HR risk management is the process of measuring the risk employees pose to the business. It is an important part of business risk mitigation. These risks could range from things like inappropriate employee management, employee behavior, or talent acquisition practices. There is no way to avoid all risks in business, but HR management is an important part of this business operational strategy. This is how you will anticipate and plan for potential risks so you can appropriately mitigate against these risks.
Why Is HR Risk Management Important?
Every business faces risk. The most successful businesses accurately anticipate potential risks and create actionable plans to manage those risks. Here are a few reasons you should consider HR risk management.
Collaboration. Employees play a pivotal role in overall risk management. As an HR professional, you have the opportunity to affect your organization’s strategy to empower every employee to actively manage risk.
Skill strengthening. Each and every employee within your organization has a pivotal role to play in managing the risk your organization faces. No organization will ever be able to effectively manage risk if only managers and leaders are focused on it. Your HR risk management strategy should upskill all employees in managing risk. The more people who are actively protecting the business, the safer your business will be.
Monitoring. Establishing HR risk management within your organization will provide continuous monitoring of key areas that harbor risk. Continuous monitoring will keep you and your organization one step ahead in an ever-evolving threat landscape. Here are a few examples of the types of risk that HR can protect against:
There are several types of risk that are important to understand. Risk encompasses a broad array of elements that could adversely affect a business. Here are the major types of HR risk you should be familiar with.
Compliance Risks
Businesses have to abide by many state and local laws. The list of laws and types of compliance regulations required is too long for a single article, but they can range anywhere from OSHA employee safety requirements to EEOC equal employment opportunity to HIPAA privacy laws. These laws require each employee to comply, and any failure to comply can cause civil or criminal penalties to an organization. Here is an example to illustrate this: HIPAA violations can be extremely costly to an organization and carry heavy penalties. Unknowing and accidental violations can cost a business as little as $100 per violation, and willful neglect of HIPAA violations with fraudulent intentions can cost an organization as much as $1.5 million. Since every employee in an organization who comes into contact with protected information is subject to HIPAA, there is a great amount of risk to plan for.
Operational Risks
Some businesses naturally contain more risk than others. If your organization operates from a call center, you likely have less operational risk than if your organization operates from a plant that regularly uses heavy machinery. Here is an example of operational risks: OSHA, the Occupational Safety and Health Act, creates regulations and standards of safety from air quality to injury tracking that keep employees safe during the course of business operations. If your business is not keeping OSHA regulations and an employee gets hurt on the job, your business faces major risk.
Financial Risks
Even though financial risk is more difficult to conceptualize, employees do pose a very real financial risk to an organization. Here is an example of financial risk: Many organizations rely on star reviews to drive business, which increases revenue. A large part of a star review is an individual’s interactions with people/employees. If your employees are lackadaisical or causing poor customer experience, it could lower your online reviews. If your business has 4.5 stars and that drops to 3.2 stars, potential customers may decide on a competitor, which would have large financial consequences.
Reputational Risks
Outside of the financial risks of cyber threats, organizations also face reputational risk over data breaches and ransomware attacks. A business’s reputation is not immune from risk. Reputational risks can range from minor fluctuations in business to entire business failures. Here is an example of reputational risk: Ransomware is malware that threat actors use to hold sensitive company data hostage with the threat of releasing or selling it unless a ransom is paid. Here is some additional information about what can happen to a brand’s reputation after a data breach.
Strategic Risks
One of the greatest risks your organization faces doesn’t have anything to do with threat actors, injuries, or financial crises. Strategy and performance management will be a large part of your HR risk management strategy. Here is an example strategic risk: It is estimated that poor workplace performance and unhappy workers cost US businesses over $450 billion dollars every year. Even though it may not seem like poor performance is risky, it can clearly be categorized as risk. The high cost of poor performance is a great reason why you may want to include management training as part of your overall HR risk management strategy.
4 Categories of an HR Risk Management Strategy
There are four major components to an HR risk management strategy. Each of these strategies will apply differently depending on your organizational needs. You get to determine how these components should be used within your organization.
Avoidance
Not all risks are avoidable, and avoidance isn’t always the best strategy, but some types of risks are best avoided. Here are a few types of risks where avoidance is the best risk management strategy:
Personal injury. Even though it may be impossible to avoid 100% of work related injuries, these risks are often avoidable with the right risk strategy.
Cyber threats. One of the greatest risks an organization can face is an employee simply clicking on a link in an email. Phishing threats are high risk for an organization and are best avoided. You can train your team to recognize and avoid these threats.
Disparate impact. This refers to employment and hiring practices that adversely affect protected groups. Even though disparate impact is usually unintentional, it is best to avoid this type of risk.
