Ideas for Positive Skepticism in Risk Management

Sphere State Group
2 min read · Sep 18, 2018


  1. Processes and controls exist — this is indisputable. But it is absolutely vital to continually look for gaps in them and not to believe that they are well designed and consistently followed. This positive skepticism goes far beyond audit. For example, having a heavy-duty cross-cut document shredder is good; but if staff still leave piles of documents on their desks and then put smaller piles on top of the shredder, expecting that someone else will shred for them, that demonstrates a significant behavioral flaw which requires immediate correction.
  2. In cyber security, having the latest and greatest tools and hardware certainly presents a nice façade. However, if these tools and hardware are managed in a decentralized fashion and/or maintained and operated by people with low levels of personal and professional vigilance, a serious vulnerability still exists.
  3. In operational security, the number and location of officer posts doesn’t matter as much as their consistently optimum performance based on clearly and formally articulated objectives. Hong Kong recently increased the maximum allowable working age for a security officer to 70. In most jurisdictions security officers are severely underpaid, undereducated, poorly managed, and switch employers / sites quite frequently. However, most audits / assessments simply take note of an existing security force and their deployment scheme.
  4. In technical security, automation systems such as electronic access control, intrusion detection, and video surveillance are sold with an emphasis on sales volumes (number of doors, number of locations, etc.) rather than being granularly evaluated and agreed as fit for purpose, and balanced with the human capital needed to deeply understand their performance and monitor conditions.
  5. In due diligence, the focus is on financial performance, executive profiles, regulatory compliance, and existence of policies. What can and should be evaluated are the organization’s culture, daily behaviors, employee loyalty, and the level of vigilance. Wells Fargo and Volkswagen are great examples of high-performing companies that suffered massive failures and reputational damage because of factors which are rarely on any DD radars.
  6. In compliance, regulations draw most of the attention, while internal application is a much harder target. Policies and processes are designed, but without sufficient attention to the various attributes of human behavior and the reasons why humans tend to circumvent established controls — including compliance practitioners turning a blind eye to various violations. This is evident in various failures within the financial sector where employees circumvented established compliance controls to either take massive trading gambles or create fake accounts.
  7. In incident management, the current focus is on creation of thick plans to satisfy some regulatory regimes. What’s often missed is the efficiency and effectiveness of the actual incident management process. Volkswagen and Yahoo knew about their massive incidents for a long time, but failed to execute any substantive incident management.

Application of positive skepticism in risk management helps look beyond “facades” of various controls and processes, reduce or eliminate dangerous assumptions, and drive organizational change toward integrity, vigilance, and resilience.

Soar above mediocrity!

www.spherestate.com
