- Corporate Security Teams
- Risk & Compliance Teams
- Information Security Teams
Governance, Risk and Compliance
By Amanda Ono Modified September 13, 2021
Picture this: risk management stakeholders are at a round-table reviewing the annual budget and note an asset valued at 50-70% of the operating budget. This asset is omitted as a priority for assessing vulnerability, expected likelihood and risk reduction. Everyone gets coffee and the meeting is adjourned. Crazy, yes…likely no. With salaries, benefits, onboarding, and training expenses, it’s estimated that 50-70% of your operating budget is related to people. If you were spending 50% of your budget on a security measure or a risk control, what would you do to leverage that investment? In other words, how are you optimizing employee engagement as part of your enterprise security risk management (ESRM) strategy?
Full disclosure, I’m writing from the perspective of someone who is in Talent, also know as Human Resources, so I have a bias on the critical nature of employee engagement. My example above is, of course, a wildly improbable scenario, but I have observed a disconnect in how the engagement of “people” is perceived. I should clarify that employee satisfaction (“I’m happy”) is different than employee engagement (“I’m committed to the goals of the team and the organization”). With this, set all the targets you want, put all the controls needed into place, and think about the likelihood of a disengaged employee bringing these initiatives across the line. Further to this, organizationally viewing “people engagement” as a thread that runs through Strategic, Operational, and Financial risk is an opportunity to help remove silos and move risk to objectives.
I’ve had the opportunity to partner with teams throughout Canada, Australia, New Zealand, South Africa and Asia, and the motivation to create a holistic, human capital strategy is a hot topic for business leaders around the world. There has been a shift in the approach of human resources (finite and/or depreciates when used or with time) towards human capital, which reflects investment and growth. With this comes the wide-view lens of people strategy and cross-functional organizational design to solve business challenges in new and interesting ways. Engagement is a critical business driver that not only impacts top-line revenue, but also bottom-line profitability, shrinkage, incidents, and accidents. If we include insider threat, data breaches and the ease to which brand/reputation can be impacted by social media, the potential risk expands. Take a look at the State of the American Workforce (Gallup, 2017); they have a great body of supporting research if you’re looking for data to support the business case. From my perspective, this reiterates why employee engagement doesn’t just sit in the human resources department—It is a multifaceted business issue that requires attention from all levels, especially senior leadership.
So, what now? Many of you likely already have People Leadership sitting at the table, but challenge yourself to think about how continuous improvement in your employee engagement strategy will facilitate your enterprise risk management strategy. Start with data. How regularly do you ask your employees about engagement (i.e., trust in leadership, alignment with business objectives, coaching from managers)? How often do you ask your employees how you can improve it? Annualized data is too far-out, think about conducting a quarterly (or even monthly) health-check. Ideally, your employee feedback loop should match the speed of your business. These health checks can help you focus on tangible actions that will cascade into four key areas of employee engagement. We happen to like the Four Pillar Model (Davey, Gore, Parker, 2003) because it is broad while being specific. Each of these areas are robust and have wide bodies of research and content, so here are some initial points for consideration when looking to improve your employee engagement strategy:
Do employees know how to make the organization successful?
Do people know what to do?
Do employees have the tools they need to be successful? Are a lack of tools/resources blocking success? If the cost of NOT achieving success is greater than the investment in the resource, start investing. Are there goals and resource allocation that are at cross-purposes? As an example, I worked with a customer who had a strong value around speed and quality, but would not invest in the right tech to allow their sales software to run quickly. Therefore, not only were hours wasted due to lack of speed, but eventually the sales people would just stop entering data… so there was no quality or speed! This isn’t about spending massive amounts of capital on resources, but having a hard look at what resources will have the most significant impact on job-success. Technology has done amazing things to maximize efficiency in cost-effective ways.
How do you facilitate employee motivation? How committed are your employees towards organizational success? Are your people motivated towards intrinsic or extrinsic outcomes? The focus on purpose, autonomy, mastery, and impact versus image, statue, money is important to understand. Daniel Pink does a great job of diving into this topic in Drive (2009). You’ll see how the other pillars interplay with motivation. Purpose and impact with alignment; autonomy and mastery with capability. Motivation then, is both a pillar of engagement and an outcome.
HR and Risk Teams have many things in common, they just see objectives through different lenses. You’re encouraged to start (and/or continue) the dialogue and focus on the commonalities versus the differences. A series of cross-functional conversations, with the right amount of frequency, will facilitate success. Start with this:
You can’t force an employee to be engaged, but you can create all the conditions for them to do so. Engaged employees show up. They speak-up about risks. They are proactive about prevention. And the best part about facilitating engagement? We can accelerate the focus on positive outcomes versus negative risk and allow employees to do great work. Everyone from employees and leadership, to customers and shareholders, will thank you.