Global Association of Risk Professionals, DECEMBER 2008 ISSUE 45

1. O
perational risk has a primarily human nature.
Loss-number crunching and value-at-risk (VaR)
quantifications are useful, but cannot be used
independently as a proxy for future losses or
present a perfect picture of the company’s risk
profile. The truth is that after every significant
operational loss — whether process, system or people related
— people are responsible for making sure that this doesn’t
happen again.
People risk is often complex, delicate
and extremely difficult to manage. It starts
even before employment, in the recruit-
ment phase — e.g., doing background
checks, matching profiles with jobs and
making sure you do not employ “over-
qualified” people to perform mundane
tasks. (The latter is possibly the highest
risk associated with job placements, as
it will create a culture of dissatisfaction
quicker than anything else.)
Poor hiring practices, poor or non-existent ethics policies
and, perhaps most significantly, corporate fraud are among
the different types of people risk. Studies on corporate fraud
indicate that 48% of corporate fraud happens through collu-
sion between employees and third parties, while 37% occurs
through collusion strictly between employees.
To manage this type of risk, a firm must perform individual
people risk assessments and evaluate relationships between
employees. These are not new concepts. Rather, just as op-
erational risk has grown more structured, these processes are
becoming more formalized.
Since the introduction of new people into an organization
is the responsibility of the human resources department, the
person in charge of this department must have oversight of
people risk management. Hiring managers, who are usually
not members of the human resources department, must be
given interview training and perform interviews (within guide-
lines established by human resources) to identify behavioral
qualities specified for the position or behavioral qualities the
company wishes to avoid. Too often, interviews only focus on
behavioral qualities the company wishes to attract.
The human resources department is also responsible for
the performance appraisal component of people risk manage-
ment. Managers who execute performance evaluations must
not only be given performance evaluation training but also be
supplied with guidelines for identifying and assessing behav-
ioral qualities.
The risk of human error is, of course, one type of opera-
tional risk, so people risk can be seen as a subset of this risk
discipline. Without talented, ethical, properly trained employ-
ees, the collection of loss data and even the introduction of
a specific capital charge will not actually prevent or reduce
operational risk. Sophisticated risk measurement procedures
and structures cannot compensate for deficits in the risk-re-
turn consciousness of employees. n
[OPERATIONAL RISK ]
People Risk and How Human
Resources Should Manage It
44 DECEMBER 2008 ISSUE 45
Horst
Simon
GLOBAL ASSOCIATION OF RISK PROFESSIONALS
Phases of People Risk
Employee training
This is the phase when you basically make your inter-
nal processes and controls “public” to new employ-
ees, which is almost like telling the business secrets
to strangers.
Access to systems
This phase, which generally follows training, opens
up access to company information. Employees then
have everything they need to manipulate, infect (e.g.,
introduce a virus) or “copy and carry” data.
Performance management
This is the phase in which people risk typically peaks.
Companies with poor performance management sys-
tems or bad ethics might have to contend with em-
ployees who feel slighted and could seek revenge.
.
Horst Simon is the co-regional director of GARP’s chapter in Dubai. He is also head of technology risk at Mashreq, the largest private
bank in the United Arab Emirates.At Mashreq, he has pioneered the concept of risk technology management and also oversees the bank’s effort
to achieve complete risk governance. He can be reached at HorstS@mashreqbank.com.