Retention
While avoiding a risk is more costly than the actual risk itself, your business may decide to simply retain the risk. Avoiding risk may be costly and your organization cannot avoid all risks. Although it might seem counterintuitive, depending on the type of risk, your strategy might be to retain or “accept” the risk. Here are some examples of risks that you may add to your retention strategy:
Low cost. There are risks that have such a cost it may not make sense to pay to avoid the risk. Often these risks are also high frequency.
Example: In some cases vandalism and theft fall into this category. Your organization may decide to retain the risk of a certain amount of theft or vandalism if it is low cost and high frequency. The cost of avoiding the low cost risk may outweigh accepting the risk.
Uninsurable. Some risks are not insurable, like criminal penalties by employees. There are some criminal actions by employees that may be uninsurable, and in risk like that it may make the most sense to retain that risk. Other examples of uninsurable risk may be those risks that insurance will not cover, like flood insurance in areas where floods are common. With that type of risk there may be no alternative to retaining the risk.
Insurance-covered. Some risks may be covered well enough by insurance that insurance may be more cost effective than avoiding the risk. When there are risks that insurance fully covers, it may make the most sense to retain that risk. The two main types of risk in this category are insurance-covered property and liability risk.
Example: an employee or customer slipping and falling on a wet floor.
Reduction
Reduction strategy is keeping risk to a minimum. When there are risks that cannot be avoided, it is best to reduce them to the greatest extent possible. Here are a few examples:
Sprinklers. Probably all buildings you have worked in have sprinklers. Buildings have sprinklers because it is impossible to ensure complete avoidance of fire, and in the event of a fire, sprinklers reduce the risk of damage to the building and loss of life.
Preventative care. Preventative health care is often covered by employer insurance because it reduces the risk of costly care down the road. The cost of preventative care reduces the risk of major care.
Routine maintenance. Keeping machinery and equipment properly and routinely maintained reduces risk. Airlines routinely conduct maintenance on their aircraft to reduce the risk of system failure.
Transference
This is also known as risk sharing; you transfer some or all risk to a third party. The main example of risk transference is purchasing an insurance policy. Insurance companies exist for the purpose of mitigating risk an organization may not have the capacity to manage on their own. Another example to help you understand risk transference and where it may apply to your HR risk management strategy would be to transfer the risk of sidewalk dangers outside of your physical establishment to a property manager or third party. In this example there is a risk, and you are transferring the responsibility or exposure to that risk to another party.
Best Practices for HR Risk Management
There are different strategies that make the most sense for each type of risk. Here are a few best practices to follow when designing and implementing your HR risk management strategy.
Stay Up to Date
Keep up to date with local, state and federal legal guidelines. Here are three ways to stay up to date:
Network. Talk to your peers and colleagues to learn more about how other HR professionals are navigating legal guidelines. Start by joining the HR Mavericks community for free!
Attend local events. HR and employment-related events cover current events, as well as upcoming changes that HR professionals should be aware of.
Partner With IT
Technology can increase your organization’s efficiency, which is a great resource for employees but also exposes the organization to data risk. Your IT department can help you design best practices for keeping your organization’s data safe in an environment of increasing technology.
Bring in Outside Help
Many organizations manage elements of risk as their business model. There may be a certain type of risk you want to outsource. Some organizations choose third parties to help with leave management, while other organizations use third parties to audit their data.
Develop a Recruitment Plan
Many organizations are reeling from the risk associated with poor recruitment processes. When organizations undergo a reduction in force, they lose valuable employees, damage their reputation and waste resources. Developing a recruitment strategy can reduce the risk of overhiring. A strong recruitment plan is not only a sound business strategy, but it can also be part of your HR risk management strategy. This is a strong example of where your recruitment strategy can go beyond a transactional interaction with business executives where you merely fill roles, to a role where you become a strategic business partner that helps the organization manage risk.
Strengthen Your Onboarding Process
Employee turnover is costly. It is estimated that replacing a lost employee can cost 1 to 1.5 times that employee’s annual salary. By investing in employee onboarding, you can effectively manage the risk caused by lost talent. Onboarding employees is a perfect time to introduce them to the many positive elements of your culture. People look at culture as a major determining factor in where they will work. When employees have a positive employment culture experience in onboarding, they are more likely to onboard quickly.
Topics
Tyler Fisher, PHR
Tyler empowers Talent Acquisition professionals, HR business leaders, and key stake holders to develop and execute talent management strategies. He is igniting the talent acquisition process through: team building, accurate time to fill forecasting, driving creative talent sourcing, and fine-tuning recruiting team effectiveness.
Every employee is an important part of HR risk management. Obtaining regular feedback from employees can provide valuable risk mitigating insight.
HR should meet with each part of the organization that manages risk to ensure the HR strategy aligns with the overall needs and goals of the organization.
