Advice for Risk Managers: Ask the Tough Questions

The New York Times author David Leonhardt recently published a puzzle that I recommend all governance personnel attempt. Take a second to give it a try before reading this blog, but if you’re pressed for time, I’ll outline the basic premise.

The puzzle asks that you find the rule in the following pattern of numbers by guessing other sets of numbers that may or may not obey the rule. The sequence that obeys the rule is:

You may think you have the puzzle figured out already, and if you guessed, say, the sequence 4, 8, and 16, your pattern would also obey the rule; even so, it’s likely you guessed wrong.

The combinations of 1, 2, 3 and 12, 15, 17 also satisfy the rule, because the pattern is simply that each number must be larger than the one before it.

The problem Leonhardt so artfully illustrates is one of confirmation bias, and it’s related to the gap in organizational procedures that risk managers need to provide systematic ERM programs and ERM software tools to engage others to overcome this complacency and bias. As Leonhardt writes, “we’re much more likely to think about positive situations than negative ones, about why something might go right than wrong and about questions to which the answer is yes, not no.”

Risk managers must pose the inherently uneasy question, “What can go wrong?” in order to uncover risks that would never have been identified until it is too late. By challenging assumptions and seeking out subject matter experts to contribute their observations, risk managers are not only better preparing their businesses for the downside of risk, but are also reaffirming which strategic initiatives are worth pursuing.

Corporate America is full of examples where risks were not explored, even though the risk was known in plain sight all along. Executives of Detroit’s Big Three didn’t recognize the threat of new manufactures from abroad improving their products over time, and becoming even stronger competitors. Wall Street and the Fed made the same mistake during the financial crisis by ignoring the warning signs that every 20 years or so the housing market goes down after a sustained rise.

Risk managers can endear themselves to their colleagues by helping them discover and mitigate potential downsides, thus improving the likelihood that goals are achieved. They also need to systematically prioritize risks in order to understand where risks are connected across business silos, and which of these risks they should focus their limited time and resources on.

Asking your organization’s subject matter experts on the front line questions such as, “What aspect of our cybersecurity defenses are weak?” can lead to the escalation of risks known to front line personnel and yet unknown to the level of management that allocates resources to prevent incidents from becoming catastrophic. Recently, several organizations that thought they were covered by insurance for cyber risk, but found out the hard way that their failure to meet the “minimum required practices” for cybersecurity risk management disqualified their ability to receive a claim payment in the millions, even though they had dutifully paid their premiums for years. Their front line managers knew the security practices to follow, and yet they did not have a system to prioritize, escalated and implement minor cost initiatives that would have saved them millions in losses due to the breaches that occurred because they were complacent, and thought they would just be covered by insurance.

Risk managers make the greatest impact to their organization by helping others to escalate the risks that would otherwise go unconsidered, and casting transparency on the “unknown knowns.”