Research insight
Managing reward risks An integrated approach
Acknowledgements
This report has been developed following a review
of existing research and advice in this area, alongside
workshops and interviews with risk managers, reward
managers, consultants and academics from the
following organisations:
ARUP
British Bankers Association
BT
Cabinet Office
Commerzbank
Cranfield School of Management
Financial Services Authority
First Group
Guardian Media Group
ING Direct
Mercer
MBDA
MM & K Independent Remuneration Solutions
Moog
Old Mutual
Promontory Consulting
PZ Cussons
Sainsbury’s
Standard Chartered
Towers Perrin
Towry Law
UBS
Wilts Wholesale Electrical Co.
We would like to thank all of the individuals and
organisations that contributed to the research.
Managing reward risks: an integrated approach 1
Contents
Foreword 3
Executive summary 4
Introduction and background 5
Reward risk framework 9
Current reward risk concerns and our state of readiness 18
Risk management process 22
Effective risk management – what does it take? 29
Conclusion 30
References and further reading 31
Appendix – Outline reward risk mapping tool 32
Managing reward risks: an integrated approach 3
Foreword
The risk of reward encouraging inappropriate
behaviours among employees has been extensively
covered by both the UK and international media. Some
commentators have been calling for bonus awards to
be capped, while others are predicting the demise of
performance-related pay and the bonus culture.
However, as our report shows, most senior reward
professionals that we have interviewed and surveyed
do not rate this risk as the one that keeps them up
at night. They are far more concerned about the
reward management risks around implementation and
change management. In these uncertain times, when
agility and sustainability are key, reward professionals
are worried that the inability to change their reward
approach is holding them back and pulling them down.
As this report makes clear, risk management is not a
barrier to risk-taking. Rather, risk-taking is at the heart
of all organisational activity and is crucial if employers
are going to successfully seize the opportunities
afforded to them by a changing business environment.
This Research Insight is aimed at senior HR and reward
professionals who want to help their organisations grasp
the opportunities arising from change, yet do so in a
way that the risk that arises from change is managed
or mitigated. It creates a framework for practitioners to
identify and review the main reward risks faced by their
organisation as well as providing some tools to assist
them in managing and mitigating them.
Yet to be able to contribute effectively to managing
the risks that arise from how their organisation
rewards and recognises employees, they also need
to understand the business and its drivers. That way,
when they have to challenge a management decision
that they believe will bring an unacceptable level
of risk into the organisation, they are able to do so
with credibility, rather than reinforcing the case of HR
saying ‘no’ again.
This report is the first step in the CIPD’s journey on this
issue, so please let us have your views on the ideas
generated in this report and areas where further work
on examining risk in relation to reward and potentially
wider HR activities could be directed.
We hope that you find our report useful and
informative.
Charles Cotton
CIPD Adviser, Performance and Reward
Jonathan Chapman
Foundation for Management Education Fellow,
Cranfield School of Management
4 Managing reward risks: an integrated approach
Executive summary
In April 2006, a CIPD Change Agenda report, Risk and
Performance, made the case for all HR professionals
to get involved in risk management, encompassing
both how HR policies are actually working in practice
and, significantly, how employees respond to these
policies. The 2006 report called for the development
of checklists and toolkits to explicitly help HR
professionals identify and manage risk. This report
aims to meet this call through providing this support
for reward professionals.
While the research has been provoked by, and has
drawn on learning from, recent events in the financial
sector and the additional focus this has provided on
reward risk management, it is wider in remit than
financial services and the behavioural reward risks that
have been identified in that sector. It aims to capture
a broader range of reward-related risks and risk
management practices that are felt to be important
for all reward professionals.
This research shows that significant work is under way by
organisations, often led by their reward teams, to manage
risks arising from how they reward their employees.
However, what has emerged is that this work needs to
be carried out more proactively and systematically to
ensure that it is fully effective and the organisation does
not slip on a reward banana skin. Five recommendations
are made to assist organisations in adopting a more
systematic approach to reward risk management.
1 Establish effective reward risk intelligence-
gathering systems
Systematic reward risk management requires effective
intelligence-gathering on potential risks arising from
both outside (externally generated risks) and inside
(internally generated risks) your organisation. Use the risk
intelligence map presented in this report as a guide to
potential sources of intelligence for your ongoing reward
risk management process (see page 9).
2 Proactively review your reward strategy and
systems for risk
The research identifies seven risk groups that relate
specifically to reward strategy design, implementation
and impact. These are: strategic, behavioural, financial,
legal and ethical, operational, implementation, and
change and governance risks. Use the ‘Reward Risk
Framework’ developed as part of this research (page
9 and Appendix) to review your reward strategy for
these risks.
3 Use established risk management tools to
assess and manage identified reward risks
Apply risk management tools and processes – impact/
probability matrices (page 26) and risk map (page 28) – to
help you assess and manage the reward risks you identify.
4 Manage risk consistent with your reward risk
appetite
Reward risk management is not about eliminating
all risk in your business; it is about managing risk
against, ideally, predefined tolerances as to what risk
is acceptable to your business. Work with business
management to define your reward risk appetite and
manage reward risks accordingly (page 26).
5 Build your risk management capability and
build a permanent risk management culture
You cannot anticipate every risk to your organisation’s
reward strategy. You need to develop your overall
agility and resilience to manage reward risks should
they emerge. Reward risk management is not a one-off
or annual exercise but an ongoing process embedded
in all reward management work. This requires a
range of knowledge, skills and competencies. These
have been profiled in this report against the CIPD HR
Profession Map (page 29). Use these competencies as a
base to assess your ongoing capability in this area and
build plans to develop your reward team to improve its
all-round risk management capability.
Managing reward risks: an integrated approach 5
What is covered in this report?
This report examines four areas. First, it introduces
seven key reward risk groupings in a reward risk
framework and uses this framework to review the
main risks that are seen to be most relevant today to
reward management professionals. Next, it discusses
the results of a CIPD survey that gathered views from
reward professionals about the main reward risks
they see ahead and how ready they believe their
organisation is to handle these risks. It then provides
some risk management tools to assist organisations in
reviewing their reward-related risks. Finally, it looks at
the skills, competencies and behaviours required by HR
professionals in this area.
The report identifies five recommendations for
reward practitioners to consider and provides some
practical ideas on how they might address these
recommendations in their day-to-day work. These
recommendations are intended to act as a catalyst
to the reward profession becoming more risk-aware
and, through this, begin a debate across the reward
community about the best way to identify, assess and
manage risks arising from how we reward employees
at all levels.
Who should read this report?
We expect that HR directors, reward directors,
managers and analysts as well as HR generalists
will be most interested in this report as they will
be closely involved in managing reward risk and
influencing others to identify and manage these
risks in their organisations. It will also be of interest
to other individuals who are involved in the risk
management process in organisations, for example
risk management, corporate recovery, compliance
and audit professionals. If you are a member of an
organisation’s remuneration committee you may also
be interested in the findings in order to use them to
challenge the HR and reward directors on whether
they are leading the organisation in effectively
managing the risks in their reward work.
In addition, the report will be of interest to public
policy-makers who are currently reviewing the role
that regulation should have in managing remuneration
risk. We also hope the report will provide material
for those supporting, training and educating HR and
reward professionals through academic, consultancy
and training work.
Introduction and background
6 Managing reward risks: an integrated approach
Financial crisis and remuneration
In the summer of 2007, the world of financial service provision, both in the wholesale and retail
markets, changed dramatically. A sustained period of economic growth and bank lending came to
a sharp halt as financial institutions reassessed their perception of risk and, as a result, liquidity in
both the wholesale (business to business) and retail (business to consumer) markets contracted. This
contraction of liquidity came to be known as the ‘credit crunch’.
These events had a significant effect on a number of financial institutions that were reliant for their
ongoing business on funding from the wholesale market. In the UK the first casualty of this was
Northern Rock, which was taken into public ownership in September 2007 as it ceased to be able to
meet its liabilities due to the lack of access to wholesale funding. Intervention, by the regulatory and
public authorities in the form of central banks and government, continued throughout 2007 and 2008.
Central banks across the world provided billions of dollars of liquidity to the financial system and capital
injections through part-nationalisation of sections of the financial services industry, with the aim of
freeing up inter-bank lending to prevent further potentially systemic problems.
