March 9, 2018
Cognitive Biases and Risk Management
Decision-making shortcuts can be useful but may lead to inaccurate judgments in complex business situations of high uncertainty.
Risk management competencies can significantly improve decision making in any profession. The bad news is that these competencies do not come to us naturally. They have to be developed. Even if you do not operate in a high-risk, uncertain environment, you should consider the extensive research into what is referred to by scientists as heuristics and biases, cognitive psychology and psychometric paradigm, collectively called risk perception.
The History of Risk Perception
The study of risk perception originated from the fact that experts and lay people often disagreed about the riskiness of various technologies and natural hazards. The mid-1960s experienced the rapid rise of nuclear technologies and the promise for clean and safe energy. However, public perception shifted against this new technology. Fears of both longitudinal dangers to the environment and immediate disasters creating radioactive wastelands turned the public against this new technology. The scientific and governmental communities asked why public perception was against the use of nuclear energy in spite of the fact that all the scientific experts were declaring how safe it really was. The problem, as perceived by the experts, was a difference between scientific facts and an exaggerated public perception of the dangers (Douglas, 1985).
Researchers tried to understand how people process information and make decisions under uncertainty. Early findings indicated that people use cognitive heuristics in sorting and simplifying information which leads to biases in comprehension. Later findings identified numerous factors responsible for influencing individual perceptions of risk, which included dread, newness, stigma and other factors (Tversky & Karneman, 1974).
See also: The Current State of Risk Management
Research also detected that risk perceptions are influenced by the emotional state of the perceiver (Bodenhausen, 1993). According to valence theory, positive emotions lead to optimistic risk perceptions whereas negative emotions incite a more pessimistic view of risk (Lerner, 2000).
The earliest psychometric research was performed by psychologists Daniel Kahneman (who later won a Nobel Prize in economics with Vernon Smith “for having integrated insights from psychological research into economic science, especially concerning human judgment and decision-making under uncertainty”) (Kahneman, 2003) and Amos Tversky. They performed a series of gambling experiments to understand how people evaluated probabilities. Their major finding was that people use a number of heuristics to evaluate information.
These heuristics are usually useful shortcuts for thinking but may lead to inaccurate judgments in complex business situations of high uncertainty – in which case they become cognitive biases.
Cognitive biases are just the beginning
Besides the cognitive biases inherent in how people think and behave under uncertainty, there are more pragmatic factors that influence the way we make decisions, including poor motivation and remuneration structures, conflict of interest, ethics, corruption, poor compliance regimes, lack of internal controls and so on. All of this makes any type of significant decision-making based on purely expert opinions and perceptions highly subjective and unreliable.
Risk management can provide clarity and assurance to decision makers anywhere within the organization, not just the risk management team.
Risk management provides a set of tools to help management see risks, understand their significance to each decision and determine the best course of action with these risks in mind. Risk management may seem simple enough in theory, yet many employees not part of the risk team still do not have the necessary skills and competencies to apply it successfully in practice.
The following are some practical ideas to bring risk management competencies to life, regardless of where you are in the organization (based on the free risk management book “Guide to effective risk management”):
Risk management competencies should become an important attribute when hiring personnel – HR teams should include risk management requirements in all relevant position descriptions when hiring new personnel for the organization. The level of detail will of course depend on the risks associated with each role. Any finance, accounting or investment individual should possess a basic understanding of risk.
Risk-based decision-making in induction training for new employees – New hires come from a variety of educational and experience backgrounds, and, most importantly, each new employee has her own perception of what is an acceptable risk. It is important for risk managers to cooperate with the HR team or any other business unit responsible for training, to jointly carry out training on the basics of risk-based decision-making for all new employees.
Risk awareness sessions for senior management and the board – Executives and board members play a vital role in driving the risk management agenda. Nowadays, many executives and board members have a basic understanding of risk management. Auditors, risk management professional associations and regulators have been quite influential in shaping the board’s perception of risk management. It is important that risk management training focuses less about risk assessments and more about risk-based decision-making, planning, budgeting and investment management. The paradox is that risk management training should not teach management how to manage risks; instead, it should show them how to carry out their responsibilities with risks in mind. Click here to order training for your company.
Advanced training for “risk-champions” – Additional risk management training may be needed for the risk management team and business units responsible for internal control, audit, finance, strategy and others. In-depth risk management training should include: risk psychology and risk perception basics, integrating risk management into culture, basic knowledge of ISO 31000, risk management and decision-making foundations, integration of risk management into core business processes and decisions. Click here to order risk management training for your risk/audit team.
Passive learning techniques – Make risk management information available to employees, contractors and visitors. Place the risk management policy on the intranet and the corporate website. Record and publish risk management training or awareness sessions videos on the dedicated risk management intranet page. Invite guest speakers (risk managers from other companies) to speak to the audit committee or risk management committee and give all employees the opportunity to participate. I have used this in the past, and it worked very well.
Risk management as part of everyone’s responsibilities – It helps to include risk management roles and responsibilities into existing job descriptions, policies, procedures and committee charters. The common approach of capturing risk management information in a single risk-management framework document does not work well.
Risk management integrated into day-to-day work – My experience shows that updating existing policies and procedures to include aspects of risk management works much better than creating separate risk procedures or methodology documents.
See also: 4 Steps to Integrate Risk Management
Risk management is a valuable tool to help employees make business decisions under uncertainty. It works equally well with strategic, investment, financial, project or operational decisions. However, consistent application of risk management requires good knowledge of risk-management standards, risk psychology and quantitative analysis.