UK Test and Trace – How to avoid failing at risk management

19/10/2020 EditoratLarge

The UK Test and Trace system has, again, come under fire for IT Glitches. The latest “glitch” is the manifestation of an obvious data quality risk. The test and trace system is overriding address information provided by student end users with data held in a central source.

This issue has occurred because some bright spark decided the central data must be more accurate. This person had not envisaged the real-life scenario of students going off to university, or that these healthy young students wouldn’t have prioritised registering with a local GP in the first weeks of arriving at a university. The system subsequently overrode data and registered positive cases of Covid-19 as occurring back in the student’s home town – and not in their university town! The resulting impact is that areas with low rates of infection are being put in higher levels of lockdown than is required because the data is incorrectly presenting increased infection rates.

This error was an obvious and completely predictable event. Many of us who work in IT Risk Management plant our faces and ask ourselves:

“Why did such an obvious fault end up in a finished product?”

The fact is there are many reasons such an obvious fault ends up in a finished product. From experience though, the most common reasons relate to the way organisations assess and manage risks. This article will highlight some of the common reasons organisations fail to identify, and then manage, such obvious risks.

Common problems in risk management

In no particular order, here are some of the most common reasons why risk management fails.

What do you mean inherent risk?

A common practice is to go straight to assessing the residual risk of an activity before fully understanding the inherent risk. Inherent risk is the risk associated with an activity without any controls at all. The worst case scenario, so to speak. A good example is to imagine a big sack of money lying on the ground in the middle of a large public space. What would be the risk of losing this money given those conditions? What would be the likelihood of someone simply taking that money? We know the impact already – it’s the value of the money in the sack (and the value of the sack). It’s the reputational damage attached to the person entrusted with that sack of money – no one is going to entrust another bag of money to that person. It’s the penalties associated with losing that money. It’s the lost interest. It’s the cost of regenerating that income. It’s the lost opportunities that money could have provided. That’s your inherent risk.

The challenge for a lot of people undertaking risk assessments is that they find it difficult to visualise such an inherent scenario because, in most cases, we’re not starting from a completely uncontrolled state. They can’t see past the basic controls that are already in place – effective or otherwise.

“That would never happen in a bank because we do X, Y & Z”

The thing is, if you don’t assess the inherent risk, you may end up in a situation where you are mismanaging your collective portfolio of risk. This could mean you spend too much on mitigating risk or, worse, too little to mitigate the risk to an acceptable level.

Only once you understand the risks inherent to an activity, can you then apply appropriate controls to get to the correct residual risk level.


Whether assessing inherent or residual risk, there is a tendency from those taking part in a risk assessment exercise to guess or “thumbsuck” the likelihoods and impacts. Even where there is good data available, it is often ignored. Take the Test and Trace issue. We have a few hundred years of data related to students migrating from their home addresses to student halls in September and October. There is data available from GP Surgeries showing how many students register in these months. This could be compared with how many students attended universities in those cities and towns. Using this data could have informed the decision on how data quality would be maintained…but self-evidently…it was not.

Guessing likelihood and impact instead of using data in risk calculations will result in next to useless assessments. Even if the data is incomplete or limited, use the data available and then put in place measures to collect more data – but don’t just guess!

Lip Service

Going through the motions. Ticking the boxes. It’s cynical but occurs more often than it should.

“It’s only a small project, what’s the point?”

Paying lip service to a risk assessment, doing the bare minimum without thinking things through properly, will just result in avoidable incidents. It may be a small project from a revenue perspective but that doesn’t stop it becoming expensive should something go wrong. Some of the biggest breaches often start with the compromise of a system thought to be insignificant.

Instead of thinking that customer portal is not that important because it only has names and emails…think things through…what’s the worst that could happen?

Unchallenged Assumptions

In a bid to make things a little less onerous, we must make assumptions about activities we put under the risk assessment spotlight. It’s perfectly reasonable to make assumptions. The issue is where we blindly take those assumptions and use them as a security blanket. Take Operation Cygnus for example. The planning assumption was that the NHS would be faced with a flu-based pandemic. One of the risks called out was limited supplies of vaccination. It seems no one factored into the planning the likelihood of a pandemic where no vaccination existed. It’s not inconceivable to face a situation where no vaccination exists but nothing in the exercise documentation suggested the planning assumption was validated…at least we know it was a poor assumption now!

Once you know it could happen then you can assess the inherent risk…and then put in place appropriate mitigation. We know the inherent risk of failing to prepare for a pandemic where a vaccination doesn’t exist…how might things be different had we put in controls ahead of time for such a scenario?

When making assumptions, always rigorously challenge. Ask “what if”. Ask others to come up with “What ifs” too. It doesn’t matter if you think “that could never happen”. If someone has thought of a scenario, then it could absolutely happen.

Flattering Light

Have you ever heard a project manager say “If we present these risks accurately, we won’t get sign-off for the project” or “The Board are risk averse, they won’t approve a project with so many critical risks.” You’re not alone (unless you have never heard these phrases). There is a tendency amongst those trying to get an initiative signed off to make it look risk free. To make it look as if the reward comes with little or no consequence. But, as with everything in life, there is always a consequence.

You can still present material risks in a flattering light. Demonstrate first you understand what those risks are and then present them positively by showing how they will be managed with good, effective controls.

We’ll do the risk assessment at the end. We haven’t got time to spend on that assessment because we have so much to do to get the product launched. We have senior management putting pressure on us to get this done by end of this quarter…

…and the risk assessment people only highlight problems. They add complexity and want extra things building into the project. Their issues take us away from delivering the core offering…the thing that will make us money whilst all they do is make things more expensive!

It’s true, risk assessments help people find problems. Sometimes these problems could be massive and could derail a project or cause a project to go over budget. Surely though, it is better to find the red flag at the beginning of the project, before all the time and effort has been invested in something that will ultimately be canned just before launch because what you want to do is illegal?

Do the risk assessment up front. It may be difficult to hear some projects just won’t get off the ground. It may be frustrating that you can’t implement something in exactly the way you wanted. But dodging a bullet or making a few compromises will be worth it in the end when the projects that do get signed off actually deliver!

Avoidance of Risk Assessment is not Risk Avoidance

So some food for thought. Failing to understand inherent risk, faulty assumptions and guesswork, making everything look rosy when it isn’t and paying lip service to risk management are all sure-fire ways to lose money. Implementing an effective risk management system and assessing risks early will not only stop you losing money, it will more than pay for itself!
