Risk in the Real World
Risk is “the potential of gaining or losing something of value”. There are two parts to that statement, firstly potential, and the second, value. Sounds simple. But to translate these two components into something that actually means something, these abstract terms need to be made real. They need to resonate with each pair of eyes and ears.
So what will it take for people to change behaviour based on someone else’s declaration of a risk? They not only have to understand the principle to change their behaviour, but also to internalise that principle; accept that a given risk could affect them in some way, either practically or emotionally.
With the user accounting for, in some estimates, around 70% of the total risk landscape in an organization, establishing that hook, making a given risk real to each person, is the trick for managing risk in the enterprise. Worthy statements of danger, quoting abstract catastrophes in far off places to organisations you have no connection with, are nigh on worthless. Make it personal, make it ‘close’ to the individual, and you’ll effect a change in behaviour. Otherwise, you’re relying on policy awareness and practice education, with monitoring and enforcement to drive both home. And that is hard, time consuming, expensive, and ultimately only likely to be partially successful. Build a practical program of cultural change, couched in a message that resonates at the individual level, and you won’t have to try too hard, for too long.
Another facet to a message, is not to preach. If you frame a message as an accusation, or warn that the demons of doom will befall them if they do something wrong, it will have a diluted effect.
Finally, wrap the message in a story, but keep it short. If you can relay your biography in a tweet, you’re in the ball park.