Managing employee risk – new guidance from PA and the Centre for the Protection of National Infrastructure (CPNI)
“Managing employee risk can help organisations to improve their performance significantly while taking account of regulatory requirements. Developed by PA and the CPNI, the HoMER guidance sets the framework in which an organisation can build a risk-based, performance-led strategy.” Bill Windle, employee risk expert
Employees are a key asset in all organisations and yet, in this information age where it is possible to transfer huge amounts of data or money with a single click, they also represent one of the greatest sources of risk. Balancing trust with effective and proportionate control is a challenge for many organisations – particularly when you consider legal issues, privacy concerns and organisational culture. To address this, many medium and large organisations have defined and communicated their values to employees.
However, high-profile, high-impact cases of counter-productive behaviour in the workplace still occur all too frequently. The day-to-day behaviour of employees, including senior leaders, does not always support the organisation’s values and desired culture and in some instances may even breach specific policies. This can weaken motivation and trust among employees, reduce the confidence of regulators and expose the organisation to risks that are not immediately apparent (and consequently, are not being managed).
Managing employee risk is a key challenge for senior business leaders in both the public and private sector, requiring a strategic approach that is owned and driven by the highest levels of an organisation’s leadership. To help, PA Consulting Group and the UK Government’s Centre for the Protection of National Infrastructure (CPNI) have launched new guidance, the Holistic Management of Employee Risk (HoMER).
HoMER draws on research from both the US and UK and offers organisations a framework of best practice within which to consider and address the challenges for their business.
From a business leadership perspective, there are three principles for more effective management of employee risk:
1) Manage employee risk at board level from a single point of accountability
All incidents have the potential to damage the reputation of an organisation, and even minor ones are often expensive and time-consuming to resolve. To date, responsibility for employee risk has typically been disaggregated across an organisation, creating gaps that can be exploited. Drawing together an organisation’s functions (including security, HR and IT) and making employee risk the responsibility of a single, senior owner allows for timelier identification of potentially counter-productive behaviour, which can then be more quickly explored and resolved.
2) Implement an open, ethical and legal approach to people security and protective monitoring
Protective monitoring, which involves the collection of information for risk management or compliance purposes (by establishing new processes across HR, legal, information security etc.), can help to detect potentially risky behaviour before it causes significant damage. An organisation must ensure that its protective monitoring is based on transparent and ethical policies; advice is readily available from many sources, including the Information Commissioner’s Office. Managed and communicated well, protective monitoring will generate internal support and a stronger security culture, helping to deter counter-productive behaviour and protect an organisation’s critical business assets.
3) Take a proportionate and risk-based approach that draws on experience
The starting point for any effective security strategy is to identify the key business assets and the associated threats and vulnerabilities, and to apply security measures proportionately – thus focusing investment and security where it matters most. From an employee perspective, this means identifying where your most valuable assets are, understanding who has, or needs, access to them, and developing measures and controls that enable rather than constrain business operations.
The management of employee risk needs to be an ongoing consideration. As technologies evolve, it is important to anticipate new vulnerabilities and risks alongside business opportunities. This will enable anticipation of regulatory trends and better management of stakeholder expectations (including those of your customers), and will ultimately position you more strongly for the future.