Press article: Defining and understanding people risk
People risk is an area that so far has received relatively little attention. This is not altogether surprising, since, on the one hand, regulators and risk managers have mainly focused on more “tangible” (quantitatively measurable) risk areas – notably operational risk, credit risk and market risk – and, on the other hand, people risk has mostly been treated merely as a matter of HR processes.
It is, however, an increasingly recognised fact that people represent a cause of operational risk that is as important as (if not more important than) other causes such as failed systems, processes and information flows. This is clearly illustrated by the Basel Committee’s definition of operational risk (“the risk of loss resulting from inadequate or failed internal processes, people and systems or external events”), which explicitly identifies people risk.
People risk represents the “soft factors” of operational risk management, the “hard factors” being the mechanisms that are in place as embodied in systems, processes and information flows.
We can define people risk as “the risk that people do not follow the organisation’s procedures, practices and/or rules”, i.e., that they “deviate” from expected behaviour. Such deviation can be broken down into two components: deliberate deviant behaviour and non-deliberate deviant behaviour.
The foregoing definition also implies that people risk has two components: human error and human fraud. In managing people risk, it is vital that these two components are kept in mind, because it is much more difficult and complex to safeguard against human fraud than it is to control human errors.
It is also important when looking at people risk to exclude what are commonly known as “HR” risks, which represent the operational risks linked to HR procedures per se. Examples are “inadequate recruitment procedures for screening employees”, “inadequate training and change management programmes” or “poor succession planning policies”. Such HR operational issues of course contribute to people risk (poor staff screening potentially leads to incompetent or dishonest people being hired, and inadequate change management programmes cause staff to lose commitment in executing their jobs), but they should not be considered people risks in themselves.
Although people risk should be considered, as argued above, a potential cause of operational risk alongside the other harder factors of operational risk, it is in my opinion quite different from the hard factors for the following reasons:
Nearly all operational steps in an organisation depend on the quality, commitment and honesty of the people performing them, meaning that people risk is (potentially) embedded in all the other causes of operational risk that the Basel Committee has identified. Because of its “embedded” character, people risk has in my view a “multiplier” effect that can significantly magnify potential risk issues in the other elements of operational risk – especially when we consider human fraud. Indeed, a significant number of financial losses and physical accidents experienced by organisations can be attributed to the fact that people acted inappropriately – through sheer incompetence, lack of commitment or deliberate fraud.
While in a number of cases certain improvements in internal control procedures might have (partly) prevented or delayed the errors, in most cases the “writing was on the wall”. Why? Simply because no system is infallible. No matter how good procedures are, there will always be certain employees who do not have the required technical and behavioural competencies to perform their tasks and others who will deliberately manipulate and exploit the weaknesses in their organisation’s internal control environment to pursue their own personal goals.
The two components of people risk (human error and human fraud) are very difficult to control, because their causes are often hard to identify (fully): why does a seemingly honest employee suddenly start defrauding a company? Why does a competent employee suddenly experience problems executing his/her work correctly?
No matter how good an organisation’s procedures and systems are, if an employee becomes unreliable, deliberately or not, the organisation will find it difficult to prevent fraud and/or mistakes. People risk is therefore much more difficult to control than the other causes of operational risk and can have much greater consequences for an organisation. It should therefore be high on the agenda of all companies, regardless of the industry in which they are active.
How then should we manage people risk? Because people risk has its roots in the underlying competencies, attitudes and motivation of employees, one needs to adopt a much more “holistic” view to address it. Organisations should ensure that their risk culture aligns their overall mindset and expectations with the individual competencies, attitudes and motivation of their employees.
To create such a risk culture, organisations must continually ensure that their risk management, risk strategies and policies align with the day-to-day reality in the workplace. This approach will prevent the situation of companies that have comprehensive procedures in place which are nevertheless deliberately ignored by their employees (for example, because of pressure from senior management or customers), or of companies in which staff follow set rules blindly without ever questioning them. Such risk cultures are obviously not the ones we want to emulate. Rather, we should aim for a risk culture in which the main defence against people risk is the people themselves, who behave in a discerning and appropriate manner, in accordance with the spirit of the organisation’s risk management procedures.