Public sector bodies are notoriously risk averse but seem willing to accept huge amounts of ‘red’ risks in their risk registers, especially relating to technology. When I look at some of these registers, I am left thinking – if this was an airline, would I fly with it?
Talking to a group of local authority finance directors about cyber risks, we discussed how they decide what to spend on information security and how they make judgements about the levels of risk that their organisations are prepared to accept. The general view was that it is difficult to take money from frontline services to spend on IT and that the impact of a cyber breach is more ‘manageable’, comparatively, than dealing with the consequences of a child or vulnerable adult dying in care. These are the sorts of tough judgements that public sector organisations face.
You have four broad options: (a) Avoid the risk completely by not undertaking that activity. (b) Transfer the risk via insurance or other means. (c) Just accept the risk, and go ahead regardless. (d) Seek to really understand the risk in terms of likelihood, impact and mitigation. You also need to think about ‘resilience’ – the ability to recover. This means not only anticipating problems but also having in place robust contingency arrangements. These are the types of discussions and judgements that risk registers are intended to engender and support.
All too often, however, it feels as if the risk register has become a tick-box exercise, where marking something ‘red’ somehow seems to absolve management of responsibility. Dealing with the consequences of something like a cyber incident then costs many times the cost of investing in robust information security. It is akin to a householder who only invests in modern locks and alarm systems after they have been burgled and their possessions lost. The cost to TalkTalk, for example, of dealing with its 2015 security breach was about £60 million, many times the cost of implementing more up-to-date cyber security.
I recently attended a talk by Levison Wood, the explorer, writer and TV personality, to a large group of IT professionals, where he encouraged them to review their attitudes to risk. He had recently returned from walking the length of the Himalayas, a six-month journey of over 1700 miles from Afghanistan to Bhutan, which was televised on Channel 4 as a five-part documentary series. His view is that ‘risks are good’. We only make progress by taking risks, and understanding risks allows us to prioritise our actions and evaluate our options. He also said that many people tend to confuse ‘risk’ and ‘threat’. The threat may appear huge because the impact is massive, but the risk is low. He favoured the Chindit approach, with their motto ‘the boldest measures are the safest’.
Just remember, cautioned Levison, ‘there is no problem so bad that you cannot make it worse!’
Levison Wood of course has the advantage that he is unlikely to ever face the challenge of explaining his actions to the Public Accounts Committee or face scrutiny from a group of local politicians.
However, the wider point is that we tend to look at risks in isolation. Risk management and performance management are opposite sides of the same coin. The harder you strive, the more you push and the leaner your organisation, the greater the concomitant risk. Managing risks is an essential part of making things happen. Also, spending on information security should not be seen as investing in IT, or simple risk reduction, but investing in better and more responsive services, and enabling greater modernisation and efficiency.