Show me the money... Information?

Information Supremacy, the key to making informed threat and risk judgements 

In our last article we covered the importance of getting the security and resilience basics right, whilst maintaining a forward look to scan the threat landscape for warning signals. This article looks at the key role information management plays in supporting the risk identification, assessment and management process, including emergency response.

In our world of increased connectivity and complexity, how well information is managed can make the difference between an organisation being able to confidently make informed judgements about threat and risk, and having no option but to act out of an “abundance of caution”. The latter brings additional consequential risks of its own, together with the financial burden of trying to cover all bases in a ‘scattergun’ approach.

Highly reliable organisations, including those with a robust Security Management System (SeMS), recognise the importance of making best use of the information the organisation is able to access. The collection process should start before you need the data.

To operate effectively, risk assessment groups need access to all relevant data sets and the ability to analyse and make sense of them, for example by understanding their timeliness and reliability. Unfortunately, some organisations don’t have ready access to incident data and would find it difficult to rapidly produce a report for the board, or even to answer relatively simple questions such as: how many thefts did the organisation suffer over a particular time period, and which time of day and day of the week feature most significantly?

This creates additional work for organisations that still rely on the pen and paper approach and have to manually sift through reams of weekly and monthly reports to establish the data sought. Lack of standardisation in reporting further frustrates the process, and this can also be a challenge with incident reporting systems where there are too many similar incident categories to choose from.

From experience, keeping reports simple yet structured creates more consistent data for the organisation. The easier you make the reporting, the greater the chance you have of incidents actually being reported. Every incident or problem is not only a warning signal of a potential crisis in the making, but also an opportunity for the business to improve. The greater the quality of your risk and resilience picture, the easier it will be to analyse and manage the identified risks and develop robust resilience plans.


Organisations with an established SeMS will, as part of their corporate assurance process, have a dedicated group that reviews the risk register on a regular basis, ensuring it reflects the threat landscape the organisation operates in.

As we discussed in our first article, organisations need to look inwards and outwards when searching for threats and risks. Mature organisations will have an ‘Industry Watch’ agenda item covering external events in the sector which could impact their business activities. This is a great opportunity to learn from others. One characteristic of highly reliable organisations is their ability to learn lessons quickly, regardless of whether the lesson is an internal one or was identified during their industry watch activities or through collaboration with other sectors.

The COVID-19 pandemic has significantly changed the way organisations are able to work, and provides us with opportunities to ‘use the difficulty’ and introduce innovative ways to work remotely, for example by developing virtual risk assessment groups (vRAGs).

As organisations resume business, the need for robust risk search, analysis and assessment couldn’t be greater. Initial insights into the pandemic response suggest that action only began to be taken once the outbreak was formally declared a pandemic, rather than when the flurry of warning signals began to emerge from China. The nature of 21st century crises is such that organisations need to be agile and timely in their response to the detection of warning signals.

Risk Managers will often need to get an organisational view of the potential impacts of a particular warning signal. In our fast-paced world, the longer the delay in assessment, the greater the potential risk to the organisation and its people.

Traditionally, the Risk Manager has emailed or telephoned the relevant stakeholders to seek their views. Despite this seemingly being a simple task, without a unified platform offering multiple channels (voice, email, SMS etc.) it can be difficult, ineffective and unreliable.

Emails can get delayed, lost or simply ignored due to work pressures. Even if an email is responded to, people’s inboxes are such that key messages can easily get lost, and that one snippet of missing information could mean that the risk manager, or risk group, doesn’t get an accurate picture on which to base their assessment.

Collating email responses from multiple stakeholders can also be challenging, again with the risk of information being ‘lost’ in the email chain. As with simplifying reporting, the easier the information gathering process is, the more likely it is to be used without loss of essential data.


It’s important for organisations to ‘see’ (recognise) warnings, and once a warning signal has been detected the need for speed of assessment cannot be overstated.

Immediate action needs to be taken to gather further insights and start the analysis process. This is not about seeking perfection, but rather about having sufficient information from across the business, and externally where relevant, to enable the risk manager, or risk assessment group (RAG), to make an informed judgement and provide strategic direction to the Board.

Waiting to try and get the perfect picture is likely to create additional risks for the organisation, delaying what may be urgent mitigation to avert a crisis state.

The ability to gain organisation-wide insights and agree a common picture (one version of the truth) is vital.

Timely response action trumps perfection, and preventing a crisis state is far easier than trying to survive a crisis, which can be catastrophic for the organisation. The assessment we initially provide the Board will, in many cases, be all that we know at that moment in time. It’s important to recognise that action may need to be taken before we have the complete picture. The RAG’s assessment will be based on data analysis, instinct and good judgement.

Communicating with our Boards is important, and much has been written about the challenges security managers often have trying to speak the language of the board, and influence key decision makers.

What is presented to the senior management team must be concise, accurate and informative, clearly articulating our key messages.

We need to calibrate the Board’s expectations: risk management and threat assessment are not exact sciences, but reasoned judgements based on the best possible information we are able to gather about the ‘warning’. Sometimes it will be necessary to shout the warning loudly, to highlight the potential scenarios that could develop and ensure the message doesn’t get lost in the day-to-day organisational noise.

The existence of a good risk management methodology, supported by helpful technology and systems, will help with prioritisation and high-volume information management, ensuring organisations can rapidly identify warning signals, assess their potential impact, communicate them across the business, and manage their risks and responses sensibly.
