enough."

Young's initial research backs this up. Despite finding that people risks were not on the map, her research did find that people risks are hugely significant to any business. According to her report 'Managing Human Capital Risk', human capital risk ranks fourth among 11 risks in terms of its impact on business results. That puts it ahead of many other risks that companies rigorously manage, such as financial, supply chain and IT risks. And even more worryingly, human capital risk ranks 10th (out of 11) in how effectively it is managed by organisations.

There are of course some obvious superficial differences between HR and risk people, which could explain why a dialogue between the two functions has not so much broken down as never even got off the ground. "Risk people can talk Klingon," admits Alex Hindson, head of group risk at insurance firm Amlin. "And the thing about HR professionals is that they are often in the job because they like dealing with people, not filling in forms."

Ellen Hexter, senior advisor, ERM at The Conference Board, who worked with Young on the human capital risk research, adds that risk people "often don't want to engage with HR people. They still see HR as obstructions."

But if both HR and risk can get over that (and more on how later), a mutually beneficial relationship emerges, because both sides can gain much from the other, improving the business for everyone. First, what does risk have to gain from the conversation? At the risk culture seminar that HR magazine attended, it was obvious that what risk managers are beginning to become interested in is the culture of risk: how to make sure that people don't behave in an excessively risky fashion and how to embed the right values to encourage ethical behaviours. The problem is, from many of the discussions at the conference, they are not quite sure how to get there.

Enter HR, with its (hopefully) strong knowledge base about how to encourage positive behaviours, creating and embedding values and aiding cultural change. "Risk culture is clearly in the HR domain," says Tim Thompson, risk analytics partner at Deloitte. "HR has a responsibility for setting the vision and making sure it happens and is consistent through communications, training and hiring."

Harvey Francis, EVP HR at construction company Skanska, agrees that HR has a big role to play in ensuring the ethical health of an organisation. "If HR is serious about being a true business partner, it needs to stand up for what it believes in, do the right thing and hold a mirror up to the organisation," he says. At Skanska, Francis has been instrumental in setting up an ethics committee, on which he now sits. "We ensure the organisation has the relevant policies, training and processes in place to make sure we are as ethically good as we can be," he explains.

At Iron Mountain, an information management services company, security is so important it's one of the organisation's key values, with emphasis put on thoroughly training staff to understand the importance of looking after information. "We have an advantage as it's our core business, but in any company, when you think about your strategy, there will be an information element," says Anne Best, Iron Mountain's SVP HR. "It's an education process. We make sure staff learn the value and potential risk and exposure of having information go missing or get into the wrong hands."

And of course, helping to mitigate behavioural risks will have a positive knock-on effect for an HR department. "A safety incident, for example, can have legal, financial, reputational and customer impact," says Eugene Burke, chief science officer at talent management and analytics company SHL. "It's a ripple effect, as any negative incident flows out to HR. It can result in disengaged staff or sudden higher levels of turnover or absenteeism. HR can't avoid risk, it's going to happen, and HR is already part of the risk equation. You might have the structures and regulation in place, but it all comes down to people, so HR has to be in the game. Risk people don't really know about the behaviours. HR needs to be the mentor."

According to KPMG's Payne, there's a trade-off to be done here between HR and risk, with HR offering its behavioural expertise in exchange for something else. "HR departments have to be more tactically savvy about working with colleagues in risk management as a way to get their issues discussed at the right level in the business," he explains. "Most risk functions, when they think about risk, they think: 'how can I get people in the business to be more risk-conscious?' They need to rely on HR to help them do it. There's a bit of bargaining and negotiation to be done between the two functions. And HR can take the lead. Tell risk: we can help make your workforce more risk-conscious, but we need help too. Ask to see the enterprise risk map. Most HR professionals will never have seen one before. Once seen, you can ask for help getting people issues on the map."

