The Evolving Dual Role of HR in Managing Risk

Posted by Michael Fuchs on September 9, 2011

The HR function has traditionally been the “steward” responsible for managing internal HR compliance and regulatory risks in its direct area of responsibility. Recruiting, hiring, compensation and pension/401(k) plans have long been in HR’s purview and as regulatory requirements in these areas have grown, so has HR’s compliance burden. But these aren’t the only areas affected by an increasingly regulated business environment. Other parts of the organization are also feeling the pain of managing and mitigating risk and it’s here that HR leaders can add strategic insight and value.

The challenge of leading in an “all risk, all the time” world is one of the evolutionary human capital trends we’ve been following. What makes risk an HR issue? The fact that adhering to regulatory compliance and the overall process of managing risk are ultimately a people issue: Do employees understand their roles and responsibilities? Have they received the right training? Are they being measured and compensated in ways that support risk awareness and compliance? Is there an effective alliance and understanding between monitoring functions like Risk and Compliance and other corporate and business functions? Many of the skills and experience required to effectively address these questions reside within the leaders in the HR space. In particular, as the number and complexity of regulations grow and the prevalence and severity of risks continue to escalate, we’re increasingly seeing HR leaders become an integral part of the leadership team searching for effective ways to solve specific risk and compliance issues, as well as assist in the creation of an effective and efficient risk and compliance program across the organization.

Of course, not every organization has reached this point of “maturity” when it comes to how to effectively address risk and compliance concerns. Some still view risk management and compliance as a “check the box” activity or perhaps as a one-time problem that’s been “fixed.” Some still don’t believe noncompliance poses much of a risk, despite the number of companies that have been financially or reputationally damaged or even brought down by it. Some are still treating it narrowly as a compliance or risk issue, instead of a more complex business issue.

There’s real opportunity here for HR leaders to step up and help deepen the organizational understanding of what causes risk events and regulatory failures to occur and to drive a more holistic response to what will continue to be a critical factor in how businesses operate. Probing the root cause of compliance issues is one way to start. For example, what’s really behind a problem in China related to the Foreign Corrupt Practices Act or a violation of HIPAA patient privacy requirements or a breach of consumer data under FACTA? Was there no policy in place, or was the current policy ineffective? Was the oversight process outdated (or nonexistent)? Or were policies and procedures in place, but people didn’t know how to follow them or decided it wasn’t important to follow them? Did the potential benefits of ignoring the policy outweigh the potential risks? And finally, the real question to be asked and answered is: What needs to change so it doesn’t (or is less likely to) happen again?

Asking questions like these helps get senior leaders thinking about the broader implications of compliance and risk. HR leaders can then assist further by applying their expertise in change management, leadership alignment, organization effectiveness, learning and development and rewards alignment to strengthen the organization’s overall risk management and compliance capacity. By doing so, HR leaders not only add value, but also continue to evolve their role from steward to strategist.


Michael Fuchs is a principal in Deloitte Consulting LLP’s Human Capital practice and has 21 years of human resources (HR) consulting experience. He is also a member of the leadership team for the Governance, Risk and Compliance practice, helping to assist clients with their governance, risk and compliance challenges.

As used in this document, “Deloitte” means Deloitte Consulting LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
