Corporate Compliance Insights

The Emergence of a Cognitive Risk Era: Human-Centered Risk Management

by James Bone
June 2, 2017
in Cybersecurity, Risk

Musings of a Cognitive Risk Manager

Risk management has undergone a sea change over the past few decades, yet risk management practices have evolved very little. Though organizations enjoy robust technological capabilities, they grow more fragile and vulnerable to massive systemic risks all the time. What’s needed? A risk program centered on human behavior and decision-making.

Before beginning a discussion on human-centered risk, it is important to provide context for why we must consider new ways of thinking about risk.  The context is important because the change impacting risk management has happened so rapidly we have hardly noticed.  If you are under the age of 25, you take for granted the internet as we know it today and the ubiquitous utility of the World Wide Web.  Dial-up modems were once the norm, and desktop computers with “Windows” were rare except in large companies.  Fast-forward 25 years: today we don’t give a second thought to the changes manifest in a digital economy for how we work, communicate, share information and conduct business.

What hasn’t changed (or what hasn’t changed much) during this same time is how risk management is practiced and how we think about risks.  Is it possible that risks and the processes for measuring risk should remain static?  Of course not; so why do we still depend solely on using the past as prologue for potential threats in the future?  Why are qualitative self-assessments still a common approach for measuring disparate risks?  More importantly, why do we still believe that small samples of data, taken at intervals, provide senior management with insights into enterprise risk?

The constant is human behavior!

Technology has been successful at helping us get more done when and wherever we need to conduct business.  The change brought on by innovation has nearly eliminated the separation of our work and personal lives, and, as a result, businesses and individuals are now exposed to new risks that are harder to understand and measure.  The semi-state of hardened enterprise but soft middle has created a paradox in risk management: the paradox of “robust yet fragile.”  Organizations enjoy robust technological capability to network, partner and conduct business 24/7, yet we are more vulnerable or fragile to massive systemic risks.

Why are we more fragile?

The internet is the prototypical example of a complex system that is “scale-free” with a hub-like core structure that makes it robust to random loss of individual nodes, yet fragile to targeted attacks on highly connected nodes or hubs.  Likewise, large and small corporations are beginning to look more like diverse forms of complex systems with increased dependency on the internet as a service model and a distributed network of vendors who provide a variety of services no longer deemed critical or cost effective to perform in-house.

Collectively, organizations have leveraged complex systems to respond to customer and stakeholder demands and create value, unwittingly becoming more exposed to fragility at critical junctures. Systemic fragility has been tested during recent distributed denial of service (DDoS) attacks on critical internet service providers and recent ransomware attacks, both of which spread with alarming speed. What changed? After each event, risk professionals breathe a sigh of relief and continue pursuing the same strategies that leave organizations vulnerable to massive failure. The Great Recession of 2009 is yet another example of the fragility of complex systems and of a tepid response to systemic risks. Do we mistakenly take survival as a sign of a cure for the symptoms of systemic illness?

After more than 20 years of explosive productivity growth, the layering of networked systems now poses one of the greatest risks to future growth and security. Inexplicably, productivity has stalled because humans are becoming the bottleneck in infrastructure. Billions of dollars are currently rushing in to finance the next phase of the internet of things, which will extend our vulnerabilities to devices in our homes, our cars and eventually more. Is it really possible to fully understand these risks with 19th century risk management?

The dawn of the digital economy has resulted in the democratization of content and the disintermediation of past business models in ways unimaginable 20 years ago.  I will spare you the boring science behind the limits of human cognition, but let’s just say that if you can’t remember what you had for dinner last Wednesday night, you are not alone.

But is that enough reason to change your approach to risk management?  Not surprisingly, the answer is Yes!  Acknowledging that risk managers need better tools to measure more complex and emerging risks should no longer be considered a weakness.  It also means that expecting employees to follow, without fail or assistance, the growing complexity of policies, procedures and IT controls required to deal with a myriad of risks may be unrealistic without better tools.  Twenty-first century risk management approaches are needed to respond to the new environment in which we now live.

