John Chesshire

Introduction

Recruitment, due diligence, vetting, background checks, onboarding and probation all help to address the risk of letting the ‘wrong’ people into our organisations, but do we put sufficient effort into exiting people in a managed and controlled way at the end of their time with us? 

Too often our organisations do not effectively consider - or indeed manage - the various risks we face when people leave. This applies to our employees, but also to contractors, consultants, temporary or agency staff (etc.). 

When was the last time you examined how efficient and controlled these processes are, whether they operate consistently well across the whole organisation, and whether - crucially - they are effective in practice?

Risk

People leave organisations for many reasons. 

According to the CIPD, the term turnover is used “broadly to cover all leavers, voluntary and involuntary, including those who resign, retire or are made redundant.” 

People exiting an organisation, for whatever reason(s), can pose a range of operational, legal, financial, and reputational risks to the organisation.

Employees leaving an organisation can take considerable knowledge about strategy, research, processes, operations, assets, and security vulnerabilities with them, depending upon their role, seniority, and expertise. This knowledge can present a risk to any organisation, particularly when the reason for the individual departing or exiting is not amicable. 

Losing a key employee or other colleague can also affect the performance and morale of the team and colleagues that they have left behind.

When thinking about people, turnover and exiting, how does your organisation consider this area of risk? Does it feature in the strategic or corporate risk register? Is it included in the Human Resources (or equivalent) function’s risk register or at the individual department, division or business unit level? When it comes to turnover and exit risks, do they feature anywhere, if at all? 

And what about risk appetite? What is your organisation's appetite when it comes to these types of risk? If the board or governing body haven’t articulated a risk appetite in this area, how much risk - and of what nature - is the organisation willing to put up with at any one point in time?

A role for internal audit

The recent Risk in Focus 2024 survey, published by the European Confederation of Institutes of Internal Auditing (ECIIA) in September 2023, identified human capital, diversity, talent management and retention as the second biggest risk organisations in Europe continue to face. This year, 58% of the 799 respondents, the majority of whom are chief audit executives, cited it as a top five risk - up from 50% last year and 40% in 2022.

Often, when organisations fail to properly manage aspects of their human capital, diversity, and talent management practices, the consequence is increased turnover and the need for exit management activity. Manage these areas better, and fewer people will leave! 

Internal audit must play a greater role in auditing human resources and people risk - something I have written about before here. However, too many internal audit functions still shy away from these subjects. 

Returning to our focus here, we can certainly do some good work, whether assurance or advisory, to examine how exit management occurs in our organisations.

Good practices and expected controls

Management - usually in the Human Resources (or equivalent) function - will typically be responsible for designing appropriate exit processes. These should be efficient and effective in design and operation, especially as managers across the organisation, rather than solely in Human Resources, will often be responsible for undertaking aspects of the exit process. 

Given the nature of exit-related risk(s), internal audit should consider the extent to which the following controls are needed and whether they are appropriately designed and operating effectively. 

  • Policy and processes – are there owned, documented, up-to-date and relevant exit policies and associated process(es) or procedures that apply to the different types of individuals leaving the organisation, whether employee, contractor etc.? Have these been reviewed post-pandemic, and do they reflect the current way in which the organisation’s operating model now works, whether in-person, hybrid or remote?
  • Within these policies, processes and procedures, are there clearly articulated roles and responsibilities in respect of Human Resources (or equivalent), other functional areas (such as the Information Technology or Security teams), the local manager and the exiting individual, so that everyone understands what they are accountable for, when, how, and why?  
  • Do these accountabilities cover aspects such as responsibility for: 
    • holding an effective handover or knowledge-sharing session so that critical - or occasionally unique - knowledge does not exit the organisation with the exiting individual. 
    • cancelling access to information systems, applications, premises, and confidential information, and at what stage this takes place in the exit process.
    • retaining all physical badges (etc.) such as ID cards, security access passes (fobs or cards) and keys, and at what stage this takes place in the exit process.
    • collecting all organisational property, such as work phones, laptops, other mobile devices, hardcopy folders and files etc. This should also occur at a defined point in the exit process.
    • reminding the exiting individual of their ongoing obligations in respect of confidentiality and non-disclosure in respect of organisational information etc. 
    • offering and holding useful, value-adding exit interviews, accurately recording the results, and sharing them with relevant stakeholders.  

At an operational level, effective management of ID and access passes (etc.) may be an important consideration for many different types of organisations when individuals exit. 

Obviously ensuring the return of the ID/pass(es) (etc.) by the exiting individual is a key control, as mentioned above. 

To further minimise the risk of unauthorised access to premises and locations when individuals leave, the Security (or another) function should consider maintaining an accurate register of all access passes including returns, cancellation and those that have been deactivated.  

Depending on the range and nature of risk in this area, we may reasonably expect the Security (or another) function to conduct regular audits (with a little ‘a’) of all active passes held by employees and others, as well as immediately ensuring that all unclaimed, duplicate, lost or mislaid access passes are cancelled and/or deactivated.

To minimise the risk of property and information loss we might reasonably expect that the Information Technology function, instructed by local management and/or Human Resources, should ensure that the exiting individual’s access to IT systems is removed or disabled at the right moment. This may be immediately, of course, if the exit is due to some form of disciplinary reason or gross misconduct (etc.). Whoever is responsible for this should ensure that accurate, clear, and auditable records are kept of when the removal of IT system access(es) occurred. 
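The reconciliation an auditor would run against the pass register and the IT access records described above, as an added example that is not part of the original article: it compares HR's leavers list with the access register and flags access that is still live, was removed later than the expected deadline, or was removed with no auditable date. The data, field names and the `reconcile_exits` function are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data, not taken from the article: the HR leavers list and
# the access register that the IT or Security function would maintain.
# "disabled_on" is None when the access is still live or no removal date was recorded.
LEAVERS = [
    {"id": "E100", "leave_date": date(2024, 3, 1), "reason": "resignation"},
    {"id": "E101", "leave_date": date(2024, 3, 5), "reason": "gross misconduct"},
    {"id": "E102", "leave_date": date(2024, 3, 8), "reason": "retirement"},
]
ACCESS_REGISTER = [
    {"id": "E100", "access": "VPN account", "status": "disabled", "disabled_on": date(2024, 3, 1)},
    {"id": "E100", "access": "building pass", "status": "active", "disabled_on": None},
    {"id": "E101", "access": "email account", "status": "disabled", "disabled_on": date(2024, 3, 7)},
    {"id": "E102", "access": "HR system login", "status": "disabled", "disabled_on": None},
]

# Exit reasons where removal is expected on the day of exit rather than after it.
IMMEDIATE_REMOVAL_REASONS = {"gross misconduct", "disciplinary"}


def reconcile_exits(leavers, register, grace_days=1):
    """Hypothetical audit test: work out each leaver's deadline for access removal,
    compare it with what the register records, and return (id, access, finding)."""
    deadlines = {}
    for person in leavers:
        grace = 0 if person["reason"] in IMMEDIATE_REMOVAL_REASONS else grace_days
        deadlines[person["id"]] = person["leave_date"] + timedelta(days=grace)

    exceptions = []
    for entry in register:
        deadline = deadlines.get(entry["id"])
        if deadline is None:
            continue  # holder is not a leaver, so out of scope for this test
        if entry["status"] != "disabled":
            exceptions.append((entry["id"], entry["access"], "still active after exit"))
        elif entry["disabled_on"] is None:
            exceptions.append((entry["id"], entry["access"], "no auditable removal date"))
        elif entry["disabled_on"] > deadline:
            late = (entry["disabled_on"] - deadline).days
            exceptions.append((entry["id"], entry["access"], f"removed {late} day(s) late"))
    return exceptions


if __name__ == "__main__":
    for person_id, access, finding in reconcile_exits(LEAVERS, ACCESS_REGISTER):
        print(f"{person_id:6} {access:16} {finding}")
```

Each exception maps to one of the expected controls: a live pass after exit, a late removal, or a removal that cannot be evidenced.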

Furthermore, we would expect to see that the responsible function(s) - whoever it may be - maintains a register of all assets issued to individuals, both at the commencement of and during their time with the organisation, and of what is returned when they exit. Local management will typically be best placed to ensure that all assets are returned and recorded when individuals leave. Additional thought will need to occur when the workforce operates remotely.

To better manage risks posed by different individuals, and the circumstances of their exit, we might expect larger organisations to formally assess the risk posed by those exiting at different levels of seniority or specialism, and for different reasons for departure. In these organisations, we could expect to see that the relevant function - potentially Human Resources - has developed and documented appropriate procedures to manage the associated risks effectively and efficiently. They should also communicate relevant guidance or instructions to key employees in the relevant business functions or areas.

Conclusion

Exit management is an interesting, important, and relevant subject for internal audit work. There are several key risks and the typical division of roles and responsibilities between different functions and areas makes these risks harder to manage in practice. Inconsistency in practices is also likely given the involvement of local management across the organisation.

Isn’t it about time you included this subject in a future internal audit plan?

John Chesshire, FCIIA

John is a Chartered Fellow of the Chartered Institute of Internal Auditors (FCIIA) and holds various other qualifications and relevant designations. He has over 24 years' experience working in the internal audit, risk management, business improvement and governance fields. He is an Independent Internal Audit Committee Chair, has recently been Chief Assurance Officer for the States of Guernsey and runs his own training company, JC Audit Training Ltd.

John’s recent clients include FTSE listed companies, banks, multinationals, central and local government, law enforcement, international charities, professional services companies, as well as international organisations such as NATO, the OECD, and UN Agencies.  He is passionate about internal audit and particularly enjoys working in new and emerging areas of assurance interest, especially in respect of people risk. John is also a member of both ISACA and the IRM.