To err is human, but can bring catastrophe

At the root of most of the growing list of corporate disasters in recent years lies a common factor — people. Companies are creating ever more sophisticated systems to protect themselves against risks, yet the hardest thing to cope with remains the unpredictability of human behaviour.

Reminders of the human element occur regularly, whether it is the rigging of emissions tests by Volkswagen engineers, failed defences against cyber attacks at telecoms company TalkTalk, a $6bn “fat finger” slip-up at Deutsche Bank or the suicidal Germanwings co-pilot who crashed his aircraft into the French Alps.

Banking has been hit by a series of scandals, from mis-selling of insurance products to attempts to rig the international loan and currency markets, but it is far from alone. The BBC, already under fire for a lax culture that allowed the late disc jockey Jimmy Savile to get away with sexual assaults on children, this year parted company with Top Gear presenter Jeremy Clarkson, one of its leading assets, after he verbally and physically attacked a producer.

People risk can range from simple mistakes, such as staff clicking on a virus-infected email, to lack of vital skills, poor succession planning, strategic miscalculations, lax safety rules and deliberate acts of sabotage or fraud.

“It’s getting more frequent because organisations are getting more complex, more global and changing more rapidly,” says John Hurrell, chief executive of Airmic, a UK association of corporate risk managers. “The business models are changing, use of technology is changing, supply chains are changing. It’s amplifying a built-in potential for failure.”

Cass Business School studied 18 corporate crises on behalf of Airmic at companies including Enron, Arthur Andersen, BP, Airbus, AIG and Société Générale, some of which destroyed the business concerned. This study, Roads to Ruin, found that people failures lay at the root of virtually all of them.

“In almost every case, quite serious people within the organisation knew the vulnerabilities they were facing or that they had already been holed below the waterline. Either it didn’t get to the board or it got ignored,” Mr Hurrell says.

Individual failures seem inextricably bound up with a company’s culture and the quality of leadership. Problems can arise if the board does not fully understand the risks in an organisation or senior management turns a blind eye, or if policies and processes are poorly communicated.

“If you have a strong chief executive officer who won’t listen to anybody, then that person can risk the whole survival of the company,” says Paul Hopkin, technical director at the Institute of Risk Management, which has members in more than 100 countries.

Companies are putting effort into systems and processes to protect against risks. There is now a global standard for risk management, ISO 31000, providing principles and generic guidelines. Many companies have adopted systems of “enterprise risk management”, or ERM, which offers a framework for identifying, analysing, responding to and reducing risks.

These have grown in popularity since regulators and debt rating agencies increased their scrutiny of risk management processes, notably when Standard & Poor’s included evaluation of ERM in its credit rating protocol.

Mr Hopkin warns: “Standards are all well and good, but businesses develop and markets change so rapidly that companies have to look at their regulatory obligations and work out the answers for themselves.” Mr Hurrell says processes can be a “cop-out for the board” if they just involve ticking boxes.

Risk managers believe that human resources are taking care of it, while HR believes risk managers are

Cranfield School of Management, on behalf of Airmic, studied eight organisations regarded as having effective risk management practices, including International Hotels Group, Jaguar Land Rover, Virgin Atlantic and Zurich, an insurer. The research identified five principles needed to achieve resilience: an ability to anticipate problems; adequate resources to respond to changing conditions; free flow of information right up to board level; capacity to respond quickly to an incident; and willingness to learn from experience.

For boards, the report said, the incentive went well beyond avoiding disaster. “Companies that are confident in their risk management have the confidence to be more enterprising and entrepreneurial, thereby not only identifying risks but also seizing opportunities.”

One difficulty is that many companies now directly control only a minority of staff, as many functions are outsourced. International Hotels Group, for example, owns only nine of the 4,600 hotels that operate under its brand, but it has to ensure that its processes and risk awareness extend across all the hotels.

Mr Hurrell cites airline Virgin Atlantic, which realised that people employed by contractors were not passing on things they saw that could help to improve safety. It removed penalty clauses in contracts that seemed to be inhibiting them and was rewarded with an avalanche of information.

Karen Seward, partner at law firm Allen & Overy, says: “For many businesses now, people are a key asset — and often the only asset. They are, however, unpredictable. To some extent they are outside the control of the employer. Although you can control risk, I don’t think it’s ever a battle that you win.” She adds that changes in working patterns, such as flexible working use of social media, make it harder for employers to exercise the controls they used to have.

A common pattern in corporate crises is “normalisation” of misbehaviour: staff find they can reach their targets only by bending the rules, but nobody blows the whistle and senior managers do not intervene. Rogue traders, for example, are often seen as star performers until their trades go wrong.

One answer for organisations may be to ensure people are encouraged to challenge established practices.

Tony Powis, chief executive of Willis Employee Benefits, also identifies a gap in the way employee risk is handled: “You get risk managers believing that human resources are taking care of it, while HR probably believes the risk managers are doing that.”

Safety issues, where failures can result in death or injury and large fines, are being taken increasingly seriously, according to Marc Spurling, UK head of workforce strategies at Marsh, an insurance broker. But, he adds: “There remain a number of challenges, largely around employee behaviour. The next step for organisations is linked to safety behaviour and safety culture.”

Cyber security is increasingly a concern after a series of breaches, including that at TalkTalk. “People is the element that is often understated and missed,” says George Quigley, partner at KPMG. Innocent people can be a weak spot in a company’s defences, often unwittingly clicking on links that can lead to a breach or using a computer memory stick found in the car park, which has been deliberately dropped by a hacker looking to gain access. Then there is the danger of sabotage by disgruntled employees.

Ultimately, argues Mr Powis: “It comes down to leadership in a company and having a vision and the actions to put people right at the centre, because without people, you have nothing.”