Economic issue: risk management

FINANCIAL TIMES OCTOBER 27 2004

Ready for when things go wrong

Jon Boone finds good communication is essential to ensure that staff do not wreak havoc either in a crisis or on a quiet day

Someone rings you up, claiming to be a journalist interested in talking to you about how your company protects itself from criminals intent on stealing your information, damaging your property or perhaps ruining your reputation. What do you do? Michael Handley, operations director at MHG Corporate Risk Specialist Services, promptly puts down the phone and calls back.

“That’s the first rule of management right there. It may seem silly but employees have to be shown that there is a real risk of people giving information out – particularly in the morning when people are off guard and more likely to let something slip.”

Unfortunately for journalists everywhere, Mr Handley is not the only risk management specialist who has made it his mission to persuade usually incautious employees to raise their guard.

Risk consultants everywhere are dead set on getting all workers, from receptionists upwards, to take the business of minimising risk and assessing future hazards seriously.

According to Jeremy Ward, a risk consultant at Symantec, which specialises in information security, it is particularly important for all members of staff to be trained to be risk-conscious, if only because the communications revolution has made it all the easier for an unwary employee to wreak havoc. “Let’s face it, the people far down the corporate food chain are often just the sort of people who have access to amazing amounts of data that could be incredibly risky if it got in the wrong hands.”

He believes that the particular problems surrounding computer crime call for a bigger cross-industry and government effort.

Even a US-style Cyber Security Awareness Month (yes, it exists) would not be a bad idea, he says.

John Colley, chairman of (ISC)2, a training body for information security professionals, says that the first rule for raising risk awareness in a company is not simply to preach a series of diktats to workers but to explain the risks involved.

“You need to say, ‘Look, these are the risks that we are facing and this is why we do things like regularly changing passwords.’ They need to understand why this affects their jobs – put simply, if the company goes bust as a result of your actions, you will also have to find another job.”

One of the pitfalls to such an holistic approach is the vast range of problems that a workforce needs to be kept alive to, says Steve Fowler, chief executive of the Institute for Risk Management.

“The danger of inventing terms like risk management is it becomes the preserve of specialists. There are a number of disparate specialisms each of which claim to know everything about risk and you often find that all the branches of risk only come together at the chief executive level.”

One way around this problem, according to Eddie Niestat, from the PA Consulting Group, is to adopt the approach used by ANZ, the Australian bank.

“They used to be pretty lousy at risk management but developed a programme to assess the company’s risk that got as many people involved as possible. In one way or another they had a third of the bank involved in developing it and that helped to circulate the issues and to give all employees a sense that they owned the programme.”

Even when such a plan is in place for mitigating risk it is sometimes hard, says Mr Fowler, to keep a high level of awareness. “I have seen so many business continuity plans that take up a series of A4 binders and are kept on a shelf somewhere, usually in the building that is at risk of being blown up. People need to know what to do in the heat of battle. You need to have skeletal plans in place that everyone understands.”

Top-notch internal PR is also called for, says Dr Ward. “There is no point starting something up and leaving it up on the corporate web site until it gathers the internet equivalent of an inch of dust. It needs to be changed regularly and made relevant to things that are happening in the company and in the outside world.”

“The corporate website should be like a daily newspaper with snappy headlines that people can relate to and want to read about.”

Mr Niestat agrees, saying firms should do everything. “You need to put stuff out on the internet, you need really effective presentations and a monthly newsletter. When you combine all these things you get to a position where everyone is being subtly and subconsciously bombarded all the time.”

Senior management should not, however, just lead by exhortatory emails, but also by example, says Simon Dawson, head of corporate investigations at Risk Advisory.

“Most fraud is committed by the organisation’s own employees and most damaging fraud committed by senior management. That’s why it’s important to create an anti-fraud culture so that people behave with honesty and integrity – it is tremendously powerful if senior management are behaving properly.”

Companies also need to set up mechanisms for reporting risks, says Mr Colley.

“The people who work at the sharp end know what the risk is, but people in higher levels of management may not understand the issues. They need something to get the message through, perhaps just an email address that people can use to get their concerns through the management chain.”

In the end, however, firms should trust their employees to do the right thing when things go wrong.

Mr Fowler quotes Marshal Pétain’s view that “A plan is always perfect until battle commences”.

Or, as paraphrased by Mr Fowler: “When the shit hits the fan, it’s down to people.”
