
Managing risk from within: monitoring employees the right way

Risk Management, April, 2007 by Aaron Latto

No one thinks twice about having employees punch time clocks to document their work time. Eyebrows are not raised over procedures for checking out and returning expensive equipment when an employee heads out for an assignment offsite. And few question the use of secured entrances to control who comes and goes from a company's facilities.

But what about other forms of workplace surveillance? If a company takes security measures a step further--monitoring employee e-mail and Internet surfing, for instance--red flags may be raised about privacy concerns. Add to that highly visible cases, like the Hewlett-Packard investigation of board member leaks that turned into a damaging spying fiasco last year, and it may appear that enhanced supervision is more trouble than it is worth.

Yet many employers have well-founded--and often compelling--reasons to engage in employee monitoring. Competent risk management involves protecting against losses from within. Thoughtful and effective employee supervision can help companies manage the risks of reduced productivity, liability claims and loss of assets.

Having good reasons to monitor employees is not enough, however. Companies should thoughtfully craft their policies and implement them clearly and consistently. A best practices approach to employee monitoring involves identification of the risks of concern, careful analysis of how monitoring would help manage those risks, and clear communication of expectations and consequences.

Is There Really a Problem?

Monitoring employees may include highly visible actions, such as posting guards in building lobbies to check ID badges. But less obvious monitoring, such as tracking computer-related activity, sometimes raises questions. Businesses want to take steps to protect assets and reduce liability claims, while remaining sensitive to concerns about individual privacy.

Some sources of productivity loss and potential liability exposure are obvious. An employee spending hours each day writing personal e-mails and visiting websites of personal interest may be wasting time on the company clock. Other risks exist too. Downloaded music files, personal photos and video clips may slow system response times and require increased expenditures for storage capacity. Still other concerns center on liability: Companies increasingly are held to high standards when it comes to protecting others from their employees' actions, ranging from the professional (e.g., inadvertently divulging client records in violation of statutes or regulations) to the personal (e.g., the sharing of offensive jokes).

Is cyber-slacking--what one researcher has termed the modern method of procrastination--pervasive enough to be a concern for employers? Statistics from a variety of sources make a compelling case. A 2004 American Management Association survey found that 86% of employees engage in personal e-mail at work, with 75% saying up to 10% of their e-mail is not work related. IDC Research, a technology analysis firm, has claimed that between 30% and 40% of employee Internet activity is not related to work.

Websense, Inc. says that more than half of employees spend between one and five hours per week on the Internet at work for personal reasons. In fact, Websense estimates that American businesses lose $85 billion a year from the misuse of the Internet in the workplace. Indeed, the American Management Association survey revealed that 13% of respondents' workplace lawsuits are triggered by employee e-mail, 20% have had employee e-mails subpoenaed, and 25% have terminated an employee for violating e-mail policies.

These technology-related risks have led to widespread response by employers. A 2005 survey by the American Management Association found that 75% of employers monitor website visits; 65% use software to block specific types of websites; and about 33% track keystrokes and the time spent on keyboards. The ePolicy Institute reports that half of all companies review computer files and 55% read email messages. Overall, experts believe that about 14 million employees (one-third of all U.S. workers) are under some form of "surveillance" in the workplace.

First Identify Risks, Then Choose Appropriate Methods

An effective employee-monitoring program begins with the identification of the risks to be managed. Defining corporate objectives first, and then crafting a program to achieve those goals, helps a company defend a monitoring policy if it is later challenged in court or in the press. Almost lost in the hailstorm of criticism directed at Hewlett-Packard's leak investigation was the company's strong and legitimate interest in the secrecy that should surround board deliberations and company strategy. Moreover, defining and weighting the importance of objectives first helps a company ensure that the allocation of risk management resources appropriately corresponds to the company's perception of the size of the risk.

Although many companies have risks specific to their business or competitive environment, the following is a list of common risk management objectives that may be supported by a thoughtful employee monitoring program.

 


Content provided in partnership with Thompson Gale