These events led to critical attention regarding the contribution that remuneration structures had
made to these problems. For example, Alastair Darling in his speech to the Labour Party Conference in
September 2008 stated that:
‘We need to look as well at the culture of huge bonuses which have distorted the way decisions are
made. It’s essential that bonuses don’t result in people being encouraged to take on more and more
risk without understanding the damage that might be done, not just to their bank, but to the rest
of us in the wider economy…Bonuses should encourage good long-term decisions, not short-term
reckless ones.’
The focus on remuneration practices led to industry, regulatory and government bodies across the globe
commenting on whether remuneration structures within the financial service industry were to blame for
the crises. While press coverage has been critical of remuneration structures and the role they played,
‘official’ reports have generally presented a more measured view:
‘Excessive risk taking in the financial services industry…has contributed to the failure of financial
undertakings…Whilst not the main cause of the financial crises that unfolded…there is widespread
consensus that inappropriate remuneration practices…also induced excessive risk taking.’
(European Commission 2009)
‘There is a strong prima facie case that inappropriate incentive structures played a role in
encouraging behaviour that contributed to the financial crisis. It is very difficult, however, to gauge
precisely how important that contribution was.’ (Turner Review 2009)
Managing reward risks: an integrated approach 7
What is reward risk management and why does
it matter?
Large numbers of risk management approaches
have been developed and published (for example
BS31100_2008, AUS/NZ 4360_2004, Office of
Governance and Commerce Management of Risks
(OGC M_O_R), PRAM Guide, IEC 62198) to provide
definitions and practical tools for managing risk. The
Institute of Risk Management, Association of Insurance
and Risk Managers and the National Forum for Risk
Management in the public sector published a joint
standard for risk management, which defined the
following terms:
• risk – combination of the probability of an event
and its consequences
• risk management – co-ordinated activities to direct
and control an organisation with regard to risk.
However, risk management, as defined above, can
often be misunderstood. Good risk management is
not a barrier to risk-taking activity. Risk-taking is at
the heart of all organisational activity and crucial if
organisations are to innovate and develop. The failure
to take opportunities that arise from change is a
huge risk in itself. Risk management is as much about
this as it is about avoiding problems. Effective risk
management ensures that this risk-taking is carried out
as a conscious activity. Judgements need to be made
about the appropriateness of the risk-taking in line
with organisational objectives at that time.
Within this context, three separate phases to effective
reward risk management are proposed:
• Risk identification – what reward risk is your
organisation exposed to? We present a reward
risk framework on page 9 and guidance on
identification of the relevant risks for your
organisation to help you do this on page 22.
• Risk assessment – to what extent are the reward
risks identified likely to have a material impact on
your organisation? Impact and probability analysis
and risk-logging can help you do this; this is
discussed on page 26.
• Risk mitigation – what action do you need
to take to manage the reward risks to a level
that is considered appropriate or, using the risk
management jargon, in line with your risk appetite?
Suggestions of potential risk mitigation strategies
against specific risks are made throughout the report.
The main benefit of effective reward risk management
activity is, in the words of one research participant:
‘the reduction in uncertainty of outcome to reduce the
likelihood of nasty surprises’.
In the current social and political climate, the
reputation damage that perceived inappropriate
reward activities can have on an organisation is
potentially significant. The risk that reward practices
are seen in an unfavourable light by organisational
stakeholders such as employees, customers, media,
regulators and politicians is a significant issue for
organisations not only operating in the banking sector,
which is in the public limelight at present, but wider
as the focus on reward practices in all sectors remains
acute. Failure to identify a reward risk and then to
manage it can lead to damage to an organisation’s
brand, loss of customers and a reduced ability to
attract and retain employees.
8 Managing reward risks: an integrated approach
Financial Services Authority regulation of remuneration structures
The financial crisis and the resulting analysis of what happened has led the Financial Services Authority
(FSA), the independent body that regulates the financial services industry in the UK, to set out a large
number of changes it intends to make in how it regulates the financial services industry in the future.
Among these changes are amendments to the way in which it views risk arising from remuneration
structures. The FSA has introduced a new regulatory rule to apply to larger banks and building societies,
namely that ‘a firm must establish, implement and maintain remuneration policies, procedures and
practices that are consistent with and promote effective risk management.’ This rule is supported by a
range of evidential provisions that were set out in a code of remuneration practice. Six key principles
emerge from the code:
1 Remuneration policies should be consistent with effective risk management.
2 Remuneration should reflect not only financial results but compliance with risk management policies
and alignment with an appropriate culture.
3 Financial measures of performance should be adjusted to reflect the relative riskiness of assets.
4 Governance structures (for example remuneration committees) should consider the implications of
remuneration for risk and risk management.
5 Significant bonuses should have a predominant amount deferred.
6 Deferred bonuses should be linked to financial performance during deferral period.
Source: Code of renumeration practice (FSA 2009)
At present, the new FSA rule applies only to major UK banks. However, it appears to be having a wider
influence across other financial services organisations and potentially to other industries. The FSA is still
considering whether to more formally extend the rule’s application to other financial services sectors.
Managing reward risks: an integrated approach 9
What is reward risk management and what risks does
it imply need managing?
The workshops and interviews carried out identified 39
risks that were felt to apply to organisations’ reward
strategy, systems and practices. The workshops and
interviews then helped to cluster these risks into seven
reward risk groups, shown in Figure 1.
Reward risk framework
Figure 1: Seven reward risk groups
Strategic
RewardRisk
Groups
BehaviouralGovernance
Financial
Legal and ethical Operational
Implementation and change
management
10 Managing reward risks: an integrated approach
These reward risk groups require reward professionals’
attention to identify, assess and manage these risks
within their organisations. The risks identified are
intended to illustrate a potential universe of reward-
related risks, but should not be considered exhaustive
or treated as a checklist. Each organisation will have a
different risk profile and consequently require different
reward risk management strategies. Each risk group is
defined in Table 1.
Each of these seven risk groups is now discussed to
identify key issues that reward managers need to
consider in managing each group. We focus on those
that have arisen in the research interviews. The full risk
map is provided in the Appendix to this report to assist
you in your reward risk identification, assessment and
mitigation work.
Strategic reward risks
A number of risks were identified that are felt to
be particularly significant for ensuring that the
organisation could attract and retain the employees it
needs to be successful, as shown in Table 2 below.
Table 1: Reward risk group definitions
Strategic risk The risk arising from the misalignment of reward strategy to the organisation’s goals. This risk can lead to the inability to attract and retain the employees needed for success.
Behavioural risk The risk arising from the misalignment of reward strategy to the required employee behaviours. This risk can lead to rewarding inappropriate or unproductive organisational activity and behaviour.
Financial risk The risk arising from inadequate reward cost management. This risk can lead to poor value for money and, where relevant, lower profitability or even loss.
Operational risk The risk arising from the poor execution or failure of reward systems and reward processes. This risk can lead to inefficiency or inaccuracy of the systems or fraud in their operation.
Implementation and change management risk
The risk arising from poor implementation or change to the reward strategy or processes. This risk can mean that the reward strategy is managed ineffectively and therefore does not have the required impact.
Legal and ethical risk The risk arising from non-compliance with organisational and societal values and legal and regulatory reward requirements. This risk can lead to employee claims or regulatory action, which can have financial and reputation effects on the organisation.
Governance risk The risk arising from inadequate oversight and challenge to organisational reward strategy. This risk can lead to inappropriate reward policies being pursued.
Table 2: Strategic risks
Attraction and retention of key talent
The risk that reward is structured (level, structure and mix) in such a way that the organisation is unable to attract or retain the talent it needs to be successful.
Misaligned reward and business strategy
The risk that reward strategy is not aligned to organisational goals.
Misaligned reward and organisational structure
The risk that reward structure and technical design (that is, market pricing, job evaluation, and so on) are not in line with organisational structure.
Misalignment with other HR activities
The risk that the reward strategy is not aligned, or even conflicting, with other HR activities, diminishing the effectiveness of the whole HR strategy.
Reputation/brand The risk that the organisation’s reputation is adversely influenced by poor publicity resulting from adverse press coverage of reward systems.
Managing reward risks: an integrated approach 11
Fundamental to any HR strategy that is aligned with
the organisational business strategy is the attraction
and retention of employees that are needed to make
the organisation a success. This is both a matter of
the appropriate numbers of employees but also the
right skills and knowledge to deliver business priorities.
