Article Information

Authors:
Marius Meyer1
Gert Roodt1
Michael Robbins1

Affiliations:
1Department of Industrial Psychology and People Management, University of Johannesburg, South Africa

Correspondence to:
Marius Meyer

Email:
marius@sabpp.co.za

Postal address:
PO Box 524, Auckland Park 2006, South Africa

How to cite this article:
Meyer, M., Roodt, G., & Robbins, M. (2011). Human resources risk management: Governing people risks for improved performance. SA Journal of Human Resource Management/SA Tydskrif vir Menslikehulpbronbestuur, 9(1), Art. #366, 12 pages. doi:10.4102/sajhrm.v9i1.366

Copyright Notice:
© 2011. The Authors. Licensee: AOSIS OpenJournals. This work is licensed under the Creative Commons Attribution License.

ISSN: 1683-7584 (print)
ISSN: 2071-078X (online)
Human resources risk management: Governing people risks for improved performance
In This Opinion Paper...
Open Access
Introduction
Methodology
Growth in the field of managing risk
What is risk management?
International risk management standards
Governing risk in King III
Risk and the Human Resources link
Integrating risk and performance
Types and examples of Human Resources risks
   • Complying with legislation
   • Understanding trends in the business environment
   • People and corporate culture
   • Implementing business strategy
   • Carrying out operations
An Human Resources risk assessment framework
Guidelines for managing Human Resources risk
Conclusion
Acknowledgements
   • Authors’ contributions
References
Introduction

Against a backdrop of uneven and uncertain economic recovery, the worldwide economic recession has led to a renewed focus on managing risk (Butler, 2010).

At a local level, the King III Code on Governance in South Africa has been in effect from 01 March 2010. In response to King III, the South African Board for People Practices (SABPP) recently released an opinion paper on the human resource (HR) implications of King III (SABPP, 2009).

Given the important role of HR directors in supporting King III, and the sound governance of South African organisations in particular, the Human Resource Research Initiative of SABPP identified the management of HR risk as one of the most important opportunities that HR practitioners have for adding value to the new governance dispensation in the country.

In fact, the 2009 Ernest and Young Business Risk Report highlighted the importance of HR risk management. Christopher Lipski, HR Risk Management Service Line Leader in the United States of America (USA), said that ‘managing risk in the HR area has become an increasingly important issue for global executives’ (Ernest & Young, 2009).

In his new book on successful South African entrepreneurs, Brian Joffe, chief executive officer (CEO) of the Bidvest Group, states: ‘A key risk in future – just like today – is people risk.’ We live in a country with a dearth of skills. So a key test of entrepreneurship is how you develop people. One of the big lessons from Bidvest is that you grow by growing people and working together. You rarely find bad people in business. The problem is usually a bad fit. Give people the right opportunity, the right tools and training, and they will perform.

This article gives a brief overview of the importance of managing risk from an HR risk management perspective. The point of departure is that, in addition to other factors in business, a lack of proper HR risk management contributes to poor governance because businesses often use a reactive approach to HR management with no or little regard for managing risk.

Methodology

The researchers followed the following methodology when compiling this article:

• a literature review of risk management and HR risk management
• a focus group session with HR managers
• consolidating these into an HR risk management framework and guidelines for South African organisations.

Growth in the field of managing risk

Risk management, as an emerging management discipline, has gone from strength to strength over the last decade. Various universities have started to offer short academic courses in managing risk and companies employ risk managers to ensure that risk management receives the attention that it deserves.

The appointment of risk managers also had its downside because it meant that senior managers saw managing risk as a separate organisational function that risk managers controlled. Now, in the new governance regime that King III proposed, managing risk has been elevated to board level using the best practice guideline that companies should appoint a chief risk officer (CRO) to boards.

In a similar vein, King III elevated and repositioned risk management at board level by referring to the ‘governance of risk’. In fact, governing risk is now a whole chapter in King III (chapter 4). Managing risk should therefore form part of the strategic plan of an organisation.

However, as Taleb (2007) warns, companies must be careful of becoming risk complacent when they assume that they can forecast the future accurately. Who forecast 9–11, the tsunami and the worldwide economic recession?

All of these dramatic events had a major effect on business all over the world. However, risk managers and boards could not forecast any of these events. Thus, managing risk has indeed become an emerging field. However, businesses need a more integrated and proactive approach to ensure that they becomes resilient and develop capacity to handle risks and disasters.

What is risk management?

The word ‘risk’ entered the English language from the old Italian word riscare, which means ‘to dare’. The very nature of business is about taking risk for reward (Zulu, 2010).

Businesses invest money to yield returns on the risks they take. Risks are ‘uncertain future events which, left unchecked, could adversely influence the achievement of a company’s business objectives’ (Naidoo, 2002).

The definition in the International Organization for Standardization (ISO) 31 000 risk management standard is that ‘a risk is the effect of uncertainty on objectives’ (Airmic, 2010; ISO, 2009). The ISO guide also emphasises that a risk may be positive, negative or a deviation from the expected and that risk often becomes visible in an event, a change in circumstances or a consequence.

