A culture of risk


The best security system in the world can’t stop a risk-ignorant employee from jeopardising an organisation. The solution? Invest in your people.

The company decided to be tough on security. It installed a multi-million-dollar security system complete with all the widgets and appliances you’d expect of a high-tech solution. On-site security staff patrolled and monitored the building 24/7. But one weekend the company was brought to its knees by an attack that lasted four hours. The culprit? A door left ajar by a well-meaning employee.

It’s a tale ripped from a textbook on how security systems fail, but David Turner, Global Risk Management Speaker & Consultant, assures me it’s real. Only in retrospect, by looking at who came through the door, to whom they spoke and figuring out why they left the door ajar, could the client see that the system meant nothing without risk awareness in its staff. And it’s unfortunately common.

“You can have the latest software but 85% of the time the problem will come from the person sitting behind that laptop, how they are inducted, how they are trained, how they understand risk and how they use it correctly,” says Turner. “We’re way too dependent on our systems and procedures when we should be looking at people first.”

Documents aren’t enough
Risk policies and procedures do not influence risk culture unless they are understood and put into practice. In other words, simply having those documents isn’t good enough; you need people to activate them.

“A lot of companies have risk standards and procedures but people who are trying to deliver those, trying to put risk practices in place, still don’t get the basis of risk management,” Turner explains. “We have lots of technology and the same amount of breaches. Why? It’s still not getting through to Joe Bloggs on the ground. He doesn’t understand risk management and that is a risk in itself.”

According to Turner, about 75% of procedures are never put into practice or used correctly. “That’s a massive amount of paper and information no one reads. The stuff they do read is quite laborious and they are not coached through it,” he says. He believes the most effective method of changing risk behaviour is the hands-on approach: workshops. “It enables people to see risk management in a fun, engaging, interesting way.”

Workshops also allow staff to role-play different contingencies and contribute to the way the organisation assesses risk and handles issues. When staff have ownership of a risk process, they are more likely to practise good risk management of their own accord, which is far more powerful than having a manager yell at them for doing the wrong thing. “Do it a few times and you can see the risks decreasing quite rapidly. There’s huge amounts of value being added,” says Turner…