Look at any significant corporate failure over the last 20-30 years, and at its heart will be issues relating to people. In most industries, people are your greatest asset — but they can also be your biggest liability. Unlike machines, they are unpredictable, irrational, and erratic, which makes "people risk" one of the most challenging areas to define, assess, and manage on your risk register.
People risk is the risk that the people in your organisation, either through ill intent or ignorance, will act in a way that prevents you from achieving your strategic aims and objectives. It is rarely stand-alone but instead is a contributing factor to many other risks on your register. It is often overlooked — either because it is seen as too difficult to define or because it is a less obvious contributing factor than something more visible such as a system failure or, indeed, a global pandemic.
"People" does not just mean employees either. A variety of agents, suppliers, contractors, and others will be representing your organisation. Your level of control over them will vary, but where possible, you should introduce measures to manage the risk from these stakeholders, too.
The causes of people risk can broadly be split into three categories:
- Lack of understanding: Individuals are unclear about what they are supposed to be doing;
- Lack of skill: They know what to do but do not know how to do it; and
- Lack of will: They know what to do and how to do it but do not do it.
This article looks at lack of understanding in more detail.
Setting expectations of what an employee has to do and the standard to which these tasks must be carried out is critical. The standard tool for enabling employees to understand what is required of them is a job or role description. These are typically prepared for recruitment or to help with career development but rarely for managing an organisation's risk. They may also have been languishing on the intranet or on the shelf for the last few years and don't reflect the current reality of the role.
Review descriptions before recruiting for a new role, particularly for one in a higher-risk position. Where does this role fit in carrying out the organisation's aims and purpose? Think about the touchpoints this person will have with customers and other stakeholders. If something goes wrong, what will it be, and where will it happen? What has gone wrong in the past? Speak to others who do the job — the person writing the description is unlikely to be close enough to know exactly what happens on the ground. This should not be a theoretical exercise.
From a risk point of view, a good role description should include overall responsibilities, the tasks to be carried out to meet those responsibilities, and any expected standards or targets. It should also include the manager the role reports to. A list of desirable skills is typically included to aid with recruitment and performance management, but these can also be helpful when dealing with people risk to determine whether the person has the ability to carry out the role successfully.
Training and communication
It is not enough to give an employee a job description and then expect them to understand and remember it fully. As part of the induction process, there should be sufficient training and communication of what the role entails, bringing the job description to life.
An essential element of this is understanding why the tasks and responsibilities are important and how they help the organisation fulfil its aims and purpose — or prevent it from being exposed to failure. Communications or training should explain the consequences if things go wrong. This is particularly important in those items highest up your risk register — for example, regulatory breaches.
Training is also where the "how" of an employee's day-to-day work should be explained. This may be part of values or code-of-conduct training and introduces employees to the organisation's culture.
It does not have to all be done through formal training. A period of work shadowing, a "buddy" or "mentor" system, and high-quality on-the-job coaching all reduce the risk of an employee not understanding what is required.
A role description by itself is not sufficient. In some cases, it may be appropriate to have procedure manuals, standards of practice, or other documentation to explain what an employee needs to do and when.
Embedding the requirement to use these documents should be part of any induction. Ensure that employees can navigate their way around them, perhaps by undertaking a "treasure hunt" activity, where employees are set tasks that use the documentation and help sources. Help guides should be easily accessible on the intranet or even on an app.
In reality, employees may find it quicker to ask colleagues for advice on how to do something, so there must be refresher training and communications so all employees know what to do.
The nature of some job roles does not lend itself well to manuals, particularly those in less process-oriented industries. In such cases, employees must understand the framework within which they can make decisions that affect the organisation. This can include guiding principles and decision-making tools. Knowing when to consult elsewhere within the organisation is critical.
Of course, knowing that you have set your employees off on the right track does not mean that they will always stick to it. Having a robust performance-management process is crucial to understanding whether employees' actions open you up to risk.
A culture of continuous and honest feedback can help employees to understand where they are not meeting expectations. Enabling a two-way dialogue allows both for them to ask any questions and for management to understand why they may not be aware of what is required of them in the role. Employees may also be able to make suggestions as to what tools, guidance, and training would help them understand things better.
You should also continually monitor issues as they arise and ask whether there are root causes relating to any cases of employees' lack of understanding of their roles.
Putting this guidance in place will help ensure your employees understand their role and how it supports the organisation to be successful. You may not have the resources to put all of the elements into place, but by taking a risk-based approach, you can determine where best to focus your efforts.
And do not forget, one of the additional benefits of clarity of role and purpose is that employees will be more motivated and engaged in their work.
Helen Tuddenham is an executive coach and leadership development consultant based in the UK. To comment on this article or to suggest an idea for another article, contact Oliver Rowe at Oliver.Rowe@aicpa-cima.com.
Coaching and Mentoring
Leading vs Managing
Analysing what leaders do, why they do it, and when they do it is vital to understanding how to manage. This course looks at how to create a balance between using leadership and management skills as a practitioner in any workplace. Find this course in the AICPA store and in the CGMA store.
Optimizing Performance Through Listening and Observing
Provides essential information on how to listen to and observe others so you can optimise your own work performance and that of your colleagues. Find this course in the AICPA store and in the CGMA store.
Rewards Inside and Out