Michael Walford-Williams on Ethical Hacking of Human Controls

How can we assess the level of human risk we’re running in a control framework? Unlike technology, humans aren’t always reliable and how they behave under pressure may well be different to how they behave in normal situations.

My guest on this episode, Michael Walford-Williams, is a risk professional who specialises in how to plan for when things go wrong, covering areas like business continuity, operational resilience and crisis management.

Michael helps companies by testing out the human components of control frameworks to see where there might be weaknesses. He goes into organisations and tries to ethically hack them by trying to circumvent controls with human elements — that might be trying to get a fraudulent invoice paid or simply tailgating employees to see if he can get physical access to buildings.

His work serves two purposes:

Firstly it identifies potential weaknesses in controls. If he can get a fake invoice paid, then so can a fraudster. If he can get access to buildings, then so can thieves. By seeing how easy it is to bypass controls, organisations can get a better handle on their risk profile. Until you’ve actually tested the human controls, it’s impossible to know how weak or strong they actually are.

Secondly, it serves as a training exercise. Just like a fire evacuation drill, it’s better to have employees learn what to do or not do, by experiencing a simulation, than letting them learn from real-life situations.


This is human risk management in action. Of course there are ethical components to the work that Michael does — how far is it appropriate to test out your employees and what do you do if you discover they are the weakest link in your security chain?

As Michael explains, we have to also think about what impact the exercise will have on those involved in it. If you think you’ve been tricked by your employer, that you’re somehow not trusted, or that your employer is prepared to deceive you and therefore the organisation is unethical, the exercise could actually make things worse. So the expertise Michael brings isn’t just about testing the proverbial fences. It’s planning exercises that don’t cross ethical lines and then using the information gleaned from them, sensitively and intelligently.

About Michael
Michael has worked for over 15 years in various aspects of risk management and compliance, with a specialism in Business Continuity and Crisis Management and, more recently, third party risk management. He has worked in a number of countries globally, having been based in London, Singapore and New York. Working in house and, for the last 7 years, as a consultant, Michael has worked across many industries for some of the largest organisations in the world, including some of the world's largest banks. Through his work in the field of crisis management, he has worked on a number of major incidents, including the Japanese Tsunami and Fukushima incident, terror attacks in Mumbai, Boston and Moscow, and numerous natural disasters and technology & infrastructure failure related incidents. In 2014 Michael worked to set up one of the UK's first CrowdFunding platforms and, as head of Operations and Compliance, oversaw the first successful direct FCA authorisation of a platform for both Debt and Equity-based crowdfunding. Michael continues to work as a consultant and has just set up a new brand, "Westbourne", to pull together a number of offerings in the risk management space.

You can contact him via LinkedIn: https://www.linkedin.com/in/michael-walford-williams-2302a78a/
