A Behavioural Approach to Two Risk Challenges: Part 2
3rd January 2017 | Roger Miles
In this continuation of the last instalment on exposure to risk, Roger Miles explains the second kind of risk that could be leaving companies exposed.
In the first part of this article, I highlighted how two new forms of ‘people risk’ have been able to grow fast during the past three years, for want of better corporate approaches to addressing them. The first risk was social engineering: a form of cyber attack that targets people rather than systems, and one that is becoming ever more sophisticated. This risk is becoming acute because criminals’ use of behavioural insight is colliding dangerously with naïve business practices.
In one respect, that threat has a parallel in the second form of behavioural risk, described below. This second risk emerges not from organised crime but from the collision of the new conduct regulation of financial services with (again) business practices that haven’t yet adjusted to a changing reality.
Second Kind of Exposure: Costs of misconduct
Whilst the black-hat hackers develop ever more creative ways to get your staff to leave the front door open, over on the government side there’s another behaviour-control initiative producing equally dire losses. Also putting behavioural economic principles to work, a new conduct control regulatory agency arrived in 2013, in the shape of the UK’s Financial Conduct Authority (FCA).
Unless you already work in a bank compliance department, you might be very surprised to find out just how huge the cost of this new form of behaviour-based risk control is. UK banks have had to expend all of the new capital that they raised for themselves in the past three years – that’s over £30 billion – on paying conduct regulatory costs: fines, redress, re-organisation, and so on. In other words, all that new money that banks might otherwise have been lending to customers has instead gone on dealing with the new wave of behaviour-based regulation. And, says the Bank of England, the banks will need another £40bn to cover conduct costs for the next three years or so.
Of course, some people will say that banks brought these costs upon themselves by being careless in the first place. Banks respond, with good cause, that conduct rules are evolving so fast that it is often hard to keep up and to understand the new regulator’s intentions, which change periodically.
More concerning for any firm regulated in the ‘conduct space’ is a wider growth in regulation itself using those behavioural economics principles. Conduct prosecutions make big money and big headlines for cash-strapped governments. They also hand politicians back some much-needed voter credibility after the debacle of the bank bailouts: nothing says ‘consumer champion’ quite like a government minister presiding over the jailing of a bad banker. This scene is an increasingly common sight in some jurisdictions where conduct rules have been rolled out even more aggressively than in the UK – notably Australia, under the regime of the Australian Securities and Investments Commission (ASIC). Back in the UK, other branches of government have started to adopt FCA-style behavioural regulation principles; they include the Competition and Markets Authority, which potentially affects every business in the land. Around the world, many other regulators are looking to follow the FCA’s lead in exacting far bigger fines, and in pursuing individual senior managers rather than diffuse corporate brands.
Certain firms in the financial sector are about to find that these two forms of behavioural risk overlap, threatening catastrophe. It is already happening. For example, one brand that recently suffered a hacker-induced systems failure (already quite expensive) then found itself facing prosecution for misconduct (a whole lot more expensive), since the hack had created ‘customer detriment’. Bizarrely, the firm went from being the victim of hackers’ criminal misbehaviour to being the public villain of a misconduct enforcement action for having allowed the crime to happen.
For the rest of us who aren’t bankers, the impacts of both these forms of behavioural risk will only rise – unless we take realistic steps to anticipate and head them off. New forms of threat require us to adopt new approaches to managing risk. The highest priority is to restore staff’s confidence that their own intuition is a reliable source of early warning of misbehaviour, whether arising within the organisation or incoming from outside. Meanwhile, most staff don’t even know about hackers’ ‘social engineering’ tricks, or what constitutes ‘misbehaviour’ under conduct regulation. Why not start by telling them what both these risks look like, in practical detail?
More than that, though, organisations of all kinds need to build a new layer of situational awareness – of how to ‘work risk-aware’ in daily practice. As a practical starting point, a one-day workshop on this topic can transform staff’s responsiveness to behavioural risks, speed up early warnings across the organisation, keep the bad guys away from your front door, and (if you’re already conduct regulated) save a stack of fines. There is plenty else you can do, of course. Whatever preventive steps you do take, it’s no longer an option to do nothing – unless you want to star in the next set of bad news headlines.