1 A brief analysis of possible risks during the FIFA World Cup 2010. http://www.sajhrm.co.za/index.php/sajhrm/article/downloadSuppFile/366/604
Table 1 shows that one can view risks as positive or negative, depending on the potential outcome of the particular type of risk. In essence, the challenge is to identify the specific risks and to plan for any deviation from the expected. Fortunately, the FIFA World Cup 2010 was a huge success because FIFA, the Local Organising Committee and all other stakeholders had excellent risk management plans in place. For example, when security guards went on strike (an HR risk) at one of the stadiums, the police deployed additional officers to the site. In addition, because schools closed, a number of employees had to take leave that depleted their usual December leave. Consequently, these employees had to work without a sufficient break in December. Furthermore, some companies slowed down considerably during this period and many day-to-day businesses lost money whilst waiting for decisions pending the end of the FIFA World Cup. A group of HR directors from Executives Global Network South Africa had a detailed discussion about the HR planning and risks associated with the FIFA World Cup. Their discussions covered the negative risks and the potential positive consequences, like improved morale and nation building. Thus, robust risk management planning is essential for the success of any venture, project or organisation. Therefore, a business needs a risk management framework to provide assurance about the effectiveness of its operations and the validity of the findings of its risk management reporting. The framework should have a clear focus on the cost implications and effects of these factors on the business. The purpose of managing risk is to ensure the effectiveness and efficiency of operations, to enforce compliance with regulations, to support business sustainability, to ensure reliable reporting to stakeholders and to ensure responsible behaviour. Significantly, the King III Report specifically mentions HR as an important area for identifying and reducing risk. Boards should report annually on risks and sustainability issues, like social development, transformation, ethics, safety and the acquired immune deficiency syndrome (AIDS) (IOD, 2009). In fact, in high-risk environments, businesses may need more frequent management reports. Therefore, companies should assess people or HR risks as part of their overall management of risk (SABPP, 2009). German banks have taken the lead in developing strategies to manage HR risks (Paul & Mitlacher, 2008). In addition, Deloitte (2008) highlights the importance of managing HR risk in the modern business environment. The King III Report on Governance for South Africa defines risk management as: the identification and evaluation of actual and potential risk areas as they pertain to the company as a total entity, followed by a process of either avoidance, termination, transfer, tolerance, exploitation, or mitigation of each risk, or a response that is a combination or integration. (IOD, 2009) However, some risk management experts feel that King III does not address managing risks adequately. They feel that King III is not sufficiently aligned to the ISO risk management standard and is out of touch with typical modern risk management practices at leading organisations. A study by Ernest and Young shows that reputation makes up as much as 50% of a company’s share price. The Exxon Valdez oil spill cost the company $2 billion in the first two months and a further $10 billion to restore the environment. If this was not enough, the United States (US) government fined it another $5 billion. From a risk management perspective, the most important question is what caused the tragedy. Was it bad environmental practice, poor management, a lack of control or negligence? It was probably all of these, but the root cause analysis showed a remarkable origin – faulty HR policy. This resulted in under staffing and poor working conditions. In essence, the cause was aggressive cost cutting at the company. A company needs to consider the value of its goodwill and intellectual property in its annual valuation, especially in the event of a sale. Often companies feel that contractors are less of a risk. However, one can challenge this when the company sells intellectual property but does not actually own the property it intends selling or which it wants valued. This has become evident in audits because companies felt that the absence of a long-term relationship reduces risk. However, they had not considered that: the top staff are not actually bound to the company or its policies and procedures the company and labour brokers are legally, jointly and severable liable, so contractors and labour brokers do not reduce risk as much as managers think they do. A study by Beatty, Ewing and Sharp (2003) also showed that HR risk was associated with higher organisational risk. The very nature of global HR poses several risks, like political instability, fraud, terrorism, regulations, health and safety, human rights abuses and intellectual property issues (Garratt, 2003). Therefore, managing risk is the process by which a board, in consultation with managers, decides which risks to eliminate, accept, reduce