So, how does HR go about defining these people issues? Which ones should it be prioritising and fighting to get on the risk agenda? In Young's opinion, it all comes down to strategic workforce planning. "Strategic workforce planning is people-risk management," she says. "Talent challenges are front and centre. Simply not having the right talent, at the right price, at the right time, in the right place, is a huge risk. All the issues HR is concerned with on a day-to-day basis are potential sources of human capital risk. It's just a different way of framing the issue."

KPMG's Payne agrees, listing other issues such as succession planning, key-person dependency and potential future skills gaps as areas that HR needs to be getting discussed at board level as part of the risk conversation. While Francis lists his number-one concern as "an ethical breach", he also includes talent management and succession planning as part of his organisation's risk-management plan. "We are doing it to minimise risk," he reasons.

Young warns that HR needs to be careful not to let the business wrongly define what human capital risk is. "Yes, it is things like reputational risk and supply-chain risk, but don't let that define it," she says. "The language is much broader." Stavroula Leka, associate professor, Occupational Health Psychology at the University of Nottingham, who is doing research into behavioural risk and HR, agrees: "Is HR strategic enough in its approach to risk?" she asks. "A lot of the time, HR is only looking at the risks around behaviour, but if you look at everything that is people-risk related, it also includes things such as high staff turnover and absenteeism. People risk is very multifaceted. There are so many different elements."

Deloitte's Davies adds: "People risk shouldn't be enveloped into another risk area. It needs to be elevated to top table. In terms of capability, if you get it right, HR and ERM working together allows for responsive planning and improves change management, as HR can be proactive. If you get it right, strategic risk management should also be able to engage all employees across the organisation."

Once HR has defined what it considers to be its most pressing people-related risks, there comes the more challenging step of starting the conversation with ERM and getting HR a seat on, or at least a say in, the board-level risk committee. "The path between HR and risk is not a well-worn path," says Young. "If companies aren't talking about HR risk holistically, it's probably the fault of risk management more than HR," adds The Conference Board's Hexter. "But senior leaders are missing a huge trick."

And if the bigger barrier to conversation and even potential partnership is on the risk side, the onus is on HR to try to overcome that. "It is really incumbent on HR people to explain the story to the risk-management guys, because risk management doesn't understand HR," says Cappelli. "HR has to be able to explain all the aspects of people risk and spell it out. But at the moment, it seems the HR guys aren't jumping up and down saying this is important. They are not thinking about tying it to business strategy at all."

As ever, it comes down to language. "To get more visibility [around people risks], HR needs to change its language to the language of business," says Young. "You need to be able to talk about these issues not in HR terminology, but the language of the business. Businesses are used to risk management, so if you can frame people issues in risk, you automatically get people's attention. Talk risk, and there will be visibility right to the top of the board."

In order to "talk risk", as Young puts it, HR directors need to realise that they have at their fingertips the one thing that is almost certain to make risk managers sit up and take notice: data. "HR has a big element of data," says Deloitte's Thompson. "But historically I don't know many organisations that have fed it into the mix [when it comes to risk management]. HR can be woolly and not quantitative, so the risk guys will say it's not worth the paper. But if you make it more intuitive for them, they will pay attention."

And for risk to take people risks seriously, that means hard, quantitative data. "HR has something else [aside from an understanding of culture] that is important," says Young. "It has data that will impress and interest risk. It's not resistance so much as lack of awareness that HR really has the numbers. If HR shows some of the data and insight they have, a risk person will see that it will help them to be more successful. HR would be interested to see the data that HR has, and risk has the framework that HR can use."

In today's volatile business climate, opening a dialogue and starting a partnership between HR and risk management can only be a good thing. "HR can only do good by taking this seriously and helping other functions, such as risk and finance, think about the people dimension," says Best from Iron Mountain. Ultimately, sharing expertise and realising how each function could help the other, whether to create a culture where staff are respectful of risk or to get people-related risk higher up the business agenda, will create a more sustainable organisation for everyone. And what kind of company wouldn't want that?

Tomorrow: HR explores top eight HR risks and how to handle them