When it comes to risk management and security innovations, most of the advancements came because of errors and mistakes. That is, something went horribly wrong. Someone died. Someone was hurt. A company was sued. A lot of money was lost. This is the reason insurance actuarial professionals exist and why your car insurance goes up after you have had one too many speeding tickets. The risk industry has historically “baked” the risk into decision making and instead of trying to avoid threats, practitioners prepay for the risk and suffer the consequences when the worst happens. Although some innovations have come from a fair amount of chance and exaptation, security and risk professionals are still led by near misses and mistakes. 

Why is innovation in the risk management practice led by failure? The 25-year-old ERM paradigm came from grave financial losses and economic collapse. Metal detectors and access control measures came when enough attacks occurred on private and public property. Employee and client health monitoring came after a global pandemic forced the issue. Major upgrades to cyber security infrastructure and monitoring came after a few unlucky corporations lost millions of dollars and sensitive information. All these innovations were probably needed and could have been in place BEFORE the failure of security and risk monitoring, but they weren’t. There is a severe lack of projection and future planning in security and risk, and this is partially due to a combination of perceived cost and professional laziness.

There is some hope that innovation in risk and security will be more proactive and develop from other ways. Some of the mobile monitoring apps created to report traffic and other events, were repurposed, or adapted to create health reporting apps and other important security information. The advent of modern communications technology led to the arrest of several extremists on their way to destroy private property and riot in Wisconsin. Luck rarely plays a role in security and risk management innovations, although some cyber and access control vulnerabilities have been discovered by harmless and unplanned intrusions that led to improvements. There are very few examples of security experts designing and enhancing their capabilities through serendipity, unless discussing the stumbling upon information that helped to make a risk program change. Most security and risk management innovation results from collective development and exaptation or by living through exploited vulnerabilities and losses.

The security and risk management professions are lagging and are slowest to adapt for a reason. The culture focused heavily on “learn from mistakes” as opposed to “proactively prepare for the future.” Humans, for that matter, typically prefer to overreact than over prepare. Time and time again, we learn the hard way and do not appreciate the importance of security and risk management innovation. Going to trade shows, conducting scenario planning, and reviewing emerging technologies is only part of the answer. The culture of the leadership must evolve and support a more proactive and innovative programmatic approach. Without the support of the corporate or organizational leadership, crisis will follow crisis, and we will only learn from painful mistakes. Let us advocate for a more proactive and strategically supported risk management culture. It may save your business and lives.