Management of this attraction and retention risk is
at the heart of remuneration design alongside wider
efforts to establish an effective employer brand. The
examination of key HR metrics is felt to be significant
in ensuring that reward levels are appropriate (neither
too high nor too low). In addition, it is suggested
that a critical approach is needed to benchmark
data, which, although helpful in guiding reward-level
decisions, should not be the only determinant of
reward strategy given the wider ‘total reward’ offered
in the organisation and the influence this can have
on managing attraction and retention risks. Aligning
reward strategy with other HR activities is seen as
essential in correctly positioning the reward package.
In larger organisations the risk of misalignment with
business strategy is felt to be significantly higher. One
size does not necessarily fit all and management of this
risk may require different variants of the overall reward
strategy to be executed in different business units. This is
particularly true when organisations are operating on an
international basis where, not only strategic considerations
may vary across countries and regions, but also local
cultures and legal requirements may differ.
The recent media interest in reward structures, not
just in financial services but also across other sectors
particularly at executive level, is raised as requiring
increased attention from reward professionals.
Consideration of how reward packages, especially at
board level, are likely to be interpreted by the media
should details leak out before it is officially made
public is required as an input to the reward decisions
and to develop robust media management plans to
handle the event should it occur.
Behavioural reward risks
Table 3 shows the behavioural risks that were raised
during the research.
An effective reward strategy is likely to be targeted
at influencing employee behaviour and activity
towards business goals. Key to this success is ensuring
that the behaviours encouraged are the right ones
for organisational success. Numerous examples of
remuneration structures not being appropriately aligned
to the required behaviours were raised through the
research, for example: sales performance bonuses based
solely on immediate sales, leading to poor post-sale
management and poor customer satisfaction and future
customer retention; or bonuses paid with regard to
production volumes with no quality adjustment, leading
to high failure rates in final production.
Management of these risks requires managing the
balance in performance measures used in reward
decisions including, where relevant, risk-adjusting these
measures to reflect the true value added by the team or
individual. Employee reward should be determined with
reference to clear performance criteria, which should
Table 3: Behavioural risks
Engagement The risk that the reward strategy does not engage employees.
Fairness internally of reward
The risk that reward is not seen as ‘fair’ between employees, leading to reduced engagement.
Incentives not motivating
The risk that incentive structures do not motivate employees to higher levels of performance or desired behaviours.
Incentivising inappropriate behaviour
The risk that incentives lead to inappropriate employee behaviour, such as product mis-selling or excessive risk-taking.
Innovation stifled by reward
The risk that reward structures discourage innovative behaviour.
12 Managing reward risks: an integrated approach
include qualitative non-financial criteria appropriate for
the business. Successful organisations require more than
just financial success. Issues of longer-term sustainability
of the business also revolve around areas such as
customer satisfaction and retention, referrals, quality and
appropriate risk-taking. A typical approach for managing
performance on a more holistic basis is a balanced
scorecard approach (see box).
The interviews identified a view that for non-financial
elements to be influential, they have to have a
material effect on the overall size of the reward, either
through bonus pool or merit rise determination, to
encourage the behaviours required.
While organisations often claim to be using a
balanced scorecard approach to employee reward
determination, it is felt that, certainly for revenue-
generating staff and therefore those exposing the
organisation to most business risk, the reality is that
revenue or profit generated is the dominant method
by which reward, largely through bonus pools, is
calculated. Both of these approaches present potential
drawbacks that require managing. Revenue, while easy
to calculate and often a readily available metric, takes
no account of costs raised in generating the business.
Profit numbers are seen as one way to manage this
but it is recognised that these can often be difficult to
calculate at individual or even, at times, team level. In
addition, both revenue and profit numbers fail to take
into account the riskiness of the business undertaken
in calculating incentive or bonus payments. However,
events in the financial services sector have significantly
raised the awareness of the need to consider the
effect on business risk-taking in incentive and bonus
plan design, not just in financial services but also
other industries. While this can be done through
mathematical calculations – and increasingly is done
this way in the trading businesses of financial services
organisations – this is not essential. Discussions of
leverage in bonus schemes at the design and review
phase are significant in ensuring that thought is given
to the risk-taking effects bonus targets may have and
whether these effects are considered acceptable.
The balanced scorecard
Developed by Kaplan and Norton (1996), the balanced scorecard uses both financial and non-financial
metrics that are considered important to company success to assess organisational, business, team and
even individual performance. Typically, this revolves around measures on four dimensions:
• Financial perspective – how are we performing with respect to revenue, costs, profit and return on
equity?
• Customer perspective – how do we appear to our customers?
• Learning and growth perspective – are we developing our employees such that they can increase
their contribution to the organisation’s goals?
• Internal process perspective – how successful are we in establishing and operating our key
business processes?
While the original model proposed by Kaplan and Norton does not explicitly identify risk management as a dimension, risk factors have increasingly been incorporated into organisational scorecards.
Managing reward risks: an integrated approach 13
Financial reward risks
A range of financial risks are inherent in all reward
systems. Employee reward is often a significant
proportion of total cost and therefore effective
management of this cost is essential if the organisation
is to be successful, either with regard to overall
profitability or for public sector organisations with
regard to achieving value for money in its spending.
The main risks identified in this group and discussed in
the interviews are shown in Table 4 below.
A range of suggestions has been made around the
management of a number of these financial risks.
A regular review of the cost of providing employee
benefits through competitive tendering and market
benchmarking is identified as an important way to
ensure that the organisation receives value for money.
The opportunity to negotiate better deals with benefit
suppliers given current market conditions is suggested
as one further way of potentially bringing costs down.
Alternatively, employers could consider self-insuring
some benefits, although this in turn does introduce
a potential larger risk should claims be higher than
would have been payable through standard insurance.
Self-insurance should be considered only where the
organisation has the understanding of the risks and
the scale and financial resources to manage the risk of
a large payout should it materialise.
Unsurprisingly, concerns have been raised about the
rising costs of pension and healthcare benefits. While
clearly at the forefront for reward professionals, it
is important that active management of these risks
remains a priority. Potential strategies to manage these
cost risks have been discussed extensively elsewhere so
will not be discussed in further detail here.
Overall, it is felt by those that we have interviewed
that creativity is required to balance out the often
conflicting risk of cost control against employee
satisfaction with their reward package. One suggestion
to manage these risks concurrently is to consider using
conjoint analysis (where employees trade off one set
of attributes or features against another to determine
their relative importance) to get at your employees’
underlying reward preferences and establish whether
there is a way of better meeting these preferences
while lowering overall reward costs.
In addition to cost management risks, the issue of
the sustainability of ongoing performance is raised as
presenting potential financial concerns. Management of
this risk requires that performance-related remuneration
should not be based solely on the profit of one
year’s results, where there is a possibility that profit
information may be interpreted differently over time.
Where doubt exists, remuneration could be deferred
to a point where greater certainty of profit is achieved.
Table 4: Financial risks
Employee benefits self-insurance
The risk that self-insured benefits are not managed, leading to unexpected costs to the organisation.
Healthcare costs The risk that healthcare costs are not controlled.
Inaccurate profit / revenue data
The risk that bonus payments or pay budgets are established with reference to incorrectly stated profit or revenue data, leading to payments that are not appropriate.
Organisational cash flow (ability to pay)
The risk that the organisation is unable to meet reward payments due to cash flow issues.
Overcompetitive reward
The risk that employees are paid more than is required based on market comparisons.
Pension cost management
The risk that pension costs are not managed and become unaffordable.
Pension investment strategy
The risk that the pension investment strategy does not deliver against investment goals.
Taxation The risk that employer and employee taxation is not managed correctly, leading to incorrect taxation payments or tax efficiencies being missed.
14 Managing reward risks: an integrated approach
This is identified as a factor in the financial sector, where
‘mark to market’ (see box) valuations of collateralised
debt obligations that were used to calculate traders’
bonus payouts in 2007 were not actually realisable once
the extent of the difficulties in the underlying mortgage
markets became widely known.
The extent to which this risk applies to an organisation
will depend on the certainty of valuation that is used
in the financial accounts. Although most apparently
relevant to the financial services industry, as illustrated
above, other instances of this risk were raised by
interviewees with respect to, for example, sales teams
where credits may be received for bonus purposes
when an order is made that could be later cancelled,
as well as examples in the property and construction
sectors. This could also apply where organisations have
goods or services with high product return rates that
are not accounted for in bonus payments.
