Picture this: risk management stakeholders are at a round table reviewing the annual budget and not an asset valued at 50-70% of the operating budget. This asset is omitted as a priority for assessing vulnerability, expected likelihood, and risk reduction. Everyone gets coffee and the meeting is adjourned. Crazy, yes…likely no. With salaries, benefits, onboarding, and training expenses, it’s estimated that 50-70% of your operating budget is related to people. If you were spending 50% of your budget on a security measure or a risk control, what would you do to leverage that investment? In other words, how are you optimizing employee engagement as part of your enterprise security risk management (ESRM) strategy?

Full disclosure, I’m writing from the perspective of someone who is in Talent, also known as Human Resources, so I have a bias on the critical nature of employee engagement. My example above is, of course, a wildly improbable scenario, but I have observed a disconnect in how the engagement of “people” is perceived. I should clarify that employee satisfaction (“I’m happy”) is different than employee engagement (“I’m committed to the goals of the team and the organization”). With this, set all the targets you want, put all the controls needed into place, and think about the likelihood of a disengaged employee bringing these initiatives across the line. Further to this, organizationally viewing “people engagement” as a thread that runs through Strategic, Operational, and Financial risk is an opportunity to help remove silos and move risk to objectives.

I’ve had the opportunity to partner with teams throughout Canada, Australia, New Zealand, South Africa, and Asia, and the motivation to create a holistic, human capital strategy is a hot topic for business leaders around the world. There has been a shift in the approach of human resources (finite and/or depreciates when used or with time) towards human capital, which reflects investment and growth. With this comes the wide-view lens of people strategy and cross-functional organizational design to solve business challenges in new and interesting ways. Engagement is a critical business driver that not only impacts top-line revenue, but also bottom-line profitability, shrinkage, incidents, and accidents. If we include insider threats, data breaches, and the ease with which brand/reputation can be impacted by social media, the potential risk expands. Take a look at the State of the American Workforce (Gallup, 2017); they have a great body of supporting research if you’re looking for data to support the business case. From my perspective, this reiterates why employee engagement doesn’t just sit in the human resources department—It is a multifaceted business issue that requires attention from all levels, especially senior leadership.

So, what now? Many of you likely already have People Leadership sitting at the table but challenge yourself to think about how continuous improvement in your employee engagement strategy will facilitate your enterprise risk management strategy. Start with data. How regularly do you ask your employees about engagement (i.e., trust in leadership, alignment with business objectives, coaching from managers)? How often do you ask your employees how you can improve it? Annualized data is too far-out, think about conducting a quarterly (or even monthly) health check. Ideally, your employee feedback loop should match the speed of your business. These health checks can help you focus on tangible actions that will cascade into four key areas of employee engagement. We happen to like the Four Pillar Model (Davey, Gore, Parker, 2003) because it is broad while being specific. Each of these areas is robust and has wide bodies of research and content, so here are some initial points for consideration when looking to improve your employee engagement strategy:

4 Ways to Improve Employee Engagement to Help Mitigate Risks

1. Alignment

Do employees know how to make the organization successful?

Leadership – how does the senior leadership of the organization communicate core values? How does your leadership articulate the importance of risk management? Do they live this value or do they regularly stand on ladders during lightning storms (literally and metaphorically)?
Management – how does management communicate the impact that team members have on success? How do they coach their people to be successful and engaged? Management is the glue that brings the message of leadership into daily practice. Simon Sinek articles this well in Start with Why (2009).

2. Capability

Do people know what to do?

Role Definition – have you defined the role? This may seem like an obvious one, but I’ve worked on a ton of coaching engagements where there was a complete lack of clarity regarding expectations. Think about the measures of success for your people, as well as the skills and competencies of the role. This isn’t trying to put people in a box, but rather help give them a roadmap to success.
Hiring Process – what is your process to ensure quality hires? How do you measure the success of a new hire (within 3-6 months) to validate your process? What other metrics will help assess if your processes are working? Hiring is interesting because since most people have been interviewed or hired at some point, they have an opinion. Sprinkle some “gut feeling” in there, and hiring managers can miss out on why the science of recruiting is as important as the art. Most other HR initiatives fall down if you don’t have the right people. Jim Collins famously highlights the distinction between getting “people on the bus” vs. the “RIGHT people on the bus” in Good to Great (2001).
Learning & Development – how do you manage the development of role-specific knowledge? How do you onboard people to ensure early knowledge integration? How do you use coaching to support mastery? Opportunities for learning and development consistently top the list of what drives high engagement across generational cohorts (i.e., Boomers, Gen X, Millennials). If you’re going to hire people with strong capabilities, they will look for opportunities to grow and progress. How will you create conditions to make people successful?
Performance Feedback – how do you give feedback that focuses on improving performance? How regularly is feedback given? Research from Deloitte disrupted this space in 2015 and highlights the importance of regular quarterly feedback over annualized feedback. This comes with a shift to emphasize regular coaching to improve performance and engagement.

3. Resources

Do employees have the tools they need to be successful? Is a lack of tools/resources blocking success? If the cost of NOT achieving success is greater than the investment in the resource, start investing. Are there goals and resource allocation that are at cross-purposes? As an example, I worked with a customer who had a strong value around speed and quality, but would not invest in the right tech to allow their sales software to run quickly. Therefore, not only were hours wasted due to lack of speed, but eventually the salespeople would just stop entering data… so there was no quality or speed! This isn’t about spending massive amounts of capital on resources but having a hard look at what resources will have the most significant impact on job success. Technology has done amazing things to maximize efficiency in cost-effective ways.

