People are the biggest risk

I have always proffered that the biggest risk, above all, is your Human Resource risk.

When we look at crises in sectors such as banking, insurance, healthcare, football, charity, etc., at the core of each of these breaches or scandals are people. People control, manage and handle risk, from the board table cascading down into organisations.

We are now faced with ever-increasing cyber risks – handled by people – and pandemic risks – spread by people.

We know that risks are inevitable and organisations have a moral and legal obligation to attend to the safety and well-being of those they serve, those who work for them and other stakeholders.

However, this duty of care applies to and from us all, in whatever station we fulfill in life and work. I am struck by The Golden Rule principle of treating others as one wants to be treated, which is a maxim found in most religions and cultures.

The recent pandemic and global cyber attacks have brought the world closer. Maybe if we all turned on our screensavers to self-reflect whether our actions or inactions are contributions that adhere to The Golden Rule in all that we do, the risk impacts would not be so widespread.

Carol Ann Casey

Factual independent investigations process

CA Compliance is an established provider of impartial independent investigations delivering findings as to fact.

CA Compliance’s approach to conducting independent investigations is to:

  1. Attain clarity on what the investigation will achieve through a signed Terms of Reference between the parties and stick to this remit
  2. Interview the complainant and respondent followed by relevant witnesses to gather factual and documentary evidence
  3. Explore and investigate the information gathered to include inspections, seeking expert opinion, viewing CCTV footage, etc. to assist validation of findings
  4. Share settled interviewee meeting notes and documentation for party commentary as applicable during the process
  5. Document findings as to fact gathered during the aggregate investigation within an evidence-based report
  6. Share draft report with the complainant and respondent seeking their comments on any factual inaccuracies before finalising report
  7. Issue final report to the relevant parties and the investigation lead of the entity

4 Tips to manage HR risk


Commonly people think about risk based on financial risk and internal controls. Admirable, of course; however, I proffer that the biggest risk, above all, is your human resource (HR) risk.

When we look, for example, at crises in sectors such as banking, insurance, healthcare, football, charity, etc., at the core of each of these breaches or scandals are people. People control, manage and handle risk, from the board table cascading down into organisations.

Risks are inevitable and organisations have a moral and legal obligation to attend to the safety and well-being of those they serve, those who work for them and other stakeholders who come into contact with their operations. This is known as their duty of care. However, organisations also need to peruse all the risks throughout their entire operation (not just financial and legal) and incorporate risk management strategies throughout their planning and decision-making processes.

So I believe for a business to run in a transparent, ethical and credible manner it must address its most important asset – its people and how they run the business.

To address these matters, organisations could consider the following 4 HR risk and compliance tips:

  1. Diarising on the board agenda the regular re-assessment of the organisation’s vision, mission, values and culture. This will help reaffirm who they are, their unique proposition and strategy, risks, particularly in an ever-changing economic climate.
  2. Ongoing assessment of the CEO’s performance to monitor and motivate best strategic performance, and where applicable the board’s effectiveness needs to be appraised to drive strategic growth.
  3. Regular monitoring and development of their succession planning model, particularly identifying future gaps and managing the knowledge transfer of key leadership and technical talent.
  4. Regular monitoring of continuous professional development (CPD), as well as compliance to regulatory standards and requirements’ obligations, to ensure fit for growth and retention purposes for both employees and the organisation.

So, risk assessment should be an ongoing working document of the board. I believe a basic risk assessment will identify, assess, analyse and evaluate each risk in question specifically for their organisation. This will help decide and document the treatment of that risk, i.e., whether to tolerate, terminate, treat or transfer it.

We believe to adequately assess the sources and handling of risk, organisations must risk assess their aggregate internal capability, i.e., their resources, systems, structure and culture. All of these risk areas require people. People are a source of risk. People handle risk.

With the right people, in the right place, doing the right transparent, ethical and credible things, organisations can identify aggregate risks, areas for improvement, leading to increased productivity and ultimately the big P – Profit!

© CA Compliance Limited 2019

The Negotiating Table

Negotiation, like a Krav Maga self-defence course, has become a survival skill for many. It is primarily concerned with striking a bargain, attaining power and a means by which people with different interests can agree on how to reconcile them. Good negotiating is about asking the right questions or doing the right things to achieve desired results.

The same applies to career negotiations. Your negotiation at your first job interview is your most important because it sets your salary package for the future. Put harshly, salary negotiations are based on ‘price the space in the organisation’ and then ‘price the person’. This is equally the case if you are negotiating for your business where you have to ensure that your overheads are covered with an equitable profit that makes the business transaction worthwhile. It is, of course, always worth remembering that companies make decisions on their cost planning – which is likely to include you – yet customers are in charge of their revenue in terms of building equitable profit.