Where this doubt exists it is suggested that some form
of deferral of bonus payments should be considered to
hold back funds until the reliability of profit numbers
is more assured. The proportion of any bonus that
should be deferred should be related to the extent to
which there is doubt in the profits on which the bonus
has been paid. The length of any such deferment
will depend on the time period over which greater
accounting certainty can be attained.
Operational reward risks
The reward system itself will bring direct risks to the
organisation. Reward processes can be complex and,
if not appropriately managed, may lead to errors. The
system is also dealing with large amounts of personal
data and the confidentiality of this data has to be
a key priority for reward and payroll professionals.
Financial fraud is also possible. Unlike a number of
the strategic, behavioural and financial risks, these
risks are often more directly in the control of the
reward function. A number of interviewees also noted
frustrations with their reward IT capability, which often
led to workaround solutions and therefore potentially
increased the risk of error or of lower levels of security
on personal data. These plus other potential reward
operational risks are shown in Table 5.
Mark to market valuations in the financial
services industry
Marking to market is the practice of assigning
a value to financial products (for example
equities, bonds, foreign exchange, and so
on) based on the price prevailing in the
market for that product. This may be based
on data provided from a market exchange
or, alternatively, an estimate based on similar
trades made that day or theoretical model
valuations (also known as ‘marking to model’).
Table 5: Operational risks
Benchmark data quality
The risk that benchmark data is inaccurate, leading to the establishment of inappropriate pay structures and therefore overpaying and lowering organisation cost control or underpaying and bringing attraction risks into play.
Data confidentiality The risk that personal data on employees is not protected appropriately, leading to breaches of security and potential legal challenges.
IT system The risk that the reward IT system does not deliver efficient and secure reward processes.
Outsource provider management
The risk that outsource providers (for example payroll, benefits) do not meet agreed contractual requirements.
Payroll management (for example error or fraud)
The risk of payroll errors leading to incorrect or fraudulent payments.
Reward system legacy management
The risk that management of legacy reward systems (that is, merger, TUPE) lowers the overall effectiveness of the reward strategy.
Managing reward risks: an integrated approach 15
It is suggested that operational reward risk
management needs to be the reward team’s first
priority. Managing this risk effectively is a prerequisite
to being able to focus on other, more ‘strategic’ risk
areas such as those discussed above.
The importance of understanding and controlling the
basic operational risks is a consistent theme running
through the research. If payroll administration or data
confidentiality risks are not under control, there is little
hope of more strategic or behavioural risks identified
by the reward team being considered. A number of
organisations have outsourced the management of
some of these risks through outsourced payroll and
the implementation of industry IT solutions. However,
this does not negate the need to manage these risks
through effective contract management processes
and ongoing development of IT systems. In larger
organisations this means that a number of these
operational reward risks are managed in close liaison
with procurement and IT functions.
Implementation and change management reward risks
Effective reward policy is meaningless if the
organisation is unable to implement the policy. A
range of implementation and change management
risks have been raised, often relating to the capacity
and competency of both the HR function and
organisational line managers to effectively implement
the policies that were developed. Of most significance
is the need for effective communication for successful
reward implementation. Reward management change
related risks are shown in Table 6.
It is recommended that HR directors and reward
directors review the overall organisational capacity and
capability to deliver on espoused reward strategy and
take corrective action where necessary.
Table 6: Implementation and change management risks
Change management The risk that the reward strategy is unresponsive to a changing business environment or changes required to the reward strategy are managed ineffectively and therefore are not having the required impact.
Communication The risk that employees do not understand their reward package and therefore the organisation does not achieve full value from its components.
Employee relations The risk that reward issues lead to problems with general employee relations.
Employee reward understanding
The risk that employees do not understand how their reward package is constructed and as a result the organisation does not achieve best value from its reward spend.
Line management reward capability
The risk that the reward strategy is ineffectively delivered by line managers.
Reward team capability
The risk that the reward team does not have the capability to develop and implement an appropriate reward strategy.
Reward team capacity
The risk that the reward team does not have the capacity to develop and implement an appropriate reward strategy.
Trade union/works councils
The risk that trade union/work councils relationships inhibit the operation of the preferred organisation reward strategy.
16 Managing reward risks: an integrated approach
Legal and ethical reward risks
The volume of employment legislation in the UK
has significantly increased since 1970 with, for
example, equal pay rights between men and women,
compensation for loss of job, minimum wage rights,
maternity and paternity rights, hours of work and
holiday entitlements, share ownership and pensions
and various trade union legislative requirements having
been introduced. Perkins and White (2008) in their
CIPD Reward Management textbook feel that the legal
context is so significant that ‘while employers may
wish as far as possible to create reward strategies for
their own particular circumstances, the starting point
will always be what the law allows or requires’ and,
given this, ‘a major skill for reward specialists is being
able to implement strategy within the constraints of
the law’. In addition, research participants felt that
ethical issues are becoming more fundamental in
guiding the strategic direction of organisations.
In this context a number of legal and ethical reward
risks were raised (Table 7).
A major challenge for reward professionals is keeping
abreast of legislative and regulatory requirements and
ensuring that reward systems stay in line with these
requirements. As with other risk groups, this requires
drawing expertise from other areas, namely HR legal
teams, either in-house or advice provided by external
legal firms. This is discussed later in the report.
Governance reward risks
The significance of corporate governance in effective
people risk management was identified in the 2006
Change Agenda Risk and Performance (CIPD 2006).
In the context of reward risk management this has
been further reinforced by the findings in the Turner
Review (FSA 2006), outlined in the box on page 8,
and Sir David Walker in his initial review of corporate
governance in the banking sector (Walker 2009) in
their discussions of the causes and potential solutions
to remuneration-related risk in the financial services
industry. Lessons can be drawn for all sectors from
their findings. While a detailed review of reward
governance and, in particular, the role of remuneration
committees in overseeing the development and
implementation of reward structures is beyond the
scope of this report, two risks were repeatedly raised
in relation to oversight and governance of reward.
These are shown in Table 8 below.
Table 7: Legal and ethical risks
Ethical The risk that the reward strategy is developed or managed in an unethical manner.
Implied terms, that is, contractual custom and practice
The risk that organisations establish custom and practice from actions taken that have larger consequences at a later date.
Legislative change The risk that legislative changes impact on the alignment of reward strategy with wider organisational goals.
Regulatory The risk that regulation of reward structures requires changes that are not consistent with organisational goals.
Reward discrimination, for example equal pay
The risk that the reward system inappropriately and potentially illegally discriminates between employees.
Table 8: Governance risk
Board / remuneration committee reward knowledge
The risk that the knowledge of those accountable for overseeing the governance of reward structures at executive and other levels is insufficient to carry out the role effectively.
Conflicts of interest The risk that reward decisions are influenced by individuals with a conflict of interest in the final decisions.
Managing reward risks: an integrated approach 17
The FSA, in its work on remuneration risk, has
highlighted the importance of organisations’
remuneration committees having sufficient knowledge
of organisational risks to ensure that the reward
structures adequately account for the management of
these risks. Further, the EU Commission identified the
important role that remuneration committees should
have in designing company remuneration strategy
beyond that of executives, thereby suggesting that
for many organisations the remuneration committee’s
remit should be extended. However, it is important
that the focus of reward governance is on the need for
independence and challenge in remuneration decisions
and not committees and process. Reward teams need
to ensure that this independence is present.
The Treasury Select Committee, in its report on the
financial crisis and the role of remuneration in this
crisis, notes that remuneration committees need to
identify the risks within the organisation’s business
strategy and from this the role reward can play in
helping to manage these risks. This could perhaps be
done through stronger or improved links between the
remuneration and risk and audit committees (where
they exist) that would typically review an organisation’s
risk map. This approach could then be mirrored
further down the organisation with links between
the reward function and other ‘risk-aware’ functions,
such as audit, finance and risk management. However,
questions have been raised over the ability and
time for remuneration committee members to carry
out this enhanced role and the knowledge of both
remuneration practice and organisational risk profiles
that this would require. This means that HR may have
to carry out a review of the level of knowledge of the
organisation’s remuneration committee (or equivalent
governance for reward strategy) to ascertain whether
the remuneration committee has the knowledge
and ability to adequately develop and challenge
remuneration design and the need for risk issues to be
considered in this design.
