Risky business: now is the time to make risk management part of company culture
The pandemic, and the far-reaching repercussions it has had on the world of work, should prompt businesses to update risk management policies and procedures as they look to a future beyond COVID, finds Beau Jackson
Speaking in December last year, our HR lunchtime debate panel focused on the topic of risk. In the past year, risk management has come to the fore as organisations not only grapple with an unseen virus, but also with teams operating on a more remote basis.
Cyber attacks, for example, have been on the rise as opportunists seize on home internet connections without corporate protection. For some organisations, new employees will also have been onboarded without ever meeting colleagues in person.
As many elements of remote working are expected to remain once the pandemic has passed – is there a case for making risk management part of your culture? Could such an attitude also help HR teams prepare for more curveballs to come?
Rapidly reassessing priorities when the pandemic hit made a lot of internal processes more challenging, said Caroline Smith, deputy general counsel international, at HireRight, yet organisations must continue.
She said: “While the pandemic has impacted hiring, people still have day-to-day business needs. Our clients have been wanting to make sure they can still onboard their teams safely and manage their risk by understanding what those individuals’ backgrounds are.”
Businesses void of integrated risk management processes have potentially exposed themselves to risks. As panellist Dan Peyton, partner in labour and employment at McGuireWoods, said: “Because of the nature of the pandemic, and how it incrementally affected the workplace – the fact we didn’t know how long this would last – I think it’s true to say that there’s not been a moment when clients took a risk audit and took the long-term view [on the situation].”
Health and safety risk assessments and a consideration of data security when working from home may have fallen by the wayside for many organisations Peyton added, as only the most important decisions, such as immediate employee health, could be handled in the circumstances.
What this high-stakes situation demonstrated, was a limitation of the mantra of “policies and practices.” He said: “You can have all policies in the world, but ultimately you are reliant on reducing risk on people who work with you.
“And actually, that has much more to do with creating a compliance culture within a business.”
Although the majority (74%) of our webinar audience said that they had reassessed the risks to the workforce during the pandemic, Smith questioned to what extent HR teams had readjusted to new risks due to the reactive nature of many decisions.
Panellist David Frost, group organisational development director at Total Produce, added: “Businesses have obviously had to react very quickly and had to assess how they’re going to operate safely.
“In our business for example we’ve had to put into place new policies and new systems of working, very quickly but actually formally as well.”
View HR magazine's lunchtime debate: Why managing risk should be part of your company's culture here.
Though it remains uncertain when and how exactly workers will be brought back to, or introduced to a physical workplace, panellists suggested the climate may encourage some leaders to approach with more care and caution.
In a relatively even split across our webinar audience, 24% said they would be screening employees on their return to work, 24% said they would not, 20% were unsure and 32% said they had not considered it.
Making the case for screening employees on a return to work, Smith argued that some methods may be a good way of checking in on employees’ personal situation.
She said: “Things like a credit or a criminal check could give you an indicator if someone’s been going through a hard time – that doesn’t mean that as an employer you would be taking any action against that but what you can do is manage things […] or put welfare return-to-work programmes in place for those folk that have been more impacted. It can be a really useful data point.”
Frost advocated formal one-to-ones with all staff before they come into a new working situation to make sure employers understand how personal situations may have changed and can make adjustments where possible.
He said this will include conversations covering the permanent shift in attitudes to where people work.
“We also have a lot of colleagues who travel as part of their day jobs…that’s absolutely going to change,” he added. “I think what it points to is that everyone needs to agree [on new practices].
“There needs to be a consistency that everyone is comfortable with and supports.”
It can be a minefield if colleagues do not agree on risk management policy in a post-COVID workforce, said Peyton.
As employee screening can take on a number of forms, from criminal background and credit checks, to medical screening, there will be no one-size-fits-all for businesses, or different categories of employees within a business.
Peyton said: “I think it is another illustration of one point that is important, which is that everybody looks at what has happened over the last nine months as something that is exceptional.
“And it has been exceptional. But in some respects, in legal terms – it’s not.”
Though people have in many instances been away from the workplace for longer than usual, Peyton said HR will have to think carefully about their justifications for introducing screening on employees’ return.
If screening is already part of company culture though, as at HireRight, he added there is more of a case for it to be conducted on a return to work.
A positive approach to risk
One of the complications of risk assessments all panellists agreed upon is that they ironically require risk assessment themselves.
Smith said: “Risk assessments generate risk assessments, they’re a little bit like gremlins…it kind of all gets out of control. But you do need to sit down and think about – who has been out [of the workplace] and the reasons they’ve been out.
“If a small proportion have been out and that has been for reasons such as health then it’s probably a no-go.”
To understand where screening may be appropriate for employees, Smith said HR professionals should look at all the different categories of employees, data access they have, levels of seniority and their contribution to the running of the organisation, then track the different types of checks alongside that.
She added: “Go through the types of checks you would do that would cover particular risks and figure out whether those are relevant and proportionate in context of that individual’s role in your organisation.”
Criminal background checks, for example, may not be appropriate in all roles or geographies. There are other things, like social media trawls, that may be less intrusive and more appropriate depending on the kind of risk being assessed.
For 30% of the webinar audience, there was also some concern of scaremongering by bringing up the topic of risk management with employees.
For HR leaders daunted by the prospect of implementing a risk management culture from scratch, Frost advised that above all, it has to be a team effort.
“We operate on basis of teams very local to where we operate. We decentralise responsibilities in regions, etc. Teams are able to make right decisions locally.”
Additionally, he said it’s about seeking good advice. “What’s the saying? ‘Good advice is
cheap advice’? You’ve got to make sure you get people around you to support you who are outside your organisation.”
For the majority (70%) of the webinar audience that said they would not be concerned about scaremongering, Smith suggested they may be more comfortable addressing risk than others is that they realise it can be done in a positive way.
She said: “The way we’re talking about risk management and people coming back into the office is very much about how their role contributes to the business’s overall success.”
If HR teams can take this approach and include wellbeing as part a positive conversation around risk management, Smith said she thinks barriers can be avoided when addressing risk as people return to a changed workplace.
She explained: “It’s all about communicating with your employees when they’re coming back about what to expect, and this type of screening would be part of that communication.
“Make it part of your culture. Don’t just have it as a one-off ‘It’s for COVID’ but keep it going, because if you build it in as part of your culture then it will be something that is intrinsically accepted if you get the legal framework right.”
Find more of HR magazine’s webinars here.
This piece first appeared in the January/February 2020 print issue. Subscribe today to have all our latest articles delivered right to your desk.