Sometimes things go wrong. Sometimes it is minor, sometimes major. And sometimes those things are done consciously, with the error of their ways only learned later; other times they are done unconsciously.
This is true of many areas of life, and definitely true in digital transformation efforts. Most organisations have processes in place for managing these ‘incidents’, as they are called. (If you don’t have a process in place, please change that.) Incidents include large-scale data breaches (e.g. Equifax in 2017) but can also include leaving a laptop or phone in a taxi, or a security plan in a hotel room.
The fact that incidents happen is not overly interesting; it’s more interesting to think about how we respond.
Most organisations respond from a perspective of organisational risk, largely reputation risk. Ideally, the incident gets ‘cleaned up’ and is not made public. This is understandable and sometimes preferable.
However, sometimes the incident involves information about people, or compromises systems in which other people’s data is held. If we approached incident management through the lens of ‘duty of care’, would our approach change at all? It most definitely doesn’t mean that all of a sudden we would be going public in the media about an incident, but would it change our approach?
Would our starting point be the people we seek to serve rather than ourselves? Would it change the order of the steps in our incident management plan?
Perhaps. And perhaps not. It’s worth asking the question.