We look at how to make sure you're properly examining all of the risks with online services.
Your youth group is planning a three day trip to Dartmoor. As group leader it’s your first time leading a trip like this. You feel anxious. There’s a lot of risks. But it’s a great opportunity for your young people, some of whom have never left the city.
Instead of the trip you could stay and do activities in your group’s normal building. Here you know the risks. There are fewer of them and they are better known. It feels safer. But it doesn’t offer the same benefits as a trip up the moor.
So you’ve researched the trip’s risks. There are several, some of which were similar to those at your regular youth sessions, and some of which were specific to taking a group of city kids to a wild place with unpredictable weather, limited mobile reception and dangerous hounds.
You’ve also assessed the risks and identified ways to mitigate them. Some risks remain but together with your manager and team you’ve decided to accept these. Because the benefits outweigh the risks. Your risk appetite is probably neither too conservative, nor too reckless.
It’s the same for those of us trying to understand digital safeguarding risks. We are like that youth leader planning their first ever trip. After a season or two they’ll be a pro and so will you. But for now we all need to learn the ropes…
Assessing online risks involves an identical process to assessing offline risks
The youth leader’s approach to risk is the same one you’ll need to take when assessing different ways of engaging with your users online.
You’ve probably got many engagement tools to choose from. Zoom and WhatsApp are common. Some will carry specific risks, some will share generic ones, and each will offer greater or lesser benefits to your users and your staff. You have to assess the risks, identify mitigating actions, then decide how much risk you’re willing to accept in pursuit of supporting your users. In this you’re trying to generate a reasonable level of caution coupled with a reasonable appetite for risk.
“Risk appetite is a way of describing the level of risk you are willing to live with, because of the benefits of doing so.” — Jess McBeath, Online Safety & Digital Citizenship Specialist, Jess Ltd
What is a reasonable level of risk acceptance?
The only way to decide what level is reasonable is to go through the process. It’s the only way of taking care and doing right by everyone involved. Doing right by them includes not making decisions on your own. At the least you should have other staff involved, and sign off from senior staff, CEO or Board.
And even if after all your analysis and mitigation something does go wrong you’ll be more ready for it and more able to respond. Plus you’ll know you’ve done your best to assess and decide.
Online safeguarding has many similarities to offline safeguarding
The Dartmoor trip includes some similar risks to running a youth centre session. In the same way online delivery presents many similar risks to offline delivery. Here’s a few examples.
- Running a video call with someone at home, presents similar safeguarding risks and privacy considerations as visiting them at home.
- Bringing people together online where they can privately message each other presents some of the same risks as when they meet face-to-face.
- Your boundaries when working face-to-face extend offline to include what you have visible in the background of your video call.
- Choosing a place to meet that is easy for your users to get to and feels comfortable to be at becomes choosing a platform that is easy for them to access and comfortable to use.
- Securing rear entrances to your high street location becomes securing your online calls with passwords.
Whether you’re doing group or one-to-one work, video or non-video, you and your team can learn the risks involved. Part 2 of this guide will include links to more examples.
“Some issues will be just an online version of an existing offline risk. Some will be additional online issues that you didn’t have to think about before.”- Jess McBeath
Similar overarching principles
Two key principles apply whether offline or online, whether on Zoom or up on the moor.
Secure the person
The biggest way of mitigating risk is to guide and train your staff in behaviour that keeps things safe. It’s not costly to send your staff on a basic online safety course. And of course it’s normal to introduce new policies to your staff and expect them to follow them.
“Secure the person. If the person is practising good security then then the device and platform become safer.” — Declan Doyle, Ethical Hacker at Scottish Business Resilience Centre
Use your existing risk management processes
Your organisation will already have a risk review process. Likely it’s a standing agenda item at quarterly meetings. Make it more often as you start this work. Then expand the amount of time spent on it quarterly.
You can’t control everything online, or offline
You have a duty of care but that doesn’t mean you can control everything that happens on your trip to Dartmoor. It’s the same online. For example:
You can’t control what your users do with a platform when they aren’t using it with you. Just as you aren’t responsible for what they do on their walk home from your coffee shop meeting. But you can check they are old enough to sign up or meet you on their own.
You can’t control if your young people decide to share contact details with each other on a group call and what they do together afterwards. Just like you can’t control whether they do this on Dartmoor then meet up independently afterwards. But you can give them good relationship advice.
You can’t control online platform privacy policies. Just like you can’t control who sees your client visiting your domestic abuse drop-in service. But you can give them good privacy advice.
Risks will remain
“Risk can’t be eliminated completely. It’s a part of everything we do, so we should probably try to understand it objectively.” — Lucas Allen, CEO Ln2X
Just like there’s no guarantee the trip will go smoothly, no online platform is 100% safe. There are always risks.
But you can mitigate them:
- Through the platform choices you make.
- By guiding and training your staff in the basics of online safety and security (at least)
- By advising your users on keeping themselves safe.
- By following a robust review process that keeps your eyes on the risks.
But that’s all you can do.
Sometimes you will accept a risk in order that you can provide an accessible service rather than one no one can use.
What you define as ‘acceptable risk’ is up to you. But the best way to decide what is acceptable is to understand and document them through a robust process.