At the same time, risk is a normal and unavoidable element in any business. Entrepreneurs and investors pursue business opportunities despite the risks. Yet, not dealing with risks can lead to business failure and even the collapse of the company.

Table 1 gives a risk perspective of the Fédération Internationale de Football Association (FIFA) World Cup 2010 tournament held in South Africa. It is a brief summary of the possible risks.

Table 1 shows that one can view risks as positive or negative, depending on the potential outcome of the particular type of risk. In essence, the challenge is to identify the specific risks and to plan for any deviation from the expected.

TABLE 1: A brief analysis of possible risks during the FIFA World Cup 2010.

Fortunately, the FIFA World Cup 2010 was a huge success because FIFA, the Local Organising Committee and all other stakeholders had excellent risk management plans in place. For example, when security guards went on strike (an HR risk) at one of the stadiums, the police deployed additional officers to the site.

In addition, because schools closed, a number of employees had to take leave that depleted their usual December leave. Consequently, these employees had to work without a sufficient break in December. Furthermore, some companies slowed down considerably during this period and many day-to-day businesses lost money whilst waiting for decisions pending the end of the FIFA World Cup.

A group of HR directors from Executives Global Network South Africa had a detailed discussion about the HR planning and risks associated with the FIFA World Cup. Their discussions covered the negative risks and the potential positive consequences, like improved morale and nation building. Thus, robust risk management planning is essential for the success of any venture, project or organisation.

Therefore, a business needs a risk management framework to provide assurance about the effectiveness of its operations and the validity of the findings of its risk management reporting. The framework should have a clear focus on the cost implications and effects of these factors on the business. The purpose of managing risk is to ensure the effectiveness and efficiency of operations, to enforce compliance with regulations, to support business sustainability, to ensure reliable reporting to stakeholders and to ensure responsible behaviour.

Significantly, the King III Report specifically mentions HR as an important area for identifying and reducing risk. Boards should report annually on risks and sustainability issues, like social development, transformation, ethics, safety and the acquired immune deficiency syndrome (AIDS) (IOD, 2009). In fact, in high-risk environments, businesses may need more frequent management reports. Therefore, companies should assess people or HR risks as part of their overall management of risk (SABPP, 2009). German banks have taken the lead in developing strategies to manage HR risks (Paul & Mitlacher, 2008). In addition, Deloitte (2008) highlights the importance of managing HR risk in the modern business environment.

The King III Report on Governance for South Africa defines risk management as:

the identification and evaluation of actual and potential risk areas as they pertain to the company as a total entity, followed by a process of either avoidance, termination, transfer, tolerance, exploitation, or mitigation of each risk, or a response that is a combination or integration. (IOD, 2009)

However, some risk management experts feel that King III does not address managing risks adequately. They feel that King III is not sufficiently aligned to the ISO risk management standard and is out of touch with typical modern risk management practices at leading organisations.

A study by Ernest and Young shows that reputation makes up as much as 50% of a company’s share price. The Exxon Valdez oil spill cost the company $2 billion in the first two months and a further $10 billion to restore the environment. If this was not enough, the United States (US) government fined it another $5 billion. From a risk management perspective, the most important question is what caused the tragedy. Was it bad environmental practice, poor management, a lack of control or negligence? It was probably all of these, but the root cause analysis showed a remarkable origin – faulty HR policy. This resulted in under staffing and poor working conditions. In essence, the cause was aggressive cost cutting at the company.

A company needs to consider the value of its goodwill and intellectual property in its annual valuation, especially in the event of a sale. Often companies feel that contractors are less of a risk. However, one can challenge this when the company sells intellectual property but does not actually own the property it intends selling or which it wants valued.

This has become evident in audits because companies felt that the absence of a long-term relationship reduces risk. However, they had not considered that:

• the top staff are not actually bound to the company or its policies and procedures
• the company and labour brokers are legally, jointly and severable liable, so contractors and labour brokers do not reduce risk as much as managers think they do.

A study by Beatty, Ewing and Sharp (2003) also showed that HR risk was associated with higher organisational risk. The very nature of global HR poses several risks, like political instability, fraud, terrorism, regulations, health and safety, human rights abuses and intellectual property issues (Garratt, 2003).

Therefore, managing risk is the process by which a board, in consultation with managers, decides which risks to eliminate, accept, reduce or transfer (Naidoo, 2002). An HR risk is any people, culture or governance factor that causes uncertainty in the business environment that could adversely affect the company’s operations.

Figure 1 gives some interesting results of a survey the Human Capital Institute (Africa) conducted on business risks.

Figure 1 shows that the Human Capital Institute (Africa) identified human capital risk as the most significant threat to businesses in South Africa. However, companies are not ready to deal with human capital risks. This finding is consistent with international research. A survey by the Economist Intelligence Unit found that risk managers regard poor human capital management as the biggest threat to the long-term success of global businesses (Wybrecht, 2010).

FIGURE 1: Types of risks the Human Capital Institute (Africa) identified.

