Managing risks caused by employee behaviour

Corporations carrying on business are exposed to two broad types of risk arising from the conduct of employees:

• Actions by employees intended to benefit them personally at the expense of the corporation.
• Actions by employees which under the prevailing legal principles result in the employer being liable for the consequences of those actions.

The first type of conduct covers actions by a bad or rogue employee - fraud or embezzlement, through to misuse of confidential information and illegitimate competitive activities.  

The traditional method for addressing the risks posed by such conduct involves the following:

• Establishing mandatory norms of conduct in a written contract or similar document.  For example, a “confidential information” clause in the contract or a written “Code of Conduct” to which the contract of employment refers.
• Carrying out periodic monitoring activities.
• Taking legal action against the employee in response to contraventions.

The method exists largely to enable recourse against the bad or rogue employee after the impugned conduct has occurred.

The second kind of conduct does not necessarily spring from bad motives on the part of employees.  What we are talking about here are actions that might be said to amount to sexual harassment, bullying, discrimination or the creation of safety risks which expose the employer to liability under statute.  So, for example, conduct by one employee against another that answers the legal definition of sexual harassment will be sheeted home to the employer under the Federal Sex Discrimination Act if the conduct is connected with work and if the employer cannot show that it took all reasonable steps to prevent the conduct.  By way of further example, the inadvertent actions of an employee can give rise to risks to health and safety which result in the employer being in breach of the primary duty under WHS legislation.

Because the risks posed by the second type of employee conduct are more diverse and not tied to any notion of motive/intention on the part of the employee, the risk management strategies that must be adopted by employers in this area need to have the following characteristics:

• The employer needs to think in an anticipatory or proactive way about the risks that can arise.
• The risks so identified need to be assessed in terms of probability and gravity.
• Measures must be devised to abate the risks.
• Employees need to be trained in or inculcated with the right way to do the job.
• The risk abatement measures, and employees’ compliance with them, need to be regularly monitored and verified.

It is readily apparent that those characteristics are not focussed on punishing behaviour after the event, but on creating a way of doing things at the workplace (a “culture”, as it were) that stops the risk from materialising into a problematic event.

This raises the question of whether a pro-active and broad-based risk management system ought to be applied in relation to the potential risks of  intentional conduct by “bad” or “rogue” employees as an adjunct to the traditional “punish after the event” approach.

This idea is at the centre of our recent Risk Ready workshops.  Stay tuned for further articles in which we explore the issues raised in those workshops.