Q&A with a Fortune 500 Whistleblower

In this Q&A, Diane Dye, CEO of People Risk Consulting talks to an anonymous whistleblower at a Fortune 500 company. This female executive shares her experience of encountering unprofessional and unethical behavior in a top organization, leading to harassment, racism, and a hostile work environment. Despite multiple reports over years with no action, this whistleblower took the initiative to report the misconduct, ultimately resulting in the individual’s dismissal after a lengthy investigation.

The Q&A highlights challenges in incident reporting and organizational preparedness for handling such issues. It sheds light on the importance of strong leadership qualities like integrity, trustworthiness, and effective communication skills to prevent toxic workplace cultures and ensure a safe environment for employees.

Diane: All right, so I am here today with a behind the scenes of the failure of when organizations do not fulfill incident reporting or enable voice within their organizations to the level that is going to help them, you know, really deal with the reality. So, tell me your story.

Executive: I worked for a very large organization in a leadership role. And when I was hired by this well known organization, that’s actually listed as one of the top 20 places to work, I was reporting to someone that I could see really quickly, was not professional, was not necessarily ethical in their behavior, in the way not just I was treated, but several people were treated. It was a man, and he definitely said things that he should not say. A lot of things were about women, and he was, like, targeting women and things like that, and just a lot of really unprofessional behavior for an organization that did not expect that from at all. So that’s how it started. And I was very surprised.

In fact, I was, at my first week or two of work, I knew right away that this was going to be a problem. And I was considering leaving within the first week or two. What I ended up doing is continuing on. As a leader, I felt like it was my obligation to make sure this got reported so that this wasn’t happening to me or to anyone else. And I saw it was happening to a number of people. It had been going on for years. People had reported this person and nothing came of it.

Statistic: 77% of employees believe their workplace has measures in place for reporting harassment. 50% of employees have reported some form of harassment. 54% of harassment complaints are fully resolved. 9.6% of female employees say raising the issue made it worse.

Diane: What were some of the reasons, you believe, nothing came of it?

Executive: And I think part of the reason for that, quite frankly, is a lot of these people that had reported this man didn’t really understand the human resources processes for corrective action. So they way they reported it was not tangible. So this person got off the hook over and over again. In hindsight, I believe someone should have dived deeper into this because so many people had turned him in and nothing happened. When I did this, I had so much to keep in mind. I’ve been a leader for over 25 years. And so I had a lot of really solid information. This was not okay. He gave information about employees that he shouldn’t have given and said completely inappropriate things in front of employees and clients.

Diane: What kind of innappropriate things were said? Was it racism? Harassment?

Executive: All of the above. Everything rolled into one. So there was racism and harassment. It was both. It was really both. I’ll give you some verbatim things that he would say.

He basically told one person that she “could be a poll dancer,” and another lady that started work, he goes, “yeah, she’s just blowing and going.” There was a girl that actually had to work in Winnemucca, Nevada. And he goes, “oh, I want to go with her to Winnemucca. And I’m going to get a shirt that says Winnemucca. Because that sure rhymes with a lot of things…”

I could go on. I mean, it’s just so much stuff, especially targeting women. But it was about sexuality, sexism, and prostitution and just saying, like, sayings and things that are really inappropriate in a very world class place.

And also he gave medical information about people, talking about why he fired people in the past and saying it in front of, like, in the lobby of a client’s building, talking about a person and firing them because of their specific medical issues. He was making comments about middle eastern people that were racist.

And honestly, I sat back and watched some of it because it is not a really fun experience to have to report someone. So, after watching for awhile, what I ended up doing is I addressed him personally. I let him know his behavior wasn’t appropriate. I had to be at a conference with him, and he started talking about the legs of this woman and how he’s “seen a lot prettier people.” This was an HR person he was talking about.

And I just told him it wasn’t appropriate and I don’t appreciate that. And it wasn’t well received. He was very angry that I said it. Then, later, it just continued and continued. And he basically told me, “there’s no way I’ll ever get fired from this organization because I have dirt on two of the people I report to. It’s like I’ve got so much dirt on them, they can never fire me.” What I ended up doing, just because I believe in giving people a heads up, I let his boss know that this wasn’t going well and that I was planning on reporting this. So I gave him a heads up and he told me to talk to HR.

HR said, “this is so out of control. You need to report this to the corporate hotline.” So I did that, and I gave, like, ten pages of documentation. And after I did that, it took corporate a long time to investigate and to complete the investigation. Every single thing I had documented, I had witnesses. It wasn’t just me and this person. Everything was witnessed. I had to continue to report to this person. And obviously, as the investigation went on, he knew I turned him in because it was very specific information and conversations that were had. So he knew it was me. I had to continue reporting to him for over three months.

Statistic: 1-2 weeks is the average and recommended time for an HR investigation to take.

Diane: How was that experience for you?

Executive: It wasn’t fun. What happened then is corporate compliance got back to me and said every single thing that I had reported was validated. They had made recommendations to his department and to his leaders. The recommendations were that he was a pretty big liability, obviously, and it was recommended to let him go. But instead of doing that, what they did is they moved him to another department, and he still had a team of people reporting to him.

