Perceptions of Risk
Why we seldom agree on Risk
The topic of risk is hotly debated among and between risk professionals and executives responsible for managing risk in all organizations. Discussions of risk are fraught with a range of emotions and baggage for various reasons the majority of us seldom fully understand because each side often starts with their own perceptions of risk that some share and others do not. Nonetheless, the management of risk is one of the most important roles any organization must address successfully to navigate the complexities of life and business today.
Fortunately, researchers have studied the challenges in conflicting risk perceptions to help us better understand the dynamics at play and to inform strategies to improve risk management as well as develop more sophisticated risk analysis techniques. Let’s breakdown the reasons the topic of risk is so complicated and then introduce strategies to improve ways to structure risk conversations more productively.
Risk as Feelings versus Risk as Analysis
Broadly speaking, two diverse conceptions of perceptions of risk exist with varying degrees in between. The two groups are composed of people who perceive risk emotionally and people who perceive risk as an estimate or probability that can be quantified. The “risk as feelings” groups is larger than the “risk as analysis groups” and generally speaking there is distrust between the two groups. Throughout this analysis, I will attempt to separate and explain my views and present the researcher’s view of the dichotomy of risk perceptions.
This picture may evoke an emotional response but don’t prejudge just yet!
Anyone who has had to explain risks to senior executives understand the complexity of discussions of risk.
Risk assessments are political exercises that involve competing values, process issues, and power dynamics that can derail conversations about risk. Not only do executives and others dread these discussions but the topic can easily go off the rails if the right context is not established up front.
This lesson was brought home to me when the president of a division asked for a risk assessment by department so that he could report an overall risk metric to the board of directors. After explaining that an aggregate risk score does not add up to a measure of risks across the firm he insisted on a risk matrix. Once a risk grade or color scheme is introduced that highlights degrees of risk by department the heads of those departments became actively involved in understanding how risk assessments were conducted!
The challenge in communicating risks to management is that the term risk does not contain a singular definition. There are multiple conceptions of risk: Risk as a hazard, Risk as a probability, Risk as a consequence, Risk as a potential adversity or threat and many more. This partly explains why simplistic risk matrices are considered useless or fail to provide insights into the risks that matter to senior decision-makers. Context does matter but is often ill-conceived at the outset.
Subjectively defined risk analysis versus Objectively defined risk analysis
The second problem in risk perceptions is how others perceive objectively (quantitative) defined risk analysis (probabilities and consequences of risk).[1][2][3] Unconsciously, people reject quantitatively defined risk analysis and apply (or substitute) their own subjectively defined distribution of outcomes. Researchers have noted that both subjectively and objectively defined risks are incomplete at best and misleading at worst. Nonetheless, we persist at providing one perspective without qualifying both sides.
We call this fallacy WYSIATI or what you see is all there is. This often occurs when a superficial analysis of a risk or an event is conducted with easy to find data or data that confirms a preconceived outcome. The failure to seek alternative data sources or counter narrative outcomes may lead to misleading conclusions.
You may have heard that all models are wrong, but some models are useful! The fact is that we all suffer from the same fundamental problem, an objective ignorance of the future! Scientists use the terms estimates or measurements to denote the potential error in their analyses. Unfortunately, many business executives expect more precision than is reasonable in projections of risk. Risk professionals must deal with imperfect data which requires the application of assumptions and judgments which can be influenced by factors that lead to more error than anticipated.
There are few uniform ways to characterize many risks (even among expert risk analysts)
Risk characterization is a challenge even with simple measures of risk. Remember the challenge the Center of Disease Control (CDC) experienced with describing the risk of Covid? This was not so much a failure by the CDC, as it is a fundamental challenge in providing a clarifying characterization of risk. Especially, a novel risk with complex features that targeted known and unknown vulnerabilities in each person.
One example of the challenges in risk characterization used in academic research is the characterization of the counting of fatalities. Fatality risk can be expressed as Death per million people in the population, Death within X miles of exposure, and Loss of life expectancy associated with exposure to a hazard. Each of these characterizations will provide a measure of fatality risk but users may come to different conclusions depending on which characterization is used.
The communication of risk factors has become paramount in the face of a global pandemic, but complaints spread as the messaging changed over time through each wave of the virus. Covid is an extreme case where politics overtook the guidance (or attempts at guidance from the CDC). Some people believed they were supernaturally immune from contracting and becoming sick from Covid while others took precautions and still do today.
Disparate responses to Covid has led to more than 1 million deaths in the U.S. alone, and approximately 600 million deaths globally. Yet, the true number of deaths is disputed because of our inability to define death caused solely by Covid. What lessons have we learned from this experience to prevent the misinformation and disinformation that spread and resulted in unnecessary death? One of the lessons is a need for enhanced risk communications that is more effective at behavior modification. A secondary lesson is that we still have much to learn about perceptions of risk and the amplification of risk events.
Reconciling Perceptions of Risk
We will never eliminate different perceptions of risk, but we can quantify and begin to predict a divergence in risk perceptions. Risk surveys have been used to quantify perceptions of risk across diverse groups to capture a picture of divergent risk perceptions. Qualitative risk characteristics can be measured to get a point in time picture of perceptions of risk. The process of mapping perceptions of risk is critical for starting a robust discussion of risk perceptions and determining how people feel about key risks and what should be done about them.
Over time, periodic perception of risk surveys will demonstrate how risk perceptions ebb and flow from one period to the next. The insights this process brings to discussions demonstrate how some risk perceptions are situational and transient, while others are constant.
Social Amplification of Risk
Research has demonstrated that perceptions of risk can be influenced by the social amplification of risk. The Covid pandemic is the most recent case of social amplification of risk. Adverse events, such as a global pandemic, cyber breaches, supply chain disruption, social media, etc and other factors get amplified in the social sphere resulting in an immediate impact on perceptions of risk.
Corporate executives should not minimize the social amplification of risk and the impacts these events have on the emotional state of individuals and the organization writ large. Individuals respond to the social amplification of risks differently and have trouble processing their emotional response to significant new risks. This is where risk communications becomes a critical tool for addressing new exogenous risks and providing guidance and clarity for how the organization either is impacted by these new risks or is not.
The key take away is that different perceptions of risk are present in all organizations and an understanding of the dispersion of these perceptions will help leadership and the board navigate these events more successfully in the future. Risk management is not an exact science, like the laws of physics, but that doesn’t mean organizations can’t do a better job of addressing divergent perceptions of risk and hopefully improve discussions of conflicting risk perceptions. By developing tools to understand and measure the dispersion of risk perceptions senior leaders will be better prepared to address and fine tune the risk appetite of the firm.
James Bone is a cognitive risk consultant and risk researcher for the Cognitive Risk Institute (GRCIndex), founder of the first cognitive risk framework for ERM and cybersecurity and author of Cognitive Risk and Cognitive Hack: The New Battleground In Cybersecurity and ERM. jbone@grc-index.org. www.grc-index.org.
[1] https://www.psychologytoday.com/us/blog/the-inertia-trap/201303/why-are-people-bad-evaluating-risks
[2] https://www.nytimes.com/2020/06/30/smarter-living/why-youre-probably-not-so-great-at-risk-assessment.html
[3] https://www.govtech.com/em/preparedness/why-some-people-think-they-arent-at-risk-for-coronavirus.html
