managing human capital risk

Managing Human Capital Risks: Whose Responsibility Is It Anyway?

managing human capital risk

Because people touch all aspects of an organization, a focus on human capital risk is a very important part of an effective risk management and corporate compliance program. Yet it is also because of this “human factor” – the complex involvement of people in all aspects of the business – that ownership of human capital risk management can end up ill defined. In fact, many organizations today face major challenges in this area due to a lack of clarity around roles and responsibilities assigned to human capital risk management.

Whether the risk and compliance challenges are those directly related to running an HR organization (e.g., legal requirements of ERISA, FLSA and ADEA regulations) or some of the more strategic risk and compliance issues that have human capital at their core (e.g., designing talent strategies, aligning rewards, promoting fraud prevention and ethical behavior), sorting out who specifically is responsible for identifying, assessing, prioritizing, managing and monitoring all of those risks is no easy task.

Some argue that HR leaders, who have specialized personnel-related knowledge and capabilities, should assume ownership of people-related risk management. Others, perhaps including many readers, maintain that, due to their strong regulatory expertise and capabilities, risk and compliance professionals should play the dominant role in human capital risk management. While still others believe that the strategic-level risks are the responsibility of the organization’s business leaders.

In reality, all parties are correct. Effective human capital risk management is the shared responsibility of HR, risk and compliance functions, and senior business leaders, a cooperative effort combining deep expertise in human capital, risk management and compliance, and business strategy and operations.

managing-human-capital-riskBy working together, HR, risk and compliance, and business leaders can bring their cumulative knowledge and strengths to efficiently create, manage and monitor a risk management plan, thereby minimizing people-related failures and maximizing people-related strategic opportunities. Ultimately, effective management of human capital risk – whether the upside risks associated with a growth and global expansion strategy or the downside risks driven by reckless decision making, fraud, or talent lost to poorly designed rewards programs – comes down to intelligent collaboration and cooperation across the organization.

HR professionals are equipped with an understanding of people issues, the HR regulatory environment, personnel data, future trends and competitive demands related to recruiting, retaining, managing, developing, compensating and rewarding employees. Risk, compliance, and legal professionals bring the skills and expertise necessary to help design a strong HR compliance and risk management program. Additionally, the role of the risk and compliance teams across the broader enterprise helps ensure that the HR risk management program aligns with company strategy and integrates well with organizational structure and all other risk monitoring functions. Risk and compliance professionals also bring a built-in familiarity with the latest risk assessment, monitoring, and mitigation tools and techniques.

The following are six specific ways compliance and HR functions can work together to elevate people-related risks to the top of the corporate agenda:

  1. Partner with the traditional risk management functions. Internal risk audits can be used as an opportunity for obtaining useful feedback and opportunities for improvements. Risk and compliance professionals can help HR management understand how these systems and processes work, how they can be adapted to talent issues, and how insights gleaned from them can be used to improve HR risk management.
  2. Encourage chief human resource officers (CHROs) to prepare for the broader discussion of risk. The importance of the role of people and HR in an organization’s business strategy cannot be ignored. In order to identify a company’s top human capital risks, it is important for the CHRO’s to be engaged in the process, working with risk and compliance professionals, along with business leaders, to get a complete picture of an organization’s strategic or operational risks. The information obtained can be used to develop a formal HR risk assessment and a benchmarking program to shed light on evolving risks and to explore best practices of other companies dealing with similar issues.
  3. Make the most of existing data. HR has a wealth of data that can help a company manage risk more effectively. Advanced analytics can provide deep insights about current risks and projections about future risks. Turnover data, for example, when combined with other information, may raise a red flag about hidden risks such as incompetent management or fraud.
  4. Create a risk mindset in the HR function. Risk management should be an integral part of HR’s operating processes. We typically see two sets of documentation for HR processes, one for day-to-day operations and another that is used to demonstrate risk and compliance controls. Integrating the risk and compliance controls into the overall HR process can advance the risk agenda in HR, increasing the focus of everyone working in HR on the role of risk management in supporting both HR and company goals.
  5. Get a seat at the risk management table. True cooperation between risk/compliance professionals and HR generally requires HR leaders to be directly involved with other top business leaders in the risk management process. HR leaders can help put the right human capital issues on the risk management agenda.
  6. Understand the impact of HR changes on the company’s risk management program. Many changes to the business have risk implications. When undergoing a change in the HR function, whether it is implementing a new system or changing to a global service delivery model, the risk and compliance implications must be assessed, documented and discussed with the risk and compliance teams to integrate the change into the overall risk management program.

Risk and compliance professionals have long realized that risk management is not limited to the formal monitoring functions of the organization, and increasingly, HR professionals are coming to the same conclusion. Company stability and effectiveness necessitate risk awareness and controls throughout all key areas of the organization—including, if not starting with, people-related activities.

One has to look no further than business news headlines to understand that managing people risk is about supporting an organization’s strategic intent and day-to-day assurance of specific compliance initiatives and regulations. Either, or both, type of risk management can help build or diminish an organization. Risk managers and HR executives can find that working as partners with a common goal is an effective way to address the challenges of the human factor in a dynamic workplace.


mike-fuchs-deloitte-consultingAbout the Author

Mike Fuchs is a principal for Deloitte Consulting LLP, focusing on helping clients find solutions to cultural and institutional challenges related to complex governance, risk and compliance requirements.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this document.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2012 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited

No related content found.

About the Author

Michael Fuchs

mike-fuchs-deloitte-consultingDeloitte Consulting LLP (Deloitte Consulting) Principal Mike Fuchs has focused on helping clients find solutions to cultural and institutional challenges related to complex governance, risk and compliance (GRC) requirements. As a principal for the Human Capital and GRC practice, Mike assists clients with Sarbanes-Oxley Section 404 readiness, focusing on human resources (HR) risk mitigation and entity level control assessments. Mike’s experience traverses the HR landscape and includes shared services design, business case development, enterprise transition and change management. With more than 18 years of HR consulting experience, Mike has served companies in the life sciences, health care, manufacturing and technology sectors. Regarding his career at Deloitte, Mike Fuchs said, “My proudest career moment is being able to look back at the 14 years of my career and see the positive impact I have had on my clients, Deloitte, and, most significantly, the people of Deloitte. I have not only had the opportunity to have an impact from a business standpoint, but the personal connections I have made leave a more lasting impression.” Other articles written by Mike Fuchs include: Less Risk, Greater Rewards Mike co-authored this report, which provides insights into risk intelligence and employee reward risks, as well as how to develop an effective risk management program. Growing Confidence Mike contributed to this article in Deloitte Consulting’s Straight Talk Book No.8, which discusses nine steps to cultivate a rich action plan and achieve integrated GRC, including sample e-mails and other suggestions that will ultimately help your clients “grow confidence” and improve performance. Mike Fuchs can be contacted via email at