HR risk management is the process of measuring the risk employees pose to the business. It is an important part of business risk mitigation. These risks could range from things like inappropriate employee management, employee behavior, or talent acquisition practices. There is no way to avoid all risks in business, but HR management is an important part of this business operational strategy. This is how you will anticipate and plan for potential risks so you can appropriately mitigate against these risks.
Why Is HR Risk Management Important?
Every business faces risk. The most successful businesses accurately anticipate potential risks and create actionable plans to manage those risks. Here are a few reasons you should consider HR risk management.
Collaboration. Employees play a pivotal role in overall risk management. As an HR professional, you have the opportunity to affect your organization’s strategy to empower every employee to actively manage risk.
Skill strengthening. Each and every employee within your organization has a pivotal role to play in managing the risk your organization faces. No organization will ever be able to effectively manage risk if only managers and leaders are focused on it. Your HR risk management strategy should upskill all employees in managing risk. The more people who are actively protecting the business, the safer your business will be.
Monitoring. Establishing HR risk management within your organization will provide continuous monitoring of key areas that harbor risk. Continuous monitoring will keep you and your organization one step ahead in an ever-evolving threat landscape. Here are a few examples of the types of risk that HR can protect against:
There are several types of risk that are important to understand. Risk encompasses a broad array of elements that could adversely affect a business. Here are the major types of HR risk you should be familiar with.
Compliance Risks
Businesses have to abide by many state and local laws. The list of laws and types of compliance regulations required is too long for a single article, but they can range anywhere from OSHA employee safety requirements to EEOC equal employment opportunity to HIPAA privacy laws. These laws require each employee to comply, and any failure to comply can cause civil or criminal penalties to an organization. Here is an example to illustrate this: HIPAA violations can be extremely costly to an organization and carry heavy penalties. Unknowing and accidental violations can cost a business as little as $100 per violation, and willful neglect of HIPAA violations with fraudulent intentions can cost an organization as much as $1.5 million. Since every employee in an organization who comes into contact with protected information is subject to HIPAA, there is a great amount of risk to plan for.
Operational Risks
Some businesses naturally contain more risk than others. If your organization operates from a call center, you likely have less operational risk than if your organization operates from a plant that regularly uses heavy machinery. Here is an example of operational risks: OSHA, the Occupational Safety and Health Act, creates regulations and standards of safety from air quality to injury tracking that keep employees safe during the course of business operations. If your business is not keeping OSHA regulations and an employee gets hurt on the job, your business faces major risk.
Financial Risks
Even though financial risk is more difficult to conceptualize, employees do pose a very real financial risk to an organization. Here is an example of financial risk: Many organizations rely on star reviews to drive business, which increases revenue. A large part of a star review is an individual’s interactions with people/employees. If your employees are lackadaisical or causing poor customer experience, it could lower your online reviews. If your business has 4.5 stars and that drops to 3.2 stars, potential customers may decide on a competitor, which would have large financial consequences.
Reputational Risks
Outside of the financial risks of cyber threats, organizations also face reputational risk over data breaches and ransomware attacks. A business’s reputation is not immune from risk. Reputational risks can range from minor fluctuations in business to entire business failures. Here is an example of reputational risk: Ransomware is malware that threat actors use to hold sensitive company data hostage with the threat of releasing or selling it unless a ransom is paid. Here is some additional information about what can happen to a brand’s reputation after a data breach.
Strategic Risks
One of the greatest risks your organization faces doesn’t have anything to do with threat actors, injuries, or financial crises. Strategy and performance management will be a large part of your HR risk management strategy. Here is an example strategic risk: It is estimated that poor workplace performance and unhappy workers cost US businesses over $450 billion dollars every year. Even though it may not seem like poor performance is risky, it can clearly be categorized as risk. The high cost of poor performance is a great reason why you may want to include management training as part of your overall HR risk management strategy.
4 Categories of an HR Risk Management Strategy
There are four major components to an HR risk management strategy. Each of these strategies will apply differently depending on your organizational needs. You get to determine how these components should be used within your organization.
Avoidance
Not all risks are avoidable, and avoidance isn’t always the best strategy, but some types of risks are best avoided. Here are a few types of risks where avoidance is the best risk management strategy:
Personal injury. Even though it may be impossible to avoid 100% of work related injuries, these risks are often avoidable with the right risk strategy.
Cyber threats. One of the greatest risks an organization can face is an employee simply clicking on a link in an email. Phishing threats are high risk for an organization and are best avoided. You can train your team to recognize and avoid these threats.
Disparate impact. This refers to employment and hiring practices that adversely affect protected groups. Even though disparate impact is usually unintentional, it is best to avoid this type of risk.