The boss called me, said, “oh, I’m sure you’re happy you aren’t reporting to him now.” And I said, “actually, I didn’t do this just for me. This person can’t have people that he’s leading. It’s just not appropriate. It’s a huge liability and risk, and it’s not great.” So I said I wasn’t happy with the solution and the outcome. And what ended up happening is, after I had reported this is he got moved. He didn’t lose pay, but he got a different position, kept the same pay, and had a team reporting to him. Several other people came out of the woodwork and came forward with more information that they turned in about him.

And he continued the same behavior even after getting chance after chance, continued the same behavior. More people came forward with new information, and finally he was let go. So that’s how that went.

Diane: How many years were there between when you noticed this reporting to him, to the time where he was finally let go?

Executive: From when I got involved, probably about a year. But keep in mind, I wasn’t the first person to report something about him. It was six to eight years from the first incident until the company let him go. And, actually, there was another woman who reported to him who also had to call the corporate hotline at the same time I did. So there were two of us that had to call corporate hotline at the same time. Before us, though, there were many who either didn’t know how to document or didn’t know the process. So they fell through the cracks. This went on for six to eight years.

Diane: So, so that’s a huge systemic breakdown that perpetuates risk. In incident disclosure, because you have an individual who is putting the company at risk with his language, comments, harassment, sexism, racism. In today’s climate, that’s not freedom of speech. That’s creating a hostile working environment.

So where you have the breakdown occuring is in the incident disclosure. And it not that the disclosure didn’t take place. It’s the preparedness on the other end. And its the preparedness to understand there are some instructional gaps on how to document and report in a way that aids investigators. I believe organizations want to have these things documented. But they’re not prepared on the back end to deal with the complexities of what happens if someone does disclose. The defer you to the hotline. But, meanwhile, you’re still reporting to the person and your identity as a whistleblower is not protected. This put you at risk as well.

Executive: Being a whistleblower, I was in actually a way worse of a situation after I did that. The corporate hotline was so short staffed. So it took them a long time to investigate. Three months. It took three months to complete the investigation. And during that time, the working environment was made much more hostile for me be him because he knew I blew the whistle.

Diane: So there was no protective process. Therefore, for that three months while he was under investigation, because the allegations were so specific, you were at risk. Apparently he was told about the specific allegations as well, which allowed him to link that to you.

Executive: Yeah. The way that it worked is they had to question him about incidents that occurred. And obviously, what was the common link and denominator? That was me. When he was questioned about it, he obviously put it together. But there was no protection for me. None.

Diane: The risk on top of that is that you have someone who’s being investigated for a hostile working environment. Meanwhile, as a part of the investigation, a hostile working environment is being actively created through the process, or lack thereof, to protect a whistleblower. This disincentivizes anyone who sees something to say something. Because there is increased risk in reporting. You can have a reporting process in place. But if you don’t have a process for the protection the whistleblowers, that can actually do more harm sometimes than good. That leads to hush culture. It leads to just don’t say anything because it’s going to get worse once you say something.

Executive: And in addition to that, I stayed with the organization for three and a half years. This happened in my first year. After that, there were people internally who protected this person. He’d been there doing this for eight years before I even got there. And they were not happy that this happened with him. So I was targeted by some of his friends that were in high leadership positions as well. It was not an easy three and a half years for me at all.

Diane: That’s really difficult. And I’m sorry to hear that you went through that. So, if you were to flip the script and it was done differently. So you’re a leader. You’re, you’re an executive. You’re, you’re not unfamiliar with process and procedure around things and the right way to have things be done. If you were to flip the script and you were in charge of this disclosure, how would you have done this differently?

Executive: Well, first of all, it wouldn’t have gone on this long. There’s no way that the things that were continually turned in should have been addressed a long time ago. It would not have happened like this. The other thing that would have happened is direct conversations with this person and corrective action. In addition to that, if someone had reported a leader, there would have to be arrangements made so that they’re protected and not continuing to report to this person.

This particular case has such a long tail to it because it’s an eight year long collection and reporting of these incidents. These incidents created this hostile working environment with this particular leader. So that process from the first incident and the first reporting and the documentation of it and the correction or non correction of behavior is part of it. It really starts way back before it reaches critical mass. And it’s about an organization being willing to put their foot down on their values and say, “this is not us.”

There are very strong values instilled in the organization. I would say this is just one arm of the organization or a pocket where this is happening. I don’t believe that’s true in other areas because I’ve worked in other areas. So, it was one little pocket slipping through the cracks. But that pocket can create risks for the whole organization. There are very high values instilled in most areas in the culture that weren’t being honored in this pocket.

Diane: How do you think it was that pocket slipped through the cracks?

Executive: It’s a little bit different division and the oversight of that area is an anomaly. I do think there are leaders, though, that should have taken accountability for that. They didn’t. They just allowed it to happen because they were buddies with this guy. I think what happened, too, is the HR group that was specific to this little pocket, maybe wasn’t the strongest HR group. They were understaffed. And so, when things got reported, they didn’t handle it appropriately.

Diane: What would have made a stronger HR group?

