Risk Management For HR Professionals
This blog is part of a new series on risk management for professionals in different industries. Along with the use of waivers to secure yourself against frivolous lawsuits, we want to ensure all businesses fully understand risk and how to best manage it.
Many U.S. colleges learned the hard knocks of risk management and the need for waivers the hard way.
In the 1980s and 1990s, colleges faced waves of lawsuits that set new legal precedents and made them more liable for the safety of their students. As colleges are enormous organizations and rely on their reputations, they invested heavily in developing risk management processes and safety programs to protect students and themselves.
HR professionals of organizations both large and small can take away valuable lessons in how colleges developed their risk management processes.
All human behavior is a source of risk, which puts HR professionals at the forefront of risk management. Managerial practices and the way peers in your organization treat each other are all potential risk factors, as are any situations in which an employee could foreseeably undergo physical or emotional harm.
This is why it is imperative that HR professionals design or participate in an organization’s risk management program. Thankfully, we have the lessons learned by various U.S. colleges to help promote proper risk control.
Lawsuits against colleges that prompted the new wave of risk management
There were many landmark Supreme Court rulings against colleges in the 1990s that helped establish that a college’s relationship with their students demanded special oversight. These rulings expanded the notion of what could be considered to be seen as negligent behavior from a college.
Consider the case of Furek v. The University of Delaware (1991). Former University of Delaware student and football scholarship recipient Jeffrey Furek was permanently scarred during hazing activities at a frat house. Since the college recognized the fraternity at the time of the incident, they legally bore some of the responsibility.
In the case of Nero v. Kansas State University (1993), former student and tenant of a university residence, Shana Nero, was sexually assaulted by another student. Her law team successfully argued that as the University was acting as a landlord to her and her attacker, they had a duty to protect their “tenants.”
As a result of these and many other cases, colleges recognized that they had a legal obligation to boost their oversight and work to identify and mitigate all risks of harm to their students. They then established themselves as leaders in risk management.
Risk causes uncertainty and opens up an organization to damages from which it sometimes can not recover. By having risk management checks in place, a company can grow and take actions with the confidence that they are doing their due diligence to stave off harm.
What HR professionals can take away from college risk management practices
Higher education institutes have some of the sharpest risk management departments to be found in any organization. It has been pointed out that the sheer size of many colleges puts them on par with risk management for an entire city.
College risk management departments are continually seeking new ways to mitigate risk and stay on top of new laws that require a reassessment of current policies.
The bottom line is that all businesses should have a risk management plan in place. The development of risk management plans involves three stages:
- The identification of risks that must be addressed.
- The analysis and evaluation of risks.
- The development of risk management processes to manage and mitigate risk.
There are six primary categories of risk that should be considered by any organization. All of these have implications for any human resources professional. Steve Dunham, JD, the vice president and general counsel for Penn State University, outlined these categories in a blog for The Association of Governing Boards of Universities and Colleges (AGB):
1. Reputational – Most risks pose the danger of reputational harm. An example of current relevance that has legal implications is sexual misconduct by an institutional official or widespread sexual misconduct within the institution.
2. Financial – Risks of financial impropriety such as embezzlement or theft involve violations of the law. Also, such business risks as financial viability, creditworthiness, and counterparty risks raise legal issues based on contractual obligations to lenders and other third parties.
3. Compliance – All compliance issues pose legal risks. One example with a high degree of severity is a compliance failure in federal sponsored research or financial aid programs that results in claims by a whistleblower and/or the federal government alleging violations of the False Claims Act.
4. Operational – Risks of tort and statutory liability arising from institutional operations involve legal concepts of duty and negligence.
5. Strategic – Failure to consider legal risks and opportunities (and lost opportunities should be part of any risk management program) in connection with a technology transfer program can cause strategic and financial harm. As a further example, strategic choices that lead to significant employment decisions—such as layoffs—create employment and labor law risks.
6. Governance – Conflicts of interest by board members can result in reputational harm and violations of law, institutional policy, and fiduciary duties.
All of the risks that could potentially affect an organization will fit into one of these broad categories.
Step 1: Identify Risks
Human Resources must work to brainstorm all of the common risks and risks unique to their organization that fit into all of the above categories. By examining how various HR activities fit into each category, you can then begin to assess where there are risks and considerations that might affect their importance.
Here are just a few examples:
HR Activity | Category of Risk | Related Questions |
Hiring | Reputational | Are our hiring processes inclusive? Could any aspect of hiring be seen as discriminatory? |
Manager / Employee Conduct | Reputational | Are employee conduct processes well-written and regularly acknowledged? Do we provide enough managerial training and oversight? |
Compensation | Financial | Is compensation fair and transparent?Are there checks and balances on compensation? |
Health & Safety | Operational | Are onsite safety checks and training performed regularly?Is adequate oversight and supervision provided for offsite activities? |
It is very important when identifying risks to have an understanding of the law. That is why it is also imperative that you have legal counsel involved in risk management program development.
Step 2: Analyze and Prioritize Risks
Not every risk assessment will be cut and dry. Glenn Klinksiek, former head of risk management at the University of Chicago, outlines some of these challenges in a blog on Risk Management:
“For example, should college education be accessible to all students—even if they are unprepared to learn at that level—if it means reducing the disparity certain ethnic groups endure in the United States? How can Institutes of Higher Education address the challenges women face in the economy from unequal treatment and in society from sexual assault?”
You can’t eliminate every risk, nor pour all of your resources into each. This is why it is important to prioritize every possible risk factor before developing your plan. For every risk, you should determine:
- What are the chances of experiencing the worst possible outcome of a risk?
- Can a risk be avoided altogether through avoidance?
- What trainings, checks and balances can be practically implemented to mitigate risk?
- How easily can a risk be mitigated from both a practical and potentially legal standpoint?
- And of course: How much would different legal scenarios cost the company from a financial and reputational standpoint?
This workbook entitled The State of Enterprise Risk Management at Colleges and Universities Today developed by AGB provides a framework that you can tweak to help organize and prioritize risks.
Once you have prioritized risks, you can then develop your risk management procedures.
Step 3: Develop Risk Management Procedures
The four major categories that all risk management procedures fall under are:
- Risk avoidance: Limit risk by removing risk factors from an institution.
- Risk control: Manage liability by structuring activities to limit institutional risk.
- Risk transfer: Use of methods including insurance, enforceable liability waivers or employee releases so transfer the onus of risk to another party.
- Risk retention: The setting aside of funds to prepare an organization against unforeseen losses or legal action.
Human resources can contribute to the first three. Where it is feasible to avoid risk, there is no need to develop a full-fledged set of processes for those.
You should work with other HR professionals, legal professionals, and designated leadership members to ensure there are no blind spots in your planning. Once a program is developed, you must then reevaluate it regularly to assess how effective it has been, and whether new legal or organizational development requires the program to be revamped.
Make risk management a company-wide priority
Colleges are risk management gurus, and there is a lot that HR professionals at any size of organization can learn from them.
Risk management doesn’t work without full buy-in from leadership. A big part of staying on top of risk is fostering a culture of risk management in leadership and employees at all levels. You will then ensure that your organization thrives without feeling like you’re missing something important.
Take a lesson from colleges and ensure that you and your organization make risk management a top priority.