[co-author: Andros Payne]
Humatica and StoneTurn explore how to identify and manage organisational risk.
The Essence of a High Trust Environment
In a high trust organisation each member can be relied upon to demonstrate behaviours which foster transparency, good decision making and delivery of the shared vision without a large controlling overhead. It’s rare in corporations today, but essential for success in increasingly complex and dynamic markets. Culture plays a key role in shaping a mature and pervasive understanding of risk and individual responsibility to protect the organisation, its reputation and assets. Despite “culture” being a difficult topic to grasp, specific behaviours which drive risk can be objectively measured and managed.
The key question for HR, Heads of Talent and of Risk functions is how to foster the ‘right’ behaviours that drive high performance while minimising organisational risks.
Challenges and Threats in Modern Organisations
People are the critical resources that generate value, but also risk. Personnel risks are agnostic to the size or sector of an organisation. The world is facing complex and evolving threats as well as a changing working environment. As the value of information, innovation and intellectual property increase, it’s never been more important to address organisational and people risks. And, with organisational risk, you are truly only as good as your weakest link – which can take many different forms. Everyone therefore has a role to play in terms of awareness and action.
The biggest threat to an effective approach to people risks are organisational silos, which impede information flow and connecting-the-dots on an emerging threat. StoneTurn often manages investigations where an earlier intervention would have avoided significant costs, disruption and damage, but this didn’t happen because of a failure to “join the dots”. The risk was never identified and managed until it was too late.
Progressive security recognises the value of high trust environments. The work of Paul Zak and others, shows that high trust environments, which attract and retain the best staff, are more innovative and more profitable. From a risk standpoint they are also more secure.¹ This is critical in a world where IP has huge value and hostile actors will “steal with pride” to gain commercial and strategic advantage. Keeping the crown jewels safe has never been more pressing. For organisations whose value depends on their IP and people, keeping these assets secure needs careful attention. Risks need to be managed holistically across the organisation. And, building a high trust work environment is the only way to have ubiquitous awareness.
Leadership and Accountability
Building a high trust organisation needs great leadership that inspires and aligns people on the company goals, vision, and desired behaviours. It also requires a solid foundation of accountability, risk management, and policies and processes to find the right people, to support them and to manage people problems when they arise. Failure to invest in line management (80% of managers in the UK without training), has costs like a disengaged workforce and toxic environments which drain performance and negatively affect the ability to drive success.
Whilst a disengaged workforce may not be actively disruptive, it will act as a drag on the business², evidenced by high staff turnover, mediocre performance and poor compliance rates. Poor line management which overlooks seemingly minor transgressions like expense fraud, can lead to ‘ethical ‘fading’ which erodes trust in the broader organisation. And, crucially, most investigations following an Insider ‘event’ demonstrate that this originated in an area of the business with poor management.
Great line managers have high awareness. They naturally spot emerging org risks early, manage in the moment, and intervene before the risk grows and manifests. Training and support are needed to help the average manager identify organisational risk and with remediation. A strong workplace culture reinforces security behaviours at all levels and makes for a pleasant place where people want to work. Finally, attracting the right people in the first place isn’t just about the money. It has to do with the culture and “feel” of a business. Especially in the most sensitive IP-driven businesses relying on scarce specialist skills such as digital design, AI and software, “culture” can be THE USP.
The best barometer of poor behaviour is other people, so driving the right behaviours every day throughout the company will help to pick-up the emerging problems that can in turn escalate. High trust is therefore the secret to great organisational risk management. Building it requires consistent leadership and organisational processes over time. However, it is quickly eroded by just a few dysfunctional behaviours, and in particular the tone from the top.
An essential behaviour at all levels is to speak-up when you see an organisational risk. This requires a “psychologically safe” environment and processes. Confidential channels, where employees can report issues irrespective of role or seniority are essential. Nothing kills a speak-up channel faster than the perception that senior people are treated differently, or their poor behaviour is excused. For a speak-up channel to work effectively, employees must know that there won’t be negative consequences speaking up in good faith, that confidentiality is assured, and their concern will be handled consistently.
Leveraging Data and AI in Risk Management
Firms often reach for a technology risk “solution” before thinking about the insights they can gain from the data they already have. It’s only after something has gone wrong that the red flags which would have enabled a proportionate intervention are recognised. And now, with AI, it is easier than ever to comb through big data sets like Humatica’s behavioural benchmarking-, performance review-, comp-, absentee-, system and physical access data to connect-the-dots early on an emerging organisational threat.
Collaborative Approach to Risk Management
As we are often dealing with imperfect or incomplete information when assessing people risks, it’s critical that insights are shared between HR, Finance and Security. A joined-up approach will help to spot dysfunctional behaviours early on, allow proportionate interventions and drive institutional learning. This helps to support employees and reinforce a culture of continuous improvement. It’s also helpful to engage other stakeholders including legal, IT security, investigations, ethics & compliance and audit. They will each have valuable information about potential problem areas that helps to connect-the-dots on emerging personnel risks.
Good organisational risk management makes the company a great place to work, helps to attract and retain the best talent, and above all, enables consistent high performance.
This article was co-authored with Andros Payne, Managing Partner and Founder at Humatica.