International risk management standards

The ISO 31000 international standard on risk management gives a useful frame of reference to assist HR directors to place HR strategy within the context of risk management. In particular, the ISO principles and guidelines document (ISO, 2009) is extremely important. The document recommends that HR practitioners become directly involved in:

• embedding risk management as an integral part of all organisational processes, including managing change
• considering human and cultural factors and, more specifically, recognising the capabilities, perceptions and intentions of external and internal people who can facilitate or hinder the achievement of organisations’ objectives
• supporting managers to ensure that companies align their culture and risk management policies
• supporting performance management by assisting managers to determine the risk management performance indicators that align with the performance indicators of organisations
• acting as drivers to ensure legal and regulatory compliance
• building capacity for effective risk management that begins with employee induction and follows it with training in managing risk
• establishing appropriate organisational structures with clear roles and accountabilities for managing risk
• establishing sound relationships with internal stakeholders, thus considering perceptions and reinforcing values.

Governing risk in King III

The King III Report on Governance has a whole chapter on governing risk. Table 2 outlines the relevant governance elements, principles, and recommended governance practices, together with appropriate HR directors’ responses.

TABLE 2: Governing risk.

Table 2 shows that sound risk governance depends largely on clear governance elements and principles that are the foundations of risk governance. However, elements and principles of governance are not enough. A governance system requires clear practices for the effective governance of risk, like monitoring risk management activities. Lastly, the SABPP (2009) paper on King III asserted that HR directors have a critical role to play in general governance.

In order to make the role of HR directors more explicit, the next session looks at risk and the HR link.

Risk and the Human Resources link

When one tracks the progress of the HR profession, it becomes clear that it has gone through different stages of development. These stages define the core competencies, to a certain extent, of the HR profession – the ‘things’ that HR directors are doing or should be doing. In general, the HR profession is moving beyond the strategic business partner role towards one of being a driver of business success and sustainability. Some companies’ HR functions are not performing well in this transformation process, whilst others are still struggling to become strategic partners.

Research suggests that the recipients of HR services (line managers) are not ad idem with HR directors about the importance and the effectiveness of HR services (Magau & Roodt, 2010). For example, sometimes managers see training as a waste of time. This perception is a main source of HR’s credibility crisis: what is the contribution of HR directors to the success of a business? In order to meet this challenge, HR directors need to identify and manage its risks effectively, amongst other things.

HR personnel should collect information about people-related governance, risk and compliance issues. The HR director should present company directors with a complete report of HR compliance and operational risks, as well as the recommended actions, and accept responsibility for reducing them. Furthermore, HR personnel can assist the board in related areas, like managing executive succession, providing board development and administrative services as well as supporting the remuneration committee (Deloitte, 2008).

Although King III mentions human capital risks, this aspect deserves more prominence. The Deloitte (2008) report asserted that ‘People and behaviour are often the biggest sources of business risk.’ Therefore, it is essential to ensure that a company’s risk management plan includes people risks. It needs a comprehensive analysis of its people risks, one that significantly transcends the current narrow focus on safety in high-risk environments like factories and mines.

People risks include company culture, talent shortages and retention, incompetence, employee performance, unethical behaviour, low morale, grievances and disputes, excessive absenteeism, employee wellness, sabotage, workplace violence, as well as noncompliance with industry and other regulations and laws.

If an organisation makes political appointments without a proper focus on the right qualifications and skills needed for a job in the public sector, and in certain private companies, these appointments may affect productivity. This leads to poor turnaround times in dealing with suspensions of senior managers or hasty decisions to dismiss managers without proper investigation. In the South African environment, failure to transform and, in particular, to achieve employment equity targets are significant risks.

South African organisations need a more integrated approach to managing HR risks. They need to consider HR risks in every major business decision, like opening a branch in a different province or country. Research has clearly shown that so-called ‘soft’ issues, like cultural incompatibility, have led to more major business failures during mergers, acquisitions and international joint ventures than ‘hard’ factors, like cash flow or debt, have. Any strategic risk-management exercise, which a business conducts without a HR due diligence exercise and without considering crucial inputs from senior HR executives, is bound to encounter some form of HR-related problem.

Board directors and chief executives are, by definition, also human resources that organisations should use optimally to ensure profitability and productivity. Organisations should subject directors, their board subcommittees and audit committees to the same regular 360-degree performance assessments and reviews as they do with ordinary employees. For too long, boards, managers and HR practitioners have turned a blind eye on incompetent managers and directors, people who simply do not attend board meetings and are, in most instances, free agents who operate above the scrutiny and reproach of company shareholders and other stakeholders.

Whilst King III is correct to emphasise the importance of information technology (IT) governance, neglecting HR governance is a serious omission. Deloitte (2008) states that ‘governance, risk and compliance challenge affect every part of the business – and every one of those challenges has a significant human component.’ HR practitioners must use their unique knowledge, skills and experience to help business leaders tackle governance, risk and compliance issues throughout the organisation.

Like its predecessor, King II, the third King code highlights the importance of ethics at board, management and staff levels. It also emphasises, in particular, the need for an ethical culture. However, to think that an ethical code in itself will instil a culture of ethics is short sighted.