or transfer (Naidoo, 2002). An HR risk is any people, culture or governance factor that causes uncertainty in the business environment that could adversely affect the company’s operations. Figure 1 gives some interesting results of a survey the Human Capital Institute (Africa) conducted on business risks. Figure 1 shows that the Human Capital Institute (Africa) identified human capital risk as the most significant threat to businesses in South Africa. However, companies are not ready to deal with human capital risks. This finding is consistent with international research. A survey by the Economist Intelligence Unit found that risk managers regard poor human capital management as the biggest threat to the long-term success of global businesses (Wybrecht, 2010). International risk management standards The ISO 31000 international standard on risk management gives a useful frame of reference to assist HR directors to place HR strategy within the context of risk management. In particular, the ISO principles and guidelines document (ISO, 2009) is extremely important. The document recommends that HR practitioners become directly involved in: embedding risk management as an integral part of all organisational processes, including managing change considering human and cultural factors and, more specifically, recognising the capabilities, perceptions and intentions of external and internal people who can facilitate or hinder the achievement of organisations’ objectives supporting managers to ensure that companies align their culture and risk management policies supporting performance management by assisting managers to determine the risk management performance indicators that align with the performance indicators of organisations acting as drivers to ensure legal and regulatory compliance building capacity for effective risk management that begins with employee induction and follows it with training in managing risk establishing appropriate organisational structures with clear roles and accountabilities for managing risk establishing sound relationships with internal stakeholders, thus considering perceptions and reinforcing values. Governing risk in King III The King III Report on Governance has a whole chapter on governing risk. Table 2 outlines the relevant governance elements, principles, and recommended governance practices, together with appropriate HR directors’ responses.
Table 2 shows that sound risk governance depends largely on clear governance elements and principles that are the foundations of risk governance. However, elements and principles of governance are not enough. A governance system requires clear practices for the effective governance of risk, like monitoring risk management activities. Lastly, the SABPP (2009) paper on King III asserted that HR directors have a critical role to play in general governance. In order to make the role of HR directors more explicit, the next session looks at risk and the HR link. Risk and the Human Resources link When one tracks the progress of the HR profession, it becomes clear that it has gone through different stages of development. These stages define the core competencies, to a certain extent, of the HR profession – the ‘things’ that HR directors are doing or should be doing. In general, the HR profession is moving beyond the strategic business partner role towards one of being a driver of business success and sustainability. Some companies’ HR functions are not performing well in this transformation process, whilst others are still struggling to become strategic partners. Research suggests that the recipients of HR services (line managers) are not ad idem with HR directors about the importance and the effectiveness of HR services (Magau & Roodt, 2010). For example, sometimes managers see training as a waste of time. This perception is a main source of HR’s credibility crisis: what is the contribution of HR directors to the success of a business? In order to meet this challenge, HR directors need to identify and manage its risks effectively, amongst other things. HR personnel should collect information about people-related governance, risk and compliance issues. The HR director should present company directors with a complete report of HR compliance and operational risks, as well as the recommended actions, and accept responsibility for reducing them. Furthermore, HR personnel can assist the board in related areas, like managing executive succession, providing board development and administrative services as well as supporting the remuneration committee (Deloitte, 2008). Although King III mentions human capital risks, this aspect deserves more prominence. The Deloitte (2008) report asserted that ‘People and behaviour are often the biggest sources of business risk.’ Therefore, it is essential to ensure that a company’s risk management plan includes people risks. It needs a comprehensive analysis of its people risks, one that significantly transcends the current narrow focus on safety in high-risk environments like factories and mines. People risks include company culture, talent shortages and retention, incompetence, employee performance, unethical behaviour, low morale, grievances and disputes, excessive absenteeism, employee wellness, sabotage, workplace violence, as well as noncompliance with industry and other regulations and laws. If an organisation makes political appointments without a proper focus on the right qualifications and skills needed for a job in the public sector, and in certain private companies, these appointments may affect productivity. This leads to poor turnaround times in dealing with suspensions of senior managers or hasty decisions to dismiss managers without proper investigation. In the South African environment, failure to transform and, in particular, to achieve employment equity targets are significant risks. South African organisations need a more integrated approach to managing HR risks. They need to consider HR risks in every major business decision, like opening a branch in a different province or country. Research has clearly shown that so-called ‘soft’ issues, like cultural incompatibility, have led to more major business failures during mergers, acquisitions and international joint ventures than ‘hard’ factors, like cash flow or debt, have. Any strategic risk-management exercise, which a business conducts without a HR due diligence exercise and without considering crucial inputs from senior HR executives, is bound to encounter some form of HR-related problem. Board directors and chief executives are, by definition, also human resources that organisations should use optimally to ensure profitability and productivity. Organisations should subject directors, their board subcommittees and audit committees to the same regular 360-degree performance assessments and reviews as they do with ordinary employees. For too long, boards, managers and HR practitioners have turned a blind eye on incompetent managers and directors, people who simply do not attend board meetings and are, in most instances, free agents who operate above the scrutiny and reproach of company shareholders and other stakeholders. Whilst King III is correct to emphasise the importance of information technology (IT) governance, neglecting HR governance is a serious omission. Deloitte (2008) states that ‘governance, risk and compliance challenge affect every part of the business – and every one of those challenges has a significant human component.’ HR practitioners must use their unique knowledge, skills and experience to help business leaders tackle governance, risk and compliance issues throughout the organisation. Like its predecessor, King II, the third King code highlights the importance of ethics at board, management and staff levels. It also emphasises, in particular, the need for an ethical culture. However, to think that an ethical code in itself will instil a culture of ethics is short sighted. Deloitte (2008) argues that every business scandal or regulatory violation ultimately has its roots in the workforce. That is why HR practitioners must expand their role from ‘stewards’ (which focuses on workforce compliance and administration) to ‘strategists’ (which affects every governance, risk and compliance issue with a human element). Regular articles in the press about governance problems in the boards of parastatals serve as good examples of the need for a strong focus on ethics at board level and throughout the organisation. Carnel Botha, director of BDO Spencer Steward in Cape Town, says that ‘companies need to proactively look for red flags when it comes to their employees’ (Botha, 2008). Audits identify certain ethical risks that companies should manage. HR practitioners should also play a more proactive role in ensuring the appointment of staff with the right abilities, values and ethical culture. Organisations place too much emphasis on the technical knowledge and skills of employees and not enough on their ethical character and behavioural fit. Organisations need to consider the psychological contract upfront. Every employee’s values and needs must align with the values and culture of the company. HR practitioners can help line managers to probe for character fairly and legally when conducting interviews. In addition, organisations need HR due diligence to prevent the damage that incompetence causes (Deloitte, 2008). The HR executive often works with business development teams at a global level and has to add value to the process of interpreting business opportunities. A new global business opportunity may allow a business to increase its profits. However, it may also present risks that could have an adverse effect on sustainability and growth if the business does not manage these risks well. Finkelstein (1999) states that most cross-border mergers and acquisitions are not successful and Ryan (2006) reports that only 13% of executives said that these deals went smoothly. Differences in corporate governance, regulatory environments and national culture create additional layers of complexity that companies needs to manage. Furthermore, a global company needs a clear HR due diligence process to highlight all the HR risk factors that the company should manage to avoid rushed and poor decisions. The HR executive can make a valuable contribution by collaborating with commercial and financial managers in the due diligence process. In this way, the HR executive can add value to the process of interpreting and developing business opportunities as well as ensuring an effective approach to completing