
Managing Human Capital Risk: Ingraining Risk Management Into Corporate Culture

by Tim Lupfer and Mike Fuchs @ 2009-12-14

Category: Compliance, Featured Article, Risk

The following Q&A was contributed to CCI by one of our preferred partners, Deloitte Consulting, and features the thoughts and expertise of Timothy Lupfer and Mike Fuchs.

Managing Human Capital Risk

Making Risk Management an Essential Part of Corporate Culture

Premise: People pose both the greatest risks and the greatest rewards for organizations. Especially during uncertain times, an organization must develop the knowledge, capabilities, and motivation of its people to align them with the organizational objectives of effective governance and risk management.

Q. At a time when organizations are experiencing heightened scrutiny from lawmakers, regulators, and shareholders, what role – if any – is there for talent management in an organization’s risk and compliance efforts?

My response to this question is along two dimensions.

The first dimension emphasizes the increasing need and ongoing challenge to fill positions in an organization, e.g. internal audit, compliance and risk functions, etc., whose primary responsibility is managing and monitoring risks.  Now, more than ever, there is heightened importance placed on attracting and retaining highly skilled individuals in these types of positions.  The jobs are much more complex and the stakes are significantly higher.

When you think about the concept of critical workforce segments, rarely has that applied to individuals in these roles.  However, it has become abundantly clear that targeted talent strategies focusing on these functions are critical to an organization achieving its business objectives.

The second dimension relates to embedding risk and compliance into the fabric of the organization.  One of the best ways an organization can achieve this goal is by effectively incorporating risk and compliance into the talent management process.

Consider, for example, the basic elements of an employee’s lifecycle – recruiting, deploying, rewarding, developing, promoting, and terminating/retiring.  These are all areas in which an organization can take the opportunity to introduce, reinforce, and reward the importance of clear and necessary steps taken to ensure risk management and compliance.

Take the hiring process, for instance.  Most organizations view background checks and effective assessment of an individual’s capabilities as the main component of their due diligence on risk and compliance in the hiring process.  However, it is during this process that the organization has its first interaction with a prospective employee—an interaction that can have great impact and leave a lasting impression.

To emphasize the importance of risk and compliance within your organization, incorporate questions that demonstrate an individual’s ability to assess and address risk, determine how an individual has handled conflict/challenges in the past, and include how the candidate can contribute to a risk and compliance-centric culture.  Similarly, evaluating performance and rewarding your people should not be based only on results. Rewarding proper behavior should be a part of the overall performance management process, with clear expectations set as to how an individual should address risk and compliance issues.

And, by incorporating risk into various stages of the talent management lifecycle, you also help identify, through the lens of risk management, the general talent needs required to effectively run the enterprise.

Q. Are employees aware of their responsibilities in addressing risk in the organization? Who is responsible for making risk an integral part of daily business?

Employees in the formal risk functions of an organization are clearly aware of their “responsibility in addressing risk” within the organization.  We put that phrase in quotes, because if you were to ask employees in these functions, “Are you aware that you are responsible for addressing risk in the organization?” they would probably say yes.  However, as you start peeling back the onion to discuss how this actually works on the job, you invariably find overlap, gaps, and/or limitations in how risks are addressed.

The confusion lies in the follow-up question concerning who is responsible for making risk an integral part of daily business.  The answer is everyone, because managing risk is an inherent element of any task in business.  Responsibility and accountability for managing risk run throughout every level of the enterprise.

It starts with the board and senior management, includes C-suite officers and business unit owners, as well as employees in the formal risk and compliance monitoring functions under the general counsel, chief risk officer, chief compliance officer, and internal audit. Not to be forgotten, however, are the supporting functions that deal with and/or facilitate the risk process in human resources, IT, finance, and accounting.  Finally, there are those employees who help to run the business and make decisions every day that have risk and compliance implications.

Risk is an inherent element of every business activity. However, some risk areas are complex and require specialized expertise, such as credit risk requiring sophisticated quantitative skills.  Too often, people focus on the specialized skills to manage risk and forget that managing risk is a basic requirement for anyone in business.  As a result, few people in operational jobs are explicitly reminded of their duty to manage risk on an ongoing basis. It is no wonder then that many employees are unsure of their day-to-day responsibilities concerning risk.

Q. How can HR leaders increase their value and contributions to governance, risk management, and compliance?

A stronger HR presence in identifying and dealing with matters of enterprise risk can potentially mitigate many risk management issues that organizations face.  For instance, let’s consider how HR can assist employees with operations-related risk challenges, which we typically see falling into four categories:

  1. I did not know it was my responsibility.
  2. I knew it was my responsibility, but did not understand what I was supposed to do and/or how.
  3. I knew it was my responsibility, knew what and how, but did not have the time.
  4. I knew it was my responsibility, knew what and how, had the time, but frankly did not see the value to the company or me.

