Behavioural science at the heart of risk management

Why physical defences are not enough

When managing an organisation’s security your environment is complex. Whether you are operating in places marked by fragile political structures, social tension, economic inequality, or navigating the threats of activism, political change, or the risks of reputational damage; your world is complicated. Traditional security approaches have relied heavily on physical defences, guards, technology and controls and codified procedures. While these remain a vital part of the toolkit, they are insufficient.

A well protected perimeter will deter intrusions, but they are a barrier in both the physical and also psychological sense: they all get in the way. This ‘psychological barrier’ is pervasive, and puts up obstacles between your guards and your staff, between your staff and your clients, between your business and the local population, and so on. Something as simple, obvious and necessary as a perimeter with access control introduces psychological factors that act negatively for a business. The trick is to manage this.

The role of behavioural science

Behavioural science, at its core, helps us understand why people act the way they do, by understanding them at a more profound, but practical level. Risks emerge from the people within and around your operations, and these may be caused or triggered by the way you do your business. Behavioural science recognises that people hold attitudes that drive their behaviours, and offers techniques to identify and mitigate these. There are many ways this approach can improve risk management and security, but I shall start with two examples:

Strengthening company culture to avoid insider threats

Some of the most damaging incidents originate from within. Insider threats stem from dissatisfaction, anger, and alienation and are usually the results of being poorly managed or not valued. It is company culture that determines whether these conditions will thrive or not. A culture that allows a negative attitude to develop, perhaps through poor experience, increases insider risks. Strengthening organisational culture is therefore a critical line of defence. 

Creating a culture takes time, and is an enterprise wide activity rather than security alone. When employees believe in the mission of the organisation and feel respected as part of it, they become defenders of the business rather than a risk to it. This means the business’s culture has to be discernible: the attitudes held across the business, and the behaviours that reflect this, must be consistent and genuine. They must also start from the top.

Good procedures are easy to implement, so everyone does: regular dialogue between management and staff, clear grievance and reporting channels, visible recognition of contributions, etc. But procedures are the bottom of the cascade from culture-attitudes-behaviours-procedures, so if the procedures are not consistent with the rest of the cascade, they will fail at some point.

But creating the right culture isn't just about reducing risk. Done well, the company’s success is something employees wish to see and will support: it can produce significant business benefits.

Building local trust as a security strategy

Trust is one of the strongest security assets an organisation can build. It is also one of the hardest to create, and one of the easiest to lose. It pays to recognise that employees and communities are not passive bystanders; they are stakeholders. When people feel included and benefit from operations, and when their interests are aligned with those of the business, they are more likely to protect them. When they feel excluded they may merely fail to support them properly, or worse, actively undermine them. Building and strengthening trust is critical. This is not a new insight, but behavioural science offers a model against which to do this well.

A company that is interested in and seeks to understand the attitudes of the local population can create the conditions for better trust. This interest in the local population is a direct consequence of the company culture, and of the C-Suite’s interest in the issue. Of course, it is one thing to genuinely and profoundly understand what your local population really think, but it is another to try and improve this. Local populations can discern a business’s culture (its intentions, concerns, care, and interest in them) very easily. They will see the behaviour of company staff all day, every day. If these behaviours are inconsistent with corporate messaging, it is very obvious. To avoid this, and to improve local trust, the company must hold genuine values as part of its culture: a culture that is held as the attitudes of the staff, and expressed in simple day-to-day behaviours. Trust flows from the consistency in these.

High trust relationships have wider benefits for a business. Where strong trust exists, a business stands to gain from the local population’s support far beyond the fence and gate. Local populations, supportive of the business, can detect issues and problems further way and far earlier, and offer the advantages of improved foresight. Locals are often the first to detect suspicious activity, and if they have confidence in company representatives they will share vital information that can stop an incident before it happens.

The future of security

Geopolitical tension, environmental protests, activists, shifting local dynamics, and many other complex issues are reshaping the security landscape. The reliance on guards and fences is no longer sufficient. In its place, companies must adopt a nuanced model that places people at the heart of risk, security, and resilience.

Culture, attitudes, and behaviours are the foundation of effective security. They create the processes and procedures that are genuinely effective, and they mitigate the inherent problems of physical security measures and resultant psychological barriers.

By investing in these, and applying the techniques of behavioural science, a business can create and develop trust and human understanding. In turn, this enhances companies' abilities to safeguard assets, protect staff, and sustain their reputation and operations in even the most volatile regions. The costs of ignoring ‘cultural intelligence’ are high: alienated stakeholders, insider threats, passive support or indifference, local hostility, all lead to disruption. By contrast, getting it right can lead to benefits beyond just effective risk management through the creation of a mutually supportive workforce, and a cooperative local population; both aligned to, and invested in, the success of the business.