When making any decision, from deciding what to have for dinner to buying a house, it’s possible that many biases will come into play. For example, a previous deal for a house that fell through may well result in anxieties that it could happen again. Alternatively, the meal you made last week was so good you’re confident you can make it again without using the recipe. While not realising it, perceptions may be subject to certain types of biases that affect our everyday decision making. For risk and compliance managers, it is important to be aware of these biases, how they can affect risk identification and how to limit their role in clouding judgment.
Which biases affect risk management decisions?
When undertaking risk identification, assessments, or attending risk committee meetings, there is the potential that the biases influencing the outcome of those sessions mean that you are liable to arrive at your conclusions without considering alternatives. This could lead to the failure of identification of key risks. When identifying risks, several biases may come into play:
As a species we have evolved to care about what others think about us; this is at the root of unconscious bias. We want other people to approve of our views and opinions, and so we seek out others who will “confirm” our position. In the context of risk identification, we may only seek the views of people in our organisation who will tell us what we want or expect to hear. By doing this we may fail to capture the full range of risks facing the organisation.
When we know that a large number of our peers or colleagues feel a certain way, we are more likely to align our opinions with theirs. Many biases are rooted in fear; of being excluded or being perceived as different. In order for the right decisions to be made, all views should be considered. Often, junior or more recently-employed staff will agree with their seniors, nervous that their idea is a bad one. For this reason, conducting risk identification in workshops alone could be a risk in itself as the output may be a result of groupthink.
Naturally, we are most likely to flag up risks that relate to what is at the forefront of our mind. In risk identification, this form of bias is most commonly related to one’s workload or what’s in the press at the time. For example, if there are a series of high-profile cyber attacks in the news, a board member may identify it as being high up on the risk agenda. However, for that particular organisation, other risks may be a greater, albeit lower in their consciousness. If you are not directly involved in discussions on the issue, significant risks may be missed out, or ignored as part of the identification process.
Our decisions are often informed by the first thing we see. An everyday example of this is when we see a higher price for a certain brand in a shop, making all the other brands seem very cheap, even if they are not. We tend not to question the first price or piece of information we receive and we “anchor” our perception to that original point. In risk identification, the way a question is introduced or how it is phrased may create a subconscious anchoring bias in the respondent’s mind.
Status quo bias
From a behavioural standpoint, we tend not to embrace change easily. Our brains prefer to make quick and easy decisions. We like things to stay the same. And from a risk perspective, this means that we tend not to question what is already in existence on our risk registers. Just like anchoring, we assume that because it’s already there, it must be for a good reason. We need to challenge this approach so that we can ensure all relevant risks are surfaced and addressed.
This form of bias informs our decision-making more than you may think. When assessing why something may have gone wrong, we often feel that this issue was avoidable all along. When decisions are made based on hindsight bias, a blame culture can be created. Further, hindsight bias can result in changes in processes that are not only unnecessary, but potentially harmful to the business.
Do biases play a role in your decision-making?
The simple answer is yes. Whenever we make decisions there are a number of biases that can come into play. Being able to recognise the drivers for these biases is what will help to identify them and ensure that they can be challenged where necessary so that informed choices and decisions can be made in regard to seeking risks and opportunities.
How to stay on the right side of bias in risk management
When carrying out risk identification, processes should be in place to identify biases and mitigate the danger of it informing decisions too heavily. VinciWorks carries out a three-step process to identifying risk: surveys, interviews and workshops. Surveys ask broad questions of people from across the organisation in order to capture the widest possible perspectives on risks that threaten or provide opportunities for the firm. We then follow-up on the survey by collating the responses and conducting interviews with key stakeholders to gain a deeper insight into how and why the risks identified may manifest. By conducting one-to-one interviews, we minimise the risk of bias by asking challenging questions and providing an independent perspective, playing the role of “devil’s advocate”. Conducting surveys and one-on-one interviews minimises the risk of groupthink, allowing people to provide their own opinions on issues that may impact the business.
Lastly, we run risk identification workshops, often with the C-Suite or Risk Committee, presenting the findings of the surveys and interviews and highlighting trends that have emerged as a result of the data gathered. This helps to focus the group on areas that require immediate attention as well as stimulating discussions on outlying risks. The workshop ensures that bias is minimised because the independence and experience of the facilitator ensure that all participants are given an equal opportunity to share their views, groupthink is minimised, and the status quo is challenged.
By reducing bias as part of the risk identification process, organisations are better able to make decisions that will ensure their resilience.
Risk identification masterclass
We are running a half-day risk identification masterclass at the Law Society on 17 October for anyone who has responsibility for creating, managing and updating risk registers. Delegates will be presented with the latest and most effective risk identification methods that will assist them in obtaining a 360° view of risk in their organisation. They will also be given the opportunity to test these methods with other delegates at the session. Round-table discussions within small groups will assist in sharing challenges as well as workable, proven solutions.