8.2 Risk Management, Privacy, and Security
Key Takeaways
- HR risk management identifies, prioritizes, mitigates, monitors, and documents people-related risks.
- Privacy and security require need-to-know access, careful records handling, data minimization, and coordination with information security and legal resources.
- Risk controls should fit the severity, likelihood, employee impact, and business impact of the issue.
- A strong SHRM-CP answer reduces risk without creating unnecessary barriers to legitimate work.
Managing People Risk Before It Becomes a Crisis
Risk management in HR means identifying events or practices that could harm employees, disrupt operations, violate policy, damage trust, or expose the organization to claims. It is not only about avoiding negative outcomes. It is also about building reliable processes so managers and employees know what to do when risk appears.
HR risk can come from poor documentation, inconsistent policy application, unsafe work conditions, weak access controls, mishandled investigations, inaccurate records, or unclear accountability. A SHRM-CP answer should show proportionality. The response should fit the risk instead of treating every issue as either routine or catastrophic.
| Risk area | Control example | HR partner |
|---|---|---|
| Employee records | Need-to-know access and retention practices | Legal, information technology, records owner |
| Payroll or time records | Review procedures and correction workflows | Payroll, finance, managers |
| Workplace complaint | Intake, documentation, investigation plan, nonretaliation reminders | Employee relations, legal as needed |
| System access | Role-based permissions and periodic review | Information security, system administrator |
| Vendor handling of HR data | Contract review, data safeguards, service standards | Procurement, legal, information security |
Privacy is a recurring workplace risk because HR handles sensitive information. HR should collect only what is needed, limit access to those with a legitimate business reason, store records appropriately, and avoid casual sharing. Even when information is relevant, HR should consider who needs the detail and who only needs the decision or action step.
Security also includes physical and operational safeguards. Badge access, visitor controls, emergency communication, secure file storage, and password practices may involve other functions, but HR often helps communicate expectations and respond when employees are affected. HR should coordinate rather than operate alone.
Use this risk-control pattern:
- Identify the risk event, affected people, and possible harm.
- Estimate urgency, likelihood, severity, and business impact.
- Review existing policy, records, controls, and ownership.
- Choose controls that reduce risk without blocking legitimate work.
- Monitor results, document decisions, and improve the process.
Risk registers and audits can be useful when they lead to action. HR should translate findings into owners, due dates, communication, training, or process changes. A risk that is documented but never assigned remains active, and repeated exceptions may show that the control is impractical or poorly understood. Review cycles keep the control current.
In exam scenarios, avoid answers that expose confidential information to satisfy curiosity. Also avoid answers that withhold necessary information from a manager who must implement a work restriction, schedule change, or safety action. HR judgment is often about sharing the minimum appropriate information with the right people at the right time.
A manager asks HR for an employee's medical details because the employee has a temporary work restriction. What is the best HR response?
Which action best supports HR system security?
What is the best first step when HR learns a vendor may have mishandled employee data?