A Behavioural Approach to Two Risk Challenges
3rd December 2016 | Roger Miles
The new age of ‘regulated behaviour’
Consider this: In many organisations, there is a group of senior and middle managers whose main job is to design risk controls. You can find such people in the Civil Service, at regulatory agencies, and across many business and public sector organisations. Their work entails designing regulations, guidelines and operational notes aimed at steering the rest of us towards safe and acceptable working practices.
For reasons about to become clear, since around 2006 these designers of rules have been looking carefully at developments in the analysis of human behaviour. In particular, they’re interested in what is now known about patterns of unconscious influence on our human behaviour that lead to benefits, harm and costs to others. Whether or not you’d noticed it yet, the influence of this field of study known as behavioural economics (BE) has been steadily increasing. Its reach now affects how everyone in the financial sector goes about their work, thanks to new rules and regulators governing conduct of business. The science influences not just the design of the new conduct rules but also related practices in marketing, fraud control, and human resource management. Regulators’ use of behavioural economic principles has large and costly implications for many aspects of life in organisations. Two areas in particular deserve a closer look.
In case you’re unfamiliar with this topic, here is a brief recap. BE has become a hot news topic since becoming the fashionable tool of choice for politicians looking to fix a range of social problems, from public healthcare to bad bankers. BE’s recent surge in influence arguably began when two national leaders (namely President Barack Obama and former Prime Minister David Cameron) started drafting behavioural experts to advise on ‘nudge’-based social programmes. Although those experts described their work in fancy words (such as ‘libertarian paternalism’ or ‘choice architecture’), the premise of ‘nudging’ was simple: to change people’s attitudes to making choices, just change the way you present the choice itself.
For example, governments historically had found it difficult to get people to provide for retirement by taking out a private pension plan, meaning that with an ageing population, national treasuries faced a steeply rising bill for public pensions. Behavioural economic studies had meanwhile shown that people generally aren’t good at long-term planning, as we tend to live more in the present moment. The U.S. and UK governments applied a ‘nudge’ to this problem, by changing the assumption behind workplace pension schemes from ‘opt-in’ to ‘opt-out’. Thus, you now have to choose not to pay into a pension; otherwise your payments are taken automatically. Good for your future, and good for government finances – though also, say some critics, too much state intrusion.
You may well wonder what all this behavioural economics stuff has to do with day-to-day business. Whilst it raises many points of policy concern for business and other organisations, trend analysis for 2017 points to a sharp rise in the cost of two risks in particular that arise from staff behaviour in the workplace. These two risks are connected, but we’ll consider them separately first, as they are very different in nature. Both show how behavioural economics is affecting our working lives and cost bases.
First Kind of Exposure: Cyber-crime; the value of enhancing situational awareness
Behavioural economics is not only used by public policy-makers for the public good; there is also a darker side, where the bad guys use behavioural insight for criminal profit. Whilst the political advisers were busy designing ‘nudges’, a bunch of hackers were busy reading all the same textbooks and starting to put some of the same behaviour-control techniques to work to compromise corporate security, especially around business information systems. Known as ‘social engineering’, this dark-side use of nudging is now a huge threat. It’s therefore desperately important now that we understand this new risk and work together to prevent it.
Asked what they have done to manage cyber risk, most organisations still say: beefing up the IT department, firewalls, virus checks, and so on. All those countermeasures are useful, certainly, but beware: the main focus of cyber risk has shifted to a place that many organisations haven’t yet recognised, and which needs a new approach to manage. Hacker entrepreneurs now know that most organisations’ weakest link is not the IT system itself, but the people who use it. From the hacker’s point of view, why waste mental effort trying to crack a coded entry point, when it’s so much easier just to persuade a friendly employee to let you in?
In resource management terms, organisations are at the limit of what systems-based controls (firewalls, vigilant IT teams, etc.) can achieve. From now on, the weakest point of defence is the staff in the general office. Hackers know this and are now two jumps ahead. Using various covert approaches, they are not looking to attack the system directly, so much as to subtly manipulate the behaviour of staff into letting them in. These covert approaches take many forms, such as note-gathering, whaling, baiting, phantom helpdesks, and priming.
