IRM'S VIEW: On people risk as a discipline

People risk is one of those topics organisations recognise as being important, but then often push into an ‘HR issues’ cupboard rather than engage with strategically. When something goes wrong, the script is surprisingly familiar. Generally, culture is blamed, training is proposed, a policy may be rewritten, maybe a few people are fired, and everyone hopes the outcomes will be better next time. The trouble is that none of these responses really treat people risk as a discipline. Instead, it is treated as atmosphere, reputation management, or a moral lecture about conduct.

The foundational move is both simpler and tougher: people risk is the predictable way human behaviour, capability, relationships and organisational conditions shape outcomes. It deserves the same rigour we apply to financial, operational, strategic and safety risks. A recent UK example makes the point well. In February 2026, the House of Commons Public Accounts Committee criticised National Savings and Investments’ transformation programme (originally Project Rainbow) and described a “good news culture” that meant decisions weren’t made and disagreements weren’t resolved. The programme has been reset, is years behind, and costs have ballooned, with the committee highlighting weak risk management and a lack of reliable information to support key decisions.

That phrase “good news culture” is doing a lot of heavy lifting here. It may sound like an attitude problem, but it’s really a risk control failure. If bad news can’t travel, organisations can’t correct course. If challenge is unsafe or unwelcome, optimism replaces evidence. If governance cannot get clear information, oversight becomes performative. In other words, while culture may be real, culture may also just be the label we reach for when the underlying mechanics are in fact accountability, incentives, decision rights, and information flow. That’s why a foundational approach to people risk management starts upstream, before symptoms become risk events.

Many organisations only notice people risk when it shows up as a spike in grievances, attrition, errors, near misses or compliance breaches. Those are lag indicators. They tell you that something is broken, not what changed beforehand. The risk discipline is to understand the conditions that make those outcomes more likely, and to monitor those conditions with the same seriousness you would apply to monitoring liquidity, cyber exposure or supply chain fragility.

Most of these conditions sit across overlapping layers. At the individual level, people bring their own biases, emotions, energy limits, competence and self-interest to every decision and action. Under time pressure, judgement narrows. Under strong pressure from incentives, corners get cut. People also respond to norms, status, loyalty, fear, belonging and peer pressure. If reporting bad news is punished, silence becomes rational. At the system level, people adapt to the reality of job design, workload, process clarity, decision rights, leadership signals and measurement. If workloads are unsustainable, error becomes inevitable. If roles are unclear, decisions get made by whoever appears to be in charge.

Organisations tend to over-focus on the individual because that feels controllable. But recurring issues are rarely individual problems; instead, they are signals of design. The NS&I story is instructive because the culture critique sits alongside a more concrete governance critique: insufficient skills to deliver the programme, weak planning and poor-quality information for decision making. People risk management isn’t about being nicer, softer or more compliant; it’s about understanding that organisations are human systems operating under pressure, and that human systems behave predictably.

Organisations that perform well over time are not those with the most aspirational values statements. They’re the ones that design work, leadership and governance around how people actually behave, then monitor the conditions that make good behaviour easier and harmful behaviour harder. And when someone says, “it’s a culture problem”, they don’t stop there – they identify what, exactly, in the system is producing that culture, and what they’re going to change.