Deloitte (2008) argues that every business scandal or regulatory violation ultimately has its roots in the workforce. That is why HR practitioners must expand their role from ‘stewards’ (which focuses on workforce compliance and administration) to ‘strategists’ (which affects every governance, risk and compliance issue with a human element).

Regular articles in the press about governance problems in the boards of parastatals serve as good examples of the need for a strong focus on ethics at board level and throughout the organisation. Carnel Botha, director of BDO Spencer Steward in Cape Town, says that ‘companies need to proactively look for red flags when it comes to their employees’ (Botha, 2008). Audits identify certain ethical risks that companies should manage.

HR practitioners should also play a more proactive role in ensuring the appointment of staff with the right abilities, values and ethical culture. Organisations place too much emphasis on the technical knowledge and skills of employees and not enough on their ethical character and behavioural fit. Organisations need to consider the psychological contract upfront. Every employee’s values and needs must align with the values and culture of the company. HR practitioners can help line managers to probe for character fairly and legally when conducting interviews. In addition, organisations need HR due diligence to prevent the damage that incompetence causes (Deloitte, 2008).

The HR executive often works with business development teams at a global level and has to add value to the process of interpreting business opportunities. A new global business opportunity may allow a business to increase its profits. However, it may also present risks that could have an adverse effect on sustainability and growth if the business does not manage these risks well. Finkelstein (1999) states that most cross-border mergers and acquisitions are not successful and Ryan (2006) reports that only 13% of executives said that these deals went smoothly. Differences in corporate governance, regulatory environments and national culture create additional layers of complexity that companies needs to manage.

Furthermore, a global company needs a clear HR due diligence process to highlight all the HR risk factors that the company should manage to avoid rushed and poor decisions. The HR executive can make a valuable contribution by collaborating with commercial and financial managers in the due diligence process. In this way, the HR executive can add value to the process of interpreting and developing business opportunities as well as ensuring an effective approach to completing projects. In line with the corporate governance principles of accountability and responsibility, companies need a rigorous and systematic approach to HR due diligence. The project development team should examine all the HR risk factors and look for answers to the questions that arise. The challenge is then to explore, within the legal framework, how to reduce these risk factors.

Managing HR risk is a key element of HR governance. Proper HR risk management gives HR executives an opportunity to fulfil their fiduciary duties of care and sound financial management. Therefore, HR risk management flows directly from external and internal stakeholder engagement. HR risk management addresses key HR risk issues like reducing risk, HR due diligence, the role of HR committees, implementing codes of ethics and fair labour practices. Companies should identify HR risks in different sites or countries and develop proactive risk-reducing plans to deal effectively with these risks.

Liaising with and consulting different stakeholders is an important element of sound HR governance. The purpose of the seamless interfaces between the different stakeholders is to reduce the different risks and uncertainties that arise because of the interaction between them. Inevitably, the HR practitioner needs to work closely with the risk manager and risk committee to ensure that the overall risk management plan of the company includes HR risks.

Integrating risk and performance

The long-term and sustained success of an organisation relies on two key factors: risk management and performance management. Strategic objectives are the bases for the approach an organisation adopts to achieve both.

A process-based framework needs to unify performance, risk and compliance management and move out of the risk or finance office. Organisations have seen the disciplines of performance, risk, and compliance management as separate for a long time, but the walls are breaking down. Managing performance begins with the objectives an organisation is trying to achieve and risk management has evolved from its silo-driven roots into enterprise risk management. Therefore, it has become clear that an organisation must identify and assess risks in the light of the objectives it is trying to achieve. A process-based framework that allows for effective organisational governance needs to unify all three of these disciplines.

Risk and performance management also share other essential management system elements. Continuous improvement is crucial in the ever-changing commercial world and organisations must see managing risk as a continuous process. It is essential that organisations review the incidence of risk to see whether it has changed over time.

Managing risk is a dynamic process and good governance practice requires an organisation to identify new risks, to eliminate some and to update control measures in response to changing internal and external events. An organisation also needs to review its assessments of probability and effect, particularly in the light of the actions of managers and/or external influences. King III requires that internal auditors assess the system of managing risk or annual review in the first instance and report on the effectiveness of control measures.

Improving business results requires an organisation to simplify risk management practices and to integrate them seamlessly with normal business operations, its planning and budgeting processes and organisational culture. Managing risk is no longer an add-on or fad. Private and public sector organisations alike have struggled to understand the steps and techniques of implementing risk management practices. Those who have succeeded are reaping the fruits of their labours. High performing organisations, having developed strategies through sound strategic planning processes, must implement strategies ruthlessly by removing performance barriers or risks through enterprise-wide risk management practices.

Approaches to managing risk are designed to enable an organisation to reduce the uncertainty surrounding the achievement of its objectives. They aim at reducing the likelihood that the events, which organisations expect to affect them negatively, will occur. These approaches also focus on reducing the effect these events might have on achieving objectives.

