Musings of a Cognitive Risk Manager
Risk management has undergone a sea change over the past few decades, yet risk management practices have evolved very little. Though organizations enjoy robust technological capabilities, they grow more fragile and vulnerable to massive systemic risks all the time. What’s needed? A risk program centered on human behavior and decision-making.
Before beginning a discussion on human-centered risk, it is important to provide context for why we must consider new ways of thinking about risk. The context is important because the change impacting risk management has happened so rapidly we have hardly noticed. If you are under the age of 25, you take for granted the internet as we know it today and the ubiquitous utility of the World Wide Web. Dial-up modems were once the norm, and desktop computers with “Windows” were rare except in large companies. Fast-forward 25 years: today we don’t give a second thought to the changes manifest in a digital economy for how we work, communicate, share information and conduct business.
What hasn’t changed (or what hasn’t changed much) during this same time is how risk management is practiced and how we think about risks. Is it possible that risks and the processes for measuring risk should remain static? Of course not; so why do we still depend solely on using the past as prologue for potential threats in the future? Why are qualitative self-assessments still a common approach for measuring disparate risks? More importantly, why do we still believe that small samples of data, taken at intervals, provide senior management with insights into enterprise risk?
The constant is human behavior!
Technology has been successful at helping us get more done when and wherever we need to conduct business. The change brought on by innovation has nearly eliminated the separation of our work and personal lives, and, as a result, businesses and individuals are now exposed to new risks that are harder to understand and measure. The semi-state of hardened enterprise but soft middle has created a paradox in risk management: the paradox of “robust yet fragile.” Organizations enjoy robust technological capability to network, partner and conduct business 24/7, yet we are more vulnerable or fragile to massive systemic risks.
Why are we more fragile?
The internet is the prototypical example of a complex system that is “scale-free” with a hub-like core structure that makes it robust to random loss of individual nodes, yet fragile to targeted attacks on highly connected nodes or hubs. Likewise, large and small corporations are beginning to look more like diverse forms of complex systems with increased dependency on the internet as a service model and a distributed network of vendors who provide a variety of services no longer deemed critical or cost effective to perform in-house.
Collectively, organizations have leveraged complex systems to respond to customer and stakeholder demands to create value, unwittingly becoming more exposed to fragility at critical junctures. Systemic fragility has been tested during recent distributed denial-of-service (DDoS) attacks on critical internet service providers and recent ransomware attacks, both of which spread with alarming speed. What changed? After each event, risk professionals breathe a sigh of relief and continue pursuing the same strategies that leave organizations vulnerable to massive failure. The Great Recession of 2009 is yet another example of the fragility of complex systems and a tepid response to systemic risks. Do we mistakenly take survival as a sign of a cure to the symptoms of systemic illness?
After more than 20 years of explosive productivity growth, the layering of networked systems now poses one of the greatest risks to future growth and security. Inexplicably, productivity has stalled because humans are becoming the bottleneck in infrastructure. Billions of dollars are currently rushing in to finance the next phase of the internet of things that will extend our vulnerabilities to devices in our homes, our cars and eventually more. Is it really possible to fully understand these risks with 19th-century risk management?
The dawn of the digital economy has resulted in the democratization of content and the disintermediation of past business models in ways unimaginable 20 years ago. I will spare you the boring science behind the limits of human cognition, but let’s just say that if you can’t remember what you had for dinner last Wednesday night, you are not alone.
But is that enough reason to change your approach to risk management? Not surprisingly, the answer is Yes! Acknowledging that risk managers need better tools to measure more complex and emerging risks should no longer be considered a weakness. It also means that expecting employees to follow, without fail or assistance, the growing complexity of policies, procedures and IT controls required to deal with a myriad of risks may be unrealistic without better tools. Twenty-first century risk management approaches are needed to respond to the new environment in which we now live.
Over the last 30 years, risk management programs have been built in response to risk failures in systems, processes and human error. Human-centered risk management starts with the human and redesigns internal controls to optimize the objectives of the organization while reducing risks. This may sound like a subtle difference, but it is, in fact, a radically different approach – though not a new one.
Human-factors engineers first met in 1955 in Southern California, but their contributions to safety across diverse industries are now underappreciated. We don’t give a second thought to the technology that protects us when we travel by car, truck or airplane or undergo complex medical procedures. These advances in risk management did not happen by accident; they were designed into the products and services we enjoy today.
Each of these industries recognized that human error posed the greatest risks to the objectives of their respective organizations. Instead of blaming humans, however, they sought ways to reduce the complexity that leads to human error and found innovative ways to grow their markets while reducing risks. Imagine designing internal controls that are as intuitive as using a cell phone and allow employees to focus on the job at hand instead of being distracted by multitasking! A human-centered risk program looks at the human-machine interaction to understand how the work environment contributes to risk.
I will return to this concept in subsequent papers to explain how the human-machine interaction contributes to risk. For now, suffice it to say that there is sufficient research and empirical data to support the argument. To further explain a human-centered risk approach, we must also understand how decision-making is impacted as a result of 19th-century risk practices.
Situational awareness is a critical component of human-centered risk management. Three things facilitate it: one’s perception of events and comprehension of their meaning; the projection of their status after events have changed or new data is introduced; and the ability to predict how change impacts outcomes and expectations with clarity. The opportunity in risk management is to improve situational awareness across the enterprise. Enterprise risks are important, but they are not all equal and should not be treated the same. Situational awareness helps senior executives understand the difference.
The challenge in most organizations is that situational awareness is assumed as a byproduct of experience and training and seldom revisited when the work environment changes to absorb new products, processes or technology. The failure to understand this vulnerability in risk perception happens at all levels of the organization, from the boardroom down to the front line. The vast majority of change introduced in organizations tends to be minor in nature but accumulates over time, contributing to a lack of transparency or “inattentional blindness” impacting situational awareness. This is one of the many reasons organizations are surprised by unanticipated events. We simply cannot see it coming!
Human-centered risk management focuses on designing situational awareness into the work environment from the boardroom down to the shop floor. This multidisciplinary approach requires a new set of tools and cognitive techniques to understand when imperfect information could lead to errors in judgment and decision-making. The principles and processes for designing situational awareness will be discussed in subsequent articles. The goal of human-centered risk management is to design scalable approaches to improve situational awareness across the enterprise.
Human-factors design and situational awareness meet at the “crossroads of technology and the liberal arts,” to quote the visionary Steven Jobs. These two factors in human-centered risk management can be achieved by selecting targeted approaches. These approaches will be discussed in more detail in subsequent articles; however, I invite others to participate in this discussion if you too have an interest in reimagining new approaches to risk management.