Women can often not ask for what they really want and this can disadvantage them significantly in the progression of their careers or businesses. By learning how to talk themselves up (self-promotion) – a skill more common among men – women can maximise not only their current compensation, but also their future earning potential. Success to me is made up of ability, breaks and courage – the latter is necessary for good negotiating.

To conduct a successful negotiation meeting, the following steps may be helpful:

  1. Prepare. Prepare. Prepare.

Information is everything. You will argue from a stronger position if you know how your salary or business compares with those doing similar jobs, both at your company and in your industry, or in the sector in which you deliver your goods or services. This involves establishing the facts, getting quality information, and preparing the case and preparing for the negotiation meeting. Preparing can involve joining professional organisations, establishing relationships with recruiters and industry peers, searching the Internet for market data and intelligence on your discipline, etc.

Another crucial goal of your investigation is to learn how valued you are by your company and customers or clients. To quote Donald Trump: “If you owned the company, would you think you deserved an increase?”.

  2. Build up your alternatives

The ultimate power in negotiation comes from having a good alternative. The classic strategy is to ask for more money than you will settle for, perhaps adding an extra 10 to 20% cushion or bargaining amount. Ask for much more and you risk seeming unrealistic.

The most obvious and potentially powerful fallback is an offer in hand for a better-paying position. This does not mean you should bring up a job offer in your first conversation about a raise since it will likely put your boss on the defensive. If you do not have another job lined up, the fallback could be to ask for something else important to you besides more money such as more annual leave, working at home a few days a month, an expense account, an Apple Mac, etc. as you want bargaining chips when it is time to talk. Once you determine which options are important, prioritise them – this is a skill of a good negotiator. Exaggerate the importance of issues you do not care about so that you get what you want the most. So, in practice, you might ask for a 10% raise but be willing to accept 7% if you also get extra holidays. Good negotiators get something in return for everything they give up, and this goes for business owners selling their goods or services also.

  3. Think about the other side’s perspective

Negotiating aims at solving problems. So your case will be much stronger if you focus on what your manager’s pressure points are and how you can demonstrate alleviating them, or say what you or your business can do to add value to their company.

Effective negotiators always think about the other side’s perspective. You need to understand your company’s financial situation, i.e., does your manager or client have budget constraints and how can you get what you want which is both reasonable and attainable to you both.

  4. Walk the talk

The preparatory work is done, now comes the talk. Pick a time to meet when you will not be interrupted, e.g., first thing in the morning or right after lunch. This is a serious conversation or tender meeting so have the discussion in the office and not over food or drinks.

There is no reason to feel nervous if you have done your research and homework. To reduce your anxiety before the meeting, focus on the merits of what you are asking for, not on the person you are asking. Be polite yet assertive – think: if the meeting were recorded, would you want to give yourself a raise or a contract?

  5. Be clear and listen attentively

Start the conversation by explaining why you deserve a raise or why you think your goods or services will benefit the prospective client. (This is where a written list of accomplishments or client testimonials is valuable.) Keep the meeting to the point and timely.

The best negotiators are not the people who make the most vehement argument; they are the ones who pick up on what is really being said. As much as 90% of the communication between two people speaking face-to-face is non-verbal so pay attention to body language – your manager’s or potential client’s, and your own.

Be prepared to hear no but do not give in, re-negotiate your bargaining chips and always remain calm.

Once a negotiation is reached, get it in writing as soon as possible, to include building for the future in terms of measurements on job expectations or your business’ deliverables.


Negotiation should aim at a win-win situation for both parties. This will only be achieved if there is clarity of focus, preparation, proactivity and consideration for all parties. Commitment, action and positive thoughts will take you a long way.

© CA Compliance Limited 2019

The process of investigating complaints

By ensuring a fair investigative process, those investigating can help build morale and trust among employees. On the other hand, a poorly conducted internal investigation can cost an employer financially and damage its reputation, not to mention the reputations of the persons involved in the investigation. Therefore conducting a thorough, impartial and prompt investigation is critical to mitigate against future risks.

Conducting workplace investigations is very challenging as often those investigating may not be properly trained or often feel under pressure to resolve complaints too hastily. Conversely employees are often very aware of their rights and fair procedures.

Linked to this awareness there are a myriad of employment laws that regulate how investigations should occur to include Unfair Dismissals Acts 1977-2007, Code of Practice on Disciplinary procedures 1996, Code of Practice on Sexual Harassment and Harassment at Work 2012 under the Equality Acts 1998-2011, Health and Safety Authority 2007 Code of Practice for Employers and Employees on the Prevention and Resolution of Bullying at Work.

