By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Functional Area 13—Risk Management This is SHRM’s BoCK definition: “Risk Management is the identification, assessment and prioritization of risks, and the application of resources to minimize, monitor and control the probability and impact of those risks accordingly.” Risk management is a broad functional category. There are so many types of risk management that it is hard to list all of them. Some areas of risk management are liquidity, banking, crisis, supply chain, insurance, software, and strategic reputation risk management. In human resource terms, risk management involves health insurance, discrimination and employee behavior, workplace safety, asset security, and more. Key Concepts - Approaches to a drug-free workplace (e.g., testing, treatment of substance abuse) - Approaches to qualitative and quantitative risk assessment (e.g., single loss expectancy, annualized loss expectancy) - Business recovery and continuity-of-operations planning - Emergency and disaster (e.g., communicable disease, natural disaster, severe weather, terrorism) preparation and response planning - Enterprise risk management processes and best practices (e.g., understand context, identify risks, analyze risks, prioritize risks) and risk treatments (e.g., avoidance, reduction, sharing, retention) - Legal and regulatory compliance auditing and investigation techniques - Legal and regulatory compliance auditing and investigation techniques - Quality assurance techniques and methods - Risk sources (e.g., project failures) and types (e.g., hazard, financial, operational, strategic) - Security concerns (e.g., workplace violence, theft, fraud, corporate espionage, sabotage, kidnapping and ransom) and prevention - Workplace/occupational injury and illness prevention (e.g., identification of hazards), investigation, and accommodations
The following are the proficiency indicators that SHRM has identified as key concepts: Establishing the Context of Risk Nearly every aspect of HR management impacts the function of risk management in one way or another. Employee satisfaction can be captured through monitoring of complaints. Safety can be expressed in terms of workers’ compensation experience. The cost of employee health benefits is impacted by employer programs that support smoking cessation, exercise, and good diet. Computer security programs can block unauthorized access to confidential employee and business records. Privacy of records can be expressed in financial terms. All of these issues are potential impacts on the profit or loss of an employer’s organization. Even nonprofits and governmental agencies have budgets they are expected to live within. Huge, unexpected expenses related to risks can cause instant budget failure. HR professionals can have a great impact on the organizational finances by preventing large losses through proper risk management programs. Focusing Risk Management Risk management covers many functional areas in the employment world. Some of them are as follows: complying with federal employment laws, identifying workplace hazards, developing safety plans to protect employees and the public, and preparing job descriptions to be used both as a communication tool and as a means to address the physical and mental requirements of each job. Risk management explores how technology can help manage the liability that comes with operating an employment organization. Finally, risk management addresses the rapidly evolving field of social media, Internet, technology, and e-mail use.
There are business risks, and there are employment risks. Risk management addresses issues related to employees, customers, clients, the public, and vendors/suppliers. Risk management is the process of managing liabilities related to these populations in ways that will protect the employer organization and not be so heavy-handed that the organization can’t function well in performing its mission. HR professionals are the key to striking a balance in that delicate effort—developing, implementing/administering, and evaluating programs, procedures, and policies to provide a safe, secure working environment and to protect the organization from potential liability. There are lots of exciting things to think about. Defining Risk Risk is the potential for losing something of value. As individuals we value our health, our financial well-being, the people we care for, and our happiness. As organizations, we value investment in our workers’ training, worker skills, physical plant, assets such as supplies and product material inventories, customer/employee data, financial records, and community goodwill. Categories of Risk Risk comes in many forms and can be related to many different issues. There are risks of decision-making, but there are also risks of standing outside as a target for lightning strikes. What Is Unknown and What Is Not Known About the Unknowns Planning for risk management is based on the ability to identify anticipated risks. If you are unable to identify the risks in the future, you are not reasonably able to determine how to mitigate them.
