Remote working, a cost of living crisis and talent migration are leaving workforces disengaged and stressed. Unhappy employees put everything at risk, so organisations must protect their greatest asset and build risk cultures that put people at the heart of their organisations.

Since the coronavirus pandemic, people-related risks have been growing at an unprecedented rate.

As more people work from home, the risks of cyberattacks are heightened. At the same time, the war for talent rages on, and firms that do not build positive cultures may suffer from a talent drain, leaving remaining staff under increasing amounts of pressure.

A disengaged and stressed workforce can lead to an uptick in malicious behaviours such as fraud. A rise in mental health issues among employees means people are more likely to make mistakes, take time off from work, or quit altogether.

David Dodds, consulting leader, continental Europe at Mercer Marsh Benefits, says: “We are living in a poly-crisis era.

“The impact of the COVID-19 pandemic overlaid with global macro-economic, cost of living and geopolitical challenges is heightening people risks in the workplace at a rate never seen before.”

“Employee well-being is being tested to the limit, with burnout and exhaustion feeding a mental health crisis, highlighted by increased absenteeism rates and presenteeism impacting business productivity and bottom-line performance.”

Subhanko Basu, managing principal at Capco, adds: “Ignoring [people-related risks] is likely to reduce productivity and increase employee turnover due to limited training, team cohesion, bonding and alignment to the group culture.”

“It can also disengage employees, erode brand, and increase chances of risk failure, with hybrid working culture creating a lack of informal conversations, virtual induction and inability to find mentors to speak to. Disengaged employees are more likely to be involved in risk incidents.”

Against this backdrop, it’s no surprise that people risks are rising up the corporate agenda.

The good news is that leadership teams are increasingly realising that people are fundamental to the growth, development and culture within an organisation.

Consequently, risk managers need stringent strategies in place to identify and manage exposures. This means breaking down silos and working with core departments such as HR, IT and security to create a strong risk culture. 

Firms that achieve this and prioritise mitigating people-related risks can position themselves for long-term success.

People are the frontline of cyber security

Workforces nowadays are more distributed than ever, and employees can often connect to work networks from anywhere in the world.

However, while flexibility and hybrid working bring many benefits for workers, this needs to be managed properly to avoid cyber security breaches through company data being visible on insecure networks.

Miguel Clarke, GRC and cyber security lead for Armor, says: “Unfortunately, while it has delivered many benefits, our increased connectedness through multiple devices, apps and programs has delivered two more things: a greater number of outlets for leaking information and a higher number of people with greater access to critical information.

“Add to this the vulnerabilities that can result from remote and flexible working, and a data or security breach, whether intended or not, is increasingly likely.”

Indeed, humans are often the weakest link in the security of an IT infrastructure.

Emerging threats such as ransomware attacks and business email compromise rely on exploitation of the human mindset, so ignoring people-related risk in this area is a bad move.

Malicious attacks often start with a phishing email or easy-to-guess password, meaning employees represent the frontlines of cyber security.

Chris Harris, EMEA technical director at Thales, says: “The use of passwords puts the onus entirely on the user, and is heavily reliant on limited human memory capacity.

“With us all encouraged to have long, complex passwords for personal and professional use, there is a risk that people will inevitably resort to the same, easy to remember (and easily hackable) password.”

Reduced headcounts because of widespread layoffs put a strain on those employees that remain. This could mean cyber security takes a backseat, leaving businesses more vulnerable to obvious signs of attack.

Redundancies can breed a disgruntled workforce that is less alert to potential risks.

A successful cyber breach can have far-reaching consequences. Financially, targeted organisations face the threat of lost business due to disrupted operational activity, as well as extortionate ransoms, or fines for data breaches.

Harris says: “Nowadays, cyber security is a pressing people-related risk that should be on every business’s radar and a top priority to address – cyber attacks are a matter of when, not if!

“Our 2023 Data Threat Report found human error to be one of the leading causes of breaches. The fact that cyber security practices are often designed without taking the human element into consideration showcases where the real problem lies.

“Reputationally, there is a risk that organisations will lose the support and backing of investors and other stakeholders, as well as their customers who decide to do business elsewhere – loyalty is not easy to win back after a breach.

“Furthermore, it goes without saying that those impacted receive considerably poor media coverage, damaging the image of the brand even further.”

The risks of a workforce in ill-health

Since the coronavirus pandemic, there are reports of increasing numbers of workers in poor mental health, suffering from stress, anxiety and depression.

Lack of access to treatment during the lockdowns has also led to higher incidence of physical health issues. This causes significant risks for a business, which range from low productivity and long periods of absence to poor reputation and key personnel quitting.

Basu says: “Working from home and hybrid working culture makes it challenging to induct new employees virtually and keep ongoing engagement levels high.

“This has led to an increase in disengaged employees with high stress levels. Such employees are much more likely to leave or be involved in risk failure incidents including data breaches.”

To tackle these risks, organisations must have a robust people-centric strategy and a combination of internal processes, benefits, and external insurance.

Internal options include timely performance management and feedback, training opportunities, employee assistance programmes and mental health support, as well as access to benefits and workplace safety protection.

Insurance solutions include group life insurance, critical, group income protection, employment practices liability insurance, and directors and officers liability insurance.

Dodds says: “Employers have a duty of care to look after the well-being of their most important asset – their people.