Conclusion: the reward professional’s contribution
The seven risk groups identified are intended to act
as a prompt for discussion about the reward risks that
organisations are incurring. Ensuring that management
considers each of these risk groups when taking both
reward design and implementation decisions may help
in ensuring that reward risk management is an integral
part of the reward function’s work on a day-to-day
18 Managing reward risks: an integrated approach
Current reward risk concerns and our state of readiness
In June and July 2009 the CIPD conducted a survey
to learn how reward management professionals,
consultants and academics perceive the risks facing
their reward strategies. The questionnaire was in
two sections. First, they were asked to rate a list of
potential risks – which had been identified through
two workshops and a series of interviews with risk
management and reward professionals relating to
reward strategy and its implementation – for impact on
a scale of 1–5 and whether these risks were felt to be
rising, steady or falling.
Second, participants were asked to rate the readiness
of their organisation to manage the risk that they had
identified.
We received 285 responses. The breakdown of
respondents is shown in Figure 2.
The top ten ranked risks faced by employers are as
follows:
1 poor communication of reward leading to poor
organisational performance
2 inability to adapt reward policies and practices to
the changing business environment
3 reward failing to engage employees
4 reward failing to attract key talent
5 ineffective reward strategy causing poor
employee relations
6 poor employee understanding of reward
7 line management reward capability – not being
able to link pay to employee performance or
communicate what is being rewarded and why
8 employees not perceiving reward as fair
9 that bonuses and incentives do not motivate
10 how people are rewarded does not support the
business strategy.
The list is dominated by risks from the ‘implementation
and change management’ risk group, with five of the
top ten risks coming from this group. Given that risk
management is fundamentally about managing the
uncertainty of events, this is not surprising. Comments
made by respondents reflect this concern, focusing on
the burden of change required in current economic
conditions and the gap between the intention of the
organisation and employee understanding of what
organisations are looking to deliver.
Behavioural risks are the next group to be raised,
especially around engagement, fairness of reward
and the need to incentivise employees effectively. Of
interest – given the political and media attention in
this area following the financial crisis – is the fact that
the risk that incentives create inappropriate behaviour
finished 29th. This perhaps identifies a gap between
what reward professionals believe is needed within
organisations and media and political coverage.
Figure 2: Breakdown of survey respondents
Consultant
HR practitioner
Academic
1%
9%
90%
Managing reward risks: an integrated approach 19
Strategic risks around attraction and the alignment
of reward strategy with both organisational strategy
and other HR policies all feature in the top 20. Brand
and organisational reputation concerns are also high,
just outside the top ten at 13, which is reflected in
written comments around media interest and the need
for reward policies to be seen to be appropriate, not
just by employees but by wider stakeholder groups.
Not surprisingly, financial risks focus on pension cost
management, both directly and with respect to the
investment strategies that firms are employing to
manage their pension liabilities. In addition, cash flow
risk is highlighted, which is undoubtedly related to
the timing of the survey with organisations struggling
to manage through the recession and taking radical
action to manage cash flow through actions such as
pension holidays, pay freezes and cuts. Legal risks
barely feature, with legislative change at 14 the only
legal concern raised in the top 20. Encouragingly,
operational risks are also lower down the list, with
benchmark data quality the highest at 18, followed
closely by concerns over IT systems.
The survey also asked participants to identify risks
that they think are growing and will need increasing
attention in the future. The top ten risks that are
predicted to grow and therefore warrant increased
focus are as follows:
1 inability to adapt reward policies and practices to
the changing business environment
2 pension investment strategy – returns not
meeting expectations
3 pension cost management – organisations unable
to meet increasing costs associated with providing
an employee pension scheme
4 poor communication of reward, leading to poor
organisational performance
5 reward failing to engage employees
6 ineffective reward strategy, causing poor
employee relations
7 legislative change leading to more rules and red
tape
8 poor employee understanding of reward
9 organisational cash flow – not having the money
to meet reward commitments
10 failing to comply with regulatory requirements.
Given the current economic climate, attention will be
increasingly focused on the cost management risks
around cash flow management, pension cost and
investment strategy management, and healthcare cost
control. In addition, there will be the risks associated
with change management issues associated with
changing policies in these areas and the resulting risk
of reductions in employee engagement and problems
with employee relations.
Clearly legal and regulatory reward risks are also seen
to be on the increase, which – given the survey was
being completed during the FSA’s consultation on
reward in the financial services sector and Sir David
Walker’s review of corporate governance in the banking
industry and significant media coverage of reward
issues – is to be expected.
Also of interest is the difference in views as to the
main reward risks between HR practitioners and their
consultants. These are shown in bold in Table 9. HR
concern over employee relations, employee reward
understanding, incentives and line management
capability did not feature in the equivalent top ten
risks identified by their consultants. They are more
concerned with board and remuneration committee
knowledge (perhaps reflecting increasing work in that
area and the focus of their consulting on executive
reward issues), reputation, misalignment with other
HR policies and reward team capability. Despite these
differences, there is a consensus that the change
management risks are important.
20 Managing reward risks: an integrated approach
Table 9: Comparison of practitioners’ and consultants’ perceptions of reward risks
HR Consultants
1 Communication Change management
2 Change management Communication
3 Engagement Attraction of key talent
4 Attraction of key talent Board/remuneration committee knowledge
5 Employee relations Fairness internally of reward
6 Employee reward understanding Engagement
7 Fairness internally of reward Misaligned reward and business strategy
8 Incentives not motivating Reputation/brand
9 Line management reward capability Misalignment with other HR activities
10 Misaligned reward and business strategy Reward team capability
Table 10: Sector views of reward risks
Manufacturing and production
Private sector services
Voluntary, community and not-for-profit Public sector
1 Communication Change management Change management Attraction of key talent
2 Engagement Communication Communication Change management
3 Attraction of key talent Engagement Line management reward capability
Communication
4 Change management Attraction of key talent Attraction of key talent Engagement
5 Employee relations Employee reward understanding
Employee relations Employee relations
6 Employee reward understanding
Incentives not motivating
Engagement Employee reward understanding
7 Pension cost management
Employee relations Fairness internally of reward
Fairness internally of reward
8 Incentives not motivating
Misaligned reward and business strategy
Misaligned reward and business strategy
Pension cost management
9 Benchmark data quality
Fairness internally of reward
Retention IT system
10 Fairness internally of reward
Line management reward capability
Benchmark data quality
Incentives not motivating
The risk profile by industry sector is shown in Table 10.
Overall, between sectors there are not huge differences
in the risks that practitioners feel are significant.
Again, change management risks dominate. However,
‘employee reward understanding’ and ‘incentives not
motivating’ are less of a concern for the voluntary
sector, perhaps reflecting why people work in these
sectors in the first place. Pension cost concerns are
higher in the manufacturing and public sectors, which
may indicate a different stage within those sectors of
managing pension cost risks.
Managing reward risks: an integrated approach 21
Preparedness
The survey asked respondents, ‘How well prepared
do you think your organisation is to manage the risks
you have identified?’ The breakdown of responses is
shown in Figure 3.
Only 17% feel they are well prepared to handle
the myriad risks they face, while 9% think they are
poorly prepared. The rest gave a mixed response
(74%). This cautious response may be a reflection of
current demanding times for reward management and
concern that the future, with respect to the state of
the economy, is still unclear. This was reflected in the
comments made.
Given this general concern over preparedness, this
report now provides some guidance and supporting
tools to assist reward professionals to identify, assess and
manage risks within their organisation’s reward strategy.
Figure 3: How well prepared do you think your organisation is to manage the risks you have identified?
Well
Mixed
Poor
17%9%
74%
22 Managing reward risks: an integrated approach
Risk management process
Risk management techniques are well established
and used widely in many organisations. The following
advice is intended to provide a high-level route map
to reward teams as to how they might go about
identifying, assessing and managing risks that apply to
their reward strategy.
Reward professionals are advised to use established
risk management techniques (for example impact
and probability analysis, risk logs, stress testing) to
identify their organisation’s key strategic, behavioural,
financial, operational, legal, change management
and governance reward risks and manage and
control these risks in line with the organisation’s
defined risk appetite. These tools are intended to
support a proactive approach to predict and manage
unacceptably high risks rather than reactive ‘fire
fighting’ of ‘crystallised’ or realised risks after they
have occurred.
Where possible, the adoption of established
organisational risk management processes should be
used in managing reward risks. This has the dual benefit
of saving the time and effort required in designing
reward risk management processes and it can also help
increase the credibility of any reward risk assessment
results and resulting recommended actions through
presentation of results in line with organisational
standards. However, where such a process does not
exist, the support provided below will help.
