A Behavioural Approach to Two Risk Challenges: Part 1
3rd December 2016 | Roger Miles
The new age of ‘regulated behaviour’
Consider this: In many organisations, there is a group of senior and middle managers whose main job is to design risk controls. You can find such people in the Civil Service, at regulatory agencies, and across many business and public sector organisations. Their work entails designing regulations, guidelines and operational notes aimed at steering the rest of us towards safe and acceptable working practices.
For reasons about to become clear, since around 2006 these designers of rules have been looking carefully at developments in the analysis of human behaviour. In particular, they’re interested in what is now known about patterns of unconscious influence on our human behaviour that lead to benefits, harm and costs to others. Whether or not you’d noticed it yet, the influence of this field of study known as behavioural economics (BE) has been steadily increasing. Its reach now affects how everyone in the financial sector goes about their work, thanks to new rules and regulators governing conduct of business. The science influences not just the design of the new conduct rules but also related practices in marketing, fraud control, and human resource management. Regulators’ use of behavioural economic principles has large and costly implications for many aspects of life in organisations. Two areas in particular deserve a closer look.
In case you’re unfamiliar with this topic, here is a brief recap. BE has become a hot news topic since becoming the fashionable tool of choice for politicians looking to fix a range of social problems, from public healthcare to bad bankers. BE’s recent surge in influence arguably began when two national leaders (namely President Barack Obama and former Prime Minister David Cameron) started drafting behavioural experts to advise on ‘nudge’-based social programmes. Although those experts described their work in fancy words (such as ‘libertarian paternalism’ or ‘choice architecture’), the premise of ‘nudging’ was simple: to change people’s attitudes to making choices, just change the way you present the choice itself.
For example, governments historically had found it difficult to get people to provide for retirement by taking out a private pension plan, meaning that with an ageing population, national treasuries faced a steeply rising bill for public pensions. Behavioural economic studies had meanwhile shown that people generally aren’t good at long-term planning, as we tend to live more in the present moment. The U.S. and UK governments applied a ‘nudge’ to this problem, by changing the assumption behind workplace pension schemes, from ‘opt-in’ to ‘opt-out’. Thus, you now have to choose not to pay into a pension, otherwise your payments are taken automatically. Good for your future, and good for government finances – though also, say some critics, too much state intrusion.
You may well wonder what all this behavioural economics stuff has to do with day-to-day business. Whilst it raises many points of policy concern for business and other organisations, trend analysis for 2017 points to a sharp rise in the cost of two risks in particular that arise from staff behaviour in the workplace. These two risks are connected, but we’ll consider them separately first, as they are very different in nature. Both show how behavioural economics is affecting our working lives and cost bases.
First Kind of Exposure: Cyber-crime, and the value of enhancing situational awareness
Behavioural economics is not only used by public policy-makers for the public good; there is also a darker side, where the bad guys use behavioural insight for criminal profit. Whilst the political advisers were busy designing ‘nudges’, a bunch of hackers were busy reading all the same textbooks and starting to put some of the same behaviour-control techniques to work to compromise corporate security, especially around business information systems. Known as ‘social engineering’, this dark-side use of nudging is now a huge threat. It’s therefore desperately important now that we understand this new risk and work together to prevent it.
Asked what they have done to manage cyber risk, most organisations still say: beefing up the IT department, firewalls, virus checks, and so on. All those countermeasures are useful, certainly, but beware: the main focus of cyber risk has shifted to a place that many organisations haven’t yet recognised, and which needs a new approach to manage. Hacker entrepreneurs now know that most organisations’ weakest link is not the IT system itself, but the people who use it. From the hacker’s point of view, why waste mental effort trying to crack a coded entry point, when it’s so much easier just to persuade a friendly employee to let you in?
In resource management terms, organisations are at the limit of what systems-based controls (firewalls, vigilant IT teams, etc.) can achieve. From now on, the weakest point of defence is the staff in the general office. Hackers know this and are now two jumps ahead. Using various covert approaches, they are not looking to attack the system directly, so much as to subtly manipulate the behaviour of staff into letting them in. These covert approaches take many forms, such as note-gathering, whaling, baiting, phantom helpdesks, and priming.
In summary, think of the threat like this: You may have fitted your front door with a super-secure lock. But the bad guys, disguised as nice guys, persuade your staff to leave the keys in the lock, allowing the bad guys to walk on in. The problem is not with the door, but with how staff perceive ‘good’ and ‘bad’. This is why a change of approach is needed.
Having recently run a survey on this, I can see that most organisations still have a big gap between good intentions and actually rolling out any proper countermeasures against the new threat. Most of all, organisations need to make a big jump forward in situational awareness: to re-train staff in ‘working risk-aware’. Realistically, if painfully, during the next year I expect to see at least one major brand, and possibly a national infrastructure provider, brought down by a socially-engineered attack. Don’t let it be yours.
The second part of this article will examine the other biggest human-factor cost: Conduct Risk.
About the author: Dr Roger Miles researches behavioural risk and the impacts of conduct regulation. He counsels Boards on human risk factors and uncertainty, and delivers bespoke risk workshops for leadership groups in government, NGOs and the professions. He teaches risk-related psychology at graduate schools including Cambridge University and the UK Defence Academy. He co-edits the LSE's annual Behavioural Economics Guide and publishes best practice guidance notes through professional bodies including British Bankers' Association (BBA), the Association of British Insurers (ABI), Global Association of Risk Professionals (GARP) and the Institute of Operational Risk (IOR).