Moral hazard In a radically changing world, HR will bear a large share of the responsibility for managing risks. By Carolyn Rance Keypoints • Major global changes mean a broader approach to risk management is needed. • HR has a central role to play in building resilient organisational cultures. • Improving employee performance and corporate practice includes skill-building in disaster scenario planning. At the heart of risk management in the 21st century is the need to expect the unexpected. From the effects of climate change, to threats of pandemics and terrorism, to the emergence of new technologies, huge economies and a global job market, the world is changing in ways that are hard to imagine, let alone predict. In the commercial sphere, businesses are finding compliance with existing laws and standards arduous enough, but survival and success in coming decades will be increasingly dependent on the ability to identify and mitigate multiple, often previously unheard-of, risks. Clearly, HR will have a crucial role in building resilient organisational cultures where potential problems are discussed and addressed rather than concealed or ignored, and where patterns of behaviour are recognised as a predictor of outcomes. “In the past, risk has been seen as the preserve of accountants, but, if you look at a company like Enron, financial failure was preceded by a very poor culture with hubris in large doses,” says AHRI national president Peter Wilson. If HR and finance are to share responsibility for good governance and legal compliance, organisations will need more people who are alert to bad behaviour and operational risk, he says. “We need HR managers with courage and instinct to apply themselves in a proactive risk management domain rather than a reactive administrative domain.” In a study by Accenture late last year, 436 senior executives at major North American, European and Asian companies rated managing risk as their top priority. It outranked growth, increasing shareholder value, acquiring new customers, IT, and organisational culture and performance issues. “The study illustrates that companies realise they must address the increased risks associated with geo-political instability, globalisation, aggressive growth, increased competition and the information explosion,” says Walt Shill, the consultancy’s managing director of strategy practice. Risk management is a logical component of HR, says psychologist Dr Robert Heath, associate professor in risk and management at the University of South Australia and author of Crisis Management for Managers and Executives (1998). “People are the greatest source of risk,” says Heath. “They have accidents, behave stupidly, make mistakes and do fraudulent things. The people hiring and managing them need to look beyond OHS and the physical environment. Although these are important, they must understand the less tangible psychological environment of how the workforce sees the workplace. There’s no doubt that we need better-qualified risk management specialists coming out of universities, but we also need to realise that every person who manages someone has to be a risk manager.” Too many organisations have processes in place that lack real content, he says. “They are apparently meeting all the requirements of good management practice, ticking all the boxes, but not necessarily following through. I often see companies where risk management is an add-on rather than part of a job. Until it is seen as part of current work, rather than an extra, there will be a problem. HR needs to push for active risk management teams drawn from all areas and to be able to say, ‘Listen, folks, every time you do that [over there], this happens over here.’” Integrating risk management into mainstream business activities is crucial, says Peter Hanzlicek, a director of the Risk Management Institution of Australasia. He sees no conflict between the formal documentation, audit and compliance duties involved, and innovation. “While understanding risk may raise negatives, it also reveals opportunities. Risk management moves things from the unconscious to the conscious and lets us look at the big picture. There is risk in everything we do—we manage it subconsciously through the cultural rules we learn as we grow up. “In an organisational environment, we often need to be instructed or coaxed. Formalising risk management enables people to understand what is meant when the business talks about risk, so getting the culture and language right is important. If senior executives are seen to take ownership of strategic risk, others in the business will accept responsibility for the wide span of operational, project and emerging risks.” Hanzlicek believes that moans about compliance are a passing phase, with many business managers moving to a mindset where managing risk is no longer regarded as a reactive process aimed only at highlighting problems. This view seems to be supported by growing evidence here and overseas of corporate willingness to go beyond the letter of the law. In complying with post-Enron legislation known as the Sarbanes-Oxley Act, US-owned enterprises are using the process to improve financial reporting, anti-fraud controls and investor confidence, noted KPMG’s Brian Bogardus last year. “Compliance doesn’t have to be an end in itself,” he says. “We are seeing companies move from ‘How do we comply?’ to ‘How do we use the improved controls to gain competitive advantage?’” Annual reports from Australian listed companies reveal increasing levels of awareness of the link between culture and risk, and the way both need to be managed to achieve compliance with the financial, social and environmental demands of legislation and the Australian Stock Exchange’s Principles of Good Corporate Governance. When National Australia Bank issued its 2006 annual report, it was still smarting from losses in its US business, and the unauthorised currency trading scandal that resulted in former employees being jailed and the CEO and chairman stepping down. NAB reported that its performance management and reward framework were now guided by principles “ensuring our people are rewarded for the way they behave and do their jobs, rather than just the outcomes they achieve”. A year earlier, Amcor chairman Chris Roberts assured shareholders that, in the wake of a discovery that some employees appeared to be in breach of competition laws and the subsequent resignation of top executives, the company had “started the process of changing the behaviour and, all importantly, the culture” within its troubled corrugated box business. But, his proviso in the same speech, that there were “inherent limitations to the effectiveness of any system of disclosure and internal controls” rings true to Heath. “You can’t control risk. You can only try to manage it,” he observes. Hanzlicek has no doubt that companies are taking the challenge seriously in a trend likely to strengthen as shareholders and fund managers demand greater transparency, and corporate regulators flex their muscles. He cites the National Packaging Covenant as an example of companies being proactive in waste management rather than waiting for legislation. Mergers and acquisitions will also focus executives on risk as they devise ways to make new entities innovative and compliant. Heath similarly views risk management as a positive activity in which opportunity will be analysed to achieve “less downtime, less faulty product and more profit”. But he notes that the consequences of change need to be considered broadly to lessen the likelihood of unforeseen problems, and when HR practitioners consider their role they should think about human expectations. “The difference between what people expect and the reality creates all sorts of problems. For HR, the facilitating role between management and workforce has to be about reducing expectation— not squeezing the hell out of everybody, but reducing misperceptions.” When rogue traders imperil a bank’s reputation and profits, or production workers become slack about safety, it may be because they reflect a corporate culture where it is assumed that, unless they are told differently, everything will be okay. “People assume they are in a safe workplace, but in reality no-one can guarantee safety. You can’t abolish risk, but you can use positive reinforcement and practical demonstrations to make clear the consequences of certain actions.” HR needs to understand that, every time you make a change to human resources, it changes the corporate asset and financial balance. “You need to think in terms of two, five and 10-year planning,” says Heath. “For example, if you are in the car industry, you know that over time the sales of gas-powered cars will increase, so you need to be thinking about adding people to the workforce who can put together the gas components. You might look at the LPG conversion industry as a source of employees for the assembly line. Risk management is a dynamic, analytical process where every day you need to think about what has changed, its possible impact and what you should be doing.” Expanding existing databases can be a practical first step. “Think about new categories of information that could be useful,” says Heath. “If you have a multicultural workforce, list the languages each employee speaks. In an emergency you’d know who to call on to explain things or calm people in their own language. We often have that sort of information only in our heads. Putting it on the system adds to your capacity to deal with unforeseen contingencies.” Peter Wilson says HR tools such as 360-degree feedback and cultural workplace inventories that identify management behaviours against expected norms can help in building compliant and risk-aware corporate cultures. “The edge of HR is moving further out to understand how people are behaving. CEOs and senior HR people have a responsibility to drive culture in an ethical and legally compliant way, and monitor exceptions.” Identifying and managing risk must be consultative, says Wilson. “The people at the coalface understand workplace risks best.” An increasing number of Australian companies are developing practices recommended by the Treadway Commission of Canada. “It says the best way to understand risk is to conduct workshops of your people at all levels and have them identify economically, culturally and socially the key things that could go wrong.” Ironically, the success of western economies increases the risks they face. As in Australia, households in the UK and US are carrying large debt burdens and there are growing signs of consumer distress. In January the UK’s Financial Services Authority urged companies to increase their stress testing. The complexity and interrelatedness of systems, technology and networks makes them more productive, but simultaneously more vulnerable in the face of extreme events such as flood, fire, power outages and external attack, says Michael Tarrant, assistant director, education and training, at Emergency Management Australia, a division of the Attorney-General’s department that works with government, business and the community to foster a comprehensive national approach to emergency management. “Management teams spend time thinking about how organisations can do what they do better, but we have tended to consume the efficiency dividend rather than use some of it to build in resilience and make sure we have the resources to deal with something that comes out of left field,” he says. Tarrant says HR could contribute to greater preparedness by looking at whether rewards and recognition are solely geared to doing the routine better and measuring the measurable, when we also need to be thinking about having the strategies and types of people able to operate in different and difficult situations. He says having people