In summary, think of the threat like this: You may have fitted your front door with a super-secure lock. But the bad guys, disguised as nice guys, persuade your staff to leave the keys in the lock, allowing the bad guys to walk on in. The problem is not with the door, but with how staff perceive ‘good’ and ‘bad’. This is why a change of approach is needed.
Having recently run a survey on this, I can say that most organisations still have a big gap between good intentions and actually rolling out any proper countermeasures against the new threat. Most of all, organisations need to make a big jump forward in situational awareness: to re-train staff in ‘working risk-aware’. Realistically, if painfully, during the next year I expect to see at least one major brand, and possibly a national infrastructure provider, brought down by a socially-engineered attack. Don’t let it be yours.
Second Kind of Exposure: Costs of misconduct
Whilst the black-hat hackers develop ever more creative ways to get your staff to leave the front door open, over on the government side there’s another behaviour-control initiative producing equally dire losses. Also putting behavioural economic principles to work, a new conduct control regulatory agency arrived in 2013, in the shape of the UK’s Financial Conduct Authority (FCA).
Unless you already work in a bank compliance department, you might be very surprised to find out just how huge the cost is of this new form of behaviour-based risk control. UK banks have had to expend all of the new capital that they raised for themselves in the past three years – that’s over £30 billion – on paying out conduct regulatory costs: fines, redress, re-organisation, and so on. In other words, all that new money that banks might otherwise have been lending to customers, they’ve had to spend on dealing with the new wave of behaviour-based regulation. And, says the Bank of England, the banks will need another £40bn to cover conduct costs for the next three years or so.
Of course, some people will say that banks brought these costs upon themselves by being careless in the first place. Banks respond, with good cause, that conduct rules are evolving so fast that it is often hard to keep up and to understand the new regulator’s intentions, which change periodically.
More concerning for any firm regulated in the ‘conduct space’ is a wider growth in regulation itself using those behavioural economic principles. Conduct prosecutions make big money and big headlines for cash-strapped governments. They also hand politicians back some much-needed voter credibility after the debacle of the bank bailouts: nothing says ‘consumer champion’ quite like a government minister presiding over the jailing of a bad banker. This scene is an increasingly common sight in some jurisdictions where conduct rules have been rolled out even more aggressively than in the UK – notably Australia, under the ASIC control regime. Back in the UK, other branches of government have started to adopt FCA-style behavioural regulation principles; they include the Competition and Markets Authority, which potentially affects every business in the land. Around the world, many other regulators are looking to follow the FCA’s lead in exacting far bigger fines, and in pursuing individual senior managers rather than diffuse corporate brands.
Certain firms in the financial sector are about to find that these two forms of behavioural risk overlap, threatening catastrophe. It is already happening. For example, one brand that recently suffered a hacker-induced systems failure (already quite expensive), then found itself facing prosecution for misconduct (a whole lot more expensive) since the hack had created ‘customer detriment’. Bizarrely for this firm, being a victim of hackers’ criminal misbehaviour then morphed into themselves becoming the public villain in a misconduct enforcement for allowing the crime to happen.
For the rest of us who aren’t bankers, the impacts of both these forms of behavioural risk will only rise – unless we take realistic steps to anticipate and head them off. New forms of threat require us to adopt new approaches to managing risk. The highest priority is to give back the confidence to all staff that their own intuition is a reliable source of early warning of misbehaviour, either within the organisation or incoming from the outside. Meanwhile, most staff don’t even know about hackers’ ‘social engineering’ tricks; or what constitutes ‘misbehaviour’ under conduct regulation. Why not start by telling them what both these risks look like, in practical detail?
More than that, though, organisations of all kinds need to build a new layer of situational awareness: of how to ‘work risk-aware’ in daily practice. As a practical starting point, a one-day workshop on this topic transforms staff’s responsiveness to behavioural risks, speeds up early warnings across the organisation, keeps the bad guys away from your front door, and (if you’re already conduct regulated) saves a stack of fines. There is plenty else you can do, of course. Whatever preventive steps you do take, it’s no longer an option to do nothing – unless you want to star in the next set of bad news headlines.