The risk manager’s role in countering unconscious bias

Black board with the word RISK in the middle
Making risk management decisions can often be clouded by unconcious bias

Risk managers have a unique and privileged position in terms of being able to recognise and assist in countering unconscious bias, either explicit or implicit. When assessing and discussing risks, we are given direct access to what happens in all areas of the business and have the opportunity to observe behaviours first hand. When we notice biases as part of our role, we can help to implement measures or nudges that encourage a change in behaviour and improve culture.

Here are some practical techniques that can be used to counter the risk of unconscious bias influencing our business decisions.

Pre-meeting or workshop surveys

While conducting surveys is a standard technique for risk assessments, it is helpful in reducing bias from several perspectives. It helps to focus the conversation in subsequent meetings and elicits a personal view of the subject at hand, thereby avoiding groupthink.

For example, when running an assessment session with the board, each person will have their own agenda when it comes to risk ownership and appetite; by asking the group to provide separate responses, there is less chance of group influence, especially if a meeting is running short on time and people are rushing their decisions. It may also mean that trends are identified in the responses and attention can then be focussed on the outlying risks which warrant further discussion.

Learn more: VinciWorks’ risk workshops

Scenario planning and Pre-mortem technique

Scenario planning brings risks to life so that participants can feel the need to make changes in relation to a particular risk and the possible outcomes. They become more emotionally invested in finding the best solutions.

Likewise, desktop exercises and simulations help identify gaps in business continuity and crisis management plans, should an incident occur. It also offers the opportunity to identify any biases in the behaviour of those involved in managing the crisis so that these can be reviewed appropriately. The more emotionally charged a learning experience is in relation to countering bias, the better it is remembered.

Curiosity and challenge culture

It may be helpful to bring in a trusted, independent party to play the role of “devil’s advocate” in meetings when significant decisions are being made. Recognising that challenging the decision-making process is about making better business choices, and is not personal, means that creating this role can help take the heat out of considering alternative options. The independence of this individual means they can ask questions about why a specific decision is favoured and alternatives which may be considered. Creative or alternative channels of thinking can be pursued and the risk of bias is reduced.

Alternatively, someone who feels strong opposition to a proposal can be asked to find one or more arguments in favour so they can see another perspective. This can be framed as a hypothetical perspective to show them there is no need to commit to the position; explain that this is part of a robust decision-making process so that the best outcome can be found. Encouraging a sense of empathy increases the strength of feeling for other perspectives and helps debiasing “stick”.

Techniques for meetings

In meetings which encompass a wide range of participants, it can be helpful to ask the least senior person in the room to speak first. When the most senior person in the room makes the opening comments, others may be inclined to agree in order to seek approval from that individual, further reinforcing the overconfidence bias, sunflower bias and contributing to groupthink. Ideas and innovations may be missed if people are not given the opportunity to offer their perspective.

Prior to a meeting in which a significant decision is to be made, participants could be asked to write down their views, thereby avoiding groupthink. You might ask them to create a list of pros and cons if there is a limited scope for the decision, allowing them to bring persuasive arguments to the session. Considering alternative perspectives on a decision will help to alleviate confirmation bias.

As risk professionals, we may be called upon to present ideas and recommendations in meetings on challenging subjects with limited time. Our audience may be subject to a myriad of biases towards our subject, and we need to be alive to the drivers for this behaviour. To engage the group, rather than presenting a traditional business case, consider turning this on its head and focus on what the business may lose rather than gain if the proposal is not accepted. This helps capture their attention as it taps into the loss aversion bias and can create a need to feel involved in the subject.

Risk management compliance

Part of the role of a risk manager may be to assist in the enforcement of, or measure, compliance across the organisation, whether this is in terms of legal or regulatory requirements, or internal policy decisions. Even though there may be financial penalties for the firm for non-compliance, often people just do not engage with compliance processes, regardless of any ethical considerations.

To challenge this behaviour, it can be helpful to communicate what other colleagues, departments or similar firms or industries are doing in order to harness the power of the herd instinct and increase compliance. Noting the social norms can influence behaviour, as long as the data you are providing is accurate. For example, 8 out of 10 business units have completed their online anti-bribery and corruption training or 95% of new joiners have completed their induction programme.  This provides a social cue as to acceptable behaviours which in turn motivates people to return the desired outcome.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.