look at disaster scenarios as part of their operations improves their ability to think laterally and solve problems, which benefits organisational performance and practice. Beef at stake Henry Lawson and Banjo Paterson wouldn’t recognise the bush today. Station managers are internet-connected and workplace safety means much more than carrying a bandage in the saddlebag. The Australian Agricultural Company operates 24 huge cattle stations and two feedlots, where training, communication and compliance are crucial to managing risks, including biosecurity and environmental threats, and health, safety and staffing issues, says quality systems manager Trish Quirk. “AAco is a very old company [founded in 1824], with a lot of tradition and a long history—but all new documentation and systems.” The organisation moved into the 21st century with a stock exchange listing in 2001 and a proactive approach to risk and environmental management. Last year it won two categories at the NAB agribusiness awards. Quality management and assurance programs aim to combine risk management with a focus on performance and continuous improvement. The company has implemented the ISO 9001:2000 standard across all operations. A certified food safety system (HACCP) helps manage production risks for its 1824 and Wagyu beef products and on feedlots, and AAco is a recognised leader in its compliance with the National Feedlot Accreditation Scheme and Livestock Production Assurance quality program CattleCare. Quirk says such compliance provides a logical, consistent way to identify risk and put in monitoring and management practices along a supply chain that includes breeding cattle in one part of the country and sending them to another part to grow, and another to fatten in feedlots, before transportation to market. Senior management workshops have identified the company’s top 20 risks and developed documented management plans. A breakout of an exotic animal disease in Australia is one risk. “We have a business continuity plan for dealing with an outbreak, and run scenarios at one of the feedlots on what we would do if animals became sick,” says Quirk. “And we’ve taken that learning to senior management and the people working on the cattle stations.” HR is integral to induction and training that make risk awareness part of the staff mindset. “All new station managers come to head office in Brisbane and receive induction from every department in the procedures and risks relevant to their job. We can follow up if required with face-to-face support out on the station.” Administration systems are standardised and reference manual updates are sent out in hard copy format. A teleconference follows, where changes to procedures and practices are explained and discussed. Once a process is captured in a procedure it becomes identified as “the company way”. Regional managers provide a constant link between station managers and the Brisbane head office. Regional meetings ensure station managers meet head office staff from a range of disciplines to establish lines of communication. Risk and compliance messages from head office target frontline staff as well as more senior managers. Head stockmen play a crucial part in managing operational risk, with responsibility for things like chemical safety, animal treatment and vaccination programs. Each year they attend a week’s training. “Last year we developed a head stockman’s toolkit—a practical mini reference manual in a hardwearing plastic pack to carry in their vehicles.” Corporate governance, with its requirement for a risk management plan and risk register, drives Aaco’s approach to all types of risk, says Quirk. “Everyone is expected to look at their business responsibilities in an integrated way and understand the range of risks that could have an impact on their area and the company as a whole.” For HR, this includes looking at training and overseas recruitment as ways of addressing staff shortages. “Finding people who want to work in the outback is really difficult.” Looming issues Climate change and recruitment and retention issues loom large for Australian businesses, says Aon Australia as it awaits the findings of its latest annual risk survey. Expectations are that the survey will reveal potential disruptions for business, says Ross Castle, national manager, client research and development. “With the hospitality, energy and resource sectors already starting to cite climate change as a key risk, we expect this concern to become more widespread,” says Castle. “Social and community activism may see governments take a far more active role in the debate and demand a greater level of action and involvement from business in terms of regulation and personal accountability.” Continuity risks and labour market issues that have concerned business for a number of years look set to remain pressing. “We predict increased concern around business dependency, and business disruption from supply chain risks, heavy reliance on systems and technology, and the proliferation of outsourcing and off-shoring.” The ability to attract and retain staff and develop the right organisational culture will continue to worry executives, says Castle. “Tight labour market conditions and a shortage of skilled staff are likely to heighten this concern. Combined with an ageing population, Generation Y issues and the emergence of stress as an OHS issue, workforce issues are likely to weigh heavily on the minds of Australian executives.” Workshops AHRI is running a risk assessment and management program nationally from August to September. Designed for HR practitioners, managers and business owners, the workshops cover the principles of risk and the role that HR has to play. VIC: 23–24 August SA: 11–12 September WA: 13–14 September NSW: 2–3 October TAS: 22–23 October QLD: 17–18 September Visit www.ahri.com.au for details and to register. Carolyn Rance is a freelance writer.