A three-stage process for managing reward risk was
presented earlier and is shown in Figure 4.
Each of these stages will be discussed alongside
suggestions for how to carry out the stages efficiently
and effectively.
Figure 4: Three-stage process for managing reward risk
Stage 1
Risk identification
Stage 2
Risk assessment
Stage 3
Risk mitigation
• collection of risks from a diverse range of intelligence, both internal and external to the organisation
• initial risk assessment against two criteria: – impact that the risk occurring would have on the organisation – probability that the risk will occur
• decision on appropriate mitigating action to be taken• reporting of risk assessment to ‘appropriate’ persons
Managing reward risks: an integrated approach 23
Stage 1 – risk identification
The research highlights the importance of reward
professionals using a range of sources of intelligence to
be able to begin to identify risks that may be pertinent
to their organisation’s reward strategy and delivery.
To successfully identify the risks that may influence the
effectiveness of the organisation’s reward strategy, it
is important to engage with a range of functions and
key individuals to get their intelligence on what might
happen and to involve them in brainstorming activities,
drawing on their particular expertise. Key functions for
reward to engage with in identifying reward risks are
presented in Table 11.
Table 11: Key functions to engage with in identifying reward risks
Function How they can help Questions to consider
Internal audit
Internal audit play a key role in assessing the controls in organisations. This requires them to assess the risks that organisational processes and functions are managing and how effective the controls are to manage these risks. They are likely to have done some form of organisational risk-mapping and may have already considered reward-related risks.
What risk-mapping work have they already done and where do reward-related risks appear on this map?
What do internal audit reports say about reward risks?
Compliance and risk management
In some industries a formal compliance team or a centralised risk management function will be in place. They can be a source of intelligence around business risks that may be impacted by reward structures. For financial services organisations in the UK, it is now regulatory guidance that reward decisions take into account the views of risk and compliance.
What regulatory issues may be emerging that may impact on the reward strategy?
What behavioural issues may impact on regulatory compliance and how is reward contributing or assisting with managing these issues?
Unions Unions (and works councils or equivalent), through their engagement with employees, will have intelligence on the current state of employee satisfaction and the likely reaction of employees to different reward approaches. They will also, because of their wider industry understanding, have thoughts on industry reward developments.
What is the union view on future reward risks that the organisation may face?
Finance Given that reward costs are often a high proportion of overall employee cost, the finance function is likely to have input on potential future cost risks through their understanding of the cost structure of employment costs. Specifically in relation to pension costs they may also have insight into future regulatory or accounting changes that may apply to these costs, which may influence reward decisions.
Where are our biggest reward expenditures?
What have we seen happen to those spends over time?
What are our views on likely future cost changes in areas such as pay and benefits?
HR business partners/line managers
What is happening in business units on the ground is crucial risk identification data.
What trends around recruitment, retention and motivation are HR business partners and line managers seeing?
What influence are reward structures having on front-line employee behaviour? Are these the behaviours that are required to make the business a success?
24 Managing reward risks: an integrated approach
As well as engaging with key functions and individuals,
reward risks can be identified through review of
management information. Review of this data can help
identify emerging trends and concerns. Key sources
and where they may provide insight to reward risks are
shown in Table 12.
As well as these internal sources of data for identifying
reward risks, there are numerous external sources that
will assist you in thinking as widely as possible about
potential events that may impinge on the effectiveness
of your reward strategy. Some suggestions as to
potential sources are presented in Table 13.
Table 12: Key internal sources of management information for identifying reward risks
Organisational and HR risk maps
Does an HR risk management process already exist?
What risks have already been identified and do these include reward-related risks?
Exit interviews What reward issues are being raised by those leaving the organisation?
Equal pay audit results
What do your equal pay results tell you about potential discrimination risks?
Management accounts
What are the main drivers of organisational performance?
What are the main sources of organisational costs?
Business forecasts What are the future expectations of the business?
Balanced scorecard results
What are the main performance issues in the business – financial, process, people and customers? How might reward structures and systems impact on these (for example, customer satisfaction scores, sales results, process efficiency, and so on)?
Service level reports from suppliers (for example payroll, benefits, IT systems)
What level of performance are you getting from your external suppliers?
What level of errors are occurring and how are these being addressed?
HR management information
What level of recruitment offers are accepted? Why are offers rejected?
What is employee turnover? How does it vary by function and business unit?
How do actual pay levels compare with the market position that is being targeted?
What ongoing grievances or legal disputes do you have with employees and how do these relate to reward systems?
Table 13: Key external sources of information for identifying reward risks
Employment law alerts/briefings
Many of the legal firms provide regular updates on future employment law changes and recent cases. What legal changes are likely in the future and how will they impact on your reward strategy? What tribunal cases have been held and what implications may they have?
Government consultation papers
The Government regularly consults on proposed changes. These can provide an opportunity to mitigate the risk through engagement with the consultation process or alternatively early warning of potential changes for you to consider the implications for your reward strategy.
Press publications and trade conferences
Both the HR press and wider media will provide information on reward issues emerging and good practice carried out by other organisations. What can you learn from these with regard to potential threats to your reward strategy?
Research Economic data is crucial for understanding potential future reward-related issues. For example, what is inflation likely to be in the future and what influence might changes in this have on how you approach reward? Demographic data can also be useful in identifying particular employment trends that may have a disproportionate influence on your business. In addition, academic research is carried out on reward-related areas that may give you insights as to potential issues within your reward approach or ideas for future changes.
Managing reward risks: an integrated approach 25
The significance of developing the discipline within
your reward function to continually engage with other
parts of your organisation and review key internal
and external data sources cannot be understated.
A successful reward risk manager will be assessing,
on a continual basis, all the data they are gathering
and considering its potential implications for the
effectiveness of the reward strategy.
Having developed a good understanding of what is
happening that may be relevant to your reward strategy,
both external to and within your organisation, you should
then be in a better position to identify reward risks. A
systematic approach to the identification of reward risks
can then be used as a guide to assess the main reward
risks relevant to your current organisational position.
Reward risk assessment will now be discussed.
MBDA is a defence company with industrial facilities in France, Germany, Italy, the USA and the UK.
It has 9,000 employees worldwide. As with all organisations in the defence industry, it faces future
challenges with reducing defence budgets and increased international competition from former Eastern
European defence companies, the United States and developing countries intent on building their own
indigenous technical capability.
At MBDA, a number of reward-related risks have been identified. The company has relatively long-
serving employees and consequently the principal focus hasn’t historically been on retention risks, but
rather, with the increased competition in the sector, employee motivation and cost control. As well
as these behavioural and financial reward risks, MBDA has also faced different legal requirements,
and resulting legal reward risks, in each country in which it operates. In addition, the cross-border
nature of its operations has meant that reward change management and communication risks have
required particular attention through careful consideration of how the company communicates with
its employees what is contained in their remuneration package, in each country, in order to raise the
visibility of the offer. This is to help ensure that employees know what they are receiving and get full
value from it, as it is felt that many employees are not fully aware of the extent of their package.
The company has an organisation-wide risk management process that includes an organisation-wide
risk register. However, this has typically focused on front-line business processes, such as supply chain
management, specific project management risks and business contingency planning, rather than on HR
and reward-related risks. The intention is to bring a more systematic approach to reward risk identification,
assessment and mitigation through the adoption of already established organisation risk management
practices. The initial focus is likely to be on using reward systems to help address the business challenge
of aligning employee reward to business performance which, due to relatively long product lifecycles,
can mean that employees lose sight of the ultimate customer and their needs. It is felt reward can help
manage this risk through revisions to the bonus scheme linked to both organisation-wide and local
performance measures alongside longer-term incentive programmes to help employees see both short-
and longer-term priorities. Risks that are having to be considered in the development of this reward
system include: communication risks to ensure that employees are fully aware of what they need to do
to increase their reward; and achieving the right balance between individual and team reward to manage
individual performance but support teamworking and contribution ultimately to the organisation’s bottom
line. Clearly, performance management is also key and educating and encouraging managers to more
actively differentiate between employees is an area of focus.
Going forward, the reward team will be looking to leverage off the organisation’s approach to risk
management, given the immediate advantage this presents with respect to linking into organisational
tools and using business language to highlight and give attention to HR and reward-related risks.
This information was supplied by John Murray, HR Director, Operations, at MBDA.
