Why Risks have outgrown the “E” in ERM

James Bone
6 min read · Sep 20, 2021

It would be an understatement to say that the risks we deal with today are the same ones the world encountered in 1985, the year the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed.

Mainframe computers still required their own climate controlled rooms, the Internet was a fledgling technology, Wall Street still moved paper stock and bond certificates between investment houses by bike couriers and R.E.M. was the hottest band at the time.

A lot has changed since then… except how risk management is practiced, and therein lies the problem!

Science and technological advancements have made inroads in all of the industries noted above, including the music industry, yet risk management frameworks and guidance have little to no scientific grounding, theoretical framing or technological revolution in how risk is practiced or understood.

COSO did not add the “E” in ERM until 2004, long after Silicon Valley and cybercriminals made enterprise risks less relevant in a transition to a new digital economy without borders or boundaries and reliant on connected devices, supply chains and outsourced third-parties that defy containment using manual processes and a narrow focus on “internal controls”.

We are firmly in the first phase of Industry 4.0, the Hybrid Phase, where 19th century technology is digitally connected to next generation solutions. No one knows when and how the digital “umbilical cord” between the past and future will continue to be connected, or how the cord will be detached, but what is becoming obvious is that risk management will be left behind without radical new thinking and new approaches.

Just as technology disrupted many industries in the 1980s, it is disrupting risk practice as well. Private equity, Silicon Valley and Wall Street investments in smart technology are beginning to disintermediate how industry manages risk. Early investments in today’s risk platforms will pale in comparison to advancements in decision-support technology in the near future. The operative word is “decision-support”.

What most existing risk frameworks and guidance fail to provide is clarity in decision-making about risks. Decision management is a human risk factor that has not been fully accounted for in any of the leading traditional risk frameworks or regulatory guidance. The first, and only, risk mandate that requires confidence intervals, the Basel Capital Accord, is still not capable of preventing the rise of systemic risks that impact global economies. The Great Recession of 2008/2009 is the latest example but there are plenty more.

The truth is that no risk standard alone is capable of keeping up with the pace of business and industry innovation without a dynamic approach to decision management. The case for decision management, as a basis for advanced risk management, is growing. Let me provide a few simple examples for context.

Risk-based capital regimes like Solvency II, NAIC, Basel III/IV require financial institutions to put in place a system of governance and controls that demonstrate capital adequacy and require tests of the validity of risk-based decisions.

After any major business failure, lawyers, regulators, shareholders and others evaluate the judgment of management. It is judgment that is evaluated to determine if senior executives should have known better or exercised proper due diligence in the course of taking the decision. It stands to reason that decision-making is a risk management process that deserves further attention.

Everything starts with a decision: strategic planning, cybersecurity, risk management; the process of decision-making in the face of uncertainty is the predicate test to determine if the decision-making process was reasonable given the risk.

I call this process cognitive governance. Cognitive governance is a set of established processes that inform the reasonableness of the decision-making process. Many organizations conduct “after-action” reviews, but few use formalized processes to evaluate the decision-making process before an event or failure occurs.

At this point, you may be thinking, I don’t agree that “my” decision-making processes are made without reasonable due diligence. First, let me say that no successful company or executive who has failed believed that their decision-making was flawed until after they fail. It is important to note here that failure is not a character flaw. Everyone makes mistakes, even very successful people. But the challenge in risk management is how do you improve or fine tune your decision-making processes to enhance successful outcomes?

To be clear, I am not suggesting you can decision-proof decision-making, but I am suggesting that you can evaluate decision-making in ways that tell a story about errors in judgment that lead to bad outcomes and use that information to improve risk management and decision-making in the process.

A new book from Dan Kahneman, Olivier Sibony and Cass R. Sunstein, “Noise”, describes how two subjective judgment errors helped insurance executives realize how subjective judgments by underwriters and claims adjusters cost their firm millions of dollars. The two judgment errors are noise and bias: biased errors are predictable; noisy errors represent the dispersion of judgments by individuals when the facts and circumstances are the same. Kahneman suggests that while bias has garnered more attention, noise is a bigger problem in society at large and is largely ignored in analysis.

I will not delve into the details here; consider this a primer for a series of articles on how to incorporate these findings. What I have found in my research, however, is that A.I. developers use the same equation as the authors of Noise to improve machine learning algorithms.

Error = Bias + Noise + Variance

Some believe that bias and noise are two sides of the same coin; however, there is general agreement that methods to reduce bias and noise improve predictive accuracy, at least in machine learning and, quite possibly, in subjective judgment by humans. It is important to note that Kahneman offers a huge caveat on this point: according to Kahneman, the conclusions in Noise are premature and will require further analysis.
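To make the bias/noise split concrete, here is an added worked example (my own, not code from the book or the article) on constructed claims-adjuster data. It uses the mean-squared-error form of the decomposition, MSE = bias² + noise², where noise is the dispersion of judgments made on identical facts, and also shows what averaging the adjusters’ judgments does to each component.

```python
"""Worked illustration of the bias/noise decomposition discussed above.

Constructed data (not from the book or the article): five claims adjusters
estimate the same four claims, whose true settled values are known afterwards.
Every adjuster sees identical facts, so the spread of their estimates on a
single claim is noise in Kahneman's sense.
"""
from statistics import mean, pstdev

TRUE_VALUES = [120.0, 80.0, 200.0, 50.0]   # settled values, in thousands (constructed)
ESTIMATES = {                               # adjuster -> estimate per claim (constructed)
    "A": [130.0, 90.0, 215.0, 60.0],
    "B": [110.0, 85.0, 190.0, 45.0],
    "C": [140.0, 70.0, 230.0, 55.0],
    "D": [125.0, 95.0, 205.0, 65.0],
    "E": [115.0, 80.0, 180.0, 50.0],
}


def pooled_errors(true_values, estimates):
    """Signed error (estimate - truth) for every adjuster/claim pair."""
    return [e - t for ests in estimates.values() for e, t in zip(ests, true_values)]


def decompose(true_values, estimates):
    """Split mean squared error into bias^2 (systematic) and noise^2 (dispersion).

    bias  = mean signed error: the predictable part, which can be corrected
    noise = population std dev of the errors: the scatter left after removing bias
    The identity MSE = bias^2 + noise^2 holds exactly with the population std dev.
    """
    errs = pooled_errors(true_values, estimates)
    bias, noise = mean(errs), pstdev(errs)
    return {"bias": bias, "noise": noise, "mse": mean(e * e for e in errs)}


def noise_audit(estimates):
    """Per-claim dispersion of estimates across adjusters: one noise figure per case."""
    return [pstdev(case) for case in zip(*estimates.values())]


def consensus_mse(true_values, estimates):
    """MSE when each claim is scored by the average of all adjusters' estimates.

    Averaging independent judgments cancels noise but leaves shared bias untouched,
    so this can never exceed the adjusters' average individual MSE.
    """
    errs = [mean(case) - t for case, t in zip(zip(*estimates.values()), true_values)]
    return mean(e * e for e in errs)
```

On this data the consensus error per claim is almost exactly the pooled bias, which is the point: aggregation removes the noise but a systematic over-estimate survives it and must be corrected separately.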

So, what is the point?

The point quite simply is that ERM is not the litmus test of a good risk management program. The process of decision-making, with all its strengths and weaknesses, is the true test of a robust risk management program. We are not teaching risk professionals the science of risk. We have been practicing the art of risk management which has led to disparate approaches and methodology and largely explains the NOISE in risk outcomes.

The second, less obvious point, is that risks are no longer neatly contained inside the enterprise bubble. The “E” in ERM no longer captures the scope of risks organizations are exposed to in a virtual-hybrid operating environment.

To be candid, ERM represents minimum guidance. Like the foundation and frame of a home, ERM and other traditional risk guidance, such as ISO 31000 and NIST, are the bare minimum. Humans don’t live only in the foundation and framing of a home. A home is made of many rooms, each with its own purpose. Risk management begins in the design of the home, and in the design of your risk programs as well.

The decision to build a home in a flood, fire or earthquake zone requires the architect and builder to design the home to withstand the risks posed by nature. Risk professionals must also design their risk programs to withstand the risks inherent to the objectives of their organization. That starts with the right tools, training and an understanding of the frailty of decision-making.

I look forward to laying out these concepts periodically in follow-up articles in the coming months and going into detail to explain how to infuse the human element into your risk management program.

#cognitivehack #cognitiveriskframework #humanelement