People remain one of the biggest vulnerabilities for businesses. Whether an intentional or accidental action from an employee, the impact on a business can be huge, or simply a warning. But the risk that your employees present to your business is controllable if the organisation takes the threat seriously and embeds a positive risk culture.
Companies generally understand the importance of managing risks and have rigorous progresses in place for prevention. However, your workforce is a challenging task. Faced with individuals from a variety of backgrounds, experiences and values, the business needs to create a shared vision for risk ownership which resonates with your workforce.
A QBE risk culture survey, conducted in 2015, found that only three in 10 businesses felt that there was a shared understanding of the importance of risk management. This outcome demonstrates that there is some work to do in educating staff to understand their contribution towards limiting risks.
The risk impact of employees
Mistakes do happen; it is human nature that people can simply mess up . But risks also occur because of inadequate training, not following agreed policies or processes, or due to more malicious actions, such as fraud or sabotage.
Rules are often overlooked when employees are under pressure to meet targets or other people’s demands. One example is in law firms where criminals intercept property transaction emails between the firm and the client. Bank details are altered to the fraudster’s account details and staff sometimes fail to follow the prescribed rules on verifying bank details by phone, resulting in money being sent to the fraudster’s account. This is estimated to have cost around £180 million over the last two years alone.
Incidents can take an employer by surprise and result in loss of funds, reputation or even life. But they can also be much less severe, a warning from which a business can learn. This knowledge sharing is an important element of people risk management. Organisations can learn too, by embedding the same learning into permanent processes, precedents, training materials, and other documents across the business.
Business risk lessons
How a business evaluates an employee incident is just as important as how it plans for potential risks. Applying lessons learnt can help shape how you prepare, not only processes, but people to recognise the ‘warning signs’. The focus should be on improvement, not punishment for those employees involved in mistakes, so you can use the past to learn for the future.
Creating an open, blame-limiting business, creates a sharing risk culture. Management and employees work together to create a unified front, so employees feel they can quickly escalate any potential risks, and then managers can limit the impact.
Setting a risk culture
By embedding practical risk management steps into an organisation, employee risk can be limited. This starts by ensuring that the workforce is aware of their responsibility. Face-to-face briefings help shape attitudes towards risks more openly, and through discussion ensure the understanding is shaped and shared collectively. The induction process, reference resources and further briefing events also help to shape and reinforce the positive attitude and shared understanding of risk-decisions.
As with all organisational changes, senior management support is crucial. Employees will not proactively address risks and take ownership unless this is happening throughout the entire organisation. QBE sees claims where pressure to bend rules comes from those in senior positions, but it is essential that managers lead by example and the approach is shared across all levels.
In too many businesses employees still consider risk management to be a management responsibility. Their own risk influence continues to be considered insignificant and this is where the danger lies. The business world is a busy place. Companies are keen to do everything at great speed, whether it is close deals, hit inflated sales targets, meet timeframes, or get products to market, to maintain their competitive edge.
With employees under pressure to meet corporate demands incidents do occur. By educating the workforce to be more aware of risks and take ownership of their own actions, businesses can create a shared risk culture, which can only enhance their long-term corporate goals.
Risk Culture Profiling
In November 2015, QBE released a practical Risk Culture Profiling Tool which is available to all clients using our online platform QRisk. So if you are starting out on your risk culture improvement journey, or wish to stress test an established risk culture against a comprehensive framework, please get in touch with your broker, your usual QBE contact, or email us at firstname.lastname@example.org.