For most organisations a risk register exists to make sure everyone knows what could impact the organisation and how to mitigate those risks. One risk that is often neglected is insider risk.
An Insider is any person who has, or previously had, authorised access to or knowledge of the organisation’s resources, including people, processes, information, technology, and facilities.
An Insider event is an activity conducted by an Insider (whether intentional or unintentional) that could result in, or has resulted in, harm or loss to the organisation.
This means that the risk is coming from a lack of intention or strategy around your employee experience. We know that for every six promoters of your organisation there is an average of one detractor. This means that for every six ambassadors you have employed, there is one doing what they can to tear your brand apart.
So when we talk about insider risk, we have to talk about how employee experience can help you manage it.
The latest guidance from the National Protective Security Authority (NPSA) around insider risk and insider events outlines five main types of insider events:
1. Unauthorised disclosure of sensitive information
2. Process corruption (most likely fraud)
3. Aiding third-party access to an organisation’s assets
4. Sabotage (physical, electronic, or IT sabotage)
5. Physical threat (violence)
An insider event is distinct from whistleblowing, which is a legitimate means of raising a public interest concern and is protected by law. Whistleblowing should follow an internal whistleblowing process.
What can you do to focus on your employee experience when it comes to insider risk?
- One of the biggest risk areas is former employees. The separation part of the employee lifecycle is so often forgotten or not given the importance it needs, so make sure you’re investing in the experience for employees at every stage
- Creating a culture of psychological safety as a way to prevent insider risk isn’t a quick win. This needs intentional work and focus on behaviours, communication, culture, and leadership
- Expectation alignment between the employee and the organisation is one of the biggest areas for relationships to break down. If the act is intentional, it will be linked to breaks in the psychological contract between the employee and the organisation. This is why focussing on the employee experience is important
- Check the security, processes, and ways of working if you’re operating in a hybrid way after the pandemic. Some of the risk will be here due to ease of access to information
- Align your values and behaviours as an organisation and make sure there is accountability when necessary
- Ultimately everyone needs to understand the risk, how to mitigate it, and understand their role in prevention
I’ll always advocate for getting to the root cause of any cultural or communication challenges inside organisations. Spending time to discuss what each stage of the employee lifecycle really means for your organisation and employees, how that impacts the employee experience, and what the communication and culture should be as a result, will all help you reduce those detractors inside the organisation.
Additional resources
Below are some further links to learn more about the risk of ignoring the employee experience:
What are the stages of the employee lifecycle: https://redefiningcomms.com/what-are-the-stages-of-the-employee-lifecycle/
UK Government Body issues insider risk guidance for communicators: https://www.provokemedia.com/latest/article/uk-government-body-issues-insider-risk-guidance-for-communicators