A persistent and pervasive risk — economic man (homo economicus)
Please excuse the sexist title, “economic man”, this term was coined at the turn of the 19th century to denote an error in judgment. Homo economicus is Latin for “economic man”, a risk that seldom, if ever, appears in a risk inventory nor is listed as a strategic objective to enhance performance, yet this obscure risk causes more havoc than any other. What is homo economicus and why does it matter? The answer may surprise you!
The definition of homo economicus is a characterization of the behavior of a rational person. A model of this “ideal” person is assumed to exhibit perfect rationality, “as agents, who are consistently rational, and narrowly self-interested, and who pursue their subjectively defined ends optimally.”
Economists have based their models and policies of economic growth, in part, on this simple and erroneous assumption. Economists and researchers doubled down on this fallacy in “efficient market theory”. Both errors in judgment assume investors and organizational leadership have perfection information at all times. This idea may seem irresponsible today however this assumption still persists hundreds of years after it has been roundly refuted. Herbert Simon’s “Bounded Rationality” proved through rigorous scientific analysis the fallacy of this concept as well as on-the-ground reality of successive massive economic collapse, yet we still act as if it is true.
Adam Smith, author of Wealth of Nations (1776) and the Theory of Morale Sentiment (1759) suggests, “The man whose whole life is spent in performing a few simple operations, of which the effects are perhaps always the same, or very nearly the same, has no occasion to exert his understanding or to exercise his invention in finding out expedients for removing difficulties which never occur. He naturally loses, therefore, the habit of such exertion, and generally becomes as stupid and ignorant as it is possible for a human creature to become.” Smith not only excoriates division of labor and Homo economicus but even prefigures Marx’s theory of alienation of labor. Thus, his opening paragraph sets up the standard conception of work specialization only to shatter it later on.”
I can only assume that some have interpreted the “invisible hand” reference by Smith as some unexplainable ability to capture perfect information in the pursuit of their ends.
Simple solutions for complex problems seldom come prepackaged.
Nonetheless, it took centuries to prove the errors in judgment in homo economicus. Thus, I would argue that we are in the early stages of a new level of discoveries in risk management and decision support capabilities. And therein lies a question. How long will it take the risk management profession to recognize the role of human behavior and human factors as a leading cause of risk and cyber vulnerability? Many industries have adopted these learnings yet a robust application of human factors and cognitive science in organizational behavior has not yet occurred.
A few new tools will be needed to redefine risk assessment, risk discovery, and the application of decision processes. Likewise, there is a large and growing corpus of applications to draw upon in combination with traditional risk practice. The biggest change may involve a redefinition of the role of risk professionals.
Instead of managing risks, risk professionals must become designers of risk solutions. Risk design may sound complex but practical examples exist in plain sight throughout industry in car manufacturing, aerospace, and technology design. As we move further along the continuum of digital eCommerce more examples will be required. The simplicity of this focus is that it solves two problems: 1) It manages risks using automation and human-centered processes, and 2) it increases productivity. Yet we know less about our own behavior and the behavior of others than we think we do. These risks happen to be core areas of vulnerabilities in cybersecurity and organizational performance.
Why is homo economicus a persistent and pervasive risk, and why it is important to know?
A short exercise to demonstrate the risk: Imagine the last time you sat in a planning meeting for any project, budget exercise, or strategic plan. Think of the behaviors and processes exhibited by colleagues during the planning and execution phases. How closely aligned are peer behaviors with the definition of economic man. The definition of economic man hinges on “pursuing subjectively defined ends optimally.” The definition assumes a 100% success rate based on intuition! That may be true if the bar is set low enough, but it is certainly not optimal. Everywhere humans make decisions, in the boardroom to the cubicle, there is error, but we don’t really know how much or its impact on performance unless it is quantified.
Technology is closing the gap to achieve economic man/woman. Human failure is the “mother of invention”! AI, bots, IoT, and other early stage digital platforms show promise but come with new risks. The solution is not in technology alone. The greatest opportunity lies in developing a mindset and understanding of the root causes of failures in human performance!
Professional athletes of varied disciplines have hired mental coaches to elevate their own performance. Senior executives have hired executive coaches. The healthcare industry has investigated how human behavior results in medical errors, yet the risk, audit, cyber and compliance professions have resisted change to the determent of ERM broadly.
New digital risks exhibit a multifaceted threat combining physical and virtual risk attributes both internal and external to the enterprise. Yet, with access to oceans of data it feels like the story of a stranded sailor, “water, water everywhere, but not a drop to drink”. Organizations have analyzed yottabytes of data but seldom, if ever, conduct a comprehensive analysis of their decisions after the fact or contemplate the organizational impacts on human performance.
The future of risk management will not rest on off-the-shelf risk frameworks. The future of risk will be designed with a focus on intelligence, insight, monitoring and risk discovery. Data is the new weapon of choice in competitive markets with the best informed the most resilient. The real value in risk practice will be its predictive ability across a range of risk events. These insights are not embedded in internal controls but are expressed as human interactions at all levels of the organization.
