Being a security risk and intelligence professional for all my working life, the collection and understanding of information to gain knowledge has been a core activity. Indeed, one of the aims of the intelligence process is to transform data into knowledge which is actionable. From my perspective, there is no downside to gaining and using knowledge to build and maintain company resilience, to identify opportunities, and to inform threat and risk management.
What’s not to like about knowledge?
In the past, corporate culture was largely to identify and manage security threats and risks and investigate issues to their full extent. There was a presumption that a corporate entity needed to know everything it could so it could exploit favourable opportunities, understand its performance, and take defensive measures as appropriate. At the same time, for threat and risk issues a major consideration was, and still is, fear of liability and the accepted corporate position was that there was no defence in not knowing what you should know. Over time and almost imperceptibly, however, some companies have become circumspect about their appetite for knowledge of threats and security risks.
Not Knowing By Not Looking
Business knowledge is embraced and is essential for success, but security threat and risk knowledge is often perceived as troublesome because it largely identifies problems that need addressing; addressing costs money as well as time and can be potentially disruptive. This and the potential legal and reputational exposure sometimes mean that the knowledge itself becomes perceived as the risk.
At lower levels of a business, fear of knowledge about security issues is usually less because impacts are likely to be operation, relatively easy to address and it is clear where the buck stops – the hotel manager. Knowledge aversion starts further up the chain of command where the potential impacts exponentially increase, implications become increasingly complex and issue ownership less clear. Security knowledge is likely to identify systemic problems, mismanagement, management misconduct, regulatory compliance issues, strategic financial or data losses and reporting misstatements for instance; all potentially Executive Committee and Board issues. This is where knowledge itself becomes subject to risk appetite, often influenced by the legal risk appetite and personal interest/self-preservation.
Unlike nearly all other risks, the knowledge risk appetite is relatively easy to establish: it is when a lawyer or senior manager says: “Do we really need to know this?”; “Stop looking”; or “This is a stone we do not wish to look under”.
Another indicator of knowledge risk appetite is paranoia about discussing security and intelligence issues in e-mails for fear that it could be discovered in evidence. It is rarely considered that such e-mails could provide evidence that the company acted appropriately and did a good job!!!
Knowing and Doing Nothing About It
The knowledge risk calculation has become what is easier to defend and manage? ‘Not Knowing (by not Looking’) versus ‘Knowing and Doing Nothing About it’. In the former, the company looks incompetent and in the latter, the company is criminally negligent: which has the greater likely impact? Ethical considerations aside, ‘Not Knowing by Not Looking’ seems the best option because the culpability and punishment can be pushed down the chain of command. “Knowing and Doing Nothing” is more likely to bring about the CEO’s departure.
The motivation to protect the CEO should not be underestimated; for this reason, CEO’s are not always given ‘bad knowledge’. This then allows them to claim that they knew nothing about the issue and to avoid accusations of lying. This is why when strategic crises break, CEO’s can come across as unconvincing; they may not have been fully and honestly briefed. Alternatively, the company has not understood what has happened because its low knowledge risk appetite has prevented it from looking and understanding.
When Fear of Knowledge Gets in the Way
The ’fear of knowledge’ can also impact communication between the Executive Committee and the Board. Executive Committees can be sensitive to Board ‘interference’ and without knowledge or with only limited knowledge, the Board’s ability to provide oversight and influence on behalf of shareholders can be severely hampered.
Knowledge can be a ‘tricky customer’ that empowers some and threatens others.
Knowledge of security threats and risks is essential for the protection of the business as well as of its stakeholders, reputation, assets, and people.
Companies which are uncomfortable with such knowledge for whatever reason will be unable to gain utility from it and likely be unsighted at critical moments. Because of the issues described in this blog, it is a good idea for companies to issue a policy to formally authorise the collection of security threat and risk knowledge, to specify how it is to be used and by whom, to direct knowledge handling and to instill the presumption to look and discover. In this way, uncomfortable knowledge will be engaged with and appropriate actions will be taken rather than dodged. This will make companies less vulnerable and more resilient.
Questions for Consideration:
- What is your company’s relationship with knowledge?
- Does your company have a ‘Knowledge Policy’ and ‘Knowledge Ways of Working’?
- Does your company have a formal knowledge collection and usage plan?
If your organization needs help implementing knowledge risk management, Contact us to learn more about how we can help.