When I talk about risk management, I often joke that I hope everyone has a strong cup of coffee ready; it’s not always considered the most exciting topic.

But I’m passionate about it because risk management, when done right, isn’t just about protecting an organization from lawsuits or financial loss.

It’s about creating an environment where both the company and its people can thrive.

I want to share my journey, both the challenges and the lessons I’ve learned, so you can see how a proactive approach to risk management has shaped the organizations I’ve worked with.

My story: 16 years of growth and zero lawsuits

I recently joined Decision Minds as Chief People Officer, but before that, I spent 16 years at Sama, a company in data solutions and AI.

When I joined Sama, it was a small team of just 40 people. By the time I left, we had grown into a global organization of 2,000 employees.

That journey was anything but straightforward. We went through three rounds of acquisitions (one solution company, one product company, and one services company) as well as three rounds of funding: venture capital, debt financing, and private equity.

The due diligence that came with each stage was intense, especially when we reached the private equity phase.

The private equity firm, one of the largest in the world, couldn’t believe we didn’t have a single lawsuit in 17 years. That means no employment disputes, no harassment claims, no discrimination suits.

They asked us repeatedly to confirm this, digging through every record. But it was true, and it wasn’t by accident.

Our approach was always proactive: stay compliant, minimize risks, and build a culture where employees felt safe and supported. That, I believe, is the real heart of risk management.

The misconceptions about risk management

When people hear the term “risk management,” they often think it’s restrictive or bureaucratic.

In HR, it’s sometimes viewed as the department that says “no” to everything, the function that stifles innovation or flexibility. But I see it differently.

Risk management isn’t about preventing growth or creativity; it’s about enabling them.

By creating a healthy, safe, and compliant workplace, we allow employees to focus on their work without fear or distraction. It’s not employer-friendly or employee-friendly; it’s both.

A strong risk management framework protects employee rights just as much as it protects the company’s interests. When done right, it builds trust and enables everyone to perform at their best.

The six key areas of risk management

In both my previous role and my current one, I’ve found that risk management for people functions boils down to six main areas:

1. Compliance risk

Compliance is the foundation of HR, ensuring that we adhere to federal, state, and global labor laws. At Sama, with operations across the US, Europe, and beyond, we had to navigate complex regulations like GDPR.

It’s not glamorous work, but compliance is what keeps the organization safe and reputable.

2. Employee relations risk

This is about fostering a workplace that’s free of harassment, discrimination, and bias. We ensured our policies and practices, from hiring to workplace safety (OSHA, ADA), were designed to create a fair and inclusive environment.

3. Succession risk

For a growing company, succession planning is critical. We had plans in place for the CEO and two levels below, identifying and training future leaders well in advance.

That way, no single individual leaving could derail the company or jeopardize key client relationships.

4. Talent risk

The war for talent is global and relentless. It’s not enough to attract the best people; you also have to retain them. We worked hard to create an environment where employees felt valued, supported, and motivated to grow.

5. Data privacy risk

In industries like healthcare and high tech, where data sensitivity is paramount, privacy is non-negotiable.

During the pandemic, when companies scrambled to shift to remote work, we avoided data breaches by staying vigilant and compliant with ISO and GDPR requirements.

We supported clients running clinical trials at a time when data security was under constant threat.

6. Health and safety risk

This goes beyond physical safety. We focused heavily on mental health and psychological safety, especially during challenging times. Employees need to know their employer cares about their wellbeing, both in and out of the workplace.

Culture risk: The unspoken factor

One additional area I consider vital is culture risk. A company’s culture can either strengthen or undermine its risk management efforts.

During acquisitions at Sama, we brought together companies from very different cultures. There was one from Ohio, one from Silicon Valley, and another from a product-focused background. Instead of imposing our culture on them, we sought to blend the best aspects of each.

We believed in the philosophy of “Better Together.” By learning from each other’s strengths, whether it was reward systems or collaboration styles, we built a culture that was stronger and more inclusive than before.

Why risk management matters

Why do all these efforts matter? Let me break it down:

  • Legal and financial protection: Lawsuits and regulatory fines are expensive and distracting. By proactively managing risk, we save both money and leadership bandwidth.
  • Employee well-being and trust: Risk management creates a safe and equitable workplace where employees feel heard and valued.
  • Reputation and brand: A company known for ethical practices and a strong culture attracts both talent and customers.
  • Strategic focus: Without the distractions of legal disputes, leadership can focus on growing the business and innovating.
  • Ethical responsibility: Risk management isn’t just a legal checkbox; it’s the right thing to do.
  • Operational efficiency: A proactive approach reduces the need for firefighting, saving countless hours and resources.

Our framework for risk management

So, how do we put all this into practice? Here’s the framework I’ve used across organizations:

Risk assessment framework

We start by identifying risks across all six areas. Each type of risk (compliance, talent, data privacy) requires its own assessment method.

For example, succession risks are tracked through performance management systems, while data risks are evaluated against international standards like ISO 27001.

Policy and process development

Once risks are identified, we create or refine policies to address them. For talent risks, that might mean introducing new benefits or retention strategies. For data privacy, it means ensuring every process meets regulatory requirements.

Training and awareness

Policies only work if everyone understands them. We roll out training from the executive team down to individual contributors.

Sometimes we even train clients or end-users, especially when using our proprietary software, to ensure they follow best practices.

Documentation and record keeping

Keeping thorough records is crucial, both for compliance and for measuring the effectiveness of our strategies.

Leveraging technology

AI and advanced analytics tools have transformed risk management. We can now predict trends, analyze attrition patterns, and automate parts of compliance.

Of course, we must ensure data security when using these tools, but when used responsibly, they are powerful enablers.

Contingency planning

Even with proactive management, things can go wrong. Having crisis management protocols and a Plan B in place ensures we can respond effectively.

Learning from case studies

Real-world examples highlight why proactive risk management is essential:

  • Uber (2017): Uber faced significant backlash over its workplace culture, leading to high attrition and negative publicity. The company had to overhaul leadership and HR policies to rebuild trust.
  • Google: When news broke about large executive exit packages despite misconduct claims, over 20,000 employees protested. Google responded by revamping its policies and adding accountability clauses to executive contracts.
  • Tata Group (India): The sudden removal of Chairman Cyrus Mistry led to stock market uncertainty. The company’s interim leadership restored confidence and stabilized the business, showing the importance of succession planning.
  • Amazon (COVID-19): Employee strikes during the pandemic highlighted gaps in safety measures. Amazon invested over $4 billion in vaccines and wellness programs to regain employee trust.

These cases show how reactive risk management can be costly and disruptive. The better path is to anticipate challenges and address them before they escalate.

Final thoughts

Risk management, especially in the people function, is about far more than avoiding lawsuits or penalties. It’s about building a resilient, trustworthy, and ethical organization.

When we prioritize compliance, culture, data security, and employee well-being, we create an environment where both the business and its people can flourish.

In my journey, from growing Sama from 40 to 2,000 employees to now leading people operations at Decision Minds, I’ve seen firsthand how proactive risk management fuels growth, stability, and trust.

The key is simple: anticipate, adapt, and always put people at the center of your strategy.


This article is based on Nirali's brilliant talk at our People Operations Summit.

