Your people may be your most important asset, but they can also represent a hidden business risk. And not just through isolated fraud, data security or privacy breaches. From your shared business culture can emerge risks that range from issues with regulatory compliance to charges of bribery and corruption. Even the process of paying your people has become a source of reputational risk, no longer a matter of simple economics but an ethical issue as well.
Types of people, culture and value risk
The many risks that arise from how you and your people do business fall into two main areas:
Board level risks - these reflect the awareness of GRC issues among your leadership and are raised or lowered according to the strength of its leadership skills.
Operational risks - these depend on how far risk management and compliance activities are embedded in everyday business practices. For global businesses, overseas exposure and political risk are also vital concerns.
Getting it right
It all starts at the top. Your leadership should be demonstrating its commitment to the GRC agenda - not just talking about it. Do executive performance objectives balance financial and non-financial goals? Are your remuneration policies aligned with business strategy and business realities?
If you've got the right tone at the top, then you have already mitigated some of the potential risk from your workforce. But you'll need to be able to match aspirations with capabilities. Do you have the people you need to do what you want?
What is more, are your people aware of their personal responsibilities? What are the most important risks you face and who is managing them? How formal are your processes for managing overseas exposures and political risk? A behaviour risk review will give you the answers, showing whether your people demonstrate appropriate GRC behaviours, and how exposed you might be.
And the outcomes? Regulatory compliance is just one. Knowing that your policies do not expose the business to excessive risk and that the Remuneration Committee has robust processes to defend itself from attack are others.For 'people, culture and values' read the public reputation of your business.