How organisations can adopt the right risk cultureBy Ko Hui Yen
Cybersecurity, fraud and “fake news” often dominate the headlines in today’s world. Risk has increasingly become a part of everyday vernacular, putting us as a society and as a business community on high alert. A recent report by PWC revealed that 32% of Singapore-based organisations fell victim to fraud in 2018 causing them to lose at least US$1m as a result.
However, whilst businesses are increasingly acknowledging the importance and potential of risk, it’s only in recent years that many have begun to consider risk as an internal challenge. We’ve long recognised the impact that geopolitical turmoil or a cyberattack can have on an organisation – but what about when it’s your employees that expose you to risk? It may be accidental, such as a simple slip up in processes, such as in the Mikhy Brochez case, which saw the HIV-positive status of 14,200 Singaporeans leaked online, or purposefully, for example when a conman masquerading as a clerk at a law firm, misappropriated an estimated S$848,000 from 17 clients.
This is a real dilemma - because people and risk are intrinsically linked. They’re both your greatest asset and your biggest weakness - you can never fully eliminate it.
But then again, do you need to? After all, it’s also risk that gives way to new frontiers, innovations and ideas that shape our world.
A discussion paper developed by the Corporate Research Forum (CRF) earlier this year argued that risk is about taking a balanced approach – and having a strategy and process in place to evaluate the potential pay-off against the risk being taken.
The paper also suggested that having the right risk culture means that we need to consider the perspectives of different business functions. For example, finance will be aware if a strategy exposes the firm to foreign exchange risk, marketing will point out anything that risks undermining the brand, and legal will assess any compliance risks. HR, in its role as both recruiter and the creator of company culture, perhaps plays the most intelligent and holistic role in risk management. So, should the mantle not fall to them to determine what a company’s risk lens should look like?
Of course, you don’t always see integration between HR and risk functions, so it might be best to start within the department and look at the top HR-specific risks - be it reputation, key technical positions or even hard to fill high-volume roles. Then, evaluate each risk starting from the time horizon - when will the risk have an impact and what kind of decisions might be affected by this risk? Will the new hires from the last cycle be affected? Or is the risk something that will occur a few years from now? Other important elements include being specific about where the risk lies and the magnitude, as well as considering mitigation options. You can then look to expand from there.
It is however important to remember that a risk-savvy culture isn’t just about key decision-makers – it should permeate throughout all employees and across all levels. It’s only by having the whole team on side and preparing themselves for risk, that you’ll develop resilience.
Businesses have a tendency to stress the importance of being robust - but something is only robust to the point where forces are so strong it breaks. And, inevitably, things will break – maybe not today or tomorrow, but the storm will hit at some point.
Some industries protected by regulations end up unable to cope when someone finds a loophole - for example taxis and the disruption of ride-hailing services. A resilient organisation is able to roll with the punches, adapt to the changing landscape and overcome the challenges.
As a collective organisation, each employee should have the right mindset when it comes to risk and resilience by:
- Ensuring mistakes and near misses aren’t hidden or brushed aside and instead are regarded as signals for risk;
- Avoiding blame and focusing instead on solving problems;
- Understanding that setbacks are part of the learning journey; and
- Being willing to do things differently when it is called for
For years now, the world has been calling HR to the board, as talent was seen as key to a company’s success. The same still rings true today but we should be measured and recognise that talent too should be considered through the risk lens, whether that’s screening candidates for rogue actors, or developing a company-wide mental fortitude that’s ready to battle through an evolving landscape. HR has never been more of an integral, strategic function to a business than it is today, so it more than deserves its place at the table when risk is being discussed.