Performance management approaches focus on selecting the strategic objectives that an organisation needs to achieve and on monitoring progress through measurable parameters. These approaches revolve around cascading these measurable parameters down to each person in the organisation. The monitoring system uses trend, deviation and root cause analyses of these parameters. The organisation then consolidates these individual parameters to analyse whether the organisation is achieving its strategic objectives.

Types and examples of Human Resources risks

A review of the literature on risk suggests that one finds general business risks in these areas:

• compliance with legislation
• understanding trends in the business environment
• people and corporate culture
• implementing business strategy
• carrying out operations.

HR risks are no different. One finds them in the same areas. The sections that follow discuss each of these HR risk areas in more detail.

Complying with legislation
There is a wide range of relevant legislation. Companies’ HR policies should show compliance with these different pieces of legislation:

• the Employment Equity Act
• the Skills Development Act
• the Black Economic Empowerment Act
• the Basic Conditions of Employment Act
• the Occupational Health and Safety Act
• the Labour Relations Act
• the mining, banking, IT and other charters.

The typical HR risk here is noncompliance. This means that HR managers should have a clear understanding of what each piece of legislation requires for compliance, regardless of whether this entails the actions a company must take or information it needs to provide.

Compliance is not relevant only to HR legislation. The huge increase in fines for noncompliance with legislation for anticompetitive behaviour is a good example. Munnik (2008) asserts that: ‘Your management of employment equity, or lack thereof, could put your business at risk.’

Companies need to consider the effects of fines and pressure from the minister of labour to comply with employment equity legislation. Therefore, if a company complies with employment equity requirements too quickly and employs incompetent people, who cause damage to the business, these appointments can cause significant risk to the business. On the other hand, if it complies too slowly, the company may face prosecution for noncompliance and significant risk to its reputation may follow.

Understanding trends in the business environment
Business environments do change. What are the key drivers of change and what are the effects and consequences of change for the business and its HR function? This question suggests that HR managers should understand key trends in their business’ environment and be able to convert them into business and HR strategies and policies.

Typical HR risks here are top and senior managers, including HR managers, who lack the ability to analyse the external and internal business environments systematically, who lack the ability to understand what the key drivers of change in these contexts are, who lack the ability to convert them into business strategies or to foresee their strategic implications.

People and corporate culture
People and corporate culture drive the implementation of the business’ strategies. Does the company have the right people in the right places? Can these people perform their jobs in a constructive, engaging and empowering climate?

These questions suggest that HR managers should find the right talent and create the right environment in which people can perform.

Typical HR risks here are:

• not having the right talent in the right places
• not attracting and retaining key talent
• performance that does not meet predetermined standards
• training and development interventions that do not improve performance
• absence of a constructive company climate.

Furthermore, the human immunodeficiency virus (HIV) and AIDS have a disastrous effect on many businesses. ‘In some sub-Saharan African countries, a third of the workforce has the HIV virus’ (Feller, 2007). This problem could seriously affect the business’ sustainability.


Implementing business strategy
Strategy implementation means developing a business strategy and then implementing it. Does the company have a strategic or business plan? Does this plan convert into different project plans with clear time lines for implementation? Is there an effective budgeting and governance system in place?

These questions suggest that HR managers should help to draft the business strategy, understand the supportive role and function of HR practitioners in governance, and help to implement the strategy.

Typical HR risks here are that the business does not have a strategic or business plan that converts into different strategic objectives or projects and that the business has not spelt out the demands on, or implications for, HR practitioners in terms of talent, policies, practices and procedures.

Carrying out operations
Carrying out operations means converting business or project plans into executable operations or tasks. Do these functions or tasks have the right people to execute them? Has the business specified performance standards? Are systems for measuring performance and management in place?

These questions suggest that HR managers should help to design and implement performance management systems.

In this area, typical HR risks are not having clearly defined operations and tasks or the right staff to execute them.

Further risks are the absence of clearly defined performance standards and systems for measuring and managing performance. For example, Harris (2007) showed that careless selection could be disastrous. In fact, she stated that one can trace many corporate disasters back to poor recruiting practices. In some cases, businesses did not check curricula vitae (CVs) properly.

The typical operational risks that organisations experience usually dominate risk management. However, several examples of people or HR risks have come to the surface recently. The literature reports typical HR risks.

Not all companies experience all of these risks. Some will occur more often in certain businesses than in others. In addition, there may be different risks at some companies and new risks may emerge in the future.

Given that risk is about uncertainty, many other unexpected events may occur. No risk manager could have predicted the 9/11 attacks, the 2008–2009 worldwide economic recession, the swine flu epidemic or the eruption of the volcano in Iceland. Furthermore, the workplace stress and work overload that staff shortages cause and poor communication during restructuring processes pose significant risks to organisations.

The challenge is to build rigorous risk management systems and resilient organisation cultures where all employees have a risk mindset to enable their organisations to respond to typical risks, even if new risks come to the fore. However, most of the typical HR risks outlined in Table 3 have been around for some time.

TABLE 3: Examples of Human Resources risks.