HR leadership can certainly play a critical role in mitigating some of these risk management considerations.  For instance, HR can effectively map each component of the employee lifecycle to each of the issues above and strengthen the organization’s overall governance and risk management program.  Leadership alignment and organizational effectiveness also present a clear opportunity for HR leadership to increase their value and contributions to these areas.

Q. What resources should be provided to employees to help them identify fraud and other behaviors that could endanger their organizations? Is whistle-blowing typically encouraged as it relates to compliance issues?

It is finally time for the dreaded 7-letter word, culture (and the 6-letter word, ethics).  We are sure that if you think about any of the major frauds, scandals, and other risk-based failures of the past few years, most of those organizations had a clearly worded mission, codes of conduct and vision statements that emphasized the importance of ethical behavior.  It is likely that they also had formal whistle-blower and escalation processes.  All of those things are important, but if people do not understand the process, believe that leadership truly embraces the concepts and/or that they personally will be appropriately rewarded (or worse, punished), any well-intentioned formal program will fail.

It goes back to how people get rewarded for their actions.  If it starts becoming clear that appropriate behavior (“doing the right thing”) can trump bad behavior and achieve good business results, then companies will likely see a change in the attitude and actions of their employees. If short-term results are the only factor to drive rewards, expecting people to think about the longer-term considerations of risk and its impact on compliance is fruitless.  It is a recipe for disaster in an environment of short-term urgency and “get it done at all costs” to expect employees to resist the temptation to cut corners, ignore policy, relax rules, or eventually commit fraud in order to achieve short-term gains.

Q. What should be the content of risk management training?  How often should it be taught?

Understanding what the content should be and how often individuals should receive training in any area are critical questions that need to be answered when developing any learning and development curriculum. Companies also must ask what is the best venue and medium for the training.

We recommend general ethics training for everyone on a fairly frequent basis, with emphasis on the real dilemmas that people face in their jobs.  The key to effective risk and compliance training, on the other hand, is to customize it to the person’s role in the enterprise and the business issues the company is facing. Also, the more you can integrate risk and compliance training into the general learning and development components, the more likely you will increase the level of attention and the capabilities of your employees when dealing with risk and compliance issues.  Fundamentally, ethics, risk management, and compliance training needs to have the same diligence associated with it as any robust learning and development experience.

Q. What are the key tenets of Risk Intelligence that should be incorporated into the organizational structure and employee training strategy of an organization?

At Deloitte¹, we focus on the Nine Principles of Risk Intelligence for organizational structure and training strategy.

The first four principles establish the baseline for the organization with common risk definitions, responsibilities, and frameworks.  Risk is executed with clear management responsibilities through a common risk infrastructure with controls and monitoring.  Finally, Risk Intelligence is embedded in operations (the business units) and staff (the key functions).  Clarity of risk responsibilities strengthens the organizational structure, and guides the training strategy.

Q. With the magnitude of layoffs and cost reductions dominating today’s corporate agenda, how can corporate risk and compliance managers assure risk management is truly ingrained and sustained in the corporate culture? What are the risk factors associated with low employee morale, and can they be avoided?

The greatest cause of unethical behavior by otherwise “good” employees is the pressure of unrealistic goals.  Especially in today’s turbulent environment, managers and leaders must avoid overloading the remaining employees with demands that seem only attainable through dubious actions.

At the end of the day, the biggest challenge that an organization faces during times of significant turmoil and unrest is the undermining of trust and confidence.  Do employees trust leadership?  Do they have confidence that leadership can get the organization through this?  Do employees trust each other?  Do they trust that what was important yesterday is still important today?  You can never underestimate the impact that this uncertainty and lack of faith can have on employees’ actions.  Is it really worth it to follow that procedure?  It is easier to ignore it, and what is the worst that could happen, get fired?  Why should I do the right thing, they’re just going to cut my pay anyway?

The best defense that leadership has against these creeping doubts is to be open and honest in their communications.  Also, being consistent and being able to link these tough decisions to real business reasons is paramount during these times.  Finally, a sense of shared burden with a common goal will help keep people focused on the task at hand, which should include continuing with the basic risk and compliance efforts that the employees were performing before.

1 - As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

**********

About the Authors

Mike Fuchs
Deloitte Consulting LLP (Deloitte Consulting) Principal Mike Fuchs has focused on helping clients find solutions to cultural and institutional challenges related to complex governance, risk and compliance (GRC) requirements.

As a principal for the Human Capital and GRC practice, Mike assists clients with Sarbanes-Oxley Section 404 readiness, focusing on human resources (HR) risk mitigation and entity level control assessments.

Mike’s experience traverses the HR landscape and includes shared services design, business case development, enterprise transition and change management.

Timothy Lupfer
Tim Lupfer is a director with Deloitte Consulting LLP in its Organization & Change practice.

He specializes in helping clients establish and maintain comprehensive compliance programs, develop and deliver compliance and ethics training, and “bake in” desired new behaviors into their organizational culture.

Tim was a co-founder of an Ethics and Compliance Working Group, which is now part of Deloitte’s Governance and Risk Management Integrated Market Offering.
