Businesses have to manage myriad types of risk in their workforces. These include theft, employees deviating from company policies or the law, and workers exposing their employers to lawsuits from clients or other employees. So what are the best ways for businesses to manage these risks?
Companies that lack a framework of data and analysis to gauge risk more precisely can only guess the best ways to bolster their company culture to reduce risk
When managing risk, companies often rely on imprecise methods to determine the degree of risk an individual or a group of employees may pose to an organization. Examples of these methods include identifying employees as having high-risk potential based on their geographic location, job description or level of education required for a role.
However, these methods are often inefficient and, in some cases, ineffective in identifying and prioritizing risk. Companies that lack a framework of data and analysis to gauge risk more precisely can only guess the best ways to bolster their company culture to reduce risk.
When businesses strive to create a culture of compliance, one challenge lies in measuring its strength. Some companies send employees through an annual training program or put up posters once a year to promote safety or discourage theft, for example, and call it good. But building a culture that actively promotes compliance requires more than ticking "training" or "posters" off a list. Creating such a culture involves sending many consistent messages to employees through various channels. Compliance is meaningless unless it's continually measured and made actionable.
Read More: Permissive Cultures Make Training a Scapegoat rather than a Competitive Advantage
And a culture of compliance isn't just a nice thing to have. For most businesses, it's a requirement. The United States Sentencing Commission modified the federal sentencing guidelines in 2011 to include standards for an effective corporate compliance and ethics program. These guidelines are now the de facto criteria that prosecutors and regulators use to determine whether they should charge a company with a crime for potential legal violations, and the severity of any civil enforcement action.
Companies must be able to prove that they have implemented internal control systems that are sufficient to address their organizations' specific risk profiles.
For every one of the standards – from establishing policies, procedures and controls to the requirement to monitor and audit programs for effectiveness – one central theme stands out: Companies must be able to prove that they have implemented internal control systems that are sufficient to address their organizations' specific risk profiles. They also must be able to measure the results of these actions to establish that their systems are working.
Businesses that seek to manage risk and build a culture of compliance need to shift to more effective and actionable methods, such as analyzing survey results, metadata, incentive patterns and hiring information. Targeting employees for training based on problems that have occurred in the past, for example, is managing by looking in the rearview mirror.
By using data-driven methods and predictive analytics, companies can predict where problems might occur in the future and act to prevent them before they happen. They also can reduce risk and payouts to injured clients and government regulators.
Managing Risk by Measuring Corporate Culture
Why is corporate culture so important in assessing risk management? Quite simply, culture is what employees are doing when no one is looking. Creating a culture of compliance takes more than sending out a communication or holding an annual training; it must be woven into the fabric of an organization. An employee who is actively disengaged, for example, may be more likely to bend the rules, cheat or lie, which can result in major consequences for companies.
Higher workplace engagement also leads to lower absenteeism (37%), fewer patient safety incidents (41%) and fewer quality defects (41%).
Gallup's meta-analysis of employee engagement shows that business units with high employee engagement have 28 percent less internal theft or shrinkage and 21 percent higher productivity than their bottom-quartile counterparts. Higher workplace engagement also leads to lower absenteeism (37%), fewer patient safety incidents (41%) and fewer quality defects (41%).
Gallup's work with a healthcare network demonstrates how employee engagement creates a foundation for a culture of compliance. A large network of medical care facilities partnered with Gallup to understand, measure and strengthen its culture. When this initiative began, the patient mortality rate was considered average by national standards, yet was inflated by as much as 40 percent because of preventable issues like facility-acquired conditions – including serious infections, injuries because of falls, surgical site infections and food aspiration. The company's overall employee engagement rate was below the 10th percentile in Gallup's employee engagement database, and patients suffered as a result.
Over the next several years, the health system worked to improve employee engagement at all levels, from the executive suite to the front line, with a goal to boost engagement from below the 10th percentile to the 90th. As a crucial first step, the company's leaders narrowed their leadership priorities from 30 to three, to focus on these areas: employees, patient care and physician partnership. Leaders set the tone for the culture they wanted all employees to create by providing a renewed focus on employee engagement, safety and risk management.
Read More: Character Reputation of Senior Leaders Is Foundation of Compliance ROI
Building and improving employee engagement have had a profound impact on patient care and mortality. After years of working with the organization, Gallup found that engaged employees were doing the right thing even when no one was looking. By working together, leaders and employees created a culture that positively shaped employee behavior. Over a seven-year period, overall employee engagement rose to the 90th percentile in Gallup's employee engagement database, while patient mortality and complications were reduced. And data showed that higher nurse engagement related to a reduced number of patient falls and serious hospital-acquired wounds. By following a disciplined approach, the organization created a stronger culture and improved outcomes for patients.
Benefits of Using New Methods
Old, imprecise methods of assessing risk management are ineffective, leaving companies running to put out fire after fire. In contrast, data-driven risk management methods predict where fires will break out, helping companies to take actions that can prevent fires from starting. To reap these benefits, though, early intervention is crucial, before internal problems occur that lead to compliance, legal or regulatory failures. The benefits of data-driven risk management methods include:
Real-time results. Data-driven risk management methods allow leaders to collect relevant information in real time to understand where potential risks may lie, such as fraud detection within a financial services company. Real-time data empower leaders to spot potentially risky situations before they occur and deploy resources to prevent them from occurring.
Local data. Data-driven risk management methods enable leaders to home in on particular groups or teams of employees, customers, contractors or vendors whose actions may be putting the organization at risk. Analyzing tracking data collected with outdated methods, such as annual surveys with a random sample rather than a census of employees, might indicate that a retail company is at increased risk for employee theft, but it can't reveal the locations where the company should focus its attention to prevent it. In contrast, analyzing tracking data collected at the local level could allow leaders to pinpoint areas that are at risk more efficiently and effectively, enabling them to develop a targeted response to reduce that risk.
Predictive analytics. Using data-driven methods and predictive analytics, companies can establish relationships among events or actions that may predict risk within a company. Data analysis enables the company to scrutinize patterns and establish linkages between data and events that can paint a comprehensive picture of risk inside the organization. For example, certain hospital shifts or departments may have a higher risk of patient safety incidents. But employee engagement levels may vary on those shifts. A predictive analytics dashboard could identify which shifts, departments or teams may be more at risk based on the group's culture, providing an early warning sign to leaders.