projects. In line with the corporate governance principles of accountability and responsibility, companies need a rigorous and systematic approach to HR due diligence. The project development team should examine all the HR risk factors and look for answers to the questions that arise. The challenge is then to explore, within the legal framework, how to reduce these risk factors. Managing HR risk is a key element of HR governance. Proper HR risk management gives HR executives an opportunity to fulfil their fiduciary duties of care and sound financial management. Therefore, HR risk management flows directly from external and internal stakeholder engagement. HR risk management addresses key HR risk issues like reducing risk, HR due diligence, the role of HR committees, implementing codes of ethics and fair labour practices. Companies should identify HR risks in different sites or countries and develop proactive risk-reducing plans to deal effectively with these risks. Liaising with and consulting different stakeholders is an important element of sound HR governance. The purpose of the seamless interfaces between the different stakeholders is to reduce the different risks and uncertainties that arise because of the interaction between them. Inevitably, the HR practitioner needs to work closely with the risk manager and risk committee to ensure that the overall risk management plan of the company includes HR risks. Integrating risk and performance The long-term and sustained success of an organisation relies on two key factors: risk management and performance management. Strategic objectives are the bases for the approach an organisation adopts to achieve both. A process-based framework needs to unify performance, risk and compliance management and move out of the risk or finance office. Organisations have seen the disciplines of performance, risk, and compliance management as separate for a long time, but the walls are breaking down. Managing performance begins with the objectives an organisation is trying to achieve and risk management has evolved from its silo-driven roots into enterprise risk management. Therefore, it has become clear that an organisation must identify and assess risks in the light of the objectives it is trying to achieve. A process-based framework that allows for effective organisational governance needs to unify all three of these disciplines. Risk and performance management also share other essential management system elements. Continuous improvement is crucial in the ever-changing commercial world and organisations must see managing risk as a continuous process. It is essential that organisations review the incidence of risk to see whether it has changed over time. Managing risk is a dynamic process and good governance practice requires an organisation to identify new risks, to eliminate some and to update control measures in response to changing internal and external events. An organisation also needs to review its assessments of probability and effect, particularly in the light of the actions of managers and/or external influences. King III requires that internal auditors assess the system of managing risk or annual review in the first instance and report on the effectiveness of control measures. Improving business results requires an organisation to simplify risk management practices and to integrate them seamlessly with normal business operations, its planning and budgeting processes and organisational culture. Managing risk is no longer an add-on or fad. Private and public sector organisations alike have struggled to understand the steps and techniques of implementing risk management practices. Those who have succeeded are reaping the fruits of their labours. High performing organisations, having developed strategies through sound strategic planning processes, must implement strategies ruthlessly by removing performance barriers or risks through enterprise-wide risk management practices. Approaches to managing risk are designed to enable an organisation to reduce the uncertainty surrounding the achievement of its objectives. They aim at reducing the likelihood that the events, which organisations expect to affect them negatively, will occur. These approaches also focus on reducing the effect these events might have on achieving objectives. Performance management approaches focus on selecting the strategic objectives that an organisation needs to achieve and on monitoring progress through measurable parameters. These approaches revolve around cascading these measurable parameters down to each person in the organisation. The monitoring system uses trend, deviation and root cause analyses of these parameters. The organisation then consolidates these individual parameters to analyse whether the organisation is achieving its strategic objectives. Types and examples of Human Resources risks A review of the literature on risk suggests that one finds general business risks in these areas: compliance with legislation understanding trends in the business environment people and corporate culture implementing business strategy carrying out operations. HR risks are no different. One finds them in the same areas. The sections that follow discuss each of these HR risk areas in more detail. Complying with legislation There is a