Some companies are addressing their HR risks proactively and almost aggressively, whilst others sit back and wait for the risk to disappear. One can adopt a ‘wait-and-see’ attitude, or a ‘make-and-see’ one. The latter focuses on introducing programmes proactively to reduce and manage HR risks.

For example, statistics show that 14 mineworkers die every month (Swanepoel, 2009). Surely, the industry can introduce more proactive safety programmes to reduce safety risks.

Essentially, the involvement of the whole workforce in creating and maintaining a safety culture will be a key component of managing HR risk effectively.

During the release of the SABPP King III opinion paper, HR managers were asked to provide the SABPP with a list of HR risks in a focus group session.

Figure 2 presents the findings of the focus group session.

FIGURE 2: Human Resources (HR) risks identified by HR managers.

Figure 2 shows that the challenge of retaining employees is the biggest HR risk for the 40 HR managers who participated in the focus group session. They indicated that skills shortages were the second biggest risk, followed by poor leadership or management in their organisations.

Interestingly, some of the delegates suggested that poor leadership contributes to the high turnover of staff. They also identified lack of compliance with laws, rules and procedures as a major HR risk.

Furthermore, it appears as if organisations struggle to deal with verifying qualifications properly during recruitment and selection processes. Interestingly, HR managers reported employee sabotage as another HR risk. Some of the HR managers referred to this problem as ‘internal terrorism.’

An Human Resources risk assessment framework

An HR risk assessment framework provides a conceptual model for systematically developing and planning HR risk management actions in an organisation. The framework is useful for determining the level of HR risk in an organisation and for measuring it. The Human Factor Management Assessment Risk Framework, that Figure 3 illustrates, provides a basis for planning, assessing and implementing HR risk management.

FIGURE 3: Human Factor Management Assessment Risk Framework.

Figure 3 illustrates the European Foundation of Quality Management Risk Management Model adapted for an HR risk management framework. The building blocks to the left of the framework show the capabilities an organisation needs to make HR risk management work. It begins with human factor risk leadership to the far left of the framework. Here senior managers and the HR executive of the organisation take responsibility for human factor risk leadership. In essence, this means that the HR executive leads by locating HR risk management at board level. Therefore, the HR director introduces human factor risk leadership to the organisation. However, line management ownership is critical here.

The next building block shows the importance of people as key components of the risk management framework. People contribute to risks daily, either positively or negatively. If managed proactively, people play a significant role in creating and maintaining a risk culture, as King III proposed. However, managing risk does not happen automatically. Therefore, it is necessary to create a human factor risk policy and strategy to institutionalise HR risk in the company (next building block). Next, the organisation needs partnerships to optimise human risk management, both internal and external to it. Internally, the organisation needs partnerships between different departments to manage risk (like between the health and safety function as well as the production department). Externally, the organisation may need a variety of partnerships with key stakeholders to get the right information and/or support to manage HR risk (like the Department of Labour, suppliers or industry bodies). Human factor risk processes are at the centre of the framework (all the processes and practices the organisation needs to manage human factor risk). The key question is ‘do risk management processes incorporate effective HR risk management?’

Once the organisation has developed all the capabilities to manage risk (left-hand side of the framework), it is ready to deal with risks. The company has developed the resilience it needs to handle human factor risk (next building block) and can then report on the outcomes of its risk management framework (last block). Essentially, the better its capabilities, the more likely the organisation is to manage risk successfully. The critical question is ‘Does HR risk management help the organisation to achieve its objectives?’ However, whilst an organisation may achieve a high level of maturity in dealing with risk, a company will never succeed entirely in managing risk.

Therefore, the different intersections that link all the building blocks of the model, together with the bottom arrow, imply that the organisation needs continuous innovation and learning.

Control measures are concerned with the actions the organisation takes to reduce the probability or effect of risk, although they may never eliminate or transfer risk completely. This is true for all the areas of managing an organisation. Treating and tolerating risk are key elements of the process of controlling risk.

The four options for dealing with risk follow.

BOX 1: Four options for dealing with risk.

The example that follows shows the commitment of a South African bank to take responsibility for managing HR risk.

BOX 2: Commitment of a South African bank to take responsibility for managing Human Resources risk.

The ISO (2009) standard on risk and the Nedbank example make it clear that organisations need HR executives to adopt a relevant approach and framework for managing HR risk. The example that follows shows how organisations can apply the ISO definition of risk in the HR environment:

• Objective The objective is to employ competent people with the right knowledge and skills to perform their jobs.
• Risk – There may be significant skills gaps in the market and in the people who apply for a position.
• Event The decision is to risk employing the candidate despite the skills gaps the organisation identified.
• Consequence The employee starts to work and delivers substandard work. The consequence is that the business loses key customers. The business suffers because of poor HR risk management in recruiting and selecting.

In the light of this example of the effect of uncertainty on business objectives in the HR field, HR managers can conduct similar risk analyses on all other HR subfields, like talent management, employee induction, learning and development, employment relations and performance management. HR managers need to decide on and implement relevant HR risk management actions to ensure that they address HR risks adequately in their organisations. The key question is to decide what can go wrong and then to plan accordingly.