The following are 10 steps for handling a complaint that could be followed if an employer is faced with a complaint it needs to investigate:

10 step complaints handling process:

  1. Plan and prepare gathering factual and documentary evidence (decide who will investigate, who and what will be investigated, what evidence needs to be gathered, etc.)
  2. Communicate clearly and promptly – do not ignore any complaint/complainant
  3. Confidentiality is critical, and only with the parties involved
  4. Ensure objectivity and impartiality
  5. Be attentive during interviews and allow no distractions
  6. Ask open probing interview questions
  7. Investigate thoroughly and data record appropriately
  8. Do not make assumptions; act fairly and proportionately
  9. Document factual findings within a written report *
  10. Follow-up with those involved

A well-written investigative report* can help minimise liability risks. Such a report should include:

  • The matter being investigated with date(s)
  • The people involved
  • Applicable employer policies or guidelines
  • Key factual findings and credibility determination
  • Summaries of witness statements
  • Specific findings and conclusions
  • Issues that could not be determined/resolved
  • Employer actions taken
  • The name of the investigator.

Once a written report is submitted to the decision-maker (who is not the investigator), they will determine what, if any, disciplinary action will occur. Typically the decision-maker will:

  • Notify the employee who made the complaint that action was taken
  • Re-integrate the employee(s) involved back into the workplace, shifting focus from the complaint to the changes the investigation has brought about
  • Where applicable, remind employee(s) that retaliation will not be tolerated, and check back within three months to ensure that there has been none
  • Review the investigation to determine what could be done better the next time, should there be a next time
  • Look for patterns in complaints that might suggest more training is needed to avoid similar problems in the future

While every complaint is unique, having a well-defined, consistent procedure in place can ward off future complaints.

© CA Compliance Limited 2016

The GDPR approach in simple terms

There is so much talk about the GDPR (General Data Protection Regulation), which comes into effect on 25th May 2018, that I am setting out my simple approach:

  1. Appoint a Privacy Lead.
  2. Make sure you have effective ongoing communications in place – internally with employees and externally with customers/clients and suppliers.
  3. To meet the requirements of the core principles of the GDPR be open, honest and transparent with your customers/clients about what data you are collecting, as well as why and how you are using that data.
  4. Ensure you have consent from your customers/clients to process their data.
  5. Audit your data and update your privacy policies (personnel and customers/clients), as well as identify relevant technology to help fill in the gaps.
  6. When auditing assess the data you are holding, i.e.,
     • What kind of data are you storing?
     • Where does the data reside?
     • What is the format of the data?
     • Can you anonymise the data?
     • Is it centralised or does it live on multiple devices?
     • Why are you storing the data?
     • How did you get the data?
     • Do you need to keep storing the data and can it be deleted or changed?
     • How do users access the data? Is access encrypted and secured?
     • Is the data exposed to third parties?


  • Personal data is “any information relating to an identified or identifiable natural person”[1].
  • Ultimately the increased protection of EU’s citizens and their rights is the end goal of GDPR.
  • A main difference between pre- and post-GDPR is that your customers/clients will now have the ability to request that their data be completely erased.
  • Fines of up to €20 million or 4% of global revenue are a possibility for those who are deemed to be negligent.
  • The Data Protection Commission’s “The GDPR and You” is a good preparation tool.

[1] The EU definition of “personal data” is set out in the Data Protection Directive 95/46/EC


Ethical leadership: what FIFA taught us?

Is there something about power that gets people into trouble? Ethical leadership has a compelling case for a business.

It is clear that the egregious acts of dishonesty that destroy careers (and in some cases organisations in their aftermath) have been generally executed by people who hold the most senior roles in their organisation.

Taking a 2015 example, FIFA, one of the biggest sports bodies in the world with a 111-year history, became embroiled in numerous ethical debacles not just over gifts and bribery in recent times but for many years. Or another example from 2012, the Barclays’ LIBOR rate-rigging scandal questioned ethics and resulted in the resignation of its CEO and chairman. We could also write a book on political, banking, property, charity, etc. examples from our own Isle.

Simply put, unlimited power dramatically increases ethical risks.

So how should organisations be more ethical in conducting their business? I proffer that ethical leadership can include:

  • the board of directors’ accountability, encompassing an independent director(s), to include supervision of the senior executives;
  • 360 degree performance and peer feedback at all levels – from the board down – with budget for training and development against outcomes;
  • accounting oversight with control on all spend;
  • internal risk and control measures throughout the business;
  • moderate incentives at all levels;
  • corporate policies, procedures and practices followed by all executives;
  • encouragement of whistleblowing.

Each of these items needs to be regularly and routinely carried out and reported on to avoid any surprises and to highlight any risks.

