It was a few years ago on a Tuesday afternoon in April when ‘nothing’ happened. I was working at a national charity and everything seemed normal. Everyone was going about their business:
- Our frontline staff were delivering services;
- Our volunteers were giving their time and help;
- Our fundraisers were raising funds and our supporters were continuing to donate;
- Our shops were trading; and,
- We were answering our ‘phones, paying our suppliers and collecting money.
On the surface, all was as it should be: expected and routine – no threats or vulnerabilities were being realised – ‘nothing’ was happening.
The invisible threat
The reality was quite different. Our organisation was under attack. This is not hyperbole – we really were. Our systems were being subjected to a distributed denial of service (DDoS) attempt. In plain language, there was a coordinated effort to flood our systems with traffic and knock them offline, mounted by someone with the technical know-how in pursuit of some larger, nefarious gain.
In our IT team life was far from ordinary. One 40-minute period on that April afternoon saw a huge spike in traffic that set alarm bells ringing. Despite this, our defences held and we were protected and safe – a testament to the talented group of IT professionals who worked there. However, as far as the rest of the charity was concerned, nothing happened: things kept running, people kept working. The whole scenario that was being played out was invisible to them.
Such events represent both the challenge and the value of risk management. It’s great that such events do not stop or disrupt the work of an organisation, but how do risk professionals measure and communicate the value of incidents that have no obvious or immediate impact on front-line delivery?
Making the case
Like many of my peers, I have found myself sitting across from a colleague who is unconvinced about the value of risk management. Typical responses include, “We’ve been doing X for years and nothing has ever gone wrong. Why do I need a risk management function?” It’s a simplistic but powerful retort. They are not explicitly against risk management as a practice but remain sceptical about its value.
So this is our challenge. When things are not going wrong or the threats we’ve identified or modelled aren’t being realised, how do we convince colleagues and stakeholders about the value of managing risk and committing resources to it?
Fortunately, we are surrounded by examples that can help.
- Individuals and businesses routinely take out insurance with the hope that they’ll never have to make a claim. We may all grumble about the cost but we don’t deny the peace of mind that this brings.
- Many people invest in security software that regularly scans their device for possible threats and viruses. For around £1 a week, they get peace of mind when the results of the regular scans show ‘No security risks detected.’
- Business continuity professionals regularly run simulations to test preparedness and resilience in the event of significant events such as fires, floods, etc. These are incidents that they never want to see materialise, but the exercises are used for valuable learning, to make changes and updates in plans and approaches.
Those engaged in enterprise risk management don’t routinely make use of the ‘near miss’ as a basis for managing risk, yet colleagues in related disciplines do, and it is something we could adopt to improve the services we provide. Health and safety professionals routinely capture such information and use this data to identify patterns and potential early warnings of weaknesses and vulnerabilities that may harm an organisation. This approach embodies the philosophy of ‘prevention rather than cure’ and the idea of an organisational learning culture.
Communicating value not cost
For me, the message here is that we have examples to draw on but don’t use them as part of our approach to communicate the value of nothing. There is often a focus on measuring the costs and resources expended in protecting an organisation from harm, but a failure to measure and communicate the value protected. There’s also merit in examining and challenging how things work. At worst this can be little more than a theoretical and intellectual pursuit that does not support the organisation’s aims. However, used well, it can open up new insights about how things operate or provide opportunities for new services or products.
I believe it’s a question of value not cost, and this is probably where we can change the communication and messaging of our work with colleagues. The DDoS example cited above provides a helpful case study. The defences put in place by the IT team represented a considerable investment in terms of financial cost, not to mention the ongoing investment made in regular communications to colleagues through education and awareness programmes. But the time, money and reputation that were protected were of far greater value.
A professional contact of mine has a saying that they routinely repeat to me… “it’s better to have it and not need it, than to need it and not have it.” I totally agree, but we also need to tell colleagues the value of having it. It’s time for us as risk professionals to start making the case.