8.2 Risk Management, Privacy, and Security

Key Takeaways

  • Enterprise risk management (ERM) identifies, assesses, mitigates, monitors, and documents risk using a likelihood-by-severity lens, then chooses a treatment: avoid, reduce, transfer, or accept.
  • Business continuity planning (BCP) and disaster recovery keep critical people-operations running through disruption; HR owns succession, emergency communication, and workforce safety in the plan.
  • Privacy and security require data minimization, need-to-know access, role-based permissions, and coordination with information security and legal — HR holds highly sensitive medical, pay, and identity data.
  • A strong SHRM-CP answer makes risk controls proportional to likelihood and impact, sharing the minimum appropriate information with the right people rather than oversharing or withholding what a manager legitimately needs.
Last updated: June 2026

Enterprise Risk Management in HR

Risk management is the systematic process of identifying, assessing, mitigating, monitoring, and documenting events that could harm employees, disrupt operations, violate policy, or expose the organization to claims. Enterprise risk management (ERM) widens that lens from a single department to the whole organization, asking how people-risks connect to strategic, financial, operational, reputational, and compliance risks.

The core analytic tool is a likelihood-by-severity assessment, often plotted on a risk matrix (or heat map). For each risk, HR estimates how probable it is and how severe the impact would be, then selects a risk treatment:

Treatment | Meaning | HR example
Avoid | Eliminate the activity creating the risk | Stop collecting data the organization does not need
Reduce / mitigate | Lower likelihood or severity with controls | Manager training, audits, role-based access
Transfer | Shift financial exposure to a third party | Employment practices liability insurance (EPLI)
Accept / retain | Tolerate a low, well-understood risk | Minor, infrequent process exceptions

HR risk arises from poor documentation, inconsistent policy application, unsafe conditions, weak access controls, mishandled investigations, inaccurate records, or unclear accountability. SHRM-CP answers should show proportionality — match the response to the risk rather than treating every issue as either trivial or catastrophic. A documented risk that is never assigned to an owner with a due date remains an active risk.

Business Continuity and Disaster Recovery

Business continuity planning (BCP) keeps critical functions running through disruption (storms, outages, pandemics, supply shocks); disaster recovery restores systems and operations afterward. HR's stake is substantial: emergency communication and employee accounting, succession plans for key roles, cross-training and backup staffing, remote-work readiness, and coordination of pay continuity and leave during a crisis. A continuity plan that names no backup for a single-point-of-failure role is incomplete.

Privacy and Security

HR holds some of an organization's most sensitive data — medical, pay, Social Security numbers, performance, and investigation files. The guiding principles are data minimization (collect only what is needed), need-to-know access, secure storage, and role-based permissions with periodic access review. Even when information is relevant, HR should ask who needs the underlying detail versus who only needs the decision or action step.

Risk area | Control example | HR partner
Employee records | Need-to-know access, retention schedule | Legal, IT, records owner
System access | Role-based permissions, periodic review | Information security, system admin
Workplace complaint | Intake, documentation, nonretaliation reminders | Employee relations, legal
Vendor handling of HR data | Contract review, data safeguards, breach plan | Procurement, legal, infosec

Use this risk-control pattern: (1) identify the risk event, affected people, and possible harm; (2) estimate likelihood, severity, urgency, and business impact; (3) review existing policy, records, controls, and ownership; (4) choose a treatment that reduces risk without blocking legitimate work; (5) monitor, document decisions, and improve the process.

In exam scenarios, avoid answers that expose confidential information to satisfy curiosity, and equally avoid answers that withhold information a manager genuinely needs to implement a work restriction or safety action. When a vendor may have mishandled data, the strongest first move is to assess what data is affected, notify internal owners, and coordinate with legal, security, and the vendor — not to minimize it or terminate the contract blindly. HR judgment is usually about sharing the minimum appropriate information with the right people at the right time.
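The minimum-appropriate-information rule above can be enforced mechanically when HR records are released through a system rather than by hand. The following is an added example written for this page, not code from any HR system or vendor; the record fields, role names, per-role field lists, the fixed date and the 90-day review cadence are assumptions for illustration. It shows a manager's request for an employee's medical file returning only the work restriction and its end date, with the diagnosis, pay and investigation data withheld, and a periodic access review that flags grants nobody has re-certified.

```python
"""Need-to-know release of HR record fields by requester role, plus a
periodic access review. Added example written for this page; not code from
any HR system or vendor. The record schema, role names, per-role field lists,
the fixed date and the review cadence are assumptions."""
from dataclasses import dataclass
from datetime import date

# Constructed sample record; the field names are assumptions.
EMPLOYEE_RECORD = {
    "employee_id": "E-1042",
    "name": "A. Example",
    "ssn": "***-**-1234",
    "pay_grade": "G7",
    "diagnosis": "lumbar strain",                 # medical detail: HR medical file only
    "work_restriction": "no lifting over 10 kg",  # the action step a manager needs
    "restriction_end": "2026-07-15",
    "investigation_notes": "open complaint, intake 2026-05-20",
}

# Fields each role may receive. A manager gets the restriction and its end
# date, never the diagnosis; payroll never sees medical or investigation data.
ROLE_FIELDS = {
    "manager": {"employee_id", "name", "work_restriction", "restriction_end"},
    "payroll": {"employee_id", "name", "pay_grade"},
    "hr_medical": {"employee_id", "name", "diagnosis", "work_restriction", "restriction_end"},
    "employee_relations": {"employee_id", "name", "investigation_notes"},
}


def can_see(role: str, field: str) -> bool:
    """Default deny: unknown roles and unlisted fields are never disclosed."""
    return field in ROLE_FIELDS.get(role, set())


@dataclass
class Release:
    disclosed: dict
    withheld: set
    audit_line: str


def release(record: dict, requester: str, role: str, purpose: str) -> Release:
    """Return only the fields the role may see, plus a line for the access log."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}; nothing released")
    disclosed = {k: v for k, v in record.items() if can_see(role, k)}
    withheld = set(record) - set(disclosed)
    audit_line = (f"release employee={record['employee_id']} to={requester} "
                  f"role={role} purpose={purpose!r} fields={sorted(disclosed)}")
    return Release(disclosed, withheld, audit_line)


@dataclass
class Grant:
    user: str
    role: str
    last_reviewed: date


TODAY = date(2026, 6, 1)  # fixed so the example is reproducible (assumption)

# Constructed access grants for the periodic review.
GRANTS = [
    Grant("m.okafor", "manager", date(2026, 4, 15)),
    Grant("p.lee", "payroll", date(2025, 12, 1)),   # not re-certified in six months
    Grant("h.diaz", "hr_medical", date(2026, 5, 30)),
]


def overdue_reviews(grants, today: date = TODAY, max_age_days: int = 90):
    """Grants not re-certified within the assumed 90-day review cadence."""
    return [g for g in grants if (today - g.last_reviewed).days > max_age_days]


if __name__ == "__main__":
    r = release(EMPLOYEE_RECORD, "m.okafor", "manager", "implement lifting restriction")
    print(r.disclosed)                     # restriction and end date only
    print("withheld:", sorted(r.withheld))
    print(r.audit_line)
    for g in overdue_reviews(GRANTS):
        print(f"access review overdue: {g.user} ({g.role}), last reviewed {g.last_reviewed}")
```

The point of the default-deny `can_see` is that a new field added to the record (say, a new medical attribute) is withheld from every role until someone deliberately adds it to a role's list; the audit line records who received which fields and why, which is what an investigation or a vendor-breach assessment later needs.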

HR Risk Categories and Audit-to-Action

It helps to group people-risks so nothing is missed. Common categories include compliance risk (wage-hour, EEO, leave, safety), operational risk (single points of failure, turnover in critical roles, skills gaps), reputational risk (misconduct that becomes public, broken promises), financial risk (litigation, penalties, benefits cost), and information risk (data breach, improper access). A risk register lists each identified risk with its likelihood, impact, owner, treatment, and review date — the register is only useful when each entry has an accountable owner and a deadline.

Audits and risk assessments must convert into action. HR translates findings into owners, due dates, communication, training, or process changes. Repeated exceptions to a control often mean the control is impractical or poorly understood, not that employees are careless — that signal should drive a redesign rather than more discipline. Review cycles keep controls current as the workforce and regulations change.
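The register described above, and the audit-to-action rule that follows it, can be checked automatically: every entry gets a likelihood-by-severity score and a heat-map band, and any entry without an accountable owner or a future review date is reported as still-active rather than managed. The following is an added example written for this page, not a tool from SHRM or any GRC product; the 1-5 scales, the band thresholds, the fixed date and the sample entries are assumptions for illustration. It also flags the case the treatment table rules out: an "accept" treatment on a risk that is not low.

```python
"""Risk register scoring and governance check. Added example written for
this page, not from any GRC product. The 1-5 likelihood and severity
scales, the heat-map band thresholds, the fixed date and the sample
entries are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TREATMENTS = {"avoid", "reduce", "transfer", "accept"}
TODAY = date(2026, 6, 1)  # fixed so the example is reproducible (assumption)


@dataclass
class Risk:
    name: str
    category: str             # compliance, operational, reputational, financial, information
    likelihood: int           # 1 (rare) .. 5 (almost certain), assumed scale
    severity: int             # 1 (negligible) .. 5 (catastrophic), assumed scale
    treatment: str            # avoid, reduce, transfer, accept
    owner: Optional[str] = None
    review_by: Optional[date] = None


def score(risk: Risk) -> int:
    """Likelihood-by-severity score on the assumed 1-5 scales (max 25)."""
    return risk.likelihood * risk.severity


def band(risk: Risk) -> str:
    """Heat-map band; the thresholds are an assumption of this example."""
    s = score(risk)
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


def governance_gaps(register, today: date = TODAY) -> dict:
    """Return {risk name: [issues]} for entries that cannot yet be acted on."""
    gaps = {}
    for r in register:
        issues = []
        if not (1 <= r.likelihood <= 5 and 1 <= r.severity <= 5):
            issues.append("likelihood/severity outside the 1-5 scale")
        if r.treatment not in TREATMENTS:
            issues.append(f"unknown treatment {r.treatment!r}")
        if not r.owner:
            issues.append("no accountable owner")
        if r.review_by is None:
            issues.append("no review date")
        elif r.review_by < today:
            issues.append(f"review overdue since {r.review_by.isoformat()}")
        if r.treatment == "accept" and band(r) != "low":
            issues.append("accepted but not a low risk; re-evaluate treatment")
        if issues:
            gaps[r.name] = issues
    return gaps


def prioritized(register) -> list:
    """Highest score first; ties broken by severity so a catastrophic-but-rare
    item is not buried beneath a frequent minor one."""
    return sorted(register, key=lambda r: (score(r), r.severity), reverse=True)


# Constructed sample register; every entry is illustrative.
SAMPLE_REGISTER = [
    Risk("Sole payroll administrator (single point of failure)", "operational",
         3, 4, "reduce", "HR Director", date(2026, 9, 30)),
    Risk("Vendor mishandles benefits enrollment data", "information",
         2, 5, "transfer", "Procurement", date(2026, 3, 31)),   # review date has passed
    Risk("Inconsistent overtime approval across sites", "compliance",
         4, 3, "reduce", None, None),                           # nobody owns it
    Risk("Occasional late timesheet submission", "operational",
         4, 1, "accept", "Payroll Lead", date(2026, 12, 31)),
    Risk("Unencrypted personnel files on a shared drive", "information",
         3, 5, "accept", "IT", date(2026, 12, 31)),             # high risk, merely accepted
]

if __name__ == "__main__":
    for r in prioritized(SAMPLE_REGISTER):
        print(f"{score(r):>2} {band(r):<6} {r.treatment:<8} {r.name}")
    for name, issues in governance_gaps(SAMPLE_REGISTER).items():
        print(f"GAP  {name}: {'; '.join(issues)}")
```

Run as a script it prints the register in priority order and then three gap lines: the vendor risk whose review date has passed, the overtime risk with no owner and no date, and the shared-drive risk that scores high yet carries an "accept" treatment. Those three lines are the audit-to-action list: each needs an owner, a due date, or a different treatment before the register can be called current.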

Privacy Regimes HR Should Recognize

Beyond general principles, several frameworks shape HR data practices. The ADA requires that any medical information HR obtains about applicants or employees be kept confidential and stored separately from the general personnel file; the separate medical file is an ADA requirement, not a HIPAA one. HIPAA governs protected health information held by covered entities such as health plans and providers, so HR encounters it mainly when administering the employer's group health plan rather than in ordinary employment records. State privacy laws (such as the California Consumer Privacy Act, CCPA, as amended by the CPRA, which extended its rights to employee and applicant data from 2023) and the EU's GDPR create obligations around employee data collection, lawful basis and notice, individual access rights, and cross-border transfer.

HR does not have to be a privacy lawyer, but it should recognize when a scenario implicates these regimes and coordinate with legal and information security accordingly. A useful habit is to ask, for any new data request, three questions: do we have a legitimate business need, is access limited to those who need it, and is the record stored and retained correctly? If any answer is uncertain, that is the signal to slow down and consult before collecting or sharing.

Test Your Knowledge

A risk assessment rates a hazard as low-likelihood but catastrophic-severity, and the organization buys insurance to cover potential losses. Which risk treatment is this?

Test Your Knowledge

A manager asks HR for an employee's full medical file because the employee has a temporary lifting restriction. What is the best response?

Test Your Knowledge

Which element belongs in HR's part of a business continuity plan?
