Corporate Compliance Insights

The Hardest Risk to Avoid

by James Bone
November 7, 2014
in Risk

What is the hardest risk to avoid?  The risk you didn’t anticipate.  The answer may seem obvious after the fact; however, most firms seldom analyze why.  What is not so obvious are the decisions leading up to the risk event.  It is human nature to assume that we understand risk and will avoid it just in time.  Yet, time and again we are surprised.

Somewhere along the way, a consultant categorized risks into awareness buckets of “Knowns,” “Known Unknowns” and “Unknown Unknowns.”  Unfortunately, categories of risk do not protect us from the effects of a risk occurrence.  Senior executives do not like surprises and, more importantly, they expect risk professionals to detect and prevent them before they occur!

Let’s examine whether these events are really “Unknown Unknowns” or, quite simply, the avoidance of decision making that could have minimized or contained the risk.  Cognitive research suggests that blind spots in decision making account for up to 90 percent of large operational risks across all organizations.  Very few firms take the time to re-examine failed decisions, fearing where the truth may lead.

More often than not, an executive is quoted as saying, “in hindsight, we should have done X, Y or Z,” once the extent of the damage has been revealed.  A huge amount of resources is spent to “correct” the problem, and the blame is inevitably assigned with a vow never to repeat that mistake again.

What Can We Learn?

The failure to closely examine where decision making led to blind spots is a lost opportunity to learn valuable lessons and to lead by example.  Mistakes are inevitable and most result in small errors of judgment with little impact.  Strategic errors of judgment may be costly, but they are extremely informative.  Even worse, when firms refuse to examine their decision-making processes, they are doomed to repeat their mistakes, with potentially catastrophic results.

Some believe financial service firms exhibit this blindside.  After these firms were bailed out by the U.S. government during the “Great Recession,” the level of risk taking in markets has reached new heights.  The opportunity to lead by example and re-examine bad behavior has been lost in the rush to gain market share and profit from increasingly risky new products.  Yet financial service firms are not the only example!

Firms large and small have largely ignored warnings to build more robust Internet security to protect customer data.  Today, the news is littered with examples of breaches in data security.   These public notices do not capture the magnitude of the problem, however, since most are not fully disclosed, leading to millions of dollars in losses to hackers from around the world.

Decision risk may be the most costly risk of all!

Cognitive Risk Management: A More Enlightened Approach

Let’s be clear.  Risks cannot be completely avoided, nor can we prevent firms from making costly mistakes.  It is equally important to shatter the myth, or expectation, of the risk professional having supernatural abilities to “see around corners” to detect and prevent risks before they happen.  We don’t live and work in protective bubbles built from risk frameworks, processes and internal controls.  Internal controls are important, but they do not operate in a vacuum absent individual judgment.

Strong risk management is a derivative of good judgment.

An interesting observation should be noted here: COSO Enterprise Risk; Basel I, II and III; ISO 3000; and the Federal Sentencing Guidelines all make reference to human behavior, but none suggests effective approaches to address or detect deviations from expected behavior.  Regulatory agencies and external auditors note the importance of decision risk, but remain silent on remedies for detecting, correcting and preventing change in [expected] management behavior.

The traditional tools in use today are not effective for mitigating the hardest risk to avoid.

Today’s risk professional must consider looking to the behavioral sciences to address this most pervasive risk common to every organization.

Making decisions under uncertain conditions.

What makes this risk more complicated is that it is transitory in nature, meaning that decision making becomes more complicated as outcomes become harder to predict.  In other words, how does flawed decision making morph into bad behavior?

The intent is not to solve these problems, but to suggest new approaches to detect these subtle changes and put processes in place to mitigate the impact of both behaviors.  Let’s call this a Behavior Risk Heat Map for now.  Collectively, these measures would provide a “gut check” for the Board and senior executives.  These measures need not be formally documented, but could be the basis for a discussion to build consensus.

Considerations for Building a Cognitive Risk Framework:

  • We tend to underestimate the downside of new risks – plan accordingly.
  • All humans use “heuristics and biases” to make decisions – understand where limits to intuition may lead to blind spots.
  • Conventional wisdom leads to the illusion of understanding – do your homework thoroughly and accurately.
  • The halo effect created by group think often leads to the illusion of consensus – disagree smartly.
  • “Less is more” – complex strategies and products are often fiction disguised as “the next big thing” – ask a 9-year-old if they understand it.
  • “Jumping to conclusions” should be reserved for competitive sports.  Run simulations before committing to a full implementation.
  • And lastly, we all tend to seek short cuts and substitute “mediocre” for “better” solutions.  Don’t assume the easy answer is the correct one to pursue.

Keep in mind that the hardest risk to avoid is the one that you did not anticipate, so ask yourself: What am I missing?

It might make the difference between success and failure.


James Bone

James Bone’s career has spanned 29 years of management, financial services and regulatory compliance risk experience with Frito-Lay, Inc., Abbot Labs, Merrill Lynch, and Fidelity Investments. James founded Global Compliance Associates, LLC and TheGRCBlueBook in 2009 to consult with global professional services firms, private equity investors, and risk and compliance professionals seeking insights in governance, risk and compliance (“GRC”) leading practices and best in class vendors.
James is a frequent speaker at industry conferences and contributing writer for Compliance Week and Corporate Compliance Insights and serves as faculty presenter and independent consultant for several global consulting firms specializing in governance, risk and compliance, IT compliance and the GRC vendor market. James created TheGRCBlueBook.com to provide risk and compliance professionals with transparency into the GRC vendor marketplace by creating a forum for writing reviews on GRC products and sharing success stories on the risk practices that are most effective. James is currently attending Harvard Extension School for a Master of Arts in Management with an emphasis in accounting and finance. James received an honorary PhD in Letters from Drury University in Springfield, Missouri and is a member of the Breech Business School Hall of Fame as well as the Missouri Sports Hall of Fame. Having graduated from the Boston University Graduate School of Education, James received his M.Ed. in Management and Organizational Design in 1997 and a Bachelor of Arts in Business Administration from Drury University in 1980.  

© 2019 Corporate Compliance Insights
