The Critical Importance of Incident Reporting

Value and reward staff for its "first line of defense" role, Michael Humphrey says

Friday, September 6, 2019

By Jeffrey Kutler

Security incidents are inevitable. Responding to and resolving them begins with a fundamental first step: reporting. Michael Humphrey points out that it is “only human” not just to make mistakes, but also to avoid bringing attention to them.

Incident Reporting: Turn Bad News into Valuable Insights

Overcoming that behavioral barrier is a matter of tolerance and trust, says Humphrey, who retired in 2018 as head of security for the U.K. National Crime Agency and spoke on an Operational Risk Trends and Taxonomy panel during GARP's 20th Risk Convention. He also contributed to GARP Risk Institute's report, Building Operational Resilience: The Critical Need to Learn from Failure.

“Your staff are often your first line of defense,” Humphrey says in a GARP video interview. Employees need to get the message that “we really value you . . . and trust that if something doesn't look right, tell us, because we want to make sure that we are not the next company in the headlines.”

In what Humphrey describes as a “blame culture,” fear of recrimination discourages incident reporting. A “rewarding culture” acknowledges that mistakes will be made “because we're all human beings. I defy anyone to say they haven't made a mistake at some point in their life.”

Whatever the mistake may be, he adds, “Tell us straightaway, and we can do something about it. That is the right thing to do.”

Humphrey says that in regulated industries, “a robust and straightforward reporting mechanism” is advantageous not just from a security and operational standpoint. Regulators who are satisfied that procedures are in place will be “less likely to fine you.”

“It is in a company's interest,” he says, “to make sure staff are rewarded for reporting things when they go wrong.”

As Humphrey wrote in his GARP Risk Institute paper, “Incidents, like accidents, will happen. They are often preventable, but still occur. Accepting your organization will inevitably be, or has already been, subject to a security incident, the key thing is to make sure you are ready.”

The previous interview in the Insights from Risk Leaders series was with Jacob Rosengarten of Wolf/Rosengarten Group.

Video production by DeLisa White