Consider these examples:
Kaplan and Mike’s Categories Robert S. Kaplan and Annette Mikes are two Harvard Business School professors who wrote an article for the Harvard Business Review in June 2012. In it they suggest that risks can be managed using a model containing three categories of risks. - Preventable risks Internal risks that are controllable and should be eliminated or avoided. They include illegal, unethical, or inappropriate actions and breakdowns in operational processes. These are manageable through rule-based compliance approaches. The best controls involve active prevention such as monitoring operational processes and guiding people’s behaviors and decisions toward desirable norms. - Strategic risks Such risks are identified and accepted in the process of strategic planning. These cannot be managed through a rule-based control model. Instead, it is necessary to reduce the probability that the assumed risks actually materialize and to improve the employer’s ability to manage or contain the risk events should they occur. - External risks These risks generally cannot be prevented from happening. So organizations should forecast what those risks might be and develop ways in which their impact can be minimized. Using key-player discussions to identify how best to handle such risks will take the form of war gaming (simulations) for the near-term issues or scenario analyses for long-term issues. Both offer value from stepping out of individual and group comfort zones, looking around at the bigger picture, and taking the time to plan for the unexpected. Enterprise Perspective Risk management can best be performed with an enterprise perspective. Looking at risks solely within a department or division won’t reveal the importance of those risks to the entire organization without taking the wider view. When risks are identified, the potential impact on each department can be assessed as well as the impact on the enterprise as a whole. If the risk involves illegal activity, even though only one department is involved, the entire enterprise will be tainted by the bad publicity generated by the bad behavior. HR and Risk Human resource management (the HR department) plays a key role in risk management and mitigation. From benefit program management to employee complaint investigations, HR professionals help protect the employer from serious harm and the employees from abuse. ISO Principles, Framework, and Process The International Organization for Standardization (ISO) is based in Geneva, Switzerland, and is the world’s largest developer and publisher of international standards. In the United States, the oversight organization is called the American National Standards Institute. It publishes standards applying to everything from the size of nuts and bolts (ISO 225:2010) to how to measure the cost per hire (ANSI/SHRM 06001.2012). Establishing the Context of Risk Management In 2011, the U.S. Department of Homeland Security (DHS) published a paper on its risk management process.54 It says, “It is critical to define the context for the decision that the risk management effort will support. When establishing the context, analysts must understand and document the associated requirements and constraints that will influence the decision making process, as well as key assumptions.”
Here are the key variables DHS says should be considered: - Goals and objectives Clearly defined goals and objectives are essential to identifying, assessing, and managing those areas that may threaten success. - Policies and standards Ensure that risk management efforts complement and take into account any risk management policies, standards, or requirements the organization has in place. - Scope and criticality of the decision The risk analysis and management effort should be commensurate with the criticality of the decision. - Decision-makers and stakeholders Stakeholders should be engaged and represented throughout the risk management process. - Decision time frame The time frame in which a decision must be made and executed will dictate a number of the attributes of the risk management effort, including how much time is available for conducting formal analysis and decision review. - Risk management capabilities and resources At the beginning of the process it is useful to identify the staff, money, skill sets, knowledge levels, and other resources available for risk analysis and management efforts. - Risk tolerance Risk management efforts often involve trade-offs between positive and negative outcomes. - Availability and quality of information Consider the anticipated data limitations, including expected levels of uncertainty, so decision-makers can adjust their expectations accordingly.
