Risk has always been an important subject in business and it’s been dramatically increasing in prominence in the past two decades. In fact, following the 2008 financial crisis, the UK government passed legislation requiring financial institutions to have a Chief Risk Officer and a board-level risk committee. It’s unlikely you learned about HR risk or HR’s role in risk management in school, so it’s time to catch up now.
How should we think about risk?
The most useful way to think about risk is that it’s a lens for seeing the organization—just like you might see the organization through a competitive strategy lens or a culture lens. With a risk lens, instead of saying “We want to avoid bad hires” we would say, “What is the risk of hiring a bad one?”
If you show any interest in risk, you’ll start hearing about “risk registers”. A risk register is just a table that lists:
• What the risks are
• How likely they are
• How big the impact could be
• What you might do about it.
There may be some real sophistication behind the numbers, more likely they are just educated guesses. That’s okay. The point of a risk register is to go from having a bunch of vague ideas to something specific that you can prioritize, track and take action on.
The two sides of risk management
A big part of risk management in organizations involves activities around ensuring compliance: rules and audits, as well as activities around insuring against risk—and yes, updating those risk registers. The other side is less about processes and more about insight. The insight side of risk management is about seeing risks that may have been overlooked, understanding hidden drivers of risk, and thinking of fresh tactics for managing risk.
You should recognize that the two sides of risk management are somewhat at odds. If you are heads down working to complete an audit you won’t be interested in sitting in the lounge chatting about how AI may change talent risk. Similarly, if you are at a symposium on geopolitical trends in Africa then you won’t want to be dragged away to fine-tune compliance rules. There needs to be some way to separate these two so that both sides are handled.
HR risk and business risk
It’s natural for HR to think first about HR risks. For example, the risk of talent shortfalls or the risk of not complying with labour legislation. This is useful in itself, and a good place to start since you have subject matter expertise in these areas.
The next step is to think about HR’s role in business risk. For example, if the business is concerned about cyber-attacks, then perhaps half of the mitigation measures lies with IT, the other half lies within HR since employee behaviour is a crucial factor in protecting the firm from cyber-attacks. Don’t forget to see the positive side of risk; if you take a risk of hiring gig workers you may suffer from poor performance or you may find an outstanding source of new talent.
What to do
It sounds too simple to be useful, but it really can be helpful simply to start talking about risk. If you are buying a new technology raise the question “What’s the risk if we buy this tech? What’s the risk if we don’t?” If you are thinking about the staff in a warehouse, ask “Which jobs pose the greatest risk to the operations?” Raising the topic of risk will lead your thinking in the right direction.
It’s also a good idea to get to know the people in the risk department in your organization. You’ll find some of it boring (the specifics of insurance) and some of it interesting (the strategic risks in the industry); take the time to learn how risk professionals think about the subject and maybe more importantly, what they actually do. Ask if there is a risk committee on the board (there probably is), find out what they are concerned about then talk with your peers about the HR side of that risk.
There were two best sellers about risk that you might enjoy: Against the Gods: The Remarkable Story of Risk Peter L. Bernstein (1996) and The Black Swan: The Impact of the Highly Improbable by Nassim Nicholas Taleb (2007). While neither deals directly with the risks an HR pro would handle at work, they are good reads and will deepen your understanding of the subject.