PHR / SPHR Exam For Dummies
When the Core Knowledge and Risk Management functional area was eliminated from the Professional in Human Resources (PHR) and the Senior Professional in Human Resources (SPHR) exams, health, safety, and security content was included on both PHR and SPHR candidate study plans.

Managing enterprise risk

You can understand the risks to the business or project through the following filters. It’s helpful to get organized by understanding these big three areas of knowledge:
  • Financial risks: Financial risks include corporate espionage, sabotage, embezzlement, and other types of theft. Minimizing these risks may be best accomplished through the use of technology to limit access to sensitive information. HR can also develop policies and procedures such as procurement policies, credit card and expense policies, and ones that limit loss from these work efforts through checks and balances.
  • Physical risks: The employees’ physical well-being used to be the largest focus of workplace safety efforts, so a lot of information is related to this HR activity. Target your studying on education and prevention efforts such as compliance with safety standards and commonsense work rules. Areas include hazard communication, workplace safety, emergency response, and violence prevention.
  • Information risks: The loss of critical information can be devastating to both the employer and employee. The exam objectives and knowledge components address information risks through the use of data security techniques, such as passwords and monitoring software.

Example enterprise risk question

The BEST way to protect confidential employee information is to

(A) Not collect it in the first place

(B) Store it digitally, with no paper trail

(C) Limit access to only those who need to refer to the data for business purposes

(D) Create a buddy system in which information is accessed only with witnesses present

The correct answer is (C). Whether confidential information is stored as paper files or digitally, HR must control access through passwords and keys. Choice (A) is unrealistic because labor laws require that employers collect and store information. Choice (B) doesn’t address protecting the information, just the storage, so it’s an incomplete answer. Choice (D) is unrealistic and unnecessary for the types of information collected and stored by HR.

Complying with safety standards in the workplace

The Occupational Safety and Health Act (OSHA) and administration are your go-to resources for workplace safety compliance. As with all of the functional areas, each begins with the need for HR professionals to ensure that activities are compliant with the law. The exam objectives take you on a nice little journey to tell you how to do so, as this figure illustrates.

[Figure: The journey from hazard assessment to training the workforce]

All you have to do is fill in the blanks of the requirements. Look at some examples of OSHA standards on how you can accomplish these tasks:

  • Hazard assessment: Although the exam objective calls them a needs assessment, OSHA gets a bit more specific. OSHA requires you to conduct a hazard assessment to determine, for example, what personal protective equipment is required for each job, and OSHA asks you to conduct a job hazard analysis to identify hazards before they cause injury. OSHA publishes the top ten most cited standards on its website, and it’s a good idea to be familiar with these hazards and relevant compliance requirements for the exams. Ones that seem to make the top ten year after year include fall protection, hazard communication, scaffolding, respiratory protection, powered industrial trucks, lockout/tagout, ladders, electrical, wiring methods, and machine guarding.
  • Injury and illness prevention programs (IIPP): OSHA identifies the common elements that should be present in all company IIPPs. Although some states may have differing standards, all must meet or exceed federal requirements. Therefore, you can confidently assume the baselines will include management leadership, worker participation, hazard identification, hazard prevention and control, education and training, and program evaluation and improvement.

Obtain a copy of your employer’s IIPP and compare it to the common elements defined by OSHA. Doing so can give you an experience layer to apply to the exam requirement.

  • Disaster preparedness and emergency response: Called emergency preparedness by OSHA, compliance efforts focus on both disaster response and recovery. In some standards, OSHA requires companies with more than ten employees to have these plans in writing. I provide a more detailed look at this HR activity in the next section.
  • Training of the workforce: Most OSHA compliance efforts require some measure of communicating hazards to employees. Communicating hazards is most often accomplished through employee training. Accurate documentation of training efforts includes a description of the training content, the date(s) of training, who conducted the training, and signatures of the training participants.
  • General duty clause: OSHA states that employers are required to provide their employees with a place of employment that “is free from recognizable hazards that are causing or likely to cause death or serious harm to employees.” This is more commonly referred to as the general duty clause. The courts have interpreted OSHA’s general duty clause to mean that an employer has a legal obligation to provide a workplace free of conditions or activities that either the employer or industry recognizes as hazardous and that cause, or are likely to cause, death or serious physical harm to employees when there is a feasible method to abate the hazard.

Example safety standards question

How should an employer communicate the contents of an IIPP?

(A) Give it to employees at the time of hire.

(B) Make it available on a company intranet.

(C) Conduct annual training on the various hazards addressed in the IIPP.

(D) All of the above

The correct answer is (D). There are several acceptable methods for communicating the contents of the employer’s injury and illness prevention program (IIPP), and they include a need to present it at the time of hire, Choice (A); giving employees access if they have questions, as in Choice (B); and conducting compliance training for known hazards that are identified in the document, Choice (C).

Creating preparedness plans

The Federal Emergency Management Agency is an excellent resource for businesses. The agency’s website has free checklists and disaster preparedness materials that you can use to brush up on your disaster preparedness knowledge for the exams. FEMA also has a five-step process for designing an effective workplace preparedness plan. This plan is an excellent way to approach the process and compare your organization’s current plan.

