Magazine article Risk Management

The True Character of Risk: To Create an Effective Risk Culture, Organizations Need to Focus Less on Identifying Risk and More on the Human Factors That Influence the Perception of Risk Management

Magazine article Risk Management

The True Character of Risk: To Create an Effective Risk Culture, Organizations Need to Focus Less on Identifying Risk and More on the Human Factors That Influence the Perception of Risk Management

Article excerpt

IT IS NOW TAKEN FOR GRANTED THAT the 2007-2008 financial crisis suggested an urgent need for improved risk management processes, both in the financial sector and more broadly. But of course risk management was a deeply entrenched, highly institutionalized function long before the crisis. In a 2006 survey of business leaders, Deloitte Consulting found that the vast majority of firms had a chief risk officer and enterprise risk management processes. Most of these companies proclaimed themselves either very or extremely confident in their risk procedures. In the years before the crisis, risk management had also become a highly quantified and probabilistic discipline, incorporating metrics like value at risk to offer detailed projections of the exact probability, to a very narrow range of confidence, of some damaging event.

Partly as a result, by 1007, many financial firms had great faith in their ability to manage risk. "A belief had arisen during the late 1990s that bankers had so improved their risk-management and loss-prediction techniques that regulators could rely on them and their financial models to develop capital standards," wrote Gretchen Morgenson and Joshua Rosner in their 2011 book Reckless Endangerment: How Outsized Ambition, Greed and Corruption Led to Economic Armageddon. Reserves could be cut, leverage grown and potentially dangerous financial instruments developed, all because procedural risk management could be relied upon to sound the necessary warnings.

Of course, many of these same companies would soon lead the global economy off a cliff--in significant measure due to the failure of their risk management processes. In response, companies reviewed their risk approaches, added sophisticated new models, and cried to shore up the systems that had just been shown to have serious gaps. They thought, understandably, that it was the processes and models that had failed, and that effective risk management was all about identifying the right risks--mostly external--and assigning them the proper values. This could be called the computational theory of risk. Its basic assumption is that accurate estimates of quantifiable risks will provide senior leaders the information they need to make strategic choices.

But the experience of firms in the 2007-2008 crisis suggests that a different theory might better capture the true source of risk management failures. There is abundant evidence that the fundamental problem in comprehending risk before the crisis was not in processes or models. Risk can be categorized and (partly) measured by such things in ways that help inform senior leader judgment. But risk failures are mostly attributable to human factors--things like overconfidence, personalities, group dynamics, organizational culture and discounting outcomes--that are largely immune to process. In dealing with risk, human factors will defeat procedures every time.

This is the perceptual theory of risk management. The critical foundation for managing risk, this theory suggests, is careful attention to factors influencing the perception of risk by organizations and senior leaders. It is now well established that bias and cognitive dynamics affect the behavior of organizations, but the overwhelming tendency is still to view risk as something objective that can be calculated and precisely mitigated. Yet if the resulting efforts ignore the human factors involved, they will accomplish nothing. The solution, to the limited degree one is available, is to organize the habits, mindsets and decision-making styles of organizations to help mitigate human and organizational factors, not environmental or technical ones. Risk identification can be a procedural and technical endeavor, but truly managing risk and preventing failures is primarily an institutional, cultural and human task.


In the late 1990s, one of the most-admired companies in the United States established a sophisticated risk management unit that soon garnered notice as a best practice for the industry. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.