Risk Criteria According to ISO 31000, risk criteria are terms of reference and are used to evaluate the significance or importance of an organization’s risks. They are used to determine whether a specified level of risk is acceptable or tolerable. Risk criteria should reflect your organization’s values, policies, and objectives; should be based on its external and internal context; should consider the views of stakeholders; and should be derived from standards, laws, policies, and other requirements. Moral Hazard Moral hazard is a situation in which one party gets involved in a risky event knowing that it is protected against the risk and the other party will incur the cost. For example, shareholders may want to have managers distribute all profits to them. Managers may be more interested in using profits to increase manager compensation. Principal-Agent Problem The problem of motivating one party (the agent) to act on behalf of another (the principal) is known as the principal-agent problem. For example, shareholders expect managers to oversee profit generation so distributions can be made to the shareholders. Managers may want to hold back some profits to hedge against future problems involving dropping revenues. Conflict of Interest A conflict of interest is a conflict between the private interests and the official responsibilities of a person in a position of trust. For example, a manager is responsible for the impartial selection of vendors to maximize value to the employer but has a close relative bidding on the contract. Selecting the relative may represent a conflict of interest for the manager. Identifying and Analyzing Risk Risk identification is the process of recognizing and defining risks. Risk analysis is the systematic process to comprehend the nature of the risk and to determine the level of risk. Risk Assessment Phase Risk assessment involves evaluating and comparing the level of risk against predetermined standards, target risk levels, or other criteria. For example, the risk identified is associated with managers and supervisors sexually harassing someone in the workforce. Compared to a standard of zero tolerance for such behavior, the risk may be deemed to be strong if there is only one occurrence. Identifying Risks Risk identification is the process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives. For example, an employee complains of sexual harassment coming from one manager. The risk has been identified.
Risk Identification Approaches There are many tools and techniques for risk identification.
Here are some of them: - Brainstorming This is a freewheeling generation of ideas without criticism of any one until later. - Delphi technique Here a facilitator distributes a questionnaire to experts, and responses are summarized (anonymously) and circulated among the experts for comments. This technique is used to achieve a consensus of experts and helps to receive unbiased data, ensuring that no one person will have undue influence on the outcome. - Interviewing This is a discussion with individuals using questions to stimulate responses. - Root-cause analysis This is for identifying a problem, discovering the causes that led to it, and developing preventive action. - Checklist analysis This involves comparing each item on the checklist with a set of pre-established criteria. - Assumption analysis This technique may reveal an inconsistency of assumptions or may uncover problematic assumptions. - Diagramming techniques This includes cause-and-effect diagrams, system or process flow charts, or influence diagrams (graphical representations of situations, showing the casual influences or relationships among variables and outcomes). - SWOT analysis This is a structured planning method used to evaluate the strengths, weaknesses, opportunities, and threats (SWOT) involved in a project or in a business venture. - Expert judgment Individuals who have experience with similar projects may use their judgment through interviews or risk facilitation workshops. Analyzing Risks Risk analysis involves evaluating vulnerable assets, describing potential impacts, and estimating losses for each hazard. When you buy common stocks, the potential exists for them to lose some or all of their value. Risk Analysis Tools It is helpful to have some tools with which to assess risks to your organization. The following are some of the more popular tools available. Risk Scorecard The U.S. Army Materiel Systems Analysis Activity developed a “reliability scorecard” that uses eight critical areas to evaluate a given program’s reliability progress. Each element within a category can be given a risk rating of high, medium, or low (red, yellow, or green) or not evaluated (gray).
