What is the hardest risk to avoid? The risk you didn’t anticipate. The answer may seem obvious, after the fact, however most firms seldom analyze why. What is not so obvious are the decisions leading up to the risk event. It is human nature to assume that we understand risk and will avoid it just in time. Yet, time and again we are surprised.
Somewhere along the way, a consultant categorized risks into awareness buckets of “Knowns,” “Known Unknowns” and “Unknown Unknowns.” Unfortunately, categories of risk do not protect us from the effects of a risk occurrence. Senior executives do not like surprises and, more importantly, they expect risk professionals to detect and prevent them before they occur!
Let’s examine whether these events are really “Unknown Unknowns” or, quite simply, the avoidance of decision making that could have minimized or contained the risk. Cognitive research suggests that blind spots in decision making account for up to 90 percent of large operational risks across all organizations. Very few firms take the time to re-examine failed decisions, fearing where the truth may lead.
More frequently than not, an executive is quoted as saying, “in hindsight, we should have done X, Y or Z,” once the extent of the damage has been revealed. A huge amount of resources are spent to “correct” the problem and the blame is inevitably assigned with a vow to never repeat that mistake again.
What Can We Learn?
The failure to closely examine where decision making led to blind spots is an opportunity lost to learn valuable lessons and to lead by example. Mistakes are inevitable and most result in small errors of judgment with little impact. Strategic errors of judgment may be costly, but they are extremely informative. Even worse, when firms refuse to examine their decision-making processes, they are doomed to repeat them, resulting in potentially catastrophic results.
Some believe financial service firms exhibit this blindside. After being bailed out during the “Great Recession” by the U.S. government, the level of risk taking in markets has reached new heights. The opportunity to lead by example and re-examine bad behavior has been lost in the rush to gain market share and profit from increasingly risky new products. Yet financial service firms are not the only example!
Firms large and small have largely ignored warnings to build more robust Internet security to protect customer data. Today, the news is littered with examples of breaches in data security. These public notices do not capture the magnitude of the problem, however, since most are not fully disclosed, leading to millions of dollars in losses to hackers from around the world.
Decision risk may be the most costly risk of all!
Cognitive Risk Management: A More Enlightened Approach
Let’s be clear. Risks cannot be completely avoided, nor can we prevent firms from making costly mistakes. It is equally important to shatter the myth, or expectation, of the risk professional having supernatural abilities to “see around corners” to detect and prevent risks before they happen. We don’t live and work in protective bubbles built from risk frameworks, processes and internal controls. Internal controls are important, but they do not operate in a vacuum absent individual judgment.
Strong risk management is a derivative of good judgment.
An interesting observation should be noted here: COSO Enterprise Risk; Basel I,II, and III; ISO 3000 and Federal Sentencing Guidelines all make reference to human behavior, but none suggest effective approaches to address or detect deviations from expected behavior. Regulatory agencies and external auditors note the importance of decision risk, but remain silent on remedies for detecting, correcting and preventing change in [expected] management behavior.
The traditional tools in use today are not effective for mitigating the hardest risk to avoid.
Today’s risk professional must consider looking to the behavioral sciences to address this most pervasive risk common to every organization.
Making decisions under uncertain conditions.
What makes this risk more complicated is that it is transitory in nature. Meaning that decision making becomes more complicated as the certainty of outcomes become harder to predict. In other words, how does flawed decision making morph into bad behavior?
The intent is not to solve these problems, but to suggest new approaches to detect these subtle changes and put processes in place to mitigate the impact of both behaviors. Let’s call this a Behavior Risk Heat Map for now. Collectively, these measures would provide a “gut check” for the Board and senior executives. These measures need not be formally documented, but could be the basis for a discussion to build consensus.
Considerations for Building a Cognitive Risk Framework:
- We tend to underestimate the downside of new risks – plan accordingly.
- All humans use “heuristics and biases” to make decisions – understand where limits to intuition may lead to blind spots.
- Conventional wisdom leads to the illusion of understanding – do your homework thoroughly and accurately.
- The halo effect created by group think often leads to the illusion of consensus – disagree smartly.
- “Less is more” – complex strategies and products are often fiction disguised as “the next big thing” – ask a 9-year old if they understand it.
- “Jumping to conclusions” should be reserved for competitive sports. Run simulations before committing to a full implementation.
- And lastly, we all tend to seek short cuts and substitute “mediocre” for “better” solutions. Don’t assume the easy answer is the correct one to pursue.
Keep in mind that the hardest risk to avoid is the one that you did not anticipate so ask yourself – What am I missing?
It might make the difference between success and failure.
James Bone’s career has spanned 29 years of management, financial services and regulatory compliance risk experience with Frito-Lay, Inc., Abbot Labs, Merrill Lynch, and Fidelity Investments. James founded Global Compliance Associates, LLC and TheGRCBlueBook in 2009 to consult with global professional services firms, private equity investors, and risk and compliance professionals seeking insights in governance, risk and compliance (“GRC”) leading practices and best in class vendors.