Reward risk management at MBDA: the start of a journey
26 Managing reward risks: an integrated approach
Stage 2 – risk assessment
At this stage you should have an idea of the universe
of risks that apply to your reward strategy across
the seven risks groups – strategic, behavioural,
financial, operational, legal, change management and
governance risks. The next stage requires you to assess
the probability and impact of each of the reward risks:
• probability – the likelihood of the identified risk
actually occurring
• impact – the effect the risk occurring will have on
your overall reward strategy and, through this, your
business strategy.
Assessing both of these dimensions requires
judgement. One approach that is taken to support
this judgement is to map the identified risks onto an
impact and probability matrix. An example is given in
Figure 5.
Risk appetite
The coloured zones in Figure 5 show potential risk
management actions to be taken against each of
the reward risks identified. Where these zones lie in
your own reward risk map will depend on your risk
appetite. Risk appetite is the amount of risk that you
are willing to accept or be exposed to at a specific
point in time. Some organisations are willing to accept
higher levels of risk than others depending on the
prevailing culture at the time that the risk appetite
is defined. What is crucial is that you engage senior
management in defining what level of reward risk they
are willing to be exposed to. Potential questions that
can help you define your risk appetite are as follows:
• Financial cost – what is the potential financial
loss to the company should the risk materialise, for
example legal costs and fines should tribunal cases
be lost through running a legal risk?
Figure 5: Impact and probability matrix
8
11 2
57
3
4
96
Minimal risk – does not require specific attention
Contingency plans should be in place
Preventative controls should be put in place
Heavy risk management focus
High
Medium
Impa
ct
Low
Low Medium
Probability
High
1
2
3
Identified reward risk 1
Identified reward risk 2
Identified reward risk 3etc...
Managing reward risks: an integrated approach 27
• Reputation – what level of publicity may occur if
the risk occurs? What level of bad publicity are you
willing to accept if a risk materialises?
• Regulatory – is potential regulatory intervention
acceptable to the business?
These are just examples. Many organisations
present potential negative scenarios to their senior
management and ask them whether the occurrence
of the scenario is acceptable or should be eliminated.
This allows them to carry out some calibration of the
organisation’s reward risk appetite.
Combining risk
While the framework presented identifies numerous
individual risks, they should not be considered in
isolation. A number of these risks are likely to arise in
tandem and as a result their individual influence may be
increased through combination effects. Consequently,
the risk assessment process should consider how the
identified risks are related and whether the combination
will lead to a higher impact or probability than may be
suggested by examining each risk individually.
Commerzbank is an international German bank providing retail and corporate banking worldwide. Its
UK operation focuses on investment and corporate banking. It employs around 1,200 staff in London.
Reward risks are examined systematically using assessment of both impact and probability criteria.
The probability of a reward risk occurring is assessed using a simple percentage (0–100%). Impact is
measured on a five-point scale, 1 being a non-material impact and 5 being an impact critical to business
performance. The probability percentage and impact are then multiplied to give an overall reward risk
score. This score is then used to identify where reward risk mitigation should be focused. Any scores
above 200 are considered to be red risks and require immediate action. The risks are then presented on
a ‘risk umbrella’ map to demonstrate the highest risks, as shown below.
The risks identified and the analysis of their probability and impact are then captured in a risk log, along
with defined mitigating actions where it is felt the risk is too high for Commerzbank’s reward risk appetite.
This information was supplied by Ian Davidson, Head of Compensation and Benefits, at Commerzbank, London.
Reward risk assessment at Commerzbank London
1 Set by Frankfurt300
250
200
150
100
50
0
19 Loss of reward knowledge in London
18 Regulatory communication
17 Employee communication
16 Senior management communication
15 Head office communication
14 Delivery not in accordance with contracts
13 Incorrect HMRC reporting
12 Correct levels of bonus
11 Correct levels of pay 10 Market issues
Probability Impact Total score
9 Discrimination issues
8 Bonus system
7 Bonus levels
6 Levels of base salary
4 Regulatory agreement
3 Understanding by HR business partners
2 Communications to senior management
5 Business impact
28 Managing reward risks: an integrated approach
Stage 3 – risk mitigation
The final risk management stage is to consider what
risk mitigation actions may be required. This will be
heavily informed by your risk assessment process, with
higher impact and higher probability risks warranting
more attention. Typically, organisations capture the
risks identified and their assessments of these risks in
some form of risk map (also sometimes referred to as a
risk register or risk log), which then allows the actions
to be taken to be laid out and accountability to be
assigned for ongoing management of the risk.
A typical risk map is presented in Table 14, along with
some illustrative risks and potential action plans. Where
scoring is used, as in the Commerzbank case study, risk
maps will often include a column for this score alongside
a target score for the risk after the action plans have been
completed.
Clearly risk mitigation will be specific to the risks identified
and the assessment of their potential impact and their
likelihood of occurring. It is an area where creativity is likely
to be required in thinking through ways of managing the
risks so that the costs of carrying out the mitigating action
are proportionate to the costs of such action.
Scenario analysis can assist the development of
appropriate risk mitigation strategies. These are basically
‘what if’ questions intended to provoke ideas on what
strategies or controls should be put in place to prevent
potential risks occurring or alternatively the building of
contingency plans to manage the risk should it occur.
Table 14: Example risk map
Risk group Description Impact Probability Owner Action Review date
Operational Employee confidentiality is breached through loss of reward data
Medium Low Clare Brown Annual data confidentiality audit
January 2010
Financial Inaccurate profit data used to set bonus pool
High Medium Ann Jones Establish bonus deferral policy
Bonus pool set on audited profit
November 2009
Financial Escalating healthcare costs
Medium Medium Clare Brown Supplier re-tendering
Employee consultation as part of ‘total reward’ review
April 2010
Strategic Loss of key employees
High Low John Smith Intra-year review of market benchmarks for key groups
Retention bonus policy in place
Line management communication of the tool and its potential use
December 2009
Change management
HR capability to implement new job evaluation system
Medium High John Smith HRBP training sessions on new job evaluation system
Job evaluation guides developed
October 2009
Managing reward risks: an integrated approach 29
There is no definitive list of the skills, knowledge and
competencies required by reward professionals to
successfully pursue a risk-based approach to their work.
However, the reward professionals that we talked to
have identified a number of competencies from the
CIPD’s HR Profession Map that they felt to be particularly
relevant in adopting a risk-based approach. These are
highlighted in Table 15 against each of the three stages
identified in the reward risk management process.
Clearly behaviours are important but can only be
effectively deployed in the reward risk management
approach described if they are accompanied by a
base of technical skills and knowledge. This skill
and knowledge will be a combination of business
understanding, technical reward knowledge and,
where relevant, operational management to ensure
all types of reward risk are well managed. The CIPD’s
‘reward and performance’ professional area in the
overall HR Profession Map can help establish the key
knowledge required.
For more detail on the CIPD HR Profession Map, go to
www.cipd.co.uk/hr-profession-map
Table 15: Risk management process and CIPD HR Profession Map competencies
Risk identification Curious– active interest in the internal and external environment– open-minded with a bias to learn and enquire
Collaborative– works effectively and inclusively with colleagues
Co
urag
e to ch
alleng
e
Shows courage and confidence to speak up, challenge others
when faced w
ith resistance.
Risk assessment Decisive thinker– analyse and understand data quickly– use judgement wisely to identify options and defendable decisions
Skilled influencer– gain the necessary commitment
Risk mitigation Driven to deliver– a consistent and strong bias to action
Personally credible– track record of reliable and valued delivery
Effective risk management – what does it take?
30 Managing reward risks: an integrated approach
Conclusion
While the research identifies that reward risks are
on the increase, and practitioners are struggling to
manage these risks, there are many good examples of
organisations getting on top of their reward risks and
managing them effectively. Successful organisations
are assessing their reward strategy and systems for risk
so that they can proactively manage these dangers
and avoid unnecessary reward shocks. There are clear
steps that reward practitioners and their HR colleagues
can take to more effectively identify, assess and
then manage the risks that organisations face when
managing their reward practices. By adopting five
simple steps, organisations can significantly improve
their preparedness for managing reward-related risks:
1 Establish effective reward risk intelligence-
gathering systems.
2 Proactively review your reward strategy and
systems for risk.
3 Use established risk management tools to assess
and manage identified reward risks.
4 Know your reward risk appetite and manage risk
consistent with this.
