Wash Out Your Ears – The importance of listening during risk assessments

I can’t tell you the number of times I have sat on the other side of the table during a risk assessment or audit and not only been talked at by the auditor but also not even listened to. Unless what I or my colleagues are saying is part of the accepted script the auditor expects to hear, it can often fall on deaf ears.

It doesn’t matter if what I am saying is germane to the topic in hand, explains in more technical detail, or even if it addresses a number of questions old or yet unasked; the auditor blindly continues, or even just appears to switch off. How can this lead to a successful audit or assessment? To some, an audit or assessment is a sequence of activities to be completed in a set order and at a set pace, and that will never result in quality findings. Approaching an audit or risk assessment from a less mechanical perspective will often yield results in unexpected ways.

Simply listening will give you at least two things:

  1. More information. It may not always be immediately relevant, but at some point in the day it will help you form a larger and more complete picture.
  2. Unprepared auditees will sometimes talk themselves into trouble! Nerves can make people do very silly things, and letting people engage their mouths before their brains can lead to some startling insights.

When you combine the above points you can often find what I call the “over specific response” occurring. What this means is that people will sometimes be very specific in their responses. For instance, when asked if a particular procedure has been tested, the response “Yes, this procedure has been tested” gives rise to so many other questions, such as “when, where, and by whom?”, and yet on a casual listening it is a very positive response. Listening to the exact response and unpicking the precise verbiage is vital.

Additionally, there is one other aspect of listening that should be observed; that is, carrying on listening even when the other person has stopped talking. Just as nature abhors a vacuum, human beings as social animals abhor a silence. Staying silent for longer than is comfortable (at least to them) very often produces more talking and more information than they originally intended. When I first presented this thought just over a year ago in a risk forum a member of the Metropolitan Police in the audience later asked me if I had ever had interrogation training, as this was exactly one of the approaches they used! I would certainly never suggest that an audit or assessment is an interrogation, but there is very much an art to getting the maximum amount of information out of someone trying to give you the absolute minimum.

One rule of thumb to take away in this instance is a quote I first read in The Leaders Workbook by Kai Roer (@kairoer):

Try to keep in mind that you have twice as many ears as you have mouth, implying you should spend more time listening than talking.

That’s a pretty good ratio for any risk assessment or audit I think.


About Thom Langford

An information security professional, award winning security blogger and industry commentator. Available as a speaking head and presenter on topics relating to information security, risk management and compliance.

2 responses to “Wash Out Your Ears – The importance of listening during risk assessments”

  1. Girish Krishnamoorthy says :

    Great blog Thom! I would say that as a risk assessor or an auditor, “listening” skills play a vital role, as listening clearly makes us create a holistic picture of what is expected and what needs to be asked next. The person who is answering tends to give away more information than usual and it’s the assessor or auditor’s capability to understand and analyze it. General perception is that an auditor should ask more questions, but the truth is that simple listening would get you more information than asking more questions. I have experienced this multiple times during an audit or a risk assessment. Thanks again!
