One way to think about risk management is as a set of procedures designed to mitigate risks identified in a threat assessment. In this view, the risk management program contains a set of rules that can be taught to the right people who can implement the procedures to reduce or eliminate risk.
Humans are good at inventing routines to make repetitive tasks easier or faster to complete. In the beginning, we spend a lot of time and energy working out how the parts of the puzzle fit together, what causes what, what can go wrong, and how to achieve the goal most efficiently, in this case, to mitigate risk.
Once the routine is designed properly, we test it. If it works, we implement it and then begin the second phase of embedding the routine into a body of standard procedures.
Every day there are things that can go wrong in organizations. And sometimes they do, often taking an organization by total surprise. Assessing what threats exist from the HR perspective can give an organization a far greater chance to minimize and even prevent the potential loss. When unforeseen threats transform into a situation, the effect can ripple from those directly involved all the way out to customers or even beyond the organization’s operations altogether and into the realm of reputation.
“People are at the core of each major risk. If not as part of the problem, then as part of the solution.” — DELOITTE, 2012 REPORT
Understanding the threats and managing the associated risks are imperative at every level of an organization – because it’s the people (the human capital) who are supporting the organization at every level. Risks can present in different forms such as: complacency, turnover, occupational fraud, catastrophic workplace events, and negligent hiring and retention. In fact, human capital is one of the most pressing corporate risks, evidenced by its continuous presence on the Government Accountability Office (GAO)’s high risk list. Human capital risk should be on your radar too.
In general, compliance is conforming to particular expectations, standards, or behaviors, whereas risk is an exposure to potential loss or injury. When we think of compliance in the security arena, it often means that you are following prescribed standards, which could be regulatory, industry best practices, or standards that are otherwise customized or company specific.
While compliance and risk often follow the same path, a compliance audit or survey is often performed with a one-size-fits-all “compliance only” approach, as opposed to one that requires more complex reasoning.
Some may question the rationale of compliance if risk is not a constant consideration. Lack of experience, industry knowledge, or even simply lack of time can hinder the ability to take a more risk-based direction. After all, taking a compliance-only approach simplifies the security audit process by allowing for uniform application, reduced subjectivity and error in assessment, and strong performance metrics capability.
Is the added complexity of a risk-based approach worth the effort?
Each is an Avoidable Human Capital Risk.
At first glance three recent news stories seem completely unrelated: a USA Today article about thefts from a trust fund; NBC News stories (here and here) about deaths from a building collapse; and an Albany Times Union report about a sexual assault. As one reads the details of each story, the commonality begins to reveal itself; they each are examples of avoidable human capital risk.
Trust Fund Thefts: Lack of Internal Controls
The USA Today article describes a nursing home office staffer’s unlawful personal use of residents’ trust funds and her August 2013 conviction, in Vicksburg, Miss., on multiple counts of exploitation of vulnerable adults.
An administrator at a nursing home stumbled upon a highly suspicious debit from a resident’s trust fund that was missed, along with many similar debits, by a cursory audit. When the subsequent criminal investigation was complete, an office staffer working in the nursing home was charged criminally, and ultimately convicted, on multiple counts of exploitation of vulnerable adults.
There are a couple of trends in our current society that lead many to believe that risks from human capital are on the rise. You might refer to this as the “cultural context of risk.”[i] If indeed human capital risks are on the rise, it makes sense that C-suites have a greater obligation to take action to identify, assess, and act to mitigate the risks they face.
One trend is exemplified in the increasing incidence of occupational fraud (see our graphic summary of fraud). The most worrisome aspect of this is that it may reflect a change in our culture toward less personal honesty or restraint – sociologists would refer to this as a decline in “social control” as opposed to the formal control of law enforcement. If this is true, employers face a permanently more difficult challenge in finding employees they can trust to work for the good of the organization.
The second trend may actually be part of a social response to the failure of social control. In place of allowing organizations to control their own behaviors, government has adopted some increasingly stringent regulations ranging from SOX, to the Fair Credit Reporting Act, to the Consumer Finance Protection Bureau. These legal controls create a rigid, maybe brittle, operating environment that exposes organizations to much higher risk for specific kinds of employee-based failures.