Retention
While avoiding a risk is more costly than the actual risk itself, your business may decide to simply retain the risk. Avoiding risk may be costly and your organization cannot avoid all risks. Although it might seem counterintuitive, depending on the type of risk, your strategy might be to retain or “accept” the risk. Here are some examples of risks that you may add to your retention strategy:
Low cost. There are risks that have such a cost it may not make sense to pay to avoid the risk. Often these risks are also high frequency.
Example: In some cases vandalism and theft fall into this category. Your organization may decide to retain the risk of a certain amount of theft or vandalism if it is low cost and high frequency. The cost of avoiding the low cost risk may outweigh accepting the risk.
Uninsurable. Some risks are not insurable, like criminal penalties by employees. There are some criminal actions by employees that may be uninsurable, and in risk like that it may make the most sense to retain that risk. Other examples of uninsurable risk may be those risks that insurance will not cover, like flood insurance in areas where floods are common. With that type of risk there may be no alternative to retaining the risk.
Insurance-covered. Some risks may be covered well enough by insurance that insurance may be more cost effective than avoiding the risk. When there are risks that insurance fully covers, it may make the most sense to retain that risk. The two main types of risk in this category are insurance-covered property and liability risk.
Example: an employee or customer slipping and falling on a wet floor.
Reduction
Reduction strategy is keeping risk to a minimum. When there are risks that cannot be avoided, it is best to reduce them to the greatest extent possible. Here are a few examples:
Sprinklers. Probably all buildings you have worked in have sprinklers. Buildings have sprinklers because it is impossible to ensure complete avoidance of fire, and in the event of a fire, sprinklers reduce the risk of damage to the building and loss of life.
Preventative care. Preventative health care is often covered by employer insurance because it reduces the risk of costly care down the road. The cost of preventative care reduces the risk of major care.
Routine maintenance. Keeping machinery and equipment properly and routinely maintained reduces risk. Airlines routinely conduct maintenance on their aircraft to reduce the risk of system failure.
Transference
This is also known as risk sharing; you transfer some or all risk to a third party. The main example of risk transference is purchasing an insurance policy. Insurance companies exist for the purpose of mitigating risk an organization may not have the capacity to manage on their own. Another example to help you understand risk transference and where it may apply to your HR risk management strategy would be to transfer the risk of sidewalk dangers outside of your physical establishment to a property manager or third party. In this example there is a risk, and you are transferring the responsibility or exposure to that risk to another party.
Best Practices for HR Risk Management
There are different strategies that make the most sense for each type of risk. Here are a few best practices to follow when designing and implementing your HR risk management strategy.
Stay Up to Date
Keep up to date with local, state and federal legal guidelines. Here are three ways to stay up to date:
Network. Talk to your peers and colleagues to learn more about how other HR professionals are navigating legal guidelines. Start by joining the HR Mavericks community for free!
Attend local events. HR and employment-related events cover current events, as well as upcoming changes that HR professionals should be aware of.
Partner With IT
Technology can increase your organization’s efficiency, which is a great resource for employees but also exposes the organization to data risk. Your IT department can help you design best practices for keeping your organization’s data safe in an environment of increasing technology.
Bring in Outside Help
Many organizations manage elements of risk as their business model. There may be a certain type of risk you want to outsource. Some organizations choose third parties to help with leave management, while other organizations use third parties to audit their data.
Develop a Recruitment Plan
Many organizations are reeling from the risk associated with poor recruitment processes. When organizations undergo a reduction in force, they lose valuable employees, damage their reputation and waste resources. Developing a recruitment strategy can reduce the risk of overhiring. A strong recruitment plan is not only a sound business strategy, but it can also be part of your HR risk management strategy. This is a strong example of where your recruitment strategy can go beyond a transactional interaction with business executives where you merely fill roles, to a role where you become a strategic business partner that helps the organization manage risk.
Strengthen Your Onboarding Process
Employee turnover is costly. It is estimated that replacing a lost employee can cost 1 to 1.5 times that employee’s annual salary. By investing in employee onboarding, you can effectively manage the risk caused by lost talent. Onboarding employees is a perfect time to introduce them to the many positive elements of your culture. People look at culture as a major determining factor in where they will work. When employees have a positive employment culture experience in onboarding, they are more likely to onboard quickly.
Topics
Tyler Fisher, PHR
Tyler empowers Talent Acquisition professionals, HR business leaders, and key stake holders to develop and execute talent management strategies. He is igniting the talent acquisition process through: team building, accurate time to fill forecasting, driving creative talent sourcing, and fine-tuning recruiting team effectiveness.
Every employee is an important part of HR risk management. Obtaining regular feedback from employees can provide valuable risk mitigating insight.
HR should meet with each part of the organization that manages risk to ensure the HR strategy aligns with the overall needs and goals of the organization.