Risk managers and the businesses they work for must stop thinking of people-related threats as someone else’s problem, says Howden Employee Benefits’ Mark Ramsook.
People-related risks underpin many of the greatest threats facing organisations today.
Whether it’s poor physical and mental health leading to staff shortages or inadequate training opening firms up to cyberattacks – firms that do not prioritise talent threats could be in for a nasty shock.
The problem, according to Mark Ramsook, executive director at Howden Employee Benefits, is that too many organisations view human-based risks as an HR problem. Even where people risks are understood, the controls for addressing them are once again considered to be the remit of HR.
This is compounded by the insurance industry, which tends to focus on transferring physical assets and transactions under general insurance, while only reacting to human-based risks with reactive insurances like life, health and disability, which are typically managed separately from the risk management function (by HR), treating them as isolated incidents.
Ramsook explains: “People-based risks such as employee behaviour, lack of training, poor workplace culture, mental health issues, absenteeism, chronic health conditions, climate-related events, and bad leadership can significantly impact company performance through E&O (PI), cyber claims, erosion of talent, increasing operational costs and premiums. However, the traditional approach to risk management often fails to identify or address these causation factors.”
“Risk managers have their structured enterprise risk management view… that’s typically about assets, transactions and business risk. HR then looks after all the people-related aspects, creating silos that don’t always deliver the best outcome for the business or reflect the true picture.”
A NEW APPROACH
In today’s world, characterised by rising healthcare costs, ageing populations, climate change, geopolitical instability, populism and increasing costs of living, the risks related to people are becoming more pronounced. This in turn means that those threats have the potential to cause greater, longer-lasting impacts on businesses.
Ramsook believes businesses must respond by taking a more holistic approach, which accounts for the positive and negative effects of people-related risks on long-term company performance.
This, he argues, means moving away from focusing on reactive insurance products and instead prioritising proactive risk management and looking at the bigger picture. He says: “In countries where there is a duty of care around absence, disability and workers compensation, we are starting to see the pendulum shift, but as a whole this is limited.
“So much of what HR gets tasked with, like organisational design and culture, has a massive impact on risks that enterprise risk managers are trying to insure.”
“It is time for companies to rethink how they assess risk, moving beyond traditional asset-based models to include more comprehensive strategies that address the human factors driving business risk.”
Ramsook says the first step is making a shift towards recognising and mitigating people-based risks before they harm business resilience. This means embedding what have traditionally been HR responsibilities within a wider risk management framework.
He explains: “So much of what HR gets tasked with, like organisational design and culture, has a massive impact on risks that enterprise risk managers are trying to insure. Bad behaviours, bad culture and poor leadership can critically undermine risk management efforts.”
He illustrates this with an example from the construction sector, where legislative requirements mandate health and safety standards, but organisational culture and behaviour can significantly impact how construction workers operate. “Often, misalignment here can be the key reason for contract failures and professional indemnity claims,” Ramsook says.
BETTER USE OF DATA
Behavioural analytics is another strategy that can help to reduce a business’s risk profile.
For instance, if you understand how and when employees are likely to commit fraud, you can address the root causes and minimise the risk. Equally, continuous feedback and employee engagement surveys can help risk managers keep their fingers on the pulse of employee culture and satisfaction, and highlight key people threats that might be emerging.
Ramsook says: “In the tech sector, for example, the growth-at-all-costs mentality often runs harshly over the cultural and behavioural frameworks HR is trying to establish. This can lead to cyber claims because employees aren’t vigilant about phishing and other cyber risks.
“We correlated absence data and mental health claims with professional indemnity claims and found strong correlations. Toxic leaders were linked to higher PI claims.”
“If businesses don’t listen to what their employees are saying, they create an imbalance that increases risk. It’s crucial to pay attention to the voices within the organisation.”
He adds that companies often already have a lot of useful information, but it’s not used effectively because departments operate in silos: “Most organisations have the data; it’s just about how we want to start looking at it.
“By packaging claims data with wider risk drivers, we can help risk managers understand the underlying factors contributing to higher risk. This re-frame can be invaluable.”
He gives the example of a successful project at a law firm, where existing data was used to better manage a people-related threat. He says: “We correlated absence data and mental health claims with professional indemnity claims and found strong correlations. Toxic leaders were linked to higher PI claims. This data helped us build a stronger case for investing in preventative well-being and mental health programs.”
BUILDING TRUST AMONG LEADERSHIP
Trust and leadership behaviour are crucial for addressing people risks, but Ramsook says that businesses are falling at the first hurdle because things like well-being are often seen as ‘fluffy’ and inconsequential by other departments and ‘culture’ is seen as the responsibility of HR, despite being very much a leadership and C-suite responsibility.
He explains: “Leadership behaviour directly sets a precedent within the business. In sectors like law, negative behaviour can get out quickly, damaging the firm’s reputation and ability to attract talent. The speed with which negative behaviour is exposed is staggering.”
So, how do risk managers make sure that people risk and culture gets the board-level attention that it needs?
“You need to present a picture of organisational risk encompassing behaviour-led risks that drive wider reputational risks,” Ramsook advises. “In some of the most effective scenarios, we involved the CEO and CFO from the outset. This elevated the conversation around risk and led to meaningful changes in organisational behaviour.”
He concludes: “We’re not necessarily going to solve all of this with insurance policies or from an enterprise risk management perspective alone. But by getting the right people together to look at this through an integrated lens, we can have a fundamentally different and positive outcome.”
This is the new frontier in risk management – one where people risk is given the attention it deserves.
This is the first in a series of articles that explore the concepts and challenges around people risk. Does this resonate in your organisation and have your leadership team considered shifting the paradigm around their view of people-based risks and the impact on the business?
No comments yet