The low lying fruit has been picked and the next level of intelligence will take time.
The next level of risk intelligence will be defined by enhanced risk performance. It must be measurable, contribute to reductions in inherent and residual risk, and enhance human and organizational performance. How should an organization assess its performance openly and honestly? What needs to change to discuss the opportunities and the challenges with more clarity? Answers to these questions largely depend on one’s perception of risk and opportunity.
Human behavior is being mined in marketing channels to find value involving engagement with the firm, but human behavior is largely ignored within the firm to understand the risk of organizational behaviors with the exception of punitive actions. The opportunity for creating massive value to the firm lies in a better understanding of internal behaviors and connections across the firm. More on this topic and the opportunity in upcoming articles. What I am proposing now is simply a fresh look at risk as an inhibitor of human performance at the enterprise level.
Intelligence is great but what about actionable information?
What percentage of decision-making is “gut” vs “data”?[1]
Spoiler alert: One survey does not answer the question but clues are found in a survey from a BI-Survey report, “58% of our respondents say their companies base at least half of their regular business decisions on gut feel or experience, rather than on data and information. The reasons for not using data as the basis for business decisions are manifold and range from not having the necessary information available to thinking that instinctive decision-making is good enough. Economist called this process, satisficing, a mashup of two words, “satisfy” and “suffice”, a “good enough” outcome. But is it?
“Digging a bit deeper, we found that “best-in-class” companies base their decisions more on information (60%) while “laggard” companies base a worryingly high 70% of their decisions on gut feel.
A lot of money has been spent on data analytics, yet we still trust our own intuition to data. Experience does help and estimates from experts do correlate well with models. But few people are super modelers, and those that are certainly are not pursuing their ends solely subjectively.
Risk Discovery: Change is the mother of risk (and human behavior is in constant change)!
We often assume continuity, but change is constant
Competing and conflicting perceptions of risk and opportunity color conversations in most objective setting situations. The processes of reconciling different views of risk are some of the most challenging conversations to resolve. These are the situations where good practice can facilitate better decision-making. The importance of developing a flexible process of checks and balance allows for voices to be heard and decisions shared.
The best attributes to ensure good practice is patience, clear objectives tied to measurable outcomes, controlled experimentation, and shared decision-making. Risk discovery and risk solution design are two new concepts used to address these errors that are both obvious and novel.
Risk discovery is not a typical risk assessment. This is a process of understanding the nature and characteristics of specific risk types that have yet to be discovered. The symptoms and potential magnitude of a problem may be used to prioritize the discovery process. Depending on the complexity of the problem and importance to operational execution a robust cost/benefit analysis will be needed. Risk discovery assumes that residual risks exist that have not yet been explored but would be impactful. Many of these risks reside in human to human interactions or human to machine interactions.
For example, contractual agreements transfer and accept implied and explicit risks between each party but how many firms quantify the potential exposure of a whole book of business by organization? How is profitability defined? Has the relationship grown creating concentration risk? Have rebates and incentives eroded profitability? Etc. Many of these potential residual risks have never been subjected to rigorous analysis before.
Researchers have found a common correlation in subjective decision-making and errors in risk acceptance. This is the reason human error risk is persistent and pervasive. Wherever there is subjective decision-making there is error, but few firms use this information in discovery. What should the future of risk assessment look like? Where are the blind spots? What level of confidence does one have in the predictive ability of existing risk processes? How does risk management measure the contribution it makes to organizational performance?
These questions are answered by developing a risk discovery process. Secondarily, but more importantly is the risk solution design process. Risk design is the innovative side of risk management. Risk design looks beyond internal controls to reimagine workflow processes that are straight-through with checks and approvals. Good risk design enables efficient operations and touchless risk controls. I will address these two new approaches in upcoming articles on Risk Discovery and Risk Solution Design in more detail.
What Is the Bottom Line?
Every organization has residual risks in their organization as a byproduct of people making decisions (or not making key decisions) in the pursuit of their subjectively defined their ends. That does not make them bad people. It simply means risk professionals should develop processes to understand these risks and the materiality in operational risks they contribute, positively and negatively.
These risks are present in every organization but are hidden because they either show up randomly or have become endemic to operations and ignored as business as usual. Researchers found success in identifying untapped value in operations using widely available tools to uncover and propose solutions for these hidden risks. Examples and use cases will be presented in upcoming articles.
Start to look around your organization to see if you recognize these risks and let’s discuss them! No names or details. See if you see these risks and behaviors in your firm?
These posts are designed to encourage discussion and thought as well as constructive feedback. We may not have all the answers, but we like to ask interesting questions!
Please join us! jbone@grc-index.org
Executive Director,
Cognitive Risk Institute
[1] https://www.forbes.com/sites/karlsun/2018/06/26/the-decision-making-dilemma-when-to-trust-your-gut-vs-the-data/?sh=799eabb11041