wide range of relevant legislation. Companies’ HR policies should show compliance with these different pieces of legislation: the Employment Equity Act the Skills Development Act the Black Economic Empowerment Act the Basic Conditions of Employment Act the Occupational Health and Safety Act the Labour Relations Act the mining, banking, IT and other charters. The typical HR risk here is noncompliance. This means that HR managers should have a clear understanding of what each piece of legislation requires for compliance, regardless of whether this entails the actions a company must take or information it needs to provide. Compliance is not relevant only to HR legislation. The huge increase in fines for noncompliance with legislation for anticompetitive behaviour is a good example. Munnik (2008) asserts that: ‘Your management of employment equity, or lack thereof, could put your business at risk.’ Companies need to consider the effects of fines and pressure from the minister of labour to comply with employment equity legislation. Therefore, if a company complies with employment equity requirements too quickly and employs incompetent people, who cause damage to the business, these appointments can cause significant risk to the business. On the other hand, if it complies too slowly, the company may face prosecution for noncompliance and significant risk to its reputation may follow. Understanding trends in the business environment Business environments do change. What are the key drivers of change and what are the effects and consequences of change for the business and its HR function? This question suggests that HR managers should understand key trends in their business’ environment and be able to convert them into business and HR strategies and policies. Typical HR risks here are top and senior managers, including HR managers, who lack the ability to analyse the external and internal business environments systematically, who lack the ability to understand what the key drivers of change in these contexts are, who lack the ability to convert them into business strategies or to foresee their strategic implications. People and corporate culture People and corporate culture drive the implementation of the business’ strategies. Does the company have the right people in the right places? Can these people perform their jobs in a constructive, engaging and empowering climate? These questions suggest that HR managers should find the right talent and create the right environment in which people can perform. Typical HR risks here are: not having the right talent in the right places not attracting and retaining key talent performance that does not meet predetermined standards training and development interventions that do not improve performance absence of a constructive company climate. Furthermore, the human immunodeficiency virus (HIV) and AIDS have a disastrous effect on many businesses. ‘In some sub-Saharan African countries, a third of the workforce has the HIV virus’ (Feller, 2007). This problem could seriously affect the business’ sustainability. Implementing business strategy Strategy implementation means developing a business strategy and then implementing it. Does the company have a strategic or business plan? Does this plan convert into different project plans with clear time lines for implementation? Is there an effective budgeting and governance system in place? These questions suggest that HR managers should help to draft the business strategy, understand the supportive role and function of HR practitioners in governance, and help to implement the strategy. Typical HR risks here are that the business does not have a strategic or business plan that converts into different strategic objectives or projects and that the business has not spelt out the demands on, or implications for, HR practitioners in terms of talent, policies, practices and procedures. Carrying out operations Carrying out operations means converting business or project plans into executable operations or tasks. Do these functions or tasks have the right people to execute them? Has the business specified performance standards? Are systems for measuring performance and management in place? These questions suggest that HR managers should help to design and implement performance management systems. In this area, typical HR risks are not having clearly defined operations and tasks or the right staff to execute them. Further risks are the absence of clearly defined performance standards and systems for measuring and managing performance. For example, Harris (2007) showed that careless selection could be disastrous. In fact, she stated that one can trace many corporate disasters back to poor recruiting practices. In some cases, businesses did not check curricula vitae (CVs) properly. The typical operational risks that organisations experience usually dominate risk management. However, several examples of people or HR risks have come to the surface recently. The literature reports typical HR risks. Not all companies experience all of these risks. Some will occur more often in certain businesses than in others. In addition, there may be different risks at some companies and new risks may emerge in the future. Given that risk is about uncertainty, many other unexpected events may occur. No risk manager could have predicted the 9/11 attacks, the 2008–2009 worldwide economic recession, the swine flu epidemic or the eruption of the volcano in Iceland. Furthermore, the workplace stress and work overload that staff shortages cause and poor communication during restructuring processes pose significant risks to organisations. The challenge is to build rigorous risk management systems and resilient organisation cultures where all employees have a risk mindset to enable their organisations to respond to typical risks, even if new risks come to the fore. However, most of the typical HR risks outlined in Table 3 have been around for some time.
