Updated: January 2020
Simply put, any company with employees is at risk of human error in the workplace. Your clients are constantly at risk of harm that can come from workplace harassment, safety negligence, and more. That’s why educating them on people risk management is vital before, during, and after workplace safety incidents occur.
People risk management is necessary before something happens to your clients. If they don’t have a plan in place, it’s going to make your job a lot harder. They’re going to scramble when something goes wrong, and you’re going to have to work with them. Preparing clients with a risk management plan will help everyone in the long-term.
What is People Risk Management and Why Is It Important?
People risk management covers everything from employee relations to compliance with anti-discrimination laws to cybersecurity. It involves minimizing risks through proper procedures set by the leadership of the employer.
People risk management is essential for every company, but your clients may not be aware of all the threats that could affect them. They may not be prepared to manage a certain kind of risk, or they may not have a set procedure in place when a situation occurs.
Ensuring your clients have more than insurance gives you a competitive advantage over other brokers and provides clients with an additional layer of security and comfort. Clients will have reduced risk if they have procedures and a risk management plan in place.
As you begin to acquire clients, setting up client procedure checklists and processes can be a powerful part of your client acquisition and retention.
How to Prevent Workplace Violence
Employers have a duty to provide a safe workplace.
In 2017 alone, 18,400 injuries and illnesses caused employees to take days off for recovery, and 458 fatalities related to workplace violence occurred. One of the ways workplace violence can be reduced for your clients is through a workplace violence prevention policy integrated throughout their control systems and training. The goals of the policy should be:
- Reduce the chance of violence in the workplace
- Have a responsive procedure ready to go if any incident happens
Employee workplace policies should be a first line of defense against incidents. They set expectations for behavior, help employees identify possible safety issues, and establish a channel for reporting incidents.
You can be a big help here. If clients ask you what they should have in their workplace violence prevention policy, you can recommend the following:
- Clearly defined reporting and response procedures
- Security risk evaluations
From here, you can advise clients to inform employees of state/federal law requirements and risk factors in the workplace.
How to Prevent Sexual Harassment
Along with addressing workplace violence, companies should also have up-to-date sexual harassment policies. You can be a big help to your clients by providing them with a checklist of what should be included in a sexual harassment prevention policy.
The EEOC recommends that sexual harassment prevention policies and procedures include the following:
- An unequivocal statement that sexual harassment (or other harassment based on any protected characteristic) will not be tolerated.
- A clear, simple, and easy-to-understand description of what constitutes harassing behavior or conduct, including examples of the types of behaviors that are considered harassing.
- A description of the employer’s established reporting system, including all avenues for reporting (for example, reporting to a direct supervisor, to a department head, or to human resources) and who can report incidents of harassment (such as the victim and any employees who observe harassing behavior).
- A statement that allegations will be investigated promptly and thoroughly through an impartial process and that individuals involved in the investigation (victim, witnesses, and/or the target of the complaint), as well as information gathered during the investigation, will be kept confidential by the investigator(s) to the extent possible.
- Assurances that the employer will take immediate and proportionate corrective action if the investigation reveals sexual harassment has occurred.
- A statement that any individual who reports an incident of sexual harassment, either as a target or a witness, will be protected against retaliation from coworkers and supervisors or managers. If the individual does experience retaliation, the coworker, supervisor, or manager who retaliates will be disciplined appropriately.
- A statement that any employee who retaliates against any individual who submits a report or provides information regarding a report will be disciplined appropriately.
- A statement written in clear, simple words, in all languages commonly used by members of the workforce.
Make training a priority. Your clients’ employees need to know what they should do when an incident occurs, what their employer will do in response to a reported harassment, and what consequences may follow an investigation.
Assisting clients with their state training requirements eases their process significantly. While only six states (California, Connecticut, New York, Delaware, Illinois, and Maine) require harassment prevention training for supervisory personnel in non-governmental companies, other states mandate training for public sector employees and recommend harassment prevention training for all employers.
Encourage reporting. Incidents happen no matter what clients have set up. It’s essential to provide a safe channel through which individuals can easily report harassment issues. Ensure clients don’t simply assign anyone to manage this process; properly trained staff need to handle it so that reports are managed appropriately and victims of harassment feel comfortable coming forward.
Follow up on complaints immediately. A proper sexual harassment investigation process includes a timely, confidential investigation by an unbiased party with thorough documentation. Involvement should be limited to the individuals needed to conduct a thorough investigation and gather all the facts. Anyone reporting an incident also needs to be protected from retaliation so they feel safe coming forward. When clients have this set up properly, accounts are neither lost nor embellished, and incidents are reported more accurately.
Workplace Injury Record Maintenance
Along with setting up clients with strong safety policies comes ensuring they know what to do when workplace injuries occur.
When workplace injuries happen, make sure clients know how to follow OSHA reporting laws and to what extent they’re required to follow them. OSHA has three forms for illness/injury records:
- OSHA Form 300, “Log of Work-Related Injuries and Illnesses” (annual record of all injuries/illnesses);
- OSHA Form 300A, “Summary of Work-Related Injuries and Illnesses.” This report is an annual summary, and employers must post a copy of this summary in a conspicuous place where notices to employees are customarily posted each year from the start of February through April; and
- OSHA Form 301, “Injury and Illness Incident Report” (individual incident report of an employee’s injury or illness on the job).
These forms should be updated within seven calendar days of learning of a recordable incident and retained for five years after the end of the year in which the incident occurred. Form 300 or Form 301 should not be posted since these records have information relating to each specific injured or ill employee, and clients should protect the employee’s personal health information. The only form that must be posted for public inspection is Form 300A, which summarizes the incidents for the year.
Some industries are exempt from reporting and businesses of 10 or fewer employees may not need to file a report. More information on OSHA Forms 300, 300A, and 301 is available here.
Reporting to OSHA
Reporting any workplace injuries to OSHA can be confusing if clients don’t know what to report or how to report. Furthermore, their time and energy may be spent on reporting when they don’t need to report. When you work with clients, knowing the top safety violations in 2018 and 2017 can help you focus on what to look out for when you communicate workplace injury prevention with clients.
What to report to OSHA
All employers are required to notify OSHA when an employee is killed on the job or suffers a work-related hospitalization, amputation, or loss of an eye as follows:
- Employers must report work-related fatalities within eight hours.
- For any inpatient hospitalization, amputation, or eye loss, employers must report the incident within 24 hours.
Importantly, many employers are required to electronically submit their summary of injuries and illnesses to OSHA. Read more on the following websites about required electronic reporting:
- Information about electronic submission of injury and illness records
- Injury Tracking Application
- OSHA serious event online reporting website
However, employers do not have to report an event if it:
- Resulted from a motor vehicle accident on a public street or highway (except in a construction work zone).
- Occurred on a commercial or public transportation system such as an airplane or bus.
- Involved hospitalization for diagnostic testing or observation only.
Reporting requirements may be more stringent in states with OSHA-approved state plans, so tell your clients to check their state’s reporting rules in addition to the federal OSHA regulations to avoid citations and penalties.
How to report to OSHA
Your clients can easily report to OSHA by using our OSHA Injury and Illness Recordkeeping log. This product enables them to record and track injuries, illnesses, and “near miss” data to keep them in compliance.
A comprehensive data dashboard and reporting package are also included, along with search and an easy export function to create and download 300 and 300A forms.
How to Train Employees on Cybersecurity
Security incidents can cost companies millions, if not billions of dollars. If your clients ensure employees are properly trained on cybersecurity, it can save clients from paying in the future. Cybersecurity training should be made part of the initial orientation process. Employees should be trained on basic questions to ask themselves and there should be guidelines in employee policies.
Common Cybersecurity Threats
When employees are educated on some of the most common cyber threats, clients can be at much less risk. Here are some of the most common cybersecurity threats:
Phishing
These are emails designed to collect valuable information, such as login credentials, credit card information, SSNs, and other confidential data. Phishing emails appear to come from trustworthy sources like banks, credit card companies, shippers, and other sources with which potential victims have established relationships. More sophisticated phishing attempts use corporate logos and other identifiers to fool recipients into believing the emails are real.
Spear phishing
These are targeted phishing attacks typically focused on one company or affinity group (such as an industry organization). Usually, cybercriminals have studied the target and composed a message designed to have a high degree of believability and a potentially high open rate.
Consumer file sync and sharing tools
Productivity tools like Dropbox, Microsoft OneDrive, and Google Drive, which let users make files available on all desktop, laptop, and mobile platforms, generally are safe but can be targeted by sophisticated criminals as an entry point. For example, when an employee accesses corporate files on a home computer that doesn’t have current anti-virus software, the employee can inadvertently infect these files with malware. When files are synced back to the employee’s work computer, malware can infect the network because it may have bypassed corporate email, web gateway, and other defenses.
Watering hole attacks
In these social engineering attacks, cybercriminals identify websites they would like to infiltrate and that employees might visit on a regular basis. They infect these sites with malware.
Malvertising
Malicious Internet advertising (malvertising) is designed to distribute malware through advertising impressions on websites.
Inadvertent malware installation
Users sometimes inadvertently install malware or compromised code on their computers. This can occur if they install ActiveX controls, download a codec, install various applications intended to address some perceived need (such as a capability that IT does not support), or respond to scareware attempts that prey on users who are trying to protect their platforms from viruses and other malware.
Mobile malware
The growing use of smartphones and tablets is increasingly being exploited by cybercriminals. Most infections impact Android devices.
Compromised search engine queries
Common search queries can be hijacked by cybercriminals to distribute malware when employees perform web searches. This type of attack relies on populating results to display malware-laden sites during these searches. This is particularly effective for popular search terms, such as information on celebrities, airline crashes, natural disasters, and other “newsy” items.
Mobile copycat apps
Some mobile applications are distributed through vendor-based and third-party stores that offer varying levels of security. If the store lacks stringent standards, serious security risks like the distribution of fake apps and malware that can cause infections when downloaded can occur.
Botnets
These are the source of many successful hacking and phishing attacks against high-profile targets. A CenturyLink Threat Research Labs study for a 2018 threat report tracked an average of 195,000 threats per day from botnets that steal sensitive data and launch network attacks on businesses worldwide, impacting an average of 104 million unique targets ranging from large servers to handheld devices.
Ransomware
In this particularly malicious form of attack, a cybercriminal encrypts all files on a hard disk and then demands a ransom for access to a decryption key. Victims who choose not to pay the ransom quickly are left with permanently encrypted files. Cryptolocker, a common variant of ransomware, typically extorts a few hundred dollars per incident and normally is delivered through email with a PDF or .zip file disguised as a shipping invoice or some other business document.
With this form of cyberattack, cybercriminals use many techniques to breach corporate defenses.
Preventative Cybersecurity Employee Measures
Employees can be an organization’s biggest source of cyber risk. Stress to clients the importance of physically protecting devices (e.g., not leaving them unattended or in insecure areas, including locked cars). Present opportunities for clients to identify the types of malware employees may encounter and whom in the company employees should notify if they discover malware on their devices. Using slogans like “think before you click” can help clients communicate better decisions to their employees.
Easy training tips include the following:
- Be skeptical of any email, web page, or social media post that appears to be even remotely suspicious, makes an offer that is too good to be true, or contains strange information.
- Ask questions. Michael Osterman recommends asking these questions when viewing emails:
- Do you recognize the sender’s email address?
- Do you recognize anyone else copied on the email?
- Are others in the email seemingly from a random group of people or do their last names all begin with the same letter?
- Is the domain in the email address spelled correctly or is it simply close to the actual URL (e.g., bankofamerica.com vs. bankofarnerica.com)?
- Would you normally receive an email from this individual or organization?
- Does the subject line make sense?
- Is the email a “response” to an email you never sent (e.g., does it begin with “re:”)?
- Does the email contain an attachment that does not make sense in the context of the email or sender?
- Does the attachment end in “.exe,” “.zip,” or some other possibly dangerous attachment type?
- Did you receive an email at an unusual time, such as 3 a.m. on a Sunday?
- Is the sender asking you to keep the contents of this email or requests within it a secret?
- Does the email contain spelling or grammatical errors?
- Is there even a hint of extortion in the email, such as a request to look at compromising or embarrassing photos of you or someone else?
- Review quarantined messages carefully before bringing them out of quarantine. Most anti-spam solutions capture phishing emails correctly.
- Don’t click on a link in an email or open an attachment until you are certain it is valid.
- Never use USB flash drives from unknown sources.
- Set strong passwords. Change passwords regularly.
- Use password protection on every electronic and mobile device.
- Intentionally use wrong information for security questions.
- Keep security software up to date on personal devices.
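Several of the questions in the checklist above can be turned into mechanical checks that a mail gateway or help desk can run before a human ever looks at the message. The following is an added example written for this page, not code from the original article or from ThinkHR or Osterman Research: it scores a message against five of the listed questions (a look-alike sender domain such as bankofarnerica.com, a “RE:” subject with no message of ours referenced, a dangerous attachment type, an unusual delivery time, and a request for secrecy or a hint of extortion). The allowlist of known domains, the confusable-character table, the score weights and the two sample messages are all constructed assumptions for illustration.

```python
"""Heuristic phishing triage against the checklist questions (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Assumed allowlist of domains the organisation actually corresponds with.
KNOWN_DOMAINS = {"bankofamerica.com", "example-corp.com"}

# Character sequences that read as another character in common fonts
# (constructed subset; real confusable tables are much larger).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

RISKY_EXTENSIONS = (".exe", ".zip", ".scr", ".js", ".vbs", ".hta", ".iso")
SECRECY_PHRASES = ("keep this between us", "do not tell anyone", "keep this confidential")
EXTORTION_PHRASES = ("compromising photos", "embarrassing photos", "i have recorded you")


@dataclass
class Email:
    sender: str                        # e.g. "alerts@bankofarnerica.com"
    subject: str
    body: str
    received: datetime
    attachments: list = field(default_factory=list)
    in_reply_to: Optional[str] = None  # Message-ID of a message we actually sent, if any


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_confusables(domain: str) -> str:
    """Collapse look-alike sequences so 'bankofarnerica' compares equal to 'bankofamerica'."""
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known domain that `domain` impersonates, or None when it is a
    known domain (or a subdomain of one) or simply an unrelated domain."""
    d = domain.lower()
    for known in KNOWN_DOMAINS:
        if d == known or d.endswith("." + known):
            return None
    for known in KNOWN_DOMAINS:
        if normalize_confusables(d) == normalize_confusables(known):
            return known
        if edit_distance(d, known) <= 1:
            return known
    return None


def triage(msg: Email):
    """Score one message against the checklist; return (score, reasons, verdict)."""
    score, reasons = 0, []
    sender_domain = msg.sender.rsplit("@", 1)[-1]

    target = lookalike_of(sender_domain)
    if target:
        score += 3
        reasons.append(f"sender domain {sender_domain} looks like {target}")

    # A "reply" to a message we never sent.
    if re.match(r"^\s*(re|fw|fwd)\s*:", msg.subject, re.I) and msg.in_reply_to is None:
        score += 2
        reasons.append("claims to be a reply but no message of ours is referenced")

    # Catches double extensions such as invoice.pdf.exe as well.
    for name in msg.attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            score += 2
            reasons.append(f"risky attachment type: {name}")

    if msg.received.hour < 6 or msg.received.weekday() >= 5:
        score += 1
        reasons.append(f"unusual delivery time: {msg.received:%a %H:%M}")

    text = msg.body.lower()
    if any(p in text for p in SECRECY_PHRASES):
        score += 2
        reasons.append("asks the recipient to keep the message secret")
    if any(p in text for p in EXTORTION_PHRASES):
        score += 2
        reasons.append("hint of extortion")

    verdict = "quarantine" if score >= 4 else "review" if score >= 2 else "deliver"
    return score, reasons, verdict


# Constructed sample messages (not real traffic).
PHISH = Email(
    sender="alerts@bankofarnerica.com",
    subject="RE: Unpaid invoice",
    body="Please keep this between us and open the attached invoice.",
    received=datetime(2020, 1, 5, 3, 12),   # a Sunday at 03:12
    attachments=["invoice.pdf.exe"],
)
LEGIT = Email(
    sender="pat@example-corp.com",
    subject="Q1 planning notes",
    body="Notes from this morning's meeting are attached.",
    received=datetime(2020, 1, 7, 10, 30),  # a Tuesday at 10:30
    attachments=["notes.pdf"],
)

if __name__ == "__main__":
    for m in (PHISH, LEGIT):
        s, r, v = triage(m)
        print(f"{m.sender}: score={s} verdict={v}")
        for line in r:
            print("   -", line)
```

The weights are deliberately simple: a look-alike domain alone is enough to send a message for review, and a look-alike domain plus any second signal quarantines it. Spelling errors and the “do you recognize the sender” questions are left to the human reader, since they depend on context a gateway does not have.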
For mobile devices:
- Disable auto-fill of usernames and passwords. This reduces the risk of personal data being accessed if the device is lost or stolen.
- Know how to wipe your data if your device is lost or stolen.
- Be careful when using public Wi-Fi networks, especially with insecure networks that do not require a password.
- Use safe stores for downloading mobile applications.
For social media:
- Don’t overshare personal information on social media.
- Turn off location services.
- Be careful about clicking, liking, or sharing links.
How to Write a Risk Management Plan
Creating a risk management plan can be overwhelming for clients. Fortunately, there are four questions clients can ask themselves at each stage of the process:
- When and how does this impact me? If it’s a law or regulation, when does it go into effect? Is it an ongoing issue or something that can be addressed and then set aside with lower priority? What are the potential threats presented by the risk and how severe are they?
- What’s the best course of action? Is the solution going to be a simple change to operations or a more complicated approach? Where do changes need to be implemented — in handbook policy updates, procedural documentation, or new training programs?
- How do I communicate this to others? Who needs to know what, and how much information should be given across the scalar chain? What information is confidential? What information is only relevant to a handful of people (such as when an OSHA report is due) and what information is relevant to everyone (such as who needs sexual harassment training in your state)?
- What changes need to happen to get management to buy in? Making a change may be easy. However, people may be resistant to these changes. If the change is accepted, then the implementation will be smooth and the risks will be lower. If there is resistance, clients will have a much more abrasive time implementing these changes.
Looking for an all-encompassing solution to help your clients? ThinkHR is your partner to guide you and your clients through every step of people risk management. Find out how ThinkHR’s suite of content, technology, and people solutions can help your clients anticipate, reduce, and mitigate risks: watch our video or check out our People Risk Management solution.
Help your clients mitigate people-centric risks and see how we integrate into your process!