Overcoming Bias in Risk Management

Protiviti Board Perspectives

With respect to risk management, bias has always existed and always will. It is human nature and inevitable. It is not unusual to find evidence of groupthink, dominant personalities, overreliance on numbers, disregard of contrary information, disproportionate weighting of recent events, and tendencies toward risk avoidance or risk-taking in any organization. So, the question is not whether bias exists, but rather how bias within the risk/reward decision-making process can be managed.


Few would argue that the 2008 financial crisis was one of the most spectacular failures in risk management to date. There are so many causal factors and culpable parties that we cannot possibly cover them all. The warning signs were ignored by regulators, financial institutions and academia. The question is: Why? One view suggests two primary reasons:¹

  1. “Not invented here” bias, which is the unwillingness to adopt an idea because it originates from outsiders, leading to errors in group judgments, such as missing out on new opportunities or failing to recognize risks.
  2. Confirmation bias, which is the tendency to search for, filter or interpret information in a way that confirms existing preconceptions or initial decisions and ignores contrary insights.

Both reasons contribute to “groupthink” in which participants suppress their divergent views in an effort to create consensus.

Other forms of cognitive bias likely involved include the framing effect, anchoring, belief, availability heuristic, hindsight, outcome, and even the ostrich effect. The various forms of bias and the groupthink phenomenon they encourage often result in a desire for harmony in an organization, meaning there is greater weight placed on “getting along” than on expressing disagreement on the things that matter. This emphasis on conformity can result in a group ignoring alternative views and salient contrary information and, as a result, reaching risk/reward decisions that may miss the mark badly.

Key Considerations

Following are some thoughts on ways to overcome bias in risk management:

Focus on improving processes rather than blaming people – Focus on the process, and encourage people to come forward and escalate issues so they can be addressed in the cool of the day rather than allowed to fester and evolve into formidable problems. Above all, avoid a shoot-the-messenger culture.

Recognize that risk management can lead to conflict – and that’s a good thing – Tension is inevitable between value creation and protection. For example, how does an organization balance its credit policy with its sales strategy? Does a trading operation establish appropriate limit structures when empowering personnel to authorize trades? If prudent public safety considerations are considered to be more important than cost and schedule considerations, how does management know that decisions are being made appropriately across the organization?

The point is that each of these matters leads to dialogue between risk management and front-line and customer-facing personnel. If risk is to be managed, healthy tension is a good thing. For this to happen, risk management must be positioned properly. For example, in industries with a high-risk profile, such as financial services, the chief risk officer (CRO) or equivalent executive should be viewed as a peer to line leaders and have a direct reporting line to the chief executive officer, as well as a reporting line to the board or a committee of the board. Furthermore, the board or the appropriate committee should conduct mandatory and regularly scheduled executive sessions with the CRO.

When making risk/reward decisions, reduce the danger of groupthink – It is not unusual for groups to form opinions or make decisions without having engaged in robust debate or listened to dissenting views. Time allocated to decision-making may be limited to such an extent that the organization could, in a rush, make a mistake. That is why efforts should be made to ensure all views are heard from the right sources and considered. See the sidebar “10 Techniques for Minimizing Groupthink” for some suggested techniques to minimize groupthink during the risk/reward decision-making process.

Conduct a premortem – While we can never say with certainty that we know what we don’t know, we can apply techniques that encourage managers to think strategically on a comprehensive basis by focusing on the big picture. The “premortem technique” is a process for engaging managers in contrarian “devil’s advocate” thinking without encountering resistance. The idea is to assume a critical strategic assumption is no longer valid, provide the reason(s) why from a point in time in the future and explain what that development (i.e., an event or a combination of events) might mean to the organization. Alternatively, more extreme scenarios can be incorporated into stress tests of financial models supporting critical investment decisions and operating plans.

We may not be able to identify “black swans” until they happen, but at least we can assess how much they might hurt by considering the cost of being unable to execute aspects of the strategy. If management doesn’t like what it sees as a result of this contrarian analysis, then steps should be taken to improve early warning capabilities, contingency plans and response readiness.

10 Techniques for Minimizing Groupthink
• Keep the group at a manageable size.
• Focus on risks that truly matter (rather than the trivial many).
• Designate a facilitator, and don’t allow higher-ups to dominate.
• Engage diverse experiences, and avoid “yes” people.
• Avoid beginning with a desired outcome.
• Distinguish between divergent and convergent dialogues.
• Accept conflict and devil’s advocacy as the norm, and understand why dissenters disagree.
• Seek diverse external perspectives.
• Consider the consequences of a wrong decision.
• Value the differences by looking for synergies in multiple points of view.