Over the last 30 years, risk management programs have been built in response to risk failures in systems, processes and human error.  Human-centered risk management starts with the human and redesigns internal controls to optimize the objectives of the organization while reducing risks.  This may sound like a subtle difference, but it is, in fact, a radically different approach – though not a new one.

Human-factors engineers first met in 1955 in Southern California, but their contributions to safety across diverse industries are now underappreciated. We don’t give a second thought to the technology that protects us when we travel by car, truck or airplane or undergo complex medical procedures. These advances in risk management did not happen by accident; they were designed into the products and services we enjoy today.

Each of these industries recognized that human error posed the greatest risks to the objectives of their respective organizations.  Instead of blaming humans, however, they sought ways to reduce the complexity that leads to human error and found innovative ways to grow their markets while reducing risks.  Imagine designing internal controls that are as intuitive as using a cell phone and allow employees to focus on the job at hand instead of being distracted by multitasking!  A human-centered risk program looks at the human-machine interaction to understand how the work environment contributes to risk.

I will return to this concept in subsequent papers to explain how the human-machine interaction contributes to risk. For now, suffice it to say that there is sufficient research and empirical data to support the argument. To further explain a human-centered risk approach, we must also understand how decision-making is impacted by 19th century risk practices.

Situational awareness is a critical component of human-centered risk management. It rests on perceiving events, comprehending their meaning, projecting their status once events change or new data is introduced and predicting with clarity how change affects outcomes and expectations. The opportunity in risk management is to improve situational awareness across the enterprise. Enterprise risks are important, but they are not all equal and should not be treated the same. Situational awareness helps senior executives understand the difference.

The challenge in most organizations is that situational awareness is assumed to be a byproduct of experience and training and is seldom revisited when the work environment changes to absorb new products, processes or technology. The failure to understand this vulnerability in risk perception happens at all levels of the organization, from the boardroom down to the front line. The vast majority of change introduced in organizations tends to be minor in nature but accumulates over time, contributing to a lack of transparency or “inattentional blindness” that impairs situational awareness. This is one of the many reasons organizations are surprised by unanticipated events. We simply cannot see it coming!

Human-centered risk management focuses on designing situational awareness into the work environment from the boardroom down to the shop floor.  This multidisciplinary approach requires a new set of tools and cognitive techniques to understand when imperfect information could lead to errors in judgment and decision-making.  The principles and processes for designing situational awareness will be discussed in subsequent articles.  The goal of human-centered risk management is to design scalable approaches to improve situational awareness across the enterprise.

Human-factors design and situational awareness meet at the “crossroads of technology and the liberal arts,” to quote the visionary Steve Jobs. These two factors in human-centered risk management can be achieved by selecting targeted approaches. These approaches will be discussed in more detail in subsequent articles; however, I invite others to participate in this discussion if you too have an interest in reimagining new approaches to risk management.


Tags: Cognitive Risk Framework, Internet of Things (IoT)
James Bone

James Bone’s career has spanned 29 years of management, financial services and regulatory compliance risk experience with Frito-Lay, Inc., Abbot Labs, Merrill Lynch, and Fidelity Investments. James founded Global Compliance Associates, LLC and TheGRCBlueBook in 2009 to consult with global professional services firms, private equity investors, and risk and compliance professionals seeking insights in governance, risk and compliance (“GRC”) leading practices and best in class vendors. James is a frequent speaker at industry conferences and contributing writer for Compliance Week and Corporate Compliance Insights and serves as faculty presenter and independent consultant for several global consulting firms specializing in governance, risk and compliance, IT compliance and the GRC vendor market. James created TheGRCBlueBook.com to provide risk and compliance professionals with transparency into the GRC vendor marketplace by creating a forum for writing reviews on GRC products and sharing success stories on the risk practices that are most effective. James is currently attending Harvard Extension School for a Master of Arts in Management with an emphasis in accounting and finance. James received an honorary PhD in Letters from Drury University in Springfield, Missouri and is a member of the Breech Business School Hall of Fame as well as the Missouri Sports Hall of Fame. Having graduated from the Boston University Graduate School of Education, James received his M.Ed. in Management and Organizational Design in 1997 and a Bachelor of Arts in Business Administration from Drury University in 1980.  

© 2025 Corporate Compliance Insights