The scorecard weights the elements, normalizes the scores to a 100-point scale, and calculates an overall program risk score and eight category risk scores. - Risk assessment - Reliability requirements and planning - Training and development - Reliability analysis - Reliability testing - Supply chain management - Failure tracking and reporting - Verification and validation - Reliability improvements
Risk Matrix A simplified example, using a single element from the previous list, is shown here:
In general terms, risks can be classified as low, moderate, high, or extreme, as shown here: Evaluating Risks A risk evaluation system is a combination of practices, tools, and methodologies within a risk management system used to measure the potential impacts of risk events on the performance metrics of an organization. So, evaluating risks is the act of measuring potential impacts that various risks will have on the organization’s ability to accomplish its objectives. For example, you can identify a risk as the possibility of a work stoppage when the union contract expires. Evaluation of that risk can tell you how well you may expect to keep your business operating using only management personnel during the strike. Key Risk Indicators A key risk indicator (KRI) is a measure that indicates how risky an activity is. It is different from a key performance indicator (KPI). The KRI indicates the possibility of a future adverse impact. A KPI measures how well something is being done. Indicators are metrics used to monitor identified risk exposures over time. Therefore, any piece of data that can perform this function may be considered a risk indicator. The indicator becomes “key” when it tracks an especially important risk exposure (a key risk) or it does so especially well (a key indicator), or ideally both. An example is the forecasting of the financial impact of expanding the workforce into international offices in multiple countries. Will that be repaid with profits over time, or will it interfere with profitability? Then, how can HR management impact those potential results? Risk Register A risk register acts as a central repository for all risks identified by the organization and, for each risk, includes information such as source, nature, treatment option, existing countermeasures, recommended countermeasures, and so on. ISO 73:2009, “Risk management – Vocabulary,” defines a risk register to be “a record of information about identified risks. It can sometimes be referred to as a risk log.” Managing Risks Once risks have been identified and logged, the next logical step is planning for handling those risks believed to bring negative impacts on the enterprise that cannot be accepted. Responses to Upside and Downside Risks Upside and downside risks are two sides of the same coin. Possible adverse outcomes represent downside risk. When there is uncertainty about a desirable outcome, there is upside risk.
Eliminate Uncertainty Risk can be managed if the uncertainty is eliminated. If you know for certain that there will be an undesirable outcome, there is no risk. You simply avoid entering into the activity that will produce that outcome because you know for certain that it will take place. If someone sets fire to a building, that person knows for certain that the fire will happen. There is no risk, simply a certain undesirable outcome. If you can eliminate the uncertainty of an event, you can control the risk. Redefine Ownership Only the person or organization that owns the circumstances will own the risk. If you can redefine ownership of the problem, you can reduce your risk exposure. - Share Sharing the risk of being an employer can be done, for example, by entering into a joint-employer relationship with an employment leasing agency, sometimes called professional employer organizations (PEOs). That won’t eliminate risk for either party, but it will double the resources available to combat whatever risk may exist because of having an employee workforce. - Transfer Transferring risk is done by purchasing insurance policies. Employers are able to reduce their exposure to employee liability through the purchase of employment liability insurance. It can lower the potential for financial loss when employees are found to have engaged in harassment, for example. It is much the same as purchasing fire insurance to protect against financial loss if there is a fire in the workplace. Increase or Decrease Effect A way to decrease the effect of fire in the workplace is to install a water sprinkler system. So, if a fire does happen, the sprinkler system can limit the damage or effect of the fire. Employee training programs can act in the same way. Teaching employees about the dangers of harassing behavior can help them reduce their personal exposure to liability while at the same time lowering the employer’s liability exposure. Take No Action In most circumstances, when faced with various possible courses of action, one of those options is to take no action. When a risk is identified and defined, it may be judged to be in the best interest of the organization to do nothing. Usually this is considered if the impact expected would be minimal or the level of certainty for the outcome is low. - Accept “We will take the risk” is sometimes heard, meaning the decision is to take no action to eliminate the hazard and just wait to see how things develop. If a safety hazard is identified that would not cause serious harm and can be repaired within the near future, it may be best to simply identify the risk by putting out orange cones, for example, than prohibiting all access to the area. Remediation of the hazard will take place in due time. The risk of injury is minimal, and the level of certainty can be lowered by putting out the cones. - Ignore When a safety hazard is identified, considered, and ignored, there is no credence given to the level of risk or the certainty of loss. Think about the air bag failures that Takata Industries ignored for several years. That was a decision that didn’t work out so well for the company. Implementing the Risk Management Plan A risk management plan results from analysis of the circumstances that foresees risks, estimates impacts, and defines responses to issues. Defining Risk Management Performance Objectives All business enterprise exists in the world of balancing risks and rewards to produce value. Risk management performance objectives should be part of the overall list of performance objectives generated at each level of the organization. Just like EEO compliance or time reporting, risk management for each component of the organization should be identified by those responsible for the component/department/division. Integration Is our risk management process aligned with our strategic decision-making process and existing performance measures? Is our risk management process coordinated and consistent across the entire enterprise? Communication Does everyone use the same definition of risk? Are all employees involved in some way with the risk management process, sensing a degree of ownership that will result in organizational success? Proper risk management plans will involve employees in training programs and daily discussions, if only brief, about the “risks facing us today.” These are sometimes called tailgate meetings where safety topics are common. And, they last only five or ten minutes, and then everyone is off to do their work for the day. At higher levels of the enterprise, the topic of risk management should be present on each staff meeting agenda. That way, it becomes a common topic of conversation, and everyone begins to take some level of ownership in the results. Emergency Preparedness and Business Continuity A primary safety axiom is that proper planning can save lives and property. It is a good idea to have a written plan specifying what actions will be taken in any of many various scenarios. There are some basic alternatives for dealing with a disaster, large or small. We are talking about the entire universe of emergency planning.