Executive: It was just two people, and they weren’t escalating things the way they should have. When multiple people report things like this, there should have been better direction to the leaders that have this guy that this guy reported to. They could have also provided training to the leaders.

So really, there’s also an accountability thread within the organization, within the HR function. Even if you have a large organization where you have to have assigned team members for specific business units, that there has to be some thread of accountability as to what’s happening within those business units for corporate oversight and transmission of values. So there was a breakdown in oversight of that business unit’s assigned HR personnel.

Diane: Right. Well, let’s just go there and call out the elephant in the room. Were all these. Were all these male leaders, perhaps older?

Executive: Yes.

Diane: I truly believe that the younger generations are going to save us all. I really do, because this type of behavior is not acceptable. Misogyny is not acceptable. Racism, discrimination, overt sexism, all of that. But, you know, these men, they come from a different era completely. And we giggle and laugh at the absurdity of shows like Mad Men.

This is a mindset that is still present in some places. And it’s generational. But also, we are dealing right now with this cusp period of where this generational thought has to be dealt with in today’s context, because it’s not okay. And I have talked to leaders, executives in that generation, and some of them long for the good old days where you could say and do things like that. They long for those good old days like you long for your favorite candy as a kid. But the fact of the matter is there’s a high level of risk involved in that way of being.

Executive: Absolutely.

Diane: So although they are to their identity, they are not welcome to their identity of that variety within the workplace. I mean, if they want to exist like that in their social circles outside, you know, fine. It’s your life and your circle – also your personal consequences or not depending on who you surround yourself with. But, if you’re going to bring it inside the workplace, you have to understand as a leader, regardless of what generation that you’re in or what you believe, that you are dealing with an environment where it’s not the 1950s. It’s just not okay to be racist, sexist, educationalist and ageist, even all of those. It works both ways. Right? It’s also not okay for leaders who are younger than them to start saying, “well, you know what, old man? You’ve been in this job for too long. Get out.” It does work both ways.

Executive: Absolutely.

Diane: And we’re in a time where the workplace must have structures in place to disclose what’s counterproductive to not only the working environment, but the customer environment and things that directly impact the bottom line. Because I bet you dollars to donuts, if there’s a customer that’s within earshot of some of these things, that customer is not going to feel so good working with that company.

Executive: There were plenty of inappropriate customer interactions as well.

Diane: What was the net effect with the customers?

Executive: Honestly, some of them occurred before I got there. But I was there for one. And I shut it down pretty fast because I was present. You can definitely be at risk with losing a customer because it’s not appropriate. It’s a huge customer risk within the organization. And its a risk for anyone else that he interacted with.

Diane: Look at laws surrounding harassment and laws surrounding hostile working environment. I’m not an attorney. But this is a risk that can be mitigated by creating a certain environment within the workplace. Do whatever you like in your private life. Be whoever you want. But when you and your buddies impede on the workplace, that is a completely different animal. Then you have risk.

Executive: The interesting part was this person was giving, given multiple opportunities to change behavior and didn’t happen. They continued the same behavior. There were no repercussions for the behavior for years. It went on too long.

Diane: Exactly. And, and that going on too long can be headed off at the pass by being disclosure prepared and understanding those nuances of how incident reporting and the process of incident follow-through, communication and ancillary risks, like this is carried out. The internal communication aspect is important. How do you conduct an investigation without revealing the identity of the individuals that are bringing it forward? How do you protect the whistleblower within the organization to encourage employees to report? A lot of lip service can be done to “see something, say something.” And the fact of the matter is, if employees are saying something until they are blue in the face and nothing is happening, that too can impact the working environment,

So carrying this forward into your future, into your new career. How has this impacted you in a positive way?

Executive: Well, one of the things that I do is I actually consult on leadership. That’s one of my purposes, is really to help empower leaders and create really great leaders in organizations that build their teams and have positive cultures. So that is one of the things that I take from what I went through. I can relate to other people that may be going through similar experiences and really help teach leaders how to do the right things with their people.

Diane: What are some aspects of a really great leader?

Executive: Oh, gosh, there are so many. One is integrity, though. That would be one of the top. Its integrity, trustworthiness, being vulnerable and open, being honest, great communication skills and providing a great vision. Those are some of the key things.

People Risk Consulting (PRC) is a human capital risk management and change management consulting firm located in San Antonio, Texas. PRC helps leaders in service-focused industries mitigate people risk by conducting third-party people-centric risk analysis and employee needs assessments. PRC analyzes and uses this data alongside best practice to make strategic recommendations to address organizational problems related to change and employee risk. The firm walks alongside leaders to develop risk plans, change plans, and strategic plans to drive the human element of continuous improvement. PRC provides technical assistance, education, training, and trusted partner resources to aid with execution. PRC is a strategic partner of TriNet, Marsh McClennan Agency, Cloud Tech Gurus, Predictive Index, and Motivosity.

Q&A with Diane Dye by Darren Prine, Chief Revenue Officer, Cloud Tech Gurus

In this interview, Darren Prine, Chief Revenue Officer of Cloud Tech Gurus discusses the relaunch of WWC into People Risk Consulting and the importance of adoption risk mitigation up front in the requirements collection process of software or solution selection.