3Examples of Human Resources risks. http://www.sajhrm.co.za/index.php/sajhrm/article/downloadSuppFile/366/606
Some companies are addressing their HR risks proactively and almost aggressively, whilst others sit back and wait for the risk to disappear. One can adopt a ‘wait-and-see’ attitude, or a ‘make-and-see’ one. The latter focuses on introducing programmes proactively to reduce and manage HR risks. For example, statistics show that 14 mineworkers die every month (Swanepoel, 2009). Surely, the industry can introduce more proactive safety programmes to reduce safety risks. Essentially, the involvement of the whole workforce in creating and maintaining a safety culture will be a key component of managing HR risk effectively. During the release of the SABPP King III opinion paper, HR managers were asked to provide the SABPP with a list of HR risks in a focus group session. Figure 2 presents the findings of the focus group session. Figure 2 shows that the challenge of retaining employees is the biggest HR risk for the 40 HR managers who participated in the focus group session. They indicated that skills shortages were the second biggest risk, followed by poor leadership or management in their organisations. Interestingly, some of the delegates suggested that poor leadership contributes to the high turnover of staff. They also identified lack of compliance with laws, rules and procedures as a major HR risk. Furthermore, it appears as if organisations struggle to deal with verifying qualifications properly during recruitment and selection processes. Interestingly, HR managers reported employee sabotage as another HR risk. Some of the HR managers referred to this problem as ‘internal terrorism.’ An Human Resources risk assessment framework An HR risk assessment framework provides a conceptual model for systematically developing and planning HR risk management actions in an organisation. The framework is useful for determining the level of HR risk in an organisation and for measuring it. The Human Factor Management Assessment Risk Framework, that Figure 3 illustrates, provides a basis for planning, assessing and implementing HR risk management. Figure 3 illustrates the European Foundation of Quality Management Risk Management Model adapted for an HR risk management framework. The building blocks to the left of the framework show the capabilities an organisation needs to make HR risk management work. It begins with human factor risk leadership to the far left of the framework. Here senior managers and the HR executive of the organisation take responsibility for human factor risk leadership. In essence, this means that the HR executive leads by locating HR risk management at board level. Therefore, the HR director introduces human factor risk leadership to the organisation. However, line management ownership is critical here. The next building block shows the importance of people as key components of the risk management framework. People contribute to risks daily, either positively or negatively. If managed proactively, people play a significant role in creating and maintaining a risk culture, as King III proposed. However, managing risk does not happen automatically. Therefore, it is necessary to create a human factor risk policy and strategy to institutionalise HR risk in the company (next building block). Next, the organisation needs partnerships to optimise human risk management, both internal and external to it. Internally, the organisation needs partnerships between different departments to manage risk (like between the health and safety function as well as the production department). Externally, the organisation may need a variety of partnerships with key stakeholders to get the right information and/or support to manage HR risk (like the Department of Labour, suppliers or industry bodies). Human factor risk processes are at the centre of the framework (all the processes and practices the organisation needs to manage human factor risk). The key question is ‘do risk management processes incorporate effective HR risk management?’ Once the organisation has developed all the capabilities to manage risk (left-hand side of the framework), it is ready to deal with risks. The company has developed the resilience it needs to handle human factor risk (next building block) and can then report on the outcomes of its risk management framework (last block). Essentially, the better its capabilities, the more likely the organisation is to manage risk successfully. The critical question is ‘Does HR risk management help the organisation to achieve its objectives?’ However, whilst an organisation may achieve a high level of maturity in dealing with risk, a company will never succeed entirely in managing risk. Therefore, the different intersections that link all the building blocks of the model, together with the bottom arrow, imply that the organisation needs continuous innovation and learning. Control measures are concerned with the actions the organisation takes to reduce the probability or effect of risk, although they may never eliminate or transfer risk completely. This is true for all the areas of managing an organisation. Treating and tolerating risk are key elements of the process of controlling risk. The four options for dealing with risk follow. 1Four options for dealing with risk. http://www.sajhrm.co.za/index.php/sajhrm/article/downloadSuppFile/366/599 The example that follows shows the commitment of a South African bank to take responsibility for managing HR risk. 2Commitment of a South African bank to take responsibility for managing Human Resources risk. http://www.sajhrm.co.za/index.php/sajhrm/article/downloadSuppFile/366/600 The ISO (2009) standard on risk and the Nedbank example make it clear that organisations need HR executives to adopt a relevant approach and framework for managing HR risk. The example that follows shows how organisations can apply the ISO definition of risk in the HR environment: Objective – The objective is to employ competent people with the right knowledge and skills to perform their jobs. Risk – There may be significant skills gaps in the market and in the people who apply for a position. Event – The decision is to risk employing the candidate despite the skills gaps the organisation identified. Consequence – The employee starts to work and delivers substandard work. The consequence is that the business loses key customers. The business suffers because of poor HR risk management in recruiting and selecting. In the light of this example of the effect of uncertainty on business objectives in the HR field, HR managers can conduct similar risk analyses on all other HR subfields, like talent management, employee induction, learning and development, employment relations and performance management. HR managers need to decide on and implement relevant HR risk management actions to ensure that they address HR risks adequately in their organisations. The key question is to decide what can go wrong and then to plan accordingly. Guidelines for managing Human Resources risk HR risk management provides unique opportunities for HR directors, managers and practitioners to support risk governance and management and to develop appropriate HR risk management plans to address HR risks. Therefore, the researchers propose the guidelines that follow for HR directors. Redesign your organisation’s HR plan to include HR risk management. Aligning HR policy with the overall business strategy is essential for managing HR risk effectively. When your company pursues business projects, conduct HR due diligence to identify the HR risks relevant to business plans. Read more about risk management to gain a proper understanding of the importance of risk management and governance in the workplace. Study the ISE risk management guidelines and chapter four of the King III report and code for governance in South Africa. This chapter deals with governing risk. Based on the knowledge you will gain from chapter four of King III, together with the ISO guidelines for governance at your organisation, identify opportunities where you can add value to the risk management practices and risk culture at your company. Arrange a meeting with your organisation’s CRO or head of risk. Show this person that you are studying risk management and ask this person to show you where and how you can contribute to managing risk, especially from an HR perspective. Ensure that key staff members in your organisation have the proper training and education for managing risk. They include the board, managers and other key staff members that risk management affects directly. Develop skills in managing risk throughout the organisation. Liaise with line managers to explore opportunities where you can help to create and nurture a risk management culture in your organisation. Check whether your organisation’s risk register has a record of HR risks and assist the CRO and line managers to identify risk management strategies to deal with these risks. Excellent people and talent management are the best bulwarks against HR risks. Therefore, introduce rigorous talent management strategies and systems and ensure that line managers take full responsibility for leading and managing people. In addition, the HR executive should manage HR compliance with all relevant laws, rules, codes or standards. Support the board by ensuring that the company appoints a highly competent CRO and other risk managers for different business units. Ongoing staff training in risk management is very important for the sustainability and future success of the organisation. Introduce robust HR risk controls, monitoring systems and respond appropriately to any HR risks by using early warning systems before an HR risk starts to threaten the sustainability of the organisation. The company needs regular HR audits, with an emphasis on clear reporting lines, and evidence of actions it has taken to address