Guidelines for managing Human Resources risk

HR risk management provides unique opportunities for HR directors, managers and practitioners to support risk governance and management and to develop appropriate HR risk management plans to address HR risks. Therefore, the researchers propose the guidelines that follow for HR directors.

Redesign your organisation’s HR plan to include HR risk management. Aligning HR policy with the overall business strategy is essential for managing HR risk effectively. When your company pursues business projects, conduct HR due diligence to identify the HR risks relevant to business plans.

Read more about risk management to gain a proper understanding of the importance of risk management and governance in the workplace.

Study the ISE risk management guidelines and chapter four of the King III report and code for governance in South Africa. This chapter deals with governing risk. Based on the knowledge you will gain from chapter four of King III, together with the ISO guidelines for governance at your organisation, identify opportunities where you can add value to the risk management practices and risk culture at your company.

Arrange a meeting with your organisation’s CRO or head of risk. Show this person that you are studying risk management and ask this person to show you where and how you can contribute to managing risk, especially from an HR perspective.

Ensure that key staff members in your organisation have the proper training and education for managing risk. They include the board, managers and other key staff members that risk management affects directly. Develop skills in managing risk throughout the organisation.

Liaise with line managers to explore opportunities where you can help to create and nurture a risk management culture in your organisation.

Check whether your organisation’s risk register has a record of HR risks and assist the CRO and line managers to identify risk management strategies to deal with these risks.

Excellent people and talent management are the best bulwarks against HR risks. Therefore, introduce rigorous talent management strategies and systems and ensure that line managers take full responsibility for leading and managing people. In addition, the HR executive should manage HR compliance with all relevant laws, rules, codes or standards.

Support the board by ensuring that the company appoints a highly competent CRO and other risk managers for different business units. Ongoing staff training in risk management is very important for the sustainability and future success of the organisation.

Introduce robust HR risk controls, monitoring systems and respond appropriately to any HR risks by using early warning systems before an HR risk starts to threaten the sustainability of the organisation. The company needs regular HR audits, with an emphasis on clear reporting lines, and evidence of actions it has taken to address HR risks.

Consider holding regular meetings with staff members to discuss HR risk factors that may affect business operations.

Conclusion

Organisations risk their sustainability if they do not consider the effects of HR risks on their businesses. HR risk management presents HR directors with opportunities to elevate current HR strategies to board level, given that risk governance is now a board responsibility.

Line managers must consider all people risks in the business. Most risks in business come, directly or indirectly, back to people – the human element is the major source of business risk.

The challenge for HR executives is to gain a proper understanding of risk management methodology, then to identify, reduce and manage HR risks. Failing to manage HR risks may threaten the sustainability of companies.

Managing HR risk is not only about the softer issues. Many organisations suffer from poor governance and a lack of clear policies, processes and procedures. Fortunately, though, developing and implementing effective HR risk management strategies can lead to significant business opportunities and allow the HR executive to ensure that HR risk management is embedded in the overall governance and management strategies of organisations. As Zulu (2010) concludes, ‘Not managing risks, is risky in itself’.

This article is a position paper that the Human Resource Research Initiative (HRRI) of the South African Board for People Practices published.

Acknowledgements

The researchers acknowledge the Institute of Directors (IOD) as the custodians and compilers of the King III Report. However, this SABPP position paper contains the views of the SABPP and the IOD does not necessarily agree with it.

The researchers thank the IOD for its leadership as the champion of sound governance in South Africa. The researchers encourage HR managers to embrace King III and to help their boards and executive management teams to implement King III.

The original King III Report and Code can be ordered directly from the IOD.

Authors’ contributions
M.M. is CEO of the South African Board for People Practices (marius@sabpp.co.za). G.R. is head of the Centre for Work Performance at the University of Johannesburg. M.R. is director of International Management of Risk (IMORSA).

References

Airmic. (2010). A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000. London: The Association of Insurance and Risk Managers.

Beatty, R.W., Ewing, J.R., & Tharp, C.G. (2003). HR’s role in Corporate Governance: Present and Prospective. Human Resource Management, 42(3), 257–270. doi:10.1002/hrm.10084

Botha, C. (2008). Corporate fraud: notice the red flags. Management Today, 24(4), 58.

Brown, W. (2006). How well does your HR management system curb fraudulent practices? People Dynamics, 24(8), 23.

Bryson. (2003). Managing HRM risk is a merger. Employee Relations, 25(1), 14–30.

BSI. (2010). Publicly Available Specification 1010:2010, Third Draft version 2.0: Guidance on the management of psychosocial risks in the workplace. United Kingdom: British Standards Institute.

Butler. (2010). The downside of recovery: The new business risk landscape in 2010. Management Today, 28(2), 60–62.

CEO. (2009). Alcohol abuse and workplace losses. CEO, 8(5), 36–37.

Colman, S. (2007). Employment Practices’ Liability and Risk Management. People Dynamics, 25(11).