Darren: Can I tell you something? I’m just picking up a great energy vibe from your company rebranding. I see a lot of excitement and positivity in what you’re doing at People Risk Consulting. 

Diane: I just feel good and there is, so thank you for that feedback. I started What Works Consultants (WWC) in 2016. It’s been great being this trusted advisor to the C-level, helping them with board communications. But I had this nagging feeling the business wasn’t capturing my “why” as a CEO, you know? And, you know, Simon Sinek says start with why, right?

Darren: Someone else brought up his “Find Your Why” book to me on a call yesterday, and now I’m going to have to read it.

Diane: Oh, yeah, you have to. It’s the purpose-driven energy. That’s what you are experiencing is coming from. And as I proceed in my doctoral studies, which I’ll finish this year, I have just uncovered this passion for use of voice and disclosure.

And what happens, especially linking the purpose of our two companies, is you have solution adoption risk. You have a big adoption risk any time you make technological changes. Adoption risk begins with not doing the proper research on the front-end to determine where the current solution was lacking and how that aligns with what you want to achieve.

You don’t want to get excited about adopting something new and, because you missed the end-user or the CX element, recreate the problem with a different solution. That’s frustrating.

So, it’s a different approach to requirements collection. You want to look at both the power users within the organization and the customer-facing reception and how it impacts the customer experience.

When evaluating, ask yourself…

  1. What impacts has the current solution had? Positive and negative?
  2. What pain does the current solution create that you are looking to solve for? If there is no current solution, what are the reasons for seeking a technological solution to a problem?
  3. How has the people element of change been considered?
  4. What advocates and resistors exist within the organization?
  5. How does this transfer into your ability to drive full solution adoption?

You have to ask these questions because, otherwise, people will stay pretty tight-lipped internally if you don’t ask. This lack of inquiry creates a data vacuum that can add risk to a change effort.

I mean how many times have you heard, “we’re just going to stick with the status quo because we don’t want to open that can of worms. It’ll be fine.” It results in a kind of ostrich syndrome. Then, they get surprised when ignorance is anything but bliss from a risk perspective.

Darren: This is a good time to have this discussion. I recently had some issues with Airlines. I had a flight from Costa Rica, coming home from a trip there, and last minute they canceled the flight. There was really no information. I was in a giant line of people at the airport trying to figure out what to do. I then spent six hours in the chat queue, trying to get an agent. During that six hours, I went ahead and just booked another flight with Southwest instead of American to get home. After six hours, finally, they got on the chat. And I told them what was going on and how poorly they handled it. And at least they got them to refund me on the flight. But that’s an awful customer experience. But the part of that which is really sad is that there are so many technologies and solutions available that could have kept my experience from happening. 

Diane: And I can also understand and empathize somewhat. It’s not easy when the world is changing all around you. What they are worried about is the AI chat bots creating more liability for them than solving problems. But that’s a garbage in, garbage out kind of problem. And if you are engaged in the adoption of your solution, that’s a risk that can be mitigated.

Darren: American Airlines either doesn’t care or they’re like the ostrich and are happy with the status quo. And from a professional perspective with years in the call center industry, there are things they can do immediately to fix this. They can use Realtime AI agent assist to speed up agent interactions so agents can handle more interactions. They can use AI to automate 30% or more of their voice and digital interactions. We have partners who have thousands of on-demand gig agents trained and skilled who could be utilized during times of high interaction fluctuations. Our partners can fulfill that very quickly to handle surge times and improve customer experience on the fly.

Many organizations don’t know it but – they’re an ostrich. Most of them opt to save the money now not realizing the risk they are opening themselves up to. But it’s not just a risk mitigation play, there’s plenty of reward. Most of them have like a 5x to 10x ROI or more but they’re just not doing it.

And I see it all the time with companies. They will have an AI adoption team meet with consultants like you to look at their the full picture, someone outside the organization who’s agnostic, who’s going to look at the whole landscape of the company. They look at people, processes, leadership, training, how do they create leaders, etc., and map that out so they can understand it. By the end of it, the executives understand the root causes to some of their expenses and problems, customer care calls that could be avoided if they handled something differently or had better self-service, but there’s a resistance there.

Diane: Everyone wants to be the first person to win. No one wants to be the person to publically fail. But failure is a necessary risk of change. Kaizen says experiment fast, fail fast. Rapid prototyping is a core of innovative behavior. And the philosophy behind both is you never really fail, you just learn and innovate. But there’s a fear. And when there’s fear, there’s paralyzed action until its too late and then there’s a crisis. My workbook takes this concept down to an elementary but effective level anyone can understand.

Darren: It’s like there’s a fear and a resignation at the same time. I know my systems. I know my job. It’s not perfect. And ultimately it’s not that bad so I don’t care.

Diane: It’s also about empowerment too, the confidence someone has if they speak up that their voice will be heard and heeded. Inability to create change can be a real demotivator of the most brilliant people. Like this is the way it’s always been, this is the way it always will be. I’ve accepted that.