According to FEMA, these steps include the following:

  1. Manage the program. The first step establishes a committed leadership effort out of the gate, which means that HR may need to make the case to executive management that resource allocation will provide a return on investment should a disaster occur. Communicating customer and financial impacts and identifying mitigation efforts such as insurance coverage are both elements to gaining upper management buy-in at this stage.
  2. Conduct the needs assessment and business impact analysis. Upon getting the green light, the planning stage formally begins, which involves identifying potential hazards that could affect your business. A commonsense approach may be helpful. For example, earthquakes are likely in California, whereas hurricane preparedness is more likely in the Southern states. Large corporations in multiple locations must create custom programs suited to the unique natural threats in the communities of business.
  3. Implement the plan. As with all great plans, proper execution is arguably the most important step. It actually begins by writing the multitude of plans that are identified as necessary in the assessment process. Consider business continuity plans, information technology plans to recover data, and the crisis communication plan so that information flows as freely as possible in the middle of a crisis.

    An ad hoc committee is one that meets to address a specific need. Identifying participants for an ad hoc crisis management meeting may be a helpful prevention effort. Use job titles rather than employee names for a practical approach to maintenance, but be sure the participants are properly trained in their roles.

  4. Test and conduct simulations and drills. Employee training is a significant element of program effectiveness. Rather than holding classroom-based training, hands-on simulations and exercises are more likely to condition employees on how to respond in an emergency. Where possible, bring in outside experts to validate the company’s point of view. These experts are also helpful in spotting program deficiencies before a crisis, enhancing the overall effect of a good response plan.
  5. Update, maintain, and improve the program. As an R & D technician once put it to me, his goal was to “break it, then build it better.” This stress-the-system philosophy serves the program improvement step of disaster preparedness well. Running the tests and simulations on a regular basis should identify where the program is deficient. Calendaring this activity on an annual basis allows HR to update the plan based on business changes such as expansions, turnover of key personnel, and training of new hires.

Reducing the risk of workplace violence

Although the exam content appears to focus on having a plan to respond to workplace violence, OSHA also addresses the issue in its standards. Refer to OSHA’s specific definition of workplace violence. In addition, OSHA has conducted research to identify who is at greatest risk for workplace violence and concluded that positions that involve an exchange of money, working in isolated locations, and working with unstable individuals all have an increased risk for violence on the job.

As with most safety standards, the employer’s response should be aimed at reducing the risk of harm to its employees. This effort begins by having a zero-tolerance policy for any intimidating or violent behavior in the workplace. OSHA also offers support in the development of a workplace violence prevention program, which aligns your work efforts with the exam objective. These programs include policy development, employee training, and administrative controls.

Another area of concern for employers includes the threat of terrorism. FEMA describes several different types of potential terrorism threats, including biological, cyber, chemical, and nuclear. Visit, an excellent resource to find out more about employer responsibilities. This website is a public service campaign affiliated with FEMA. states that more than 40 percent of businesses affected by a natural or man-made disaster never reopen. From an HR perspective, you should anticipate questions on the exam that relate to preparing your company to respond as quickly and effectively as possible to avoid short-term or long-term business impact.

Example preparedness question

Disaster preparedness is most effective when built on a foundation of what?

(A) Leadership

(B) Regulatory compliance

(C) Business needs

(D) Understanding hazards

The correct answer is (A). A foundation of leadership commitment involves providing the resources necessary to prepare. Choices (B), (C), and (D) are all important, but unlikely without the commitment of the executive management team.

Completing common reports and tools

As with all the other functional areas of human resources, risk management has a fair share of paperwork. These reports and tools are very useful in demonstrating compliance with safety laws, such as the safety audit and safety training matrix. Other reports assist employers in making decisions about risk, such as workers’ compensation reports and data reports from their human resource information system. Read on for more information about these useful options.

Safety audits

Safety audits differ from hazard assessments in that they’re used to evaluate compliance with safety programs rather than identify hazards. Even though hazard identification may certainly be a byproduct, their primary focus is to evaluate whether the controls established in the safety planning process are firmly rooted in place. Depending on the need, a safety audit can be conducted by visual walkthroughs, data collection, drills, or stressing the system to see what works and what doesn’t.

Workers’ compensation reports

Keeping track of workers’ compensation claims should be a monthly activity. Doing so requires HR professionals to be familiar with the workers’ compensation laws in their states. The compensation reports help track the accrued versus paid amounts on open claims and allow you to manage the accruals where possible by working with the administrator. Compensation reports are useful to trigger status checks on injured workers still off work. This gives you the opportunity to engage in one of the exam objectives by building return-to-work programs such as modified duty. By doing so, the employee returning to work in a limited capacity is paid through regular payroll rather than through the workers’ compensation insurance, lowering the overall claim costs. Because workers’ compensation insurance is experience rated, this strategy is an effective way to keep insurance costs down long term.

Safety training matrix

Depending on the industry in which you practice, safety training can be a mixed bag.

A training matrix is a spreadsheet that compiles all of the required safety training in one place. The following figure gives you an example of one such matrix that can be modified on several levels to account for the who, what, where, when, and how often aspects of safety training. It can also help employers demonstrate a commitment to compliance.

[Figure: A sample safety training matrix]

Another option is to utilize your human resource information system (HRIS) to track dates and send reminders to management that safety training is coming due. Managing it from the time of hire and through the tenure of the employees is a streamlined way to keep track and run reports.