HR risks. Consider holding regular meetings with staff members to discuss HR risk factors that may affect business operations. ConclusionOrganisations risk their sustainability if they do not consider the effects of HR risks on their businesses. HR risk management presents HR directors with opportunities to elevate current HR strategies to board level, given that risk governance is now a board responsibility. Line managers must consider all people risks in the business. Most risks in business come, directly or indirectly, back to people – the human element is the major source of business risk. The challenge for HR executives is to gain a proper understanding of risk management methodology, then to identify, reduce and manage HR risks. Failing to manage HR risks may threaten the sustainability of companies. Managing HR risk is not only about the softer issues. Many organisations suffer from poor governance and a lack of clear policies, processes and procedures. Fortunately, though, developing and implementing effective HR risk management strategies can lead to significant business opportunities and allow the HR executive to ensure that HR risk management is embedded in the overall governance and management strategies of organisations. As Zulu (2010) concludes, ‘Not managing risks, is risky in itself’. This article is a position paper that the Human Resource Research Initiative (HRRI) of the South African Board for People Practices published. Acknowledgements The researchers acknowledge the Institute of Directors (IOD) as the custodians and compilers of the King III Report. However, this SABPP position paper contains the views of the SABPP and the IOD does not necessarily agree with it. The researchers thank the IOD for its leadership as the champion of sound governance in South Africa. The researchers encourage HR managers to embrace King III and to help their boards and executive management teams to implement King III. The original King III Report and Code can be ordered directly from the IOD. Authors’ contributions M.M. is CEO of the South African Board for People Practices (marius@sabpp.co.za). G.R. is head of the Centre for Work Performance at the University of Johannesburg. M.R. is director of International Management of Risk (IMORSA). 1.2010A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 310002.10.1002/hrm.100843.BothaC2008Corporate fraud: notice the red flags244584.BrownW2006 How well does your HR management system curb fraudulent practices?248235.Bryson2003 Managing HRM risk is a merger25114306.2010 Publicly Available Specification 1010:2010, Third Draft version 2.0: Guidance on the management of psychosocial risks in the workplace8.2009 Alcohol abuse and workplace losses8536379.ColmanS2007Employment Practices’ Liability and Risk Management251110.Deloitte2008Taking the Reins: HR’s opportunity to play a leadership role in governance, risk management and compliance11.EngelbrechtL2009King III: The Director’s view142182012.ErnestYoung2009The 2009 Ernest & Young Business Risk Report13.FellerG2007Beating the virus646614.FinkelsteinS1999Safe ways to cross the merger minefieldT. Dickson15.GarrattB2003Thin on top: Why Corporate Governance Matters and How to Measure and Improve Board Performance16.HarrisM2007, 18 NovemberCareless hiring can be disastrous17.HarrisM2010, 30 MayHigh cost of disengaged workers18.HeathW2007The biggest risk of all — not developing tomorrow’s talent66747519.HeathW2008 Ignoring the risks of commercial crime7310810920.HeslopBHilbronDKoobJSzumykR2005 Why HR Governance Matters: Managing the HR Function for Superior Performance21.2009King III Report and Code of Governance for South Africa – 200922.2009ISO 31 000 International Standard: Risk management – Principles and guidelines23.2009Guide 73: Risk management — Vocabulary24.10.4102/sajhrm.v8i1.27625.MalkinR2007The cost of absenteeism25103026.MartinJSchmidtC2010How to Keep Your Top TalentMay546127.MeyerMRobbinsM2010HR Risk Management: Balancing HR governance, risk and compliance28.MunnikJ2008From basic compliance to true transformation202329.NaidooR2002 Corporate Governance: An essential guide for South African companies30.10.1002/jsc.81331.PileJ2009The prognosis is good20261932.PitmanJ2010Clear and Present Danger?June33.RobinsonJ2008, May 08Turning around employee turnover34.RyanC2006, 10 SeptemberCross-border deals on track335.2009Comments on the King III Code and Report for South Africa: HR — The Way Forward36.SachtJ2010Business Risks Identified in South Africa37.SanbornM2008Tactics to reduce pharmacy staff turnover and increase job satisfaction43867067538.2007How to become an Air Traffic Controller39.S2006The risks of racism in the workplace24840.SwanepoelE2009Tougher Stance15351241.TalebN.N2007The Black Swan: The Impact of the Highly Improbable42.TemkinS2009, 25 FebruaryKing report to focus on board responsibility43.1999The EFQM Excellence Model44.Van der MerweN2009Increased mobility a security threat33333445.Van GraanW2009 Safety failures: Miners count the cost in unexpected ways33161746.WrightL2010Entrepreneur who did it his wayMMakura47.WybrechtG2010The Sustainable MBA: The Manager’s Guide to Green Business48.ZinnS2011Personal Interview: HR Risk Manager from Nedbank49.ZuluT2010Risk and Reward: Start and run a successful small business in South Africa