“People are what make a business and the most successful businesses are built on thriving, healthy cultures where employees act as brand ambassadors and offer loyalty to the business.

“Where a workplace culture becomes toxic or broken, the impact is stark and badly managed people risk is at the heart of that.”

Winning the war for talent

Ties between employers and employees are fraying. 

The cost of living crisis has made people feel less committed to their employers as they naturally look for better-paying work.

With employees ‘quiet quitting’, there is a real risk to business performance and the ability of firms to grow in the face of economic headwinds.

Where employees are tired, emotionally disengaged and suffering from presenteeism, the results are stark. Failure to act may be costly in terms of productivity, absence, talent drain and in terms of the reputation of the business.

Dodds says: “Where people risk is not being managed carefully, we are seeing key talent leaving businesses for better workplace culture and work life balance, and with businesses struggling to attract the right talent to support their needs.”

“[However], our latest Global Talent Trends research shows that thriving employees are 4 times more likely to say their company meets their needs and to be satisfied not to plan to leave the organisation.

“Where an employer offers a broader range of benefits, employees are more likely to be thriving and ultimately less likely to move elsewhere. By proving to employees that a business cares, people risk can be managed effectively.”

A good starting point is an effective employee well-being strategy.

Risk managers must work with HR and listen to what employees need.

All companies have access to meaningful data that provides insight into the well-being of a business, such as sickness/absence rates, medical claims/premiums, employee engagement surveys and benefit take-up.

Managing wrongdoing

As more employees feel disconnected from their employers, there is a risk that malicious behaviours could start to become more prevalent.

This could manifest in higher levels of IP theft, data theft, fraud and poor behaviours.

StoneTurn partner Sarah Keeling and senior adviser Richard Mackintosh say: “People risk is especially high during times of change.

“This could be a merger or acquisition, restructuring, acquisition of a new but different type of business, downturn in the economy, increased pressure to perform better and achieve higher revenue targets.

“This unfortunately can prompt individuals who fear or resent change to recognise they are vulnerable and thus can potentially provide opportunities for fraud and malfeasance.”

“An understanding of how and why ‘people go wrong’ and what red flags might look like for an organisation will lead to appropriate and proportionate controls being established.

“All the controls need to be managed holistically – not in silos. History is littered with cases where the failure to join the dots allowed people to get away with a full range of malicious acts when in hindsight a joined-up approach would have identified and stopped their activity sooner.”

Managing behavioural risks, such as unethical conduct, bribery, fraud, bullying, sexual harassment, excessive risk-taking and toxic leadership styles, means managing the tone from the top, and developing a strong culture at every level.

Vera Cherepanova, ethics and compliance author and owner of Studio Etica, explains: “Looking through a behavioural risk lens means looking at organisational culture, and how it steers employee behaviour towards what’s expected.

“As we have seen in many recent corporate scandals, unethical culture can compromise the effectiveness of ethics and compliance efforts in many ways, but most importantly by sending the wrong signals of what’s the acceptable standard of behaviour.”

Creating a culture of risk management

To manage and mitigate people-related exposures effectively, risk managers need to have a clear understanding of the threats their organisations face.

This can be difficult as it requires them to break down silos and get input from other areas of the business. Risk management frameworks can help.

Cherepanova says: “The key to managing behavioural risks begins with a robust risk assessment, with the ultimate goal of creating an organisation’s behavioural risk map.

“Through having an insight into risk hot spots, behaviours and their underlying drivers, the organisation is ready to start applying interventions that will lead to sustainable change in unwanted behaviours.”

Successful people risk management also requires board-level buy-in. An executive or board member should be accountable for people-related risks to ensure that all stakeholders are fully engaged and sharing relevant information.

StoneTurn’s Keeling and Mackintosh say: “A stakeholder group should be empowered to keep the risks under review and to ensure all controls are managed in a holistic fashion.

“Data on people risks should be collected and discussed at board level. The goal is to create a ‘high trust’ working environment.”

This framework must then be underpinned by good management, regular training, constructive feedback, a ‘speak up’ process that is trusted, and a code of conduct and ethics that is demonstrated by leadership and management.

Keeling and Mackintosh add: “Visible consistent leadership in this space is vital. People risk is nearly always mitigated by strong accountable management, a fair and meritocratic, transparent process for advancement, strong role models and a genuine commitment to all employees to provide opportunities to thrive.

“These are all things that any modern organisation will espouse anyway. The key is making sure that actions match the words.”

Risk managers also need to empower employees to understand risk and how to mitigate personal exposures, particularly when it comes to cyber controls.

Harris explains: “A common observation from cyber vulnerability investigations is a tendency for employees to rely on their IT department to protect them from cyberattacks.

“In a mature culture, everybody takes responsibility for their own cyber security… Having a culture of blame within an organisation is not helpful. Policies and procedures should be designed around job roles.”

At the end of the day, experts agree that the key to successfully managing people risks is to take a holistic and joined-up view, liaising with other departments.

That starts with HR, but should also include IT, physical security, investigations, ethics, compliance and legal.

Keeling and Mackintosh say: “People risks touch all parts of an organisation and can manifest themselves in many ways. Having these stakeholders sharing a common view of the risks and an agreed risk approach will help head off preventable people risks and manage people risk incidents when they arise.”