Integration of a Human Risk Module into a Risk Management Software

In the scientific literature and in practice, many questionnaires, based on a myriad of measures, have been designed and tested to measure and evaluate perceived work stress or employee involvement. The objective of our research is to identify the most significant elements of human risk and to combine them into a single score at the level of teams and departments. Indeed, what really matters for companies are the stress or dissatisfaction factors that lead to harmful behavior and prevent managers and their teams from achieving their objectives. Based on this research, we are developing a module that will be incorporated into the Oxial software and will also be available as a stand-alone module. This module will collect and analyze the data needed to calculate a single score measuring the level of human risk. This aspect is very innovative, because no risk management software currently includes a module dedicated to human risks.


Introduction
At the European level, initiatives call for a more restrictive legal framework in order to ensure a high-quality environment for workers. Various studies (e.g. at the European Union level [1]) have highlighted the damaging effects of toxic environments on human health and on the performance of organizations. Companies cannot efficiently fight a toxic environment and its detrimental impact if they do not have the tools to monitor and manage human-related risks. Enterprise Risk Management (ERM) approaches are very popular today and are often implemented through the COSO and ISO frameworks, although the weak link remains the human part. The most prominent examples are currently non-conformity risks, data leaks and cyber risks. However, human-related risks comprise far more than that, such as fraud, lack of performance or burnout. As we aim to develop a tool that makes it possible to identify and mitigate human-related risks, the research question to be answered is: "How to build an organization's check-up tool for human risks?" Answering this question requires a transdisciplinary approach. It can be subdivided into four main sub-questions: 1. "What are the necessary data to collect to ensure that human-related risks will be identified and mitigated?", 2. "How to collect data from and about the employees?", 3. "How to integrate these data into one meaningful score?", 4. "When does the system have to release an alert?".
As we are at the beginning of this research, in this paper we address the first sub-question, that is "What are the necessary data to collect to ensure that human-related risks will be identified and mitigated?" In general, the notion of risk includes two elements: probability on the one hand and impact on the other. The concept of risk therefore refers to the link between the probability of exposure to a hazard and the consequences (monetary, physical, psychological, etc.) likely to occur. Moreover, when we talk about risk, we focus more on the origin than on the manifestation and consequences. The French Ministry of Labour, Employment and Health has commissioned an in-depth study on the topic of psychosocial risks at work and defines them as "risks to mental, psychological and social health caused by the conditions of employment and the organisational and relational factors that may interact with the mental functioning of individuals" [1].
In the context of work, the notion of risk must be understood as the probability of the occurrence of disorders originating in the professional environment. Several well-known models and related questionnaires from the scientific literature make it possible to assess precisely this notion of human risk at work. However, these questionnaires are long and better suited to in-depth studies. In this research, we have created a software module that is to be integrated into a conventional ERM (Enterprise Risk Management) system, that does not require a lot of data, and that provides an "overall enterprise temperature" of human risk for early detection. The goal is that the enterprise can, if necessary, respond in a timely manner before it is too late. In this short paper, in Section 2, we present three well-known scientific models related to the notion of work experience. In Section 3, we show how, based on the models presented in Section 2, we have created a questionnaire of reduced size for implementation in an ERM (Enterprise Risk Management) software. In Section 4, we describe typical human risks that will be addressed through our approach. In Section 5, we present the new risk visualization framework that we have developed to adapt to traditional ERM reporting. In Section 6, we show how the human risk module will be integrated into the overall Oxial GRC software. In Section 7, we conclude and indicate further research directions.

Literature Review
We present three well-known models (demand-autonomy [3], effort-reward imbalance [4] and Maslach burnout inventory [5]) related to work experience. All these models are at the origin of questionnaires often used to conduct field studies related to work experience (see Section 3). In Karasek's model [3], also known as the demand-autonomy model, a work context characterized by a combination of low decision-making autonomy and high psychological demand is assumed to increase the risk of developing a physical or mental health problem. More precisely, the psychological demand is the amount of work to be done, the time constraints related to this work and the mental demands. Decision-making autonomy refers to the worker's ability to have control over the tasks the employee must perform, but also over the possibility of developing his/her skills. Later research added social support as a third component of the model. In general, it reflects the interactions experienced at work, with colleagues and the hierarchy. Social support therefore intervenes, when it is present, as a modulator of tension at work. In other words, in case of difficulty, social support can help the person by making them feel supported, or on the contrary aggravate the situation with a feeling of abandonment by their colleagues/leaders. Siegrist's model [4], also known as the effort-reward imbalance model, is based on the hypothesis that a combination of high effort and low rewards allows pathological reactions to occur, both physiologically and emotionally. The high effort variable can come from two sources: external and internal. External origin includes high demands at work such as having a lot of responsibility or being often interrupted. Otherwise, it may be an intrinsic effort that translates attitudes into motivations for excessive engagement in work.
With regard to the latter aspect, this can be explained by a sense of duty, a need to surpass oneself or the self-gratifying experience of facing challenges or controlling a situation. If low rewards such as unsatisfactory pay, lack of esteem and respect at work and low job security are present in conjunction with high effort, then the person may be faced with a risky situation. Burnout in the MBI (Maslach Burnout Inventory) model [5] is defined as a psychological syndrome of exhaustion, cynicism and ineffectiveness, experienced in response to chronic stressors. Engagement (versus burnout) as proposed by this model [5] is a different construct from others typically proposed by organizational psychology such as organizational commitment, job satisfaction or job involvement. Organizational commitment refers to the employee's allegiance to the organization that gives him/her work. The focus is on the organization, while engagement focuses on the work itself. Job satisfaction is the extension of the idea of work as a source of the need for achievement and satisfaction, but does not include the person's relationship with the work itself. Organizational involvement is similar to the concept of involvement contained in engagement with work, but does not include the dimensions of energy and efficiency. Therefore, engagement provides a more complex and in-depth perspective of an individual's relationship with work.

From Questionnaires Based On Scientific Literature to a Reduced Risk Questionnaire

Designing a Visualization Interface for Human Risk Identification
The risk management process [11] can be summarized as shown in Figure 1. In step 1, business objectives must be defined. Then the risks that can prevent the achievement of the business objectives must be inventoried (step 2). These risks are then evaluated by calculating their probability and impact (step 3). They are visualized through a risk map. In step 4, treatments are put in place to give an appropriate response to the significant risks by either mitigating, avoiding or transferring them. Finally, step 5, risk controls, allows monitoring of whether the treatment measures are effective. It is an iterative process. In general, in a large company, one or two full cycles are carried out per year. The human risk module has been designed to be directly integrated into an ERM software. However, the logic of the human risk calculation will be different from the traditional approach where the probability is multiplied by the impact. Indeed, the human risk will correspond to a single score that gives a severity or criticality according to a predetermined color (green = small risk, yellow = medium risk, red = high risk). Consequently, the human risk matrix will be structured as shown in Figure 2: on the left-hand side, each row shows a given BU (Business Unit) and then, on the right-hand side, we will be able to see the evolution over time (here week after week) of the aggregated human risk measure. Both tools (risk map and human risk matrix) will therefore be combined, which will provide managers with an even greater depth in terms of enterprise risk management diagnosis. The main motivation for this is that the human risk is already contained in each risk inventoried in the enterprise risk map and thus should not be presented as an individual risk.
Thanks to this new kind of risk reporting combining both the classical risk map and the dynamic human risk matrix, triggers calling for risk treatments and monitoring through controls will be addressed in a research paper addressing our fourth sub-question: "When does the system have to release an alert?"
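A concrete sketch of the aggregation behind the human risk matrix of Figure 2 (per-BU rows, one column per week, a single banded score per cell), added here as an example and not taken from the paper or the Oxial product; it also illustrates the bottom-up collection and single-score idea of Section 6. The questionnaire items, the 0..100 rescaling, the colour thresholds, the minimum-respondent floor that keeps individual answers from being exposed in small teams, and the rising-trend early signal are all assumptions.

```python
"""Added example: team-level human risk matrix from constructed questionnaire data."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed reduced questionnaire: three items scored 1..5 (higher = more strain),
# loosely following Karasek's demand / autonomy / support dimensions.
# The paper does not publish its items or weights; these are placeholders.
ITEMS = ("demand", "low_autonomy", "low_support")
MIN_RESPONDENTS = 5  # assumed anonymity floor: no score shown for fewer people


@dataclass
class Response:
    bu: str
    week: int
    scores: dict  # item -> 1..5


def individual_score(r: Response) -> float:
    """Mean strain over the items, rescaled from 1..5 to 0..100."""
    mean = sum(r.scores[i] for i in ITEMS) / len(ITEMS)
    return (mean - 1) / 4 * 100


def band(score):
    """Assumed colour thresholds for the single score (not from the paper)."""
    if score is None:
        return "n/a"
    return "green" if score < 40 else "yellow" if score < 70 else "red"


def aggregate(responses):
    """Return {bu: {week: score}}; score is None when under the anonymity floor."""
    groups = defaultdict(list)
    for r in responses:
        groups[(r.bu, r.week)].append(individual_score(r))
    matrix = defaultdict(dict)
    for (bu, week), vals in groups.items():
        ok = len(vals) >= MIN_RESPONDENTS
        matrix[bu][week] = round(sum(vals) / len(vals), 1) if ok else None
    return dict(matrix)


def early_signal(row, n=2):
    """Assumed feedforward-style rule: the BU score rose in each of the last n
    weeks, flagged even while it is still below the red band."""
    weeks = sorted(w for w, s in row.items() if s is not None)
    if len(weeks) < n + 1:
        return False
    last = [row[w] for w in weeks[-(n + 1):]]
    return all(b > a for a, b in zip(last, last[1:]))


def render(matrix) -> str:
    """Plain-text version of the Figure 2 layout: one BU per row, weeks as columns."""
    weeks = sorted({w for row in matrix.values() for w in row})
    lines = [f"{'BU':<10}" + "".join(f"W{w:<11}" for w in weeks)]
    for bu in sorted(matrix):
        cells = [matrix[bu].get(w) for w in weeks]
        text = "".join(f"{'n/a':<12}" if s is None else f"{s:>5.1f}/{band(s):<6}" for s in cells)
        lines.append(f"{bu:<10}" + text)
    return "\n".join(lines)


def constructed_sample():
    """Constructed data, not real survey results: Logistics worsens week by week,
    R&D has too few respondents in week 1 and must be suppressed."""
    rows = []
    for week, (d, a, s) in {1: (2, 2, 2), 2: (3, 3, 3), 3: (4, 4, 5)}.items():
        rows += [Response("Logistics", week, {"demand": d, "low_autonomy": a, "low_support": s})] * 6
    rows += [Response("R&D", 1, {"demand": 5, "low_autonomy": 5, "low_support": 5})] * 3
    return rows


if __name__ == "__main__":
    m = aggregate(constructed_sample())
    print(render(m))
    print("early signal Logistics:", early_signal(m["Logistics"]))
```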

Typical Human Risks We Are Addressing In the Context of Enterprise Risk Management

Cognitive Dissonance at Work
Cognitive dissonance is a phenomenon that affects human resources in companies. It occurs when people feel that the behaviors they need to adopt are in contradiction with their values. It typically occurs when these people find themselves in the midst of motivational conflicts where it becomes difficult to reconcile their objectives and interests with the negative aspects associated with them. For example, we can cite the case where people trust managers to ensure their well-being and health, but those managers ask them to increase the work rate, justifying it by the rationalization of production processes. The love of a job well done conflicts with the new requirements of the position. One of the most important risk factors we have observed in our research is loss of meaning. The type of conflict generated by digitization often leads to a loss of reference points, in the vain race between the human and the machine that makes no mistakes and is never sick. Even if physical hardship is reduced thanks to the automation of work, the resulting lack of managerial flexibility is likely to increase the risk of demotivation of employees. In addition, the need for training increases with automation, as the required skills become more specialized while the pressure on immediate results increases.

Presenteeism Risk vs. Absenteeism Risk
While absenteeism is poorly recognized, in a situation of limited resources its impact is amplified by the increase in workload passed on to other employees, who, in turn, can also make more mistakes due to exhaustion. Absenteeism therefore entails direct costs that are easily identifiable, but also indirect costs in terms of demotivation of employees, errors and reduced quality. Presenteeism is a human risk that is more difficult to treat and detect, because employees go to their workstations and carry out most of their activities, but the motivation is no longer there. When employees are demotivated, the risk resulting from human error can affect the quality of the product or the production environment. In extreme cases, we can even speak of sabotage, conscious or unconscious. Even if the company has quality certification (e.g. ISO 9001), employees with little motivation for their mission become increasingly dangerous for the quality of production and for the working environment, which is likely to deteriorate due to contagion.

Organization in "silos"
Silos can significantly affect the company's reputation due to inefficient communication between departments. In the absence of adequate coordination, this typically leads to delays in the production process and bottlenecks in meeting requests on time. The silo effect can also reduce work efficiency by preventing employees from sharing information and best practices, which can affect the company's competitiveness.
Employees usually point to this risk through the absurdities they observe (poorly assigned staff, inadequate equipment, erratic decision-making processes, etc.) that are due to a problem of interdepartmental communication. Unfortunately, this risk is not specific to only certain companies. It is apparent from most of our risk maps in other business contexts.
To compensate for the negative effects identified, management must establish and maintain a link between the "silos". This can be done by better listening, closer proximity and support for teams. "Social" activities (company outings, training workshops, etc.) are of course expensive and tend to disappear, but they are vital to promote healthy corporate cohesion.

Lack of Communication or Poor Communication along the Line of Authority
As in all industrial organizations, the management ratio (i.e. the number of managers compared to the number of employees hired in the production line) has been significantly reduced over the years in order to reduce costs. On the other hand, scientific studies show that the management ratio should increase with the increasing complexity of production processes, and in particular with automation. The lack of supervision is often expressed by a feeling that one is not being listened to, that one's opinion does not matter. The hierarchy is becoming more and more distant. We fear it. In everyday life, employees no longer understand the decisions that are made. Worse still, they think that the decisions taken are not adequate, and that they could have made a positive contribution if they had been listened to. The positive aspect is that employees in general want to contribute strongly to the success of the company. The latent involvement is therefore often strong; it is enough to mobilize it. It would be essential for managers to spend more time developing transversal links, but also to develop and maintain links between hierarchical levels to encourage top-down and bottom-up exchanges. This would allow for better staff mobilization and greater coherence between strategy and operations.
DOI: 10.12948/issn14531305/23.3.2019.01

Loss of Talents
Talent retention has become crucial to generating the company's competitive advantages, because these employees are the repositories of the know-how and knowledge that have a significant impact on the company's performance. In the past, corporate culture often seemed to favor loyalty by offering promotion opportunities based also on seniority. However, this practice is very unsuitable for young talents of the new generations (Y and millennials), who require rapid recognition and immediate rewards. Especially for heavy work (physical work, picketed schedules, etc.), it is very difficult to motivate newcomers. While it is easier to keep senior employees who show a real attachment to the company, as we have already mentioned above, the risk of losing young employees cannot be neglected. If they do not perceive opportunities that are attractive enough to them, they will not hesitate to respond to a better offer from another company.

Oxial GRC Software And the Implementation of the Human Risk Module
Oxial is a provider of web-based governance, risk management and compliance (GRC) software and on-demand service solutions for large, medium and small businesses in a wide range of industries. The philosophy of the Oxial system is based on two fundamental pillars:
- systems theory: this methodology makes it possible to understand the complexity of a company in the current context and therefore to respond in a structured and coherent way to all the risks that could hinder its objectives;
- co-production: varied expertise (employee, customer, partner, ...) is taken into account in order to co-create the most effective and sustainable solutions for all stakeholders.
A holistic approach and multiple expertise offer an ecosystem based on dialogue, equity and transparency for each of the contributors, including academics, and here in particular the Innosuisse Human Risk project. Today, a company can no longer achieve its objectives without integrating two strong and essential components: well-being at work and technology as a tool. A digital ERM (Enterprise Risk Management) tool such as Oxial has 3 main objectives, which are communication, centralization and exploitation:
- real-time and continuous communication with all stakeholders creates the conditions for a viable involvement and transformation of the company;
- the centralization of data in a secure framework allows the capitalization of best practices and therefore a permanent evolution of the company;
- the exploitation of information via artificial intelligence functionalities allows an analysis and supervision of all the company's activities.
These 3 elements are generally grouped under 2 complementary attributes: risk dashboard and risk reporting. The risk dashboard and risk report use data consolidated via a structured model and are intended to communicate information, either for internal or regulatory purposes.
Consequently, the Oxial GRC platform serves as the basis for creating a regular, fast and ergonomic bottom-up data collection system to achieve an overall human risk score for companies. This score can then be integrated into an enterprise risk map and allow for better governance that also integrates human risks alongside more traditional risk categories such as operational, financial, strategic and compliance risks. The challenges of our research lie mainly in the relevant and simplified collection of company data and in the definition of an overall human risk score that will be based, in further research, on advanced statistical methods. Managers need new means to assess and manage human-related risks. Companies need an indicator which measures human risks, monitors its trends and benchmarks among departments and products of companies. We aim at developing a human risk platform accessed through SaaS (Software as a Service). Our solution relies on data collection and processing in order to measure human-related risks, analyzes the data and provides a unique score for the company. Research challenges mainly lie in a regular and rapid data collection process among employees and in the definition of the score through statistical methods.
In this paper, we have presented the concept of our human risk management solution. The first step of this research (the data collection phase) is currently implemented in a large Swiss company as a module of the Oxial Risk solution for testing purposes. In the future, we hope that our solution will make it possible to address, in a pragmatic and relevant manner, human-related risks that are at present not properly covered by most ERM (Enterprise Risk Management) software. Human-related indicators will be combined with more traditional indicators to generate alerts that work as early signals.
Consequently, our ERM software solution will favor feedforward controls [12] (as opposed to feedback controls) in order to prevent risks from arising rather than to deal with damages once observed. Feedforward controls