Although the human element has recently grabbed the attention of cybersecurity and enterprise risk management professionals, little has been done to formalize human factors risk in audit risk assessments. Human factors science examines the relationship between people and the systems with which they interact by focusing on improving efficiency, creativity, productivity, and job satisfaction, with the goal of minimizing errors.
Opportunities exist to enhance risk management by assessing human factor risks. A failure to apply human factors principles is a key aspect of most adverse events in health care, aerospace, auto manufacturing, and many other industries, according to the World Health Organization.
In a study, "Risk Management and Human Factors," Brendon Coventry, a professor at the University of South Australia School of Psychology, Social Work, and Social Policy, found:
"Evidence has accumulated to demonstrate that the relative risk of a legal claim being made against a medical practitioner is related to a range of factors including: 1) communication failures, 2) continuing professional development, and 3) failures of the systems that are in place to support and assist the medical practitioner in their medical practice (Goodwin 2000). Conversely, research has demonstrated no significant difference in the relative risk of litigation between trauma surgery and elective surgery (Stewart et al. 2005)."
To put this excerpt in a business context, replace "medical practitioner" with "business leader" and "medical practice" with "risk practice." The one common denominator in all organized business endeavors is people.
This excerpt is one simple example of the diverse human factors that exist in any business environment where work processes, staff development, communications, and systems are crucial to managing risks. Human factors risk has been cited as the main cause of cybersecurity failures, operational risk events, and corporate blunders in all industries and is increasingly considered the largest contributor to losses and risk events.
An ISACA Journal article about Verizon's 2016 Data Breach Investigations Report (DBIR) shows the danger of the human factor:
"The latest DBIR reaffirmed the fact that employees continued to play a major role in many of the breaches in the past year. Some 63% of confirmed breaches involved weak, default, or stolen passwords.
Worse, miscellaneous error — staff sending information to the wrong person — accounted for nearly 18% of breaches. Despite a wealth of preventive measures, employees remain one of the costliest vectors in a number of data breaches and security incidents, which are increasing at an alarming rate."
Increasingly, courts and regulators are holding the board and senior executives accountable for these events, suggesting that blaming employees is not a viable defense strategy. At the same time, internal auditors are expected to provide assurance that human factors risk is being addressed, yet there is very little formal guidance for audit leaders to leverage.
"The normal sources that guide program evaluation — various documents provided by the U.S. National Institute for Standards and Technology, the International Organization for Standardization, and the U.S. Health Insurance Portability and Accountability Act, among others — provide only vague descriptions of awareness program standards and requirements," according to ISACA.
Training and awareness programs are the normal response to human risk factors, but these efforts are increasingly problematic for IT professionals and employees alike, whose training is often based in theory. "They receive very little hands-on training; thus, the skill sets need to be developed on the job," ISACA notes.
As a result, the value of a cybersecurity degree has begun to decline in the eyes of employers. Surveys indicate that as many as 80% of hiring managers no longer believe a four-year degree adequately prepares students for cybersecurity jobs, according to a 2019 Center for Strategic & International Studies report.
12 Risk Factors
Chief audit executives (CAEs) can still make a difference in human risk factor assurance through a better appreciation of behavioral and cognitive science concepts. No degree in psychology is needed, only common-sense approaches to assess the work environment.
Before we explore human factor risk assurance, let's be clear about the diversity of human factors that exist beyond human resources, ergonomics, and conduct risks. Industries that use human factor analysis are still calling for standardization of human factors audits, so the practice continues to evolve, according to the U.S. Nuclear Regulatory Commission and the National Audit Project.
Human factor risks for auditors to consider fall into 12 categories:
- Organizational governance factors.
- Communications factors.
- Risk appetite factors.
- Workflow complexity factors.
- Transparency factors.
- Legacy operating systems factors.
- Manual processes factors.
- Human-machine interactions factors.
- Decision-making factors.
- Risk assessment factors.
- Customer and third-party interaction factors.
- Problem resolution factors.
Internal audit can incorporate these factors into an audit of human factor risks. Many of the human factor risks involve the board, senior executives, communications, operations, decision-making, the workforce, systems, risk management, and stakeholder interactions. The list will vary from one organization to another; with that in mind, let's look at how these risks might impact a fictitious firm.
How a Human Factors Audit Works
RetireRich Inc. has been in business for five years, catering to wealthy Silicon Valley entrepreneurs to protect their wealth. The start-up's board has requested a human factors audit of its risks.
The CAE has assigned a senior team of well-respected internal auditors to evaluate the factors that may lead to human factor risks. The audit plan may include one, many, or all of the 12 human factor risks.
For example, the assessment may include a self-assessment with the board and senior executives (human factors 1-3), followed by an assessment of the outcomes of strategic initiatives. At the operational levels (human factors 4-7), auditors may conduct a staff self-assessment and review data on operational effectiveness (errors, events, losses, and audit findings) related to each risk. Lastly, auditors may conduct a self-evaluation of the department's oversight performance (human factors 8-12) to assess lessons learned and to determine whether those lessons have been implemented to effect change.
Human factor risk audits require an organization to be open to constructive feedback about its performance. These audits are purely for the benefit of the organization, to improve performance and to enhance operations through human factors. When performed correctly, the observations and data internal auditors collect will serve as a road map for strengthening the most important factor in organizational performance: the human factor.
Human factor risk audits are part of a discovery process, and their findings should not be used to punish people. Any negative connotations from human factor risk audits will diminish the positives learned in the process.
Lastly, human factor risk audits provide an opportunity for CAEs to provide consultative guidance to build resilience in operations, cybersecurity, and enterprise risks. These audits also engage the entire organization in process improvement when taken seriously. Some organizations will achieve outsized gains in productivity, and most will teach their organization the importance of good risk management through self-evaluation.
James Bone is executive director of GRCIndex and principal investigator at the Cognitive Risk Institute in Lincoln, R.I.