Over the last thirty years, the prevailing belief has been that process, technology and technique manage risk. While it is true that processes and engineering and technology controls play a significant role in our risk strategy, it is ultimately people who manage risk. The dilemma is that people are very complicated; we don’t always act logically, and we can’t simply be poked once to produce the desired outcome. We have all sorts of quirks that persist in our heads and gut responses, and when we are presented with uncertainty they cause us to act or behave differently. Sometimes it is just raw emotion that drives our actions, choices, and responses. Take road rage, for example: someone who is compliant and safe on paper, but a major risk to others in the moment. If we do not factor people into our risk models, the result will be a very ineffective process.
So how do we get our people to manage risk more effectively?
Well, it all starts with first educating the individual and group to recognize and understand the risks that they come across – overcoming risk blindness. From here there is an opportunity to shape their attitude towards those risks, which in turn affects behavior; and behavior shapes the risk culture of the organization.
The field that best illustrates risk management through people, in my opinion, is health and safety programs, for instance in the construction industry (mainly because failure there is quite tangible and visible). Companies with a strong risk posture operate with regular safety orientations, safety training, daily hazard assessments, incident reports, near miss reports, daily safety toolbox or team meetings, safety meetings, safety audits, etc. The purpose behind the frequency and repetitiveness of this process is to help the individual and group identify, assess, and manage the risks they see – or in other words, take ownership of the risks they encounter. The successful companies (which can be large or small) are those that strategically use near miss reports, that is, reports of an incident that did not cause damage or injury but could have.
These reports tell a story and allow for a tailored discussion with individuals and groups to help address the frequency of near misses and the flawed thought process leading into them. Now, some companies in the construction industry will argue that they have all those meetings and forms and still have a weak risk posture. Well, the problem is that they are going through the motions of safety compliance but have failed to reach the individual.
Full disclosure: while I think this industry is a leader in risk management, it is also rife with bureaucracy. The system can get caught up in the process of compliance, creating a false sense of security, and can lose the spirit of the main objective – keeping people safe. Again, it is people that manage the risk and not the process.
The notion of people managing risk should not be a surprise in the IT world, as many technologists are employed just to manage the aftermath of end users, despite the technology solutions in play.
We need to do a better job at seeing and understanding where people are coming from: the psychology of human thinking and, more importantly, how bias plays a role in risk assessment. This will make our processes way more effective – and yes, keep our IT people sane.