The concept of human resources risk management is foreign to most corporate managers as well as to HR managers. This is not surprising, as risk management is an enterprise discipline that cannot be broken into silos if it is to be successful.
It is, nevertheless, a necessary risk management function as the greatest danger companies are exposed to today emanates from employees. Staff members, either intentionally or through ignorance, expose their employers to enormous risks on almost a daily basis.
“A human resource is a human risk,” says Amir Lubashevsky, director of Magix Integration, “and HR must put the right policies and procedures in place to mitigate these risks without hindering the productivity of workers. HR risk management must therefore be an integrated component of the enterprise's risk management discipline designed to deal with the issue of human uncertainty.”
All HR policies, processes, systems and people must fall within the gamut of the HR risk management function.
“It's easy to check someone's qualifications, for example, but it gets a bit harder when one has to make sure sensitive corporate data or intellectual property is not being used as stock in an employee's private business,” notes Lubashevsky. “We never consider information to be an asset, but corporate data is often more valuable than physical assets and much easier to steal.”
The only way to protect these assets is to constantly monitor what staff members are doing, what data they are accessing, whether they are copying it to portable storage devices and where it is going. The monitoring should be done according to published corporate policies, and any activity outside of the employee's normal job requirements should be flagged for closer inspection.
Of course, physically inspecting everything every employee does is simply impossible and checking up after the fact is too late because the damage will have been done. Effective monitoring must therefore be electronic and non-invasive.
“Non-invasive monitoring is an effective, real-time check on what is happening in the organisation,” Lubashevsky explains. “It does not interfere with employees' job functions and alerts can be raised when a suspicious activity occurs, allowing management to act pre-emptively to protect the company's information assets.”
There is always an outcry when the subject of monitoring is raised, but Lubashevsky says automated, non-invasive monitoring does not affect the employee. This type of risk management only deals with corporate assets and issues, and only alerts a human supervisor if the employee does something suspicious or at odds with what their job requires.
It may well be that the problem is one of ignorance and a need for better training. This in itself is a critical piece of information, as education is also an HR function that needs to be included in the risk management discipline.
“People don't know how to avoid risk if they are not taught what constitutes risky behaviour,” Lubashevsky concludes. “And in the end it's all down to people because the human factor is the riskiest element in business today.”