Avoid compromising the quality of your decision-making process – Give the following “don’ts” careful consideration:

    • Don’t structure data to fit a preconceived decision – Ultimately, managing risk is about seeking the truth, even when it hurts. Consider the catastrophic 2011 tsunami in Japan, which caused a meltdown of three nuclear reactors. The earthquake model used by the operator’s engineers was based on empirical data dating back to 1896 and disregarded scientific evidence asserting that an earthquake of the magnitude that caused the 2011 tsunami was, in effect, a 1,000-year event. A model based solely on just over 100 years of data will not offer much insight regarding a 1,000-year event. Had the additional scientific data been considered or a different question been asked regarding the consequences of a catastrophic wave hitting the plant, the nuclear power operator would have faced the option of considering formidable investment decisions to mitigate the risk. Geological time is impervious to arbitrary assumptions.²
    • Don’t rely on the smartest or most dominant people in the room – Allowing the experts and dominant personalities to drive a divergent conversation to convergence too soon is a common mistake. Get the facts out. Make sure that everyone whose opinion is valued is heard.
    • Don’t focus on risks everyone knows about – Assessments directed to cataloging known risks are not going to generate new insights for management and the board. Think about what the organization doesn’t know. Focus the company’s risk assessments more on circumstances or potential outcomes that reflect new realities and have not been considered by the organization.
    • Don’t extrapolate the past into the future – Change is not linear. It can be dangerously disruptive. Stuff happens.
    • Don’t draw false security from probabilities – Acknowledge that no one can predict the future with certainty. Playing numerology with probability estimates that are, at best, mere guesses can create a false sense of comfort with “what the numbers say” that does not make the threat of a plausible, extreme risk scenario go away. That is why a high-impact, high-velocity and high-persistence threat warrants an assessment of an organization’s response readiness. If response readiness is low, a focused response plan may be needed.
    • Don’t ignore the limitations of consensus – In traditional risk maps derived from electronic voting, a single point on the grid results from aggregating divergent views. It is possible that one of the divergent views could be correct; therefore, the group should determine whether outlier views are a result of important information the rest of the group doesn’t have.
    • Don’t manage toward a singular view of the future – Given the complexity of the business environment, executives should avoid the kind of overconfidence that is often driven by past success. It is common for leaders to make bets based on what they see in the future. But for the big bets that matter, what if they’re wrong? “What if” scenario planning and stress testing are tools for evaluating management’s “view of the future” by visualizing different future scenarios or events, what their consequences or effects might be, and how the organization can respond to or benefit from them. Their use can transform a risk discussion into a business discussion.

While the above ideas are not exhaustive, they suggest that overcoming bias in risk management is all about improving risk/reward decision-making processes continuously so that alternative views are expressed and considered. Suppressing dissenting viewpoints, ignoring creative thinking and isolating the organization from outside influences are sure ways for executive management to lose touch with business realities.

7 “Don’ts” to Heed
1. Don’t structure data to fit a preconceived decision.
2. Don’t rely on the smartest or most dominant people in the room.
3. Don’t focus on risks everyone knows about.
4. Don’t extrapolate the past into the future.
5. Don’t draw false security from probabilities.
6. Don’t ignore the limitations of consensus.
7. Don’t manage toward a singular view of the future.

Questions for Boards

The board of directors may want to consider the following questions in the context of the nature of the risks inherent in the entity’s operations:

    • Is the board satisfied that business plans and requests for investment funding are presented with a balanced view of reward and risk?
    • Do directors understand the critical assumptions underlying executive management’s strategic, operating and investment plans? And do they evaluate those assumptions with appropriate information from internal and external sources?
    • Are scenario planning and stress testing used by management to challenge assumptions and expected outcomes, address “what if” questions, and identify sensitive external environment factors that should be monitored going forward?

How Protiviti Can Help

Protiviti can assist the board of directors and executive management with identifying and assessing the enterprise’s risks and implementing strategies and tactics for managing those risks. We assist companies with integrating their risk assessment process with their core business processes, including strategy-setting.

We help organizations improve their risk reporting to better inform the risk oversight process and offer an experienced, unbiased perspective on issues separate from those of company insiders.

¹ “The Failure of Academic and Professional Economists,” Wall Street Economists Institute.
² “Fukushima Tsunami Plan: Japan Nuclear Plant Downplayed Risk,” by Yuri Kageyama and Justin Pritchard, The Associated Press, March 27, 2011.

    Board Perspectives: Risk Oversight (Issue 60)
