Does your risk tech actually reflect people as a priority?

?This is a deeper question than you might at first think. And it is a question around your risk technology, not so much your processes ... though your tech models your process, so still highly important. If your risk tech does not articulate or highlight your workforce safety and security as a priority (as in People Risk Management or PRM) ... does your cross-business approach to risk even register when or if that has even been considered and where there are issues? In context to PRM, this covers general health and wellbeing, workplace safety and security and travel risks.

Traditional risk registers (often part of your ERM or BCP tech) typically bundle people's health, safety and security under 'Operational Risk'. This is certainly where standards such as ISO 31000 place it. Is that just a convenient place ... or hiding place ... for all the potential threats to your people? Are those operational risks clear and visible when there are issues? There are some risk solutions that have people as a top-level category when it comes to identifying threats and vulnerabilities. But often those technologies reflect more strategic risks ... and are not necessarily designed to guide around people's safety and security in context to ethics and morality, appetite and tolerance, legal regulations and compliance. But those are very much the foundations in building a risk culture in respect to your people. Does the technology you use support a culture prioritising PRM?

If you genuinely place people first as priority, the tech you deploy should also support that same culture. So much tech in the people and travel safety/security lacks human engagement and meaning for a workforce ... assuming they will simply have to adopt it. In reality, that is a mountain to climb and may also be at odds with the regulations and compliance in many countries. Having a mindset where people are the priority, should not be limited to technology rolled out for industries operating in hazardous or hostile environments.

Building a meaningful risk register that considers people as priority needs a realistic starting point. It is not easy to build a risk register from scratch ... it requires constant attention and evolution to ensure it is relevant and up to date. A good starting point is to analyse your existing experience within your organisation (from your response team, case management, existing risk tools etc.) and merge that with third party threats, advisories, forecasts and knowledge bases. Place value on the technologies and partners who provide common risks and potential impacts out of the box, backed with their industry expertise. Especially technology that not only identifies the risks, but gives you tools to test them out with simulations and exercises and analyse potential impacts.

Looking at the general risk technology market today, it is very fragmented. There are still challenges when converging risk and impact into a more integrated solution. But, we are in the early days of this happening ... where risk tech designed for a business function, recognises that risks are often connected and impact is felt elsewhere.