Photo: Alamy
Public sector bodies are notoriously risk averse but seem willing to accept huge amounts of red in their risk registers, especially relating to technology. When I look at some of these registers, I am left thinking: if this was an airline, would I fly with it?
I was discussing cyber risks with a group of local authority finance directors, and how they decide what to spend on information security and judge what levels of risk are acceptable. The general view was that it is difficult to take money from services to spend on IT and it is more “manageable” to deal with a cyber breach than a child or vulnerable adult dying in care. These are the sorts of tough judgments that public sector organisations face.
You have four broad options: avoid the risk completely by not undertaking that activity; transfer the risk via insurance or other means; accept the risk, and go ahead; or seek to understand the risk in terms of likelihood, impact and mitigation. You also need to think about resilience – the ability to recover. This means both anticipating problems and making robust contingency plans.
Risk registers are intended to support discussions in these areas. All too often, though, it feels as if the risk register has become a tick-box exercise, where marking something red somehow seems to abrogate management of responsibility. The consequences of an incident then cost many times more than the costs of robust information security. It is akin to someone who only invests in modern locks and alarms after they have been burgled. The cost to TalkTalk, for example, of dealing with its 2015 security breach was about £60m – many times the cost of implementing more up-to-date security.
I recently heard Levison Wood, an explorer, writer and TV personality, talk to a large group of IT professionals, where he encouraged them to review their attitudes to risk. He had walked the length of the Himalayas, a six-month journey of over 1,700 miles from Afghanistan to Bhutan, which was the subject of a Channel 4 series. His view was “risks are good”. We only make progress by taking risks, and understanding risks allows us to prioritise actions and evaluate options. He said many people tended to confuse risk with threat. A threat may appear huge because its consequences could be massive, but the risk is low. He favoured the motto of Second World War special forces the Chindits: “The boldest measures are the safest.” Just remember, he cautioned: “There is no problem so bad that you cannot make it worse!”
Wood, of course, has the advantage that he is unlikely to have to explain his actions to the Public Accounts Committee or face scrutiny from local politicians.
The wider point is that we tend to look at risks in isolation. Risk management and performance management are opposite sides of the same coin. The harder you strive, the more you push and the leaner your organisation, the greater the concomitant risk. Managing risks is an essential part of making things happen. Also, spending on information security should not be seen as investing in IT, or simple risk reduction, but investing in better and more responsive services, and enabling greater modernisation and efficiency.
