Data privacy and the challenge of “risk empathy”

Protecting your customers’ data is at the intersection of three organisational competencies that companies already struggle with. Together these amount to a lack of what we might call risk empathy.

Risk empathy is the ability to feel the risks that others face. It’s clear that this is a struggle for many organisations. British Airways (BA) may well be the first high-profile test case for enforcement of the EU’s General Data Protection Regulation (GDPR) but it won’t be the last.

While you might say GDPR only relates to citizens in the EU, the essence of BA’s record fine is a failure to protect personal information and payments data. GDPR certainly offers the most aggressive regulatory protections for these types of breaches, but similar protections are already in place in other jurisdictions – including Australia – and the trajectory of regulation is clear.

In any case, you shouldn’t think “this won’t happen to us”. The core organisational deficiencies that impair your ability to feel risk empathy are familiar to many organisations. If you want to improve your ability to feel risk empathy you have to solve the following organisational challenges:

  1. Organisations are traditionally not good at managing the risks relating to the conduct of others. Take, for example, the issues raised during the Banking Royal Commission around conduct risk and our ability to guarantee all parties are working in the interests of customers.
  2. Data management itself has also been a challenge to many organisations. Data governance discussions too often begin with the creeping realisation that “we thought that was somebody else’s problem…”
  3. Organisations are not good at managing risks they don’t own – or rather that aren’t explicitly represented in the executive accountabilities that would ensure risk mitigations are properly designed and funded.

Data breaches are right at the intersection of these challenges.

In the case of British Airways, data was stolen. A third party had to commit a criminal act – but it’s BA that must pay the price.

This is different to the Cambridge Analytica case where the problem was primarily that Facebook and its partners configured features under their control to share data beyond the consent obtained from its customers.

BA’s fine is GDPR’s way of pricing this type of risk. It is a call to consider the risk to the individual who is actually the subject of the data.

Managing “data subject” risk is different to managing other risks an organisation might face. If a risk impacts your organisation you might choose to accept the risk, or perhaps cultural deficiencies might mean the risk is never even raised. There is also a personal risk involved – if the risk event occurs somebody in the executive team will likely be held to account.

But when data subject risks are discussed you have to remember that the data subject – your customer – isn’t in the room. Somebody has to speak for them with a voice that is strong enough to get your organisation to act differently.

Missing Lesson from the Banking Royal Commission

We missed something in the spectacle of the Royal Commission. Sure, it’s fascinating to watch what we think of as rich and successful figures struggle. But these are real people doing a difficult job. What the RC also revealed is that managing large organisations is hard.

As Commissioner Hayne himself did multiple times during the commission, we need to make an important distinction. On one hand there are all of those omissions, negligent behaviours, and people not knowing things they clearly should have known. The distinction between these things and a deliberate decision to commit a criminal or unlawful act – either as an individual or an organisation – is important.

Breaking the law is obviously wrong and at the very least different to situational incompetence. But it’s on the other side of that distinction that the interesting business of running a global bank – or any large organisation – occurs.

Think also about the line in between these distinctions – or rather the same distinction but for the actions of others. Things like detecting criminal activity, or ignoring it, or having an obligation to not create environments that might incentivise the criminal acts of others. This is genuinely difficult.

We might sometimes think it seems like executive roles just go to the people who want them most. We interpret this in all sorts of ways like ambition, and greed, and politics. But there is an institutional side to this dynamic too. It’s that our organisations are near impossible to manage.

You might be able to manage your place in an organisation. At any level of any organisation you know when this is happening: that’s not my job, we need to do that but we don’t have time or budget, not my problem. But when that process happens at an executive level it becomes: only let me know exceptions, only the top 3 exceptions, that will negatively impact financial performance, and that’s not what I’m focusing on this quarter.

You can scream “but it’s your job to be across everything!” all you want. The question is how?

The leaders in our major organisations typically get paid well. Some of us might question whether they deserve it – but those people tend to question it based solely on competence or based on their view of the institution as a whole. This is naive in at least two ways.

First, if you don’t understand the value of an effective free-market banking system you don’t really know your history and have likely never tried to build a small business without a loan.

Secondly, you’re naive to think the salary is only priced on competency. Maybe the risk of sitting in front of a royal commission was always built into the salary. At any rate, the management is there to free the owners from lots of difficult and time-consuming decision-making. Part of the purpose of the role is to act as a buffer against a problem we haven’t yet solved.

So the missing lesson is that we genuinely don’t know how to manage our large organisations. Particularly, if by manage we mean full, multi-dimensional management that takes into account all activity and all the economic, community, and moral impacts of the organisation.

I have some ideas about this – I’m sure we all do. As a hint – I don’t say “Information Management IS Management” for no reason. But the discussion we have to have is how we build real management systems that augment the people who are responsible for the management of our organisations.