Ron W. Hagan
President and COO

New Opportunities for HR Leaders

Developing the culture of risk awareness in a business enterprise falls at the feet of leaders in human resources, human capital management, and talent management.

The culture of an enterprise reveals its tolerance for risk. The expected behaviors of its fiduciaries, which include the board of directors, finance executives, and human resources leaders, define its risk-management tactics as well.

 
Human resources leaders have the opportunity to influence excellence on a broad scale within their organizations by developing and sustaining a culture of risk awareness. But new skills and standardized methods are needed to drive change.

New Skill Sets are Needed

Several government agencies have acknowledged the need to upgrade cybersecurity-related skills among human resources professionals within the $9.3 trillion retirement plan community. One of those agencies is the U.S. Department of Labor (“DOL”). Its principles for securing the personal information of retirement plan participants appeared in a three-part guidance announcement in April 2021.

That guidance, issued by the Employee Benefits Security Administration (“EBSA”), the DOL’s enforcement arm, focuses on the vital priority of standards and methods at the retirement and pension plan fiduciary level. Without investing the time to determine how well a retirement plan’s fiduciary management methods align with the enterprise’s risk culture, implementing a cybersecurity program will produce little benefit.

A discussion about cybersecurity naturally invokes the assumption that information technology (“IT”) is where the solutions exist. However, the FBI’s Cyber Division found that cybersecurity is more a business process issue than a technology challenge. Under fiduciary rules, human resources managers are at the epicenter of business process management for retirement and pension plans. To excel in that role within the complex risk environment they face, they need advanced skills in 1) vendor management, 2) internal control, and 3) employee communication.

Standards Drive Performance

In order to measure the effectiveness of a risk culture with meaningful results, a standardized workflow framework is essential. Standards established should be based on what is best for the enterprise’s human capital, which will drive fiduciary performance.

Admittedly, developing risk standards is easier said than done. There are significant and real pressures in the market that work against strong information security standards. For example, the work-from-home environment brought on by the COVID-19 pandemic introduced an acute need for access standards on laptops and mobile devices that were previously outside the purview of human resources.

Where standards are lacking, the safety and confidentiality of employees’ data suffer. Practice standards have emerged. An industry task force developed and maintains a compliance framework that addresses all three categories of the EBSA’s guidance. Inquire about participation in the Employee Benefit Plan Cybersecurity Working Group.

Because ERISA regulates benefit plans, anyone who interacts with the plan should be particularly aware of breaches’ impact on participants and beneficiaries and the associated rights and duties of plan fiduciaries arising under ERISA.

Upgrade your cybersecurity capabilities with these three steps…
 

Obtain Training

If you’ve not yet had formal training in cybersecurity, the Society for Human Resource Management (“SHRM”) offers an excellent program.

Adopt a Retirement Plan Specific Cybersecurity Policy

Regardless of a plan’s size or complexity, the need for a cybersecurity policy statement (“CPS”) has escalated to the same level of importance as an investment policy statement. If your plan currently lacks a CPS, don’t delay in adding one to the policies on which you rely to demonstrate that your plan is being managed prudently.

Commission a Cybersecurity Risk Assessment

Initiate an examination of your plan’s current cybersecurity exposures, resourced either internally or by a qualified third-party expert. A legally defensible risk assessment will adhere to 18 discovery tasks. Scored on a scale of 1 to 100, an assessment offers a way to ensure continued improvement. Ask Roland|Criss for a list.