So they just kind of suck it up and do the day-to-day of job, even though the risk of failure is so much greater with inaction. But the interpersonal risk comes in because in their mind, they say, “you open your mouth you might piss the wrong person off and lose your job.” It’s self-protective.

That’s where that’s where psychological safety comes in. As an executive, you have to set up these structures where people can speak up. Otherwise, you’ve got your company or department set up like a horse with blinders on. You don’t get suprised by external circumstances. You blindside yourself in a way. And this chaos that comes from silence and avoidance could literally bring your company down. Southwest really got hit hard. I was part of that. Actually I was traveling with them during that time. They gave me a 25,000 air miles, an apology and a refund. I was fortunate to be in driving distance from where I was going, from Reno, Nevada to Scottsdale, Arizona. So, I just hopped in the car and just drove myself in my own car. But a lot of people aren’t that fortunate.

When that whole story broke, it was like, “their systems are how old? Their training process is what?” And then it became known it was always this project or that pushed in front of updated booking and call center systems. And ultimately, it required a crisis moment to make a choice.

You can see the tsunami, you can see the water pulling back from the shore. You don’t have to wait until people are drowning to take action. That’s why I tell our clients: Are you ready to take the RED PILL, Matrix-style? Because we can assess all day long, but a company has to be willing to say yes. We will invest today to avoid drowning in the flood tomorrow.

Darren: I think what you’re saying is so important.

Diane: I am really passionate about activating the voice of the organization (VoO) and the voice of the customer (VoC) and unifying them to create meaningful organizational change.

People Risk Consulting (PRC) is a human capital risk management and change management consulting firm located in San Antonio, Texas. PRC helps leaders in service-focused industries mitigate people risk by conducting third-party people-centric risk analysis and employee needs assessments. PRC analyzes and uses this data alongside best practice to make strategic recommendations to address organizational problems related to change and employee risk. The firm walks alongside leaders to develop risk plans, change plans, and strategic plans to drive the human element of continuous improvement. PRC provides technical assistance, education, training, and trusted partner resources to aid with execution. PRC is a strategic partner of TriNet, Marsh McClennan Agency, Cloud Tech Gurus, Predictive Index, and Motivosity.

Q&A: Cybersecurity, Human Behavior, and Education

Today’s Q&A was with Angela Mosino, an expert in cybersecurity and Executive Officer at Cyber Eye Global Strategies.

Before recording, Angela and Diane Dye, the CEO of People Risk Consulting, had a conversation about people risk and how its the biggest risk to cybersecurity.

Diane: All right, so the biggest risk to cybersecurity is the resistance or the know it all of your own people. Can you explain more?

Angela: So there’s a, there’s this knowledge piece and the understanding of the importance to follow the framework. And the most resistant are the business owners who don’t speak cyber and they speak business. And they speak business well, but they’re business owners who don’t have a cybersecurity background. And then the IT people, they’re not cybersecurity.

Diane: How do we tell the story of cybersecurity in a way where people are going to get it? And what kind of risk is cybersecurit coming into this new era right now, where it is the main front of attack? What are the statistics on that?

Angela: Cyber attacks are on the rise all over. But what they’re not talking about is a mid-sized company that has over 300% higher level for vulnerabilities and attacks. So, whether it be a large company or medium sized company the risk is high. Anything they say over 100 employees would be within that medium sized company and they, in general, are even at a higher risk than the large companies. But, here is how the larger companies get attacked. What happens is those small companies open a back door into those larger companies. So, even if the larger company thinks that they’ve implemented their controls and they’re pretty knowledgeable about cybersecurity, there are risks that are not accounted for.

Diane: How can companies protect themselves?

Angela: Larger companies do business with the smaller companies who lack cybersecurity knowledge and understanding. So risk professionals at learger companies need to look at their software, at those vulnerabilities, what they’re developing and implementing. How are they embedding in security into those processes every step of the way within an organization? Whether its in the HR department or in software product development, cybersecurity needs to be embroidered into the process.

Diane: Where does people risk come in?

Angela: People tend to silo themselves based upon what they know and what tasks they’re performing. So breaking down those silos is one of the hardest things to do. That’s why it’s important to advance the individual knowledge of every individual within an organization is key. So cybersecurity is going to be the modern day war. That’s where we’re heading. So people need to be educated on all fronts.

Diane: I have heard of cyber-attacks referred to as “modern day warfare.” Can you expand on what that means?

Angela: On a daily basis, I get anywhere between three to five intel reports of different types of attacks. So Microsoft has been hit heavily of recently. You know, we look at the risks and where we have the most to lose, obviously, our airplane industry, our healthcare industry. So what we need to do is and the biggest piece is, you’re correct, we talk to individuals about the risk. The risk is the individuals within your organization.

Diane: Have you had a case study where you have seen individuals, leaders in an organization go, oh, yeah, we need to. We need to do this?

Angela: When you look at it, what sells the most or convinces people the most is when you look at similar cybersecurity attacks, different cases that have happened, and you present those cases to them and say, “well, look, this is another company or this is a church that didn’t have cybersecurity.” Ultimately they thought it was a contractor sending them the email. They sent out the invoice for $800,000. And guess what? They lost their money. So once you start showing the case scenarios, what’s happening? That’s when people start to get on board.