Deloitte. (2008). Taking the Reins: HR’s opportunity to play a leadership role in governance, risk management and compliance. CHRO Strategist and Steward Series. Deloitte Consulting. Midtown: Manhattan.

Engelbrecht, L. (2009). King III: The Director’s view. Business Brief, 14(2), 18–20.

Ernest, & Young. (2009). The 2009 Ernest & Young Business Risk Report.

Feller, G. (2007). Beating the virus. Africa Investor, 64–66.

Finkelstein, S. (1999). Safe ways to cross the merger minefield. In T. Dickson (Ed.), Mastering Global Business: The Complete MBA Companion in Global Business. London: Financial Times Management.

Garratt, B. (2003). Thin on top: Why Corporate Governance Matters and How to Measure and Improve Board Performance. London: Nicholas Brealy.

Harris, M. (2007, 18 November). Careless hiring can be disastrous. Business Times.

Harris, M. (2010, 30 May). High cost of disengaged workers. Business Times.

Heath, W. (2007). The biggest risk of all — not developing tomorrow’s talent. CEO, 6(6), 74–75.

Heath, W. (2008). Ignoring the risks of commercial crime. CEO, 7(3), 108–109.

Heslop, B., Hilbron, D., Koob, J., & Szumyk, R. (2005). Why HR Governance Matters: Managing the HR Function for Superior Performance. New York City: Mercer Human Resource Consulting.

IOD. (2009). King III Report and Code of Governance for South Africa – 2009. King Committee on Governance. Johannesburg: Institute of Directors (IOD).

ISO. (2009). ISO 31 000 International Standard: Risk management – Principles and guidelines. Geneva: International Standards Organization.

ISO. (2009). Guide 73: Risk management — Vocabulary. Geneva: International Standards Organization.

Magau, M.D., & Roodt, G. (2010). An evaluation of the Human Capital BRidgeTM Framework. SA Journal of Human Resource Management/SA Tydskrif vir Menslikehulpbronbestuur, 8(1). doi:10.4102/sajhrm.v8i1.276

Malkin, R. (2007). The cost of absenteeism. People Dynamics, 25(10), 30.

Martin, J., & Schmidt, C. (2010). How to Keep Your Top Talent. Harvard Business Review, May, 54–61.

Meyer, M., & Robbins, M. (2010). HR Risk Management: Balancing HR governance, risk and compliance. Paper presented at the SABPP Professional Review Conference. Midrand: Knowledge Resources.

Munnik, J. (2008). From basic compliance to true transformation. HR Highway, January/February, 20–23.

Naidoo, R. (2002). Corporate Governance: An essential guide for South African companies. Cape Town: Double Storey.

Paul, C., & Mitlacher, L. (2008). Expanding risk management systems: human resources and German banks. Strategic Change, 17, 21–33. doi:10.1002/jsc.813

Pile, J. (2009). The prognosis is good. Financial Mail, 202(6), 19.

Pitman, J. (2010). Clear and Present Danger? Entrepreneur, June.

Robinson, J. (2008, May 08). Turning around employee turnover. Gallup Management Journal. Retrieved n.d., from http://gmj.gallup.com/content/106912/turning-around-your-turnover-problem.aspx

Ryan, C. (2006, 10 September). Cross-border deals on track. Sunday Times, p. 3.

SABPP. (2009). Comments on the King III Code and Report for South Africa: HR — The Way Forward. Parktown: SABPP.

Sacht, J. (2010). Business Risks Identified in South Africa. Personal discussion. Johannesburg.

Sanborn, M. (2008). Tactics to reduce pharmacy staff turnover and increase job satisfaction. Hospital Pharmacy, 43(8), 670–675.

SHL (2007). How to become an Air Traffic Controller. The Selection Process. www.stuckmic.com/international-atc/5015-intl-air-traffic-control-employment.html

Stelzner, S. (2006). The risks of racism in the workplace. People Dynamics, 24(8).

Swanepoel, E. (2009). Tougher Stance. Mining Weekly, 15(35), 12.

Taleb, N.N. (2007). The Black Swan: The Impact of the Highly Improbable. London: Penguin Books.

Temkin, S. (2009, 25 February). King report to focus on board responsibility. Business Day.

The European Foundation for Quality Management (1999). The EFQM Excellence Model. Retrieved n.d., from http://www.efqm.org/en/tabid/132/default.aspx

Van der Merwe, N. (2009). Increased mobility a security threat. Enterprise Risk, 3(3), 33–34.

Van Graan, W. (2009). Safety failures: Miners count the cost in unexpected ways. Enterprise Risk, 3(3), 16–17.

Wright, L. (2010). Entrepreneur who did it his way. In M. Makura (ed.), South Africa’s Greatest Entrepreneurs. Johannesburg: MME Media.

Wybrecht, G. (2010). The Sustainable MBA: The Manager’s Guide to Green Business. Chichester: John Wiley.

Zinn, S. (2011). Personal Interview: HR Risk Manager from Nedbank.

Zulu, T. (2010). Risk and Reward: Start and run a successful small business in South Africa. Cape Town: Tafelberg.