While many risk managers say cybersecurity is the greatest source of risk to an organization today, I believe there are greater sources of concern. One of these has been in the news over the last year, and it's called the Great Resignation.
Employees Seeking a Fresh Start
Consider this set of survey results from ResumeBuilder.com.
An article related to the survey results stated: "ResumeBuilder estimates that in 2022, as many as 32% of U.S. workers will leave not only their jobs but their careers behind to start afresh in new industries, especially in IT. Overall, a quarter of employed individuals will quit their jobs in 2022, and half will leave in the first half of the year."
The numbers are sobering. In the second half of 2021 alone, nearly 20 million people quit their jobs, including 4.5 million in November alone. A number of factors are driving this trend, including a disconnect between employee needs and employer understanding and a general reevaluation of life driven by the events of the last two years.
What Does the Great Resignation Mean for Risk Practitioners?
What does all this mean for risk and audit practitioners?
Recognize the potential effects losing key employees will have on the organization and its success. While risk disclosures may talk about the loss of the CEO and other top executives, we also have to consider the loss of:
- Customer relationships as sales personnel leave, perhaps to a competitor.
- Innovation as top engineers and product designers abandon ship, again possibly to a competitor.
- Momentum in the development and use of technology due to the loss of IT staff.
- Revenue growth as the capacity of the organization to deliver products and services in impacted.
- Key individuals in the performance of critical controls and security practices, with less capable individuals (or nobody) taking their place.
- Leaders within the organization.
- Risk and audit practitioners.
We need to help management understand the level of risk to enterprise objectives, which can be in every nook and cranny of the organization.
We also need to help management assess whether it is doing enough to stem the tide and respond to the waves breaching the storm wall.
At the same time, we should consider whether management is taking advantage of the situation to upgrade its potential by hiring the best people now on the market.
I recommend reading the following article on Smart Brief: "Let’s call it a retention review."
An Opportunity for Reflection for Employees and Employers
People are transforming their relationship with the traditional workplace, revaluing the importance of career versus quality of life.
This prompts an overdue opportunity for employers to do the same, by asking themselves four fundamental questions: What do employees seek in this new work-life balance? How will companies provide what employees need for that balance? What does that new workplace look like? What can employees and employers bring to it?
Risk practitioners can work with management to understand the risk (and the opportunities).
Internal auditors can help by assessing whether that is sufficient, and perhaps suggest ways to improve retention and hiring.
What do you think?
Writing this reminded me of another point I want to discuss: Some have said that if an event or situation is certain, there is no risk. They are referencing the ISO 3100 definition of risk as “the effect of uncertainty on objectives.” If there is no uncertainty, they assert, there is no risk.
My problem with that is that while an event or situation may be certain to occur or may even have happened, the effect or effects in the future may be uncertain.
I think we have to be careful to avoid traps like the rigid interpretation of definitions. But, I will point out that we are talking about the “effect on objectives.” That part of the definition is critical. Assessing a risk or opportunity in other ways is not necessarily always wrong, but I think it is questionable.