If you’re catering to a small to mid-sized business, one cyber attack has the ability to close the doors within six months. That’s the average statistic. So that being said, when you look at cyber attacks, people subscribe to cyber insurance. Those rates are going up. The cyber insurance is not going to cover because you’ve not done due diligence, which requires you, or they’re now asking for you to implement those security pieces.

Diane: What has the potential to create the biggest wave of change in cybersecurity?

Angela: So I think if you had to ask me, what has created the biggest wave of change is education. Educate them on the cases, educate them on the types of attacks, and then turn around, give them simplistic ideas and things that they can implement from an individual standpoint and as a group standpoint.

Diane: What are the common things that you hear when there’s resistance to change?

Angela: Money. Money’s always the first one, right? Well, we can’t do that because we don’t have the funds to do that.

A lot of the changes that are required in cybersecurity, the number one area that you can improve in is what we call access control, meaning, have you locked your front door or not? I mean, it literally is that easy. So you think about it, that’s the use of multifactor authentication. You know, changing your passwords, password complexity, those sort of things. That doesn’t cost a lot of money to do. But so what they’re describing as why they can’t do it, in most cases, it’s not realistic. The reasoning, the resistance is there by lack of knowledge. So the way to reach them and to educate is by the knowledge.

These are the things you can do that are easy and implementable on an individual basis. These are the things from a group standpoint. And if you were looking at your business as a whole, this would be the pool and a prioritization based upon your return on investment. Right? So some people wouldn’t care about, because they don’t operate the technology to take credit card payments. But they use a third party vendor to do it. So they don’t care about PCI compliance. If you are a company that takes payment and that company got hacked and those people’s information gets lost, what does that do to your reputation? Because at the end of the day, your reputation means a lot, especially as a small to medium-sized business.

Diane: Reputation is a make or break thing. And a lot of companies come to People Risk Consulting because of reputation. Reviews are showing up on Indeed or Glass door that tell the story of employee experience. And they say, “oh, that’s just one. Disgruntled employee. That’s just one. That’s just one.” It’s not just one. You know, just like a cybersecurity breach is probably not just one employee who’s not in compliance.

Angela: How do you help leaders understand and embrace change?

Diane: What I’ll do to help stakeholders understand things is bring them through the lens of something called expectancy value theory. So an expectancy value theory (Feather, 1892), there’s a deep thing that these people expect to happen. I spend this money, this is what I expect to happen.

And there’s good expectancies and then there’s the bad expectancies. Like, “we just threw $500,000 down a deep, dark hole and nothing changed.” Or, “we wasted our money. We caught chicken little syndrome, the sky was falling and it didn’t,” whatever those expectancies are. And then there’s what they value. What they value might be sometimes in direct conflict with what they expect. So, if they value stability, that’s the doorway to cybersecurity education, understanding that value. And from that value, that’s where the motivation drives action. So having those deep conversations, pre-education, is important. It’s essential to get underneath those fears and uproot some of that stuff while at the same time leaning into the aspiration.

I think there’s a lot of people right now know the environment that we’re in right now. But it’s almost like “if I didn’t see it didn’t happen.” If a tree falls in the forest and no one’s there, it doesn’t matter. It’s not in my backyard right now, so I’m totally okay. And it seems to me, as a business educator, that the real conversation stems around, what are you afraid of by doing it?

Angela: That’s usually how we say it is. What keeps you from sleeping at night. And from executive level, it’s, you know, what, it’s reputational and, you know, closing the doors or the monetary.

Diane: So how do you explain it in a way that makes sense to leaders when cybersecurity might not be top of mind for them?

Angela: From a cyber perspective, we use the CIA triad. We use level of impact, meaning based upon the company, they. They evaluate their assets. That might be people, that might be computers, it might be product, service, whatever it is that they do.

Based upon that CIA triad, which is availability, integrity, and confidentiality. So which ones of those are most important? And that’s how we develop a risk register as well. So based upon that risk register, we help them prioritize what is the highest level for them.

And then based upon the highest level, those are the things that we’re going to start with. First. We’re going to start with looking at their confidentiality, because confidentiality leads to all the legal considerations. Then, integrity. We’re looking at where data could be changed, and maybe they’re making payments for things that they shouldn’t. Or instead of $1,000 payment, they made a $10,000 payment. That leads to monetary consequences, right? And then availability tends to be the last one because it would be better that it’s not available if it’s not functioning well or if it’s not being protected.

Diane: In the people risk category, you also hold a lot of private employee data as a company. Hospitals hold patient data, HIPAA. There’s also regulatory privacy concerns.

Angela: Exactly. So in most cases, you’ll see that the first place that they’re going to be looking at is that confidentiality, if they have anything of value, you know, from an HR perspective, that should always be their first piece, right?

Diane: Yes! Social Security number leaks. I mean that’s the biggest hit, right? HR holds identifying information that can be used to steal your employees’ identitities. So you don’t have to be a big banking entity. Your mid sized business gets hit, all your employee data is yanked, and soon all of your employees Social Security numbers, everything, are on the dark web. What does that do to employee trust? How does that breach of trust impact performance? Retention?

