"Effective resilience in this area relies on a strong culture of trust between an organisation and its people."
BILL WINDLE, PA expert in people risk and cyber security
18 September 2012
Counterproductive behaviour by employees – whether inadvertent, negligent or malicious – can represent a significant risk to organisations, but companies’ efforts to reduce this risk often fail or even make things worse, according to new guidance published by PA Consulting Group and the Centre for the Protection of National Infrastructure (CPNI).
Holistic Management of Employee Risk (HoMER) offers a range of practical measures to help organisations reduce the risk from their employees. This risk ranges from oversight and corner-cutting – such as sharing passwords or propping open doors – to opportunistic behaviour including theft and fraud. At its worst, it can extend to malicious actions such as installing malware in the firm’s IT or enabling access to third parties. Direct losses can be severe, in one case putting a firm out of business for three months. Indirect losses are often harder to measure, including the impact on a business’s reputation, which has a very real commercial value. Recognising that workplace monitoring schemes can be overly secretive or lacking in proper oversight, HoMER recommends a pragmatic approach, based on clear guidance and senior-level accountability, that is defined by transparency and clear governance.
Bill Windle, expert in people risk and cyber security at PA Consulting Group, explains: “We have found that effective resilience in this area relies on a strong culture of trust between an organisation and its people, as well as between individual colleagues themselves. After all, trust underpins all relationships and HoMER is as much about protecting employees (from theft and false accusations) as it is about protecting organisations.
“Organisations should empower staff to act in the right way, encourage them to challenge unsafe behaviour and make sure that they follow company policies. We also recommend that firms learn from the good and bad experiences of other companies worldwide and, where necessary, engage in protective monitoring that is ethical, legal and holistic.”