4. Motivation

How do you facilitate employee motivation? How committed are your employees to organizational success? Are your people motivated toward intrinsic or extrinsic outcomes? The focus on purpose, autonomy, mastery, and impact versus image, statue, and money is important to understand. Daniel Pink does a great job of diving into this topic in Drive (2009). You’ll see how the other pillars interplay with motivation. Purpose and impact with alignment; autonomy and mastery with capability. Motivation then, is both a pillar of engagement and an outcome.

HR and Risk Teams have many things in common, they just see objectives through different lenses. You’re encouraged to start (and/or continue) the dialogue and focus on the commonalities versus the differences. A series of cross-functional conversations, with the right amount of frequency, will facilitate success. Start with this:

Which pillar would have the biggest short-term impact on your ERM strategy?
Which would have the biggest long-term impact?
What steps can you collaborate on to facilitate the change?

You can’t force an employee to be engaged, but you can create all the conditions for them to do so. Engaged employees show up. They speak up about risks. They are proactive about prevention. And the best part about facilitating engagement? We can accelerate the focus on positive outcomes versus negative risk and allow employees to do great work. Everyone from employees and leadership to customers and shareholders, will thank you.

Interested in learning more about how Resolver can help? Contact us! We'd love to chat

Discover Resolver's Software

Incident Management Software

Protect your organization and prove your security team’s value with Resolver’s Incident Management application. Improve data capture, increase operational efficiency, and generate actionable insights, so you can stop chasing incidents and start getting ahead of them.

Learn More

Enterprise Risk Management Software

Provide your organization’s board and senior leaders a top-down, strategic perspective of risks on the horizon. Manage risk holistically and proactively to increase the likelihood your business will achieve its core objectives.

Learn More

Regulatory Compliance

Save time by monitoring all regulatory compliance activities, providing insights into key risk areas, and then focusing resources on addressing regulatory concerns.

Learn More

Cookie	Duration	Description
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
BIGipServersj13web-nginx-app_https	session	This cookie name is associated with the BIG-IP product suite from company F5. Usually associated with managing sessions on load balanced servers, to ensure user requests are routed consistently to the correct server. The common root is BIGipServer most commonly followed by a domain name, usually the one that it is hosted on, but not always.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
datadome	session	This is a security cookie set by Force24 to detect BOTS and malicious traffic.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
XSRF-TOKEN	6 months	This cookie is set by Wix and is used for security purposes.
_mkto_trk	2 years	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
__resolver-ref	session	This cookie is set by Resolver to ensure visitors receive unique content after submitting a form on our website.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
sp_landing	1 day	The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
sp_t	1 year	The sp_t cookie is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.

Cookie	Duration	Description
ADRUM_BT1	past	This cookie is set by AppDynamics and is used to optimize the visitor experience on the website by detecting errors on the website and share the information to support staff.
ADRUM_BTa	past	This cookie is set by AppDynamics and used to optimize the visitor experience on the website by detecting errors on the website and share the information to support staff.
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.

Cookie	Duration	Description
ajs_anonymous_id	never	This cookie is set by Segment.io to check the number of ew and returning visitors to the website.
ajs_user_id	never	The cookie is set by Segment.io and is used to analyze how you use the website
CONSENT	16 years 2 months 17 days 10 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_4655365_4	1 minute	Set by Google to distinguish users.
_gat_UA-4655365-4	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_ga_VCHH3SM1QW	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjid	1 year	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_omappvp	11 years	The _omappvp cookie is set by OptinMonster to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie set by OptinMonster, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.
_uetsid	1 day	This cookies are used to collect analytical information about how visitors use the website. This information is used to compile report and improve site.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
sa-user-id	1 year	StackAdapt sets this cookie as a Random Identifier for user identification, to display relevant advertisements.
sa-user-id-v2	1 year	StackAdapt sets this cookie as a Random Identifier for user identification, to display relevant advertisements.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps in differentiating between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_uetvid	1 year 24 days	This cookie is set by Bing to store and track visits across websites.

Employee Engagement as Part of Your Risk Management Strategy

Learn strategic and tactical approaches to reducing risk through talent acquisition, onboarding, culture and HR policies.

4 Ways to Improve Employee Engagement to Help Mitigate Risks

1. Alignment

2. Capability

3. Resources

4. Motivation

Discover Resolver's Software

Incident Management Software

Enterprise Risk Management Software

Regulatory Compliance

Request a Demo

Cookie	Duration	Description
33ff0b0c0c	session	No description
ajs_group_id	never	This cookie is set by Segment.io. The purpose of the cookie is currently not identified.
AnalyticsSyncHistory	1 month	This cookie set by LinkedIn is used to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries
AWSALBAPP-0	7 days	No description
AWSALBAPP-1	7 days	No description
AWSALBAPP-2	7 days	No description
AWSALBAPP-3	7 days	No description
debug	never	No description available.
DEVICE_INFO	5 months 27 days	No description
guestidc	session	This cookie is set by Jobvite.
li_gc	2 years	Set by LinkedIn and used to store consent of guests regarding the use of cookies for non-essential purposes
loglevel	never	No description available.
muc_ads	2 years	No description
rl_anonymous_id	never	No description available.
rl_user_id	never	No description available.
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
visitorId	1 year	No description
_cfuvid	session	No description
_hjSessionUser_103316	1 year	No description
_hjSession_103316	30 minutes	No description
_smm_answers	session	No description
_smm_answers_text	session	No description