Angela: Well, or think about it from something that’s not even banking. You look at a marketing company. A marketing company has its clients. Those clients make payments to you, right? You’ve got their names, you’ve got their addresses, you’ve got how much they paid, what their services were. If somebody was able to hack your repository of information in that data or your taxes or whatever that might be, I mean, look at the consequences of it, right? So that marketing agency, guess what, they’ve just been hacked and all of their clients have been spilled over onto the dark web. So there are many instances. I recently commented on an issue with Microsoft. Microsoft sells a product, expensive product, obviously, that’s where teams is driven and they’ve developed this platform with all the functionality on it.

Even on my personal email, I’m getting things from PayPal. I’ve got one from Apple, from the repair shop. I haven’t put anything in there, but guess what? If you happen to click that, what they do is it that gives them a way to get into your system and then they move laterally. A lot of these viruses have the ability to stay undisclosed for on average 18 months to 24 months. So what you think is clean may not be.

Diane: So they just lie and wait?

Angela: That’s right. And they’re, at the same time, guess what they’re doing? They’re learning all your passwords because they’ve got that back end access. Right. They’re also learning what times are the high times, what’s the network traffic look like? They’re learning all your patterns. And then when they go in to make that move, they’re going to make the most catastrophic move they can, or they’re going to use it to have pulled your data to ask for ransomware. So something that seems small, I see about 10,000 phishing attempts a month and we get hundreds of attachments that are on those, which is like, you know, a big one of the bigger nos and a much quicker way to get in. That being said, we still have about 150 individuals within the company that end up doing it. We train consistently, we require continuous training.

We teach about cybersecurity. We have a phishing button, but that does not prevent it. And what happens is people get busy, they’re not rationalizing it, they’re not really thinking about it. And that’s where at the end of the day, that human factor will always be your biggest vulnerability.

Diane: And it’s a factor that like, no algorithms can really predict it with accuracy. There, there aren’t predictive analytics for human behavior that are accurate because you can’t say when someone’s going to be too busy and accidentally click on something.

Angela: Right? Well, I mean, so imagine somebody’s had a really hard weekend. They come in, they’re tired, they haven’t slept much, they’ve had a situation, a mom or dad has been sick, whatever. Are you going to be thinking as clearly as maybe at other points? So just something as basic as that.

Believe it or not, even working in cyber and working with people that are of cyber minded, we still have incidences where they click occasionally and, you know, we have what we call a B2B. Essentially, it’s a service that you can subscribe to that continuously tests and assesses the level of cyber savviness of your people. And that’s a common, you know, subscription you can subscribe to. You can kind of add different things to it. Over the holidays, they tend to add more of the gift cards and promotions and bonuses sort of scenarios to it. But at the end of the day, you’d be surprised who clicks it.

Diane: So that would be very interesting to do. A feature on is who actually ends up clicking on some of these things. I think where your company and my company have a great place in the sandbox together is that education piece, that understanding piece from that executive side about the people risk associated with non adoption of these things and the reputation, the money loss, the risk of closure, the loss of trust. I mean, that is huge. The loss of trust in an organization ripples all the way down. I may, I’m a big believer in creating environments that drive disclosure and driving the voice behavior that recognizes risks in an organization. Organizations win when they recognize failures and don’t make them a punitive thing. They make them an, okay, we need to back this up and we need to learn from this.

That disclosure piece matters to psychological safety in an organization which immediately connects to the ability to comply with cybersecurity, to accept cybersecurity measures, to say something without embarrassment. If you clicked on something that, I mean, that’s massive. The fear, the unnecessary fear of being punished for being human is damaging.

I think you had a brilliant idea. It’s like, yeah, let’s send out something and say, look who actually clicks on it. Not have it be anything that’s malicious or malware or phishing, but have it be something that would model that. Do a click, study on that, and then advertise that to normalize the fact that it happens to everyone. And if you do it within the organization, you’re not going to get in trouble for a mouse click.

You’re not going to lose your job for a mouse click. I think one of the biggest problems in your cybersecurity battle, Angela, is the fact that organizations don’t have these environments of disclosure and they’re not disclosure prepared. So they, someone says something, they don’t know what to do. Like someone just said something, I don’t know what to do. So then what that creates is that hush. Just don’t, just don’t say anything. And that’s so dangerous. The hush culture that can crop up in organizations is so damaging to psychological safety, physical safety, financial safety, reputation. You know, all of these things, it’s incredibly damaging. And I think until organizations realize exactly how damaging, they’re going to continue to get hurt.

Connect with PRC to learn how you can develop a disclosure preparedness plan for your company.

People Risk Consulting (PRC) is a human capital risk management and change management consulting firm located in San Antonio, Texas. PRC helps leaders in service-focused industries mitigate people risk by conducting third-party people-centric risk analysis and employee needs assessments. PRC analyzes and uses this data alongside best practice to make strategic recommendations to address organizational problems related to change and employee risk. The firm walks alongside leaders to develop risk plans, change plans, and strategic plans to drive the human element of continuous improvement. PRC provides technical assistance, education, training, and trusted partner resources to aid with execution. PRC is a strategic partner of TriNet, Marsh McClennan Agency, Cloud Tech Gurus, Predictive Index, and Motivosity.