5 Build your risk management capability and develop
a permanent risk management culture.
To assist practitioners in following these steps this
report has identified seven key reward risk groupings.
We have used this framework to review the main risks
that are seen to be most relevant today to reward
management professionals and have provided some
risk management tools to assist organisations in
reviewing their reward-related risks.
Managing reward risks: an integrated approach 31
References and further reading
ASSOCIATION OF INSURANCE AND RISK MANAGERS,
ALARM and INSTITUTE OF RISK MANAGEMENT. (2002)
A risk management standard. [London]: AIRMIC,
ALARM and IRM. Online version also available at:
http://www.theirm.org/publications/PUstandard.html
[Accessed 22 September 2009].
CHARTERED INSTITUTE OF PERSONNEL AND
DEVELOPMENT. (2006) Risk and performance: HR’s
role in managing risk [online]. Change agenda.
London: CIPD. Available at: http://www.cipd.co.uk/
subjects/corpstrtgy/general/_rskprfrmnc.htm [Accessed
22 September 2009].
FINANCIAL SERVICES AUTHORITY. (2009) The Turner
review: a regulatory response to the global banking
crisis [online]. London: FSA. Available at: http://www.
fsa.gov.uk/pages/Library/Corporate/turner/index.shtml
[Accessed 22 September 2009].
KAPLAN, R.S. and NORTON, D.P. (1996) The balanced
scorecard: translating strategy into action. Boston,
MA: Harvard Business School Press.
PERKINS, S.J. and WHITE, G. (2008) Employee reward:
alternatives, consequences and contexts. London:
Chartered Institute of Personnel and Development.
STEVENS, J. (2005) Managing risk: the human
resources contribution. London: LexisNexis.
WALKER, D. (2009) A review of corporate governance
in UK banks and other financial industry entities
[online]. London: The Walker Review Secretariat.
Available at: http://www.hm-treasury.gov.uk/walker_
review_information.htm [Accessed 22 September
2009].
32
Managing rew
ard risks: an integrated approach
Appendix – outline reward risk mapping toolThe risks below were identified during the research as being
particularly relevant to reward risk management. They are
intended to act as a guide for reward functions in their
assessment of risks that are present and need managing
in their own reward systems. They are presented alongside
a simple tool to allow reward professionals to review
each of the risks against their own reward strategy and
systems. The list is intended to provide a potential universe
of reward-related risks but should not be considered
exhaustive or treated as a checklist. Each organisation
will have a different risk profile and consequently require
different reward risk management strategies.
Risk Definition Impact Probability Owner Action
Strategic risks
Attraction and retention of
key talent
The risk that reward is structured (level,
structure and mix) in such a way that the
organisation is unable to attract or retain the
talent it needs to be successful.
Misaligned reward and
business strategy
The risk that reward strategy is not aligned to
organisational goals.
Misaligned reward and
organisational structure
The risk that reward structure and technical
design (that is, market pricing, job evaluation,
and so on) are not in line with organisational
structure.
Misalignment with other
HR activities
The risk that the reward strategy is not aligned
with other HR activities, diminishing the
effectiveness of the whole HR strategy.
Reputation/brand The risk that the organisation’s reputation is
adversely influenced by poor publicity, resulting
from adverse press coverage of reward systems.
Uncompetitive reward The risk that employees are paid less than is
required based on market comparisons, leading
to attraction and retention difficulties.
Managing rew
ard risks: an integrated approach
33
Risk Definition Impact Probability Owner Action
Behavioural risks
Fairness internally of
reward
The risk that reward is not seen as ‘fair’
between employees, leading to reduced
engagement.
Engagement The risk that reward strategy does not engage
employees.
Incentives not motivating The risk that incentive structures do not
motivate employees to higher levels of
performance or desired behaviours.
Incentivising inappropriate
behaviour
The risk that incentives lead to inappropriate
employee behaviour, such as product mis-
selling or excessive risk-taking.
Innovation stifled by
reward
The risk that reward structures discourage
innovative behaviour.
34
Managing rew
ard risks: an integrated approach
Risk Definition Impact Probability Owner Action
Financial risks
Employee benefits self-
insurance
The risk that self-insured benefits are not
managed, leading to unexpected costs to the
organisation.
Healthcare costs The risk that healthcare costs are not
controlled.
Inaccurate profit / revenue
data
The risk that bonus payments or pay budgets
are established with reference to incorrectly
stated profit or revenue data, leading to
payments that are not appropriate.
Organisational cash flow
(ability to pay)
The risk that the organisation is unable to meet
reward payments due to cash flow issues.
Overcompetitive reward The risk that employees are paid more than is
required based on market comparisons.
Pension cost management The risk that pension costs are not managed
and become unaffordable.
Pension investment
strategy
The risk that the pension investment strategy
does not deliver against investment goals.
Taxation The risk that employer and employee taxation
is not managed correctly, leading to incorrect
taxation payments or tax efficiencies being
missed.
Managing rew
ard risks: an integrated approach
35
Risk Definition Impact Probability Owner Action
Operational risks
Benchmark data quality The risk that benchmark data is inaccurate,
leading to the establishment of inappropriate
pay structures and therefore overpaying
and lowering organisation cost control or
underpaying and bringing attraction risks into
play.
Data confidentiality The risk that personal data on employees is not
protected appropriately, leading to breaches of
security and potentially legal challenge.
IT system The risk that the reward IT system does not
deliver efficient and secure reward processes.
Outsource provider
management
The risk that outsource providers (for example
payroll, benefits) do not meet agreed
contractual requirements.
Payroll management (for
example error or fraud)
The risk of payroll error leading to incorrect or
fraudulent payments.
Reward system legacy
management
The risk that management of legacy reward
systems (that is, merger, TUPE) lowers the
overall effectiveness of the reward strategy.
36
Managing rew
ard risks: an integrated approach
Risk Definition Impact Probability Owner Action
Implementation and
change risks
Change management The risk that changes to reward strategy are
managed ineffectively and therefore are not
having the required impact.
Communication The risk that employees do not understand
their reward package and therefore the
organisation does not achieve full value from
its components.
Employee relations The risk that reward issues lead to problems
with general employee relations.
Employee reward
understanding
The risk that employees do not understand
how their reward package is constructed and
as a result the organisation does not achieve
best value from its reward spend.
Line management reward
capability
The risk that reward strategy is ineffectively
delivered by line managers.
Reward team capability The risk that the reward team does not have
the capability to develop and implement an
appropriate reward strategy.
Reward team capacity The risk that the reward team does not have
the capacity to develop and implement an
appropriate reward strategy.
Trade union / works
councils
The risk that trade union / works council
relationships inhibit the operation of the
preferred organisation reward strategy.
Managing rew
ard risks: an integrated approach
37
Risk Definition Impact Probability Owner Action
Legal and ethical risks
Ethical The risk that reward strategy is developed or
managed in an unethical manner.
Implied terms, that is,
contractual custom and
practice – precedent risk
The risk that organisation establishes custom
and practice from actions they take that has
larger consequences at a later date.
Legislative change The risk that legislative changes impact on
the alignment of reward strategy with wider
organisational goals.
Regulatory The risk that regulation of reward structures
requires changes that are not consistent with
organisational goals.
Reward discrimination The risk that the reward system inappropriately
and potentially illegally discriminates between
employees.
Governance risks
Board / remuneration
committee reward
knowledge
The risk that the knowledge of those
accountable for overseeing the governance of
reward structures at executive and other levels
is insufficient to carry out the role effectively.
Conflicts of interest The risk that reward decisions are influenced by
individuals with a conflict of interest in the final
decisions.
Chartered Institute of Personnel and Development151 The Broadway London SW19 1JQ Tel: 020 8612 6200 Fax: 020 8612 6201Email: [email protected] Website: www.cipd.co.uk
Incorporated by Royal Charter Registered charity no.1079797 Issu
ed:
Oct
ober
200
9 R
efer
ence
: 50
07 ©
Cha
rter
ed In
stitu
te o
f Pe
rson
nel a
nd D
evel
opm
ent
2009
We explore leading-edge people management and development issues through our research.
Our aim is to share knowledge, increase learning and understanding, and help our members
make informed decisions about improving practice in their organisations.
We produce many resources on people management and development issues including guides,
books, practical tools, surveys and research reports. We also organise a number of conferences,
events and training courses. Please visit www.cipd.co.uk to find out more.