Crisis Management Planning and Readiness Process The first step toward having an emergency response plan is to conduct a risk assessment for your work location. Look at the physical facilities, emergency exits, fire suppression systems, electrical and gas shut-off access, hazardous materials used in the workplace, protective equipment needed for operations, employee training for special equipment, use of proper lock-out/tag-out procedures when working on electrical equipment, and proper handling of carcinogenic substances such as copy machine toner. Answer hypothetical questions such as, “What would we do if someone with a gun walked through our front door?” Engage key personnel in the development process. Ask people on the production line and in the office what they would do in some circumstances. Get input from experts and nonexperts alike. Then list the responses that should happen for each emergency you listed. Finally, once the plan is developed, be sure everyone in the workplace knows about it and what to do if an emergency happens. Manage Risk Initially, it is important to identify the risks. Then you can move on to identifying how to deal with them effectively.
So, what types of risks are we concerned with in the world of human resource management?
And, what type of involvement does HR have with those risks?
Develop Contingency Plans If there is a flood or fire and your workplace is destroyed, the computers, hard drives, on-site backup systems, and filing cabinets may no longer be available. How will you open your business tomorrow morning? Employers must have a plan for how they will continue operating their organization. What about customer records, accounting records, client data, and payroll information?
This is an area of responsibility where HR professionals should work with others in the organization such as professionals in information technology (IT) and accounting. It should be common practice for backups to be made of all technology systems, especially a human resource information system (HRIS). And, those backups, or at least duplicates of them, should be stored off-site at some secure location. It is necessary for the survival of your organization that it be able to continue operations as quickly as possible with all the records it requires for that to happen. How will you communicate to employees where they should report to work after such a disaster? Do you plan to use e-mail, text messages, or a telephone tree to contact everyone and pass along instructions? How will you keep supervisors and managers informed? Who will handle media inquiries about the disaster and your plans for the future?
Test and Implement Plans A key element of disaster recovery is practicing the contingent plan to see whether it will actually work. That’s what fire drills are all about. People in the military constantly gripe about having to drill all the time. Those drills are nothing more than rehearsals for the time that the actual event will come to pass and the practiced behavior responses will become essential. The same holds true for civilian organizations. Employees need to practice evacuating their work location so they know for sure which exit they should use and what their assigned rallying point is once outside the building. If there is a disaster involving the loss of key personnel, an emergency response plan should be activated. Ideally, it will have been rehearsed so everyone involved understands their roles and how to play them. Who will be the spokesperson for the company when media representatives come asking for answers to their questions? Who will be responsible for interacting with government officials if that becomes necessary? Who will be guiding the instruction of managers and distributing information to the general employee group?