Q&A: How do you minimize human risk through change management, metrics, and monitoring when the solution is provided to you by another department?

The Question:

Hey Diane. Solutions have already been purchased for my human resources department. My company is exploring AI and predictive analytics and solutions are already rolling in with a fast expected implementation date. How can we best manage the change and make sure our employee experience is impacted as little as possible by the risk?

The Answer:

Your first step is to identify the unknowns, potential risks and problems you could be facing with the systems that have been purchased.

  1. Unknown alignment of these systems with current employee journey for human resources
  2. Unknown predictive analytic or AI capabilities
  3. Unknown risks associated with the systems

Your second step is to create a system of inquiry to understand the current situation in relation to those risks and unknowns to uncover the opportunities.

  1. Conduct what we call a backwards analysis of the systems. Rather than a traditional systems requirements collection, what you are doing here is collecting the capabilities of the systems that are already purchased. What are these systems capable of doing?
  2. Conduct a departmental needs analysis. These are needs in relation to your employee journey. Create or pull your employee journey map. Align the systems analysis with its place along the existing employee journey. How do these systems support the existing people operations of the company?
  3. Align systems capabilities with organizational goals for the human resources function. What capabilties do these systems have in alignment with organizational objectives for maturity in AI and predictive analytics?
  4. Determine system shortfalls, if any. Where are the gaps between systems capabilities and the employee journey throughout the human resources/people operations function?
  5. Determine opportunity areas offered by the systems. Where are the opportunity areas, aspects perhaps not thought of, that are possible due to the systems capabilities?

Third, you are going to begin to develop a change management strategy based on the data you have collected.

  1. Visualize how the current situation would be adjusted. How can the employee journey adjust to capitalize on opportunities while mitigating risk in any systems shortfalls?
  2. Understand if additional system modules or plug-in solutions are needed to meet organizational needs. How, if at all, can the gaps be filled in a way that will improve employee experience and minimize talent risk?
  3. Develop a change management plan with change phases. Create a phased rollout plan for the change just rolling the new systems into a status quo environment. The phased replacement will minimize change fatigue, cognitive overload of personnel, and mitigate the risk of low adoption. It will also create a level of comfort, achieving success with one stage before moving on to the next – building momentum. This also mitigates risks to employee experience and employer reputation created by poor hiring and onboarding experiences.

Now that change is underway, you will want to develop success metrics for the project and become an active observer of the results. Particularly in the case of AI integration, there are a number of risks.

  1. Unintended consequences: Theory and practice are two different animals. Once you begin to pilot, you will need to keep your eyes open for unintended consequences of change not covered by the list below.
  2. Garbage in-garbage out: Generative AI needs to pull top down and learn from established documentation such as existing policy documents or communication with employees.
  3. Unlawful discrimination: Lack of consideration of environment or personality for performance planning for example
  4. Loss of talent trust: Be mindful of automating too much and reducing empathy, transparency, sincerity, rapport, and humanity in your organization
  5. Regulations: Data collection and use and new regulations on AI will be important to understand as you roll out new features
  6. Communication: Don’t AI drop your employees. Internal communication plans should fully explain what the AI is doing and when a human can be contacted.
  7. Privacy and security: Your IS teams should be on top of this. Data sensitivity, cyberattack, hacking, and breaches are now a new way of life. Your employees should also know what behavior they need to exhibit with their data to enhance their privacy.

During this period of monitoring, watch and report. This is a multi-disciplinary effort. Depending on your company size, you may be working with HR, risk management, and information systems as well as reporting to your executive team. Here’s what to report that will help you continuously improve.

  1. What’s not working.
  2. What is working and wins.
  3. Employee sentiment.
  4. Power user sentiment.
  5. Remaining gaps.
  6. Discovered innovation.
  7. Suggestions for systems modules, plug-ins, or development.

All of these things enhance your toolbox to step into a new and exciting time in our history, as well as arm yourself to proactively mitigate the risks that go along with new frontiers. This pathway is all about leaning into the future, which is a common interest among departments. Build on your shared vision and goals to unify as a cross-functional team. And, as always, if you need help PRC is always here for you.

PRC’s role is to help guide you through all of this, to drive you and navigate you through the change and risk, however the situation flows.

You are not alone. Contact us if you need someone to walk beside you.

People Risk Consulting (PRC) is a human capital risk management and change management consulting firm located in San Antonio, Texas. PRC helps leaders in service-focused industries mitigate people risk by conducting third-party people-centric risk analysis and employee needs assessments. PRC analyzes and uses this data alongside best practice to make strategic recommendations to address organizational problems related to change and employee risk. The firm walks alongside leaders to develop risk plans, change plans, and strategic plans to drive the human element of continuous improvement. PRC provides technical assistance, education, training, and trusted partner resources to aid with execution. PRC is a strategic partner of TriNet, Marsh McClennan Agency, Cloud Tech Gurus, Predictive Index, and Motivosity.