In doing so, ethical leader executives should be mindful of the following characteristics that they should bring into their day-to-day working life:

  • Authority: establishing clear performance goals and providing guidance for completing tasks.
  • Autonomy: allowing their team to complete tasks as they see fit and to their own schedule and providing opportunities for them to grow as individuals.
  • Fairness: providing their team with equal opportunities, rewarding those who perform well and withholding rewards from those who perform poorly.
  • Care: helping their team develop their skills, showing compassion for their personal problems, organising work so as to reduce stress, and volunteering.
  • Loyalty: emphasising pride in the organisation, demonstrating a willingness to sacrifice one’s own well-being for the well-being of the organisation and speaking highly of the organisation to outsiders.

If we relate this to the point about encouraging whistleblowing above, which is a topical issue in Ireland presently with the Protected Disclosures Act 2014 recently enacted, there can be issues for organisations to train staff to understand how they are protected if they disclose a perceived wrongdoing. For example, while an employee with a value of fairness would blow a whistle on the breach of corporate ethics, another individual with the prominent value of loyalty might not do so, protecting the organisation. So organisations must ensure their staff disclose and are informed about their right to raise concerns regarding potential wrongdoing that has come to their attention in the workplace in the knowledge that they can avail of significant employment and other protections if they are penalised by their employer or suffer any detriment for doing so.

Further, training ensures staff are aware that different types of leaders’ moral behaviours elicit different types of responses among followers. For example, being caring and fair is likely to lead to behaviours of helping others, while loyalty is aimed at benefiting the organisation over individuals.

A couple of years ago I recall reading an article by Lucy Kellaway, columnist at the Financial Times, that CEOs should do ‘an annual hubris test’. This has resonated with me ever since. We have to put our cars through NCT tests, so perhaps this is rhetorical but why not a similar exercise for our senior executives to ensure that they remain fit for purpose at the helm and deliver on performance? If this happened in FIFA I question whether the organisation would have faced the public embarrassment from bodies such as Coca-Cola calling on it to set up an independent reform commission and the US Attorney General’s intervention on the Association’s perceived uber ethical dilemmas.

Simply put, it should not be correct that leaders believe that they are responsible for the financial success of the company and deserving of large financial, and/or other, rewards.

Leaders need to strengthen behaviours that correspond with ethical conduct. Organisations can help by having good structures in place, and by appointing and developing appropriate senior executives with board and independent supervision. However, it is ultimately a leader’s responsibility to develop a more honest and integrity-filled way of doing business for their business.

© CA Compliance Limited 2016

10 Tips to be a HR Compliant Employer


Employers should comply with their responsibilities, fulfilling their specific industry’s regulations as well as employment regulations.

CA Compliance sets out the following 10 Tips to be a HR Compliant Employer:

  1. Contracts of employment: ensure contracts of employment have clear terms and conditions, e.g. make sure your employees are given and fulfil their job descriptions, have signed acceptance of confidentiality and non-disclosure clauses, there is a provision for changes to terms and conditions, etc.
  2. HR policies: ensure up-to-date documents reflect your company’s policies, procedures and practices on which employment practices are covered from initial employment through to termination of employment, e.g., bullying, grievances, disciplinary (the latter must legally be issued to employees within 28 days of commencing employment).
  3. Working time and record-keeping obligations – it is legally mandatory for employers to record the hours their employees work, and equally to ensure that any other external work falls within the aggregate working time legal requirements.
  4. Wages – compliance with the minimum wage payment (€9.15 per hour) is required, ensuring employees are in receipt of regular pay slips and are provided with access to a Personal Retirement Savings Account for pension provision.
  5. Leaves from work – ensure staff benefit from their entitled leaves away from their workplace such as annual leave, illness and injury leave (sick leave), maternity leave, parental leave, paternity leave from September 2016, force majeure (emergency) leave, carer’s leave, etc.
  6. Data protection – retention of staff files (their records and data) is mandatory and employees must be given access to the documentation on their personnel records upon request.
  7. Health and safety – risk assessments should be completed on all work activities, and the safety statement must be updated and signed annually.
  8. Employment equality – ensure that the 9 grounds of discrimination are adhered to from recruitment through to termination of employment with equal treatment of persons.
  9. Contract, temporary and part-time employees – part-time staff and contractors should not be treated less favourably than a permanent or similar comparator employee.
  10. Termination of employment – retirement, references, short-time working, lay-offs, redundancy, garden leave all need to be treated with care to avoid legislative claims.

Workplace Relations Commission
The Workplace Relations Commission provides information on rights and obligations under employment, equality, equal status and industrial relations legislation setting out the resolution and redress options available where disputes or potential contraventions arise. The Rights Commissioner Service, the Employment Appeals Tribunal, the Equality Tribunal and the Labour Relations Commission have been superseded by the Workplace Relations Commission. The Workplace Relations Commission hears employee complaints under all employment legislation in the first instance with the exception of the Industrial Relations Act. The Labour Court hears appeals of Adjudication Officers’ decisions of the Workplace Relations Commission in all disputes arising under employment rights and industrial relations enactments.

© CA Compliance Limited 2015