Debrief and Learn Make plans and then test them by rehearsing. Evaluate the results of the rehearsal and adjust the plans based on those experiences. Identify where improvements can be made and then make them. Debriefing is the process of meeting to discuss what happened during the practice exercise. Debriefing should gather input from individuals as well as the collective input of managers and employees. Debriefing is the opportunity to be sure all of the communication channels are open and working accurately. Are all telephone number lists up-to-date? Are other contact points noted and verified? What are the emergency contact points for government resources (fire/ambulance/police/sheriff)? If the plan involves coordination with other organizations, they should be represented in the debriefing session so their input can be gathered and evaluated. Evaluating Risk Management At least once per year, all formal risk management plans should be reviewed and adjusted if it is thought necessary. Those reviews are usually chaired by either the chief HR officer or the chief legal officer in the organization. Providing Oversight The role of risk management oversight is commonly assumed by the board of directors. It applies to all forms of risk for the entire enterprise. Since the board is the organizational element responsible for the overall success of the company, identifying how risk management is being handled becomes a key element of the board’s responsibilities. Evaluating Effectiveness of Risk Management Policies and Processes Obviously, the most effective feedback or evaluation comes from having actually experienced the danger (risk) that plans had been developed to address. When disaster strikes, debriefing sessions or critique meetings should be held to establish what worked well and what needs improvement. Healthy organizations will conduct periodic tests of their risk management plans through exercises designed to probe every element of reaction to the problem anticipated. There should be critique sessions held following each test to determine what updates should be made to the plans. Then, after a reasonable interval, the plans should be tested again. Some plans (evacuation/earthquake/shelter-in-place) should be tested quarterly. Other plans can be tested once a year, or even less frequently. Some tests can be as simple as the CEO walking into an executive staff meeting and announcing that a test scenario will be run in which the top five executives of the enterprise have all been killed in a plane crash. What will the remaining employees do as a result of hearing “The exercise begins now”? Tests of risk management plans must be customized to the plan.
After-Action Debriefs and Incidents Investigations How to determine the effectiveness of risk management plan test exercises depends on what the plan involves. Fire reactions and building evacuation can be evaluated by using a stop watch and exercise referees who keep track of when each group of employees has assembled at their emergency contact point outside the building. When testing plans for handling embezzlement or product failure/recalls, the exercise will not be as dramatic. But, it should be evaluated after it has completed to determine whether people followed the plan and what issues they discovered need improvement. If an employee comes to work one morning to find an alligator sitting on the building’s front porch blocking the normal route employees use to enter the building, there needs to be a risk management plan/safety plan implementation that can address that issue. The reaction may be as simple as directing workers to a different entrance. But the incident demands there be a reaction to prevent serious harm to humans. After-incident investigations can shed light on how well the plan worked and people reacted. If the plan was good but people didn’t implement it properly, there may be a training need. More frequent practice could be called for. The investigation should provide direction for resolving any remaining issues. Whistle-Blowing When an employee (or outside person) blows the whistle on bad behavior going on within the organization, it can result in a public relations nightmare. One of the conditions for which emergency plans are prepared should be disclosure of bad behavior such as a cover-up of illegal activity or simply behavior that is ethically wrong and embarrassing to the employer. What can be made of the story by media representatives will be potentially damaging to the company. Someone will need to be positioned to speak for the company on such issues. There needs to be a predesignated group of key employees who will decide quickly how to address the problem and explain the company’s reaction to it when addressing the media. Evaluating Compliance Compliance with government regulatory requirements is a complex realm.
There are compliance requirements for many different topics. Promoting Continuous Improvement In 1985, Tom Peters wrote a book entitled Thriving on Chaos. In it, he highlighted the Japanese management concept of Kaizen, the never-ending quest for perfection. American managers have retitled the concept to continuous improvement. Whatever it is called, the idea is to strive each day for a little better quality, quantity, and effort. Peters became famous for, among other things, his suggestion that management by walking around (MBWA) was the most effective approach and produced the greatest positive organizational results. Searching for continuous improvements means employees must be involved by very definition. Managers can’t be expected to think of everything, and those who work directly with the process are best able to identify how improvements can be made. Employees are truly the best resource for identifying better ways of doing things.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.