How Being Human Affects our Assessment, Evaluation, and Response to Risks

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


I have been reading with great interest a piece by Lloyd’s, Behavior: Bear, Bull or Lemming (shared by David Hancock).

It talks about how we are shaped, both as individuals and as members of groups, in our perception of risk — including how we respond and, therefore, make decisions.

I recommend downloading, or even better, printing and reading the entire document carefully. Don’t be put off by the way in which it seems to talk to underwriters: it works for and applies to us all. It has value for:

  • Board members, who need to understand how the personalities and experience at both board and executive levels will shape strategy and risk decisions.
  • Executive management in their understanding of their own and their team’s biases and other factors that may influence how they evaluate and treat risks.
  • Risk practitioners in their shepherding of an effective risk management program.
  • Internal audit and other assurance providers, who assess risk management — and who may need to change their approach in light of these findings (such as thinking carefully about how they phrase every question).

I have selected a few sections that I found insightful.

  • “Behavioural theory tells us there are many unintended filters which distort the way we think about risk. [All] professionals will benefit by being aware of these biases, leading to clearer thinking and a better management of risk.”
  • “The presentation of risk or “framing” leads to biases which are powerful, even amongst technical experts. Risk descriptions phrased in positive language lead to an underestimation of risk. Perception of risk is often not economically rational; and those managing risks should be aware of this.”
  • “When managing risk, the culture within a firm is critical. Studies of disasters often indicate that the problem was not with the processes, but that they were ignored or over-ruled. Attitudes within an organisation such as risk ethics in meetings, internal communications and behavior of senior managers are critical to setting the tone.”
  • “We tend to downplay risks if we can’t think of examples of them, and how risks that look the same superficially are often treated the same. We also tend to anchor our assumptions on last years’ value or on what our initial guess suggested — often in the face of new and compelling evidence.”
  • “‘Normalisation’ processes typically lead people to accept higher levels of risk for an established and long-run process with which they have become familiar. On the other, ‘sensitivity’ processes tend to heighten perception of risk in relation to a new and rapidly developing activity or issue.”
  • “There is considerable evidence that most people tend to perceive lower risk from activities that give them some benefit (reward, pleasure, privilege) irrespective of the availability of evidence on levels of risk.”
  • “Experts are more likely to define risks as less significant than lay groups and likely to be more accurate in their perceptions of risks.”

Please share your thoughts on reading this. What resonates, and what do you disagree with?

Posted on Feb 15, 2012 by Norman Marks


  1. It all resonates.  There is a huge amount of relevant behavioral science out there (and lately, behavioral economics) that we ignore at our peril. 

    This stuff has profound application for compliance programs as well as risk management.  For example, many of the same cognitive biases that undermine risk managers' perception of business risks also reduce the perception by a defalcating employee of his risk of getting caught (self-serving bias, Dunning-Kruger effect, motivated reasoning, overconfidence), of the wrongness of behavior in the first place ("social proof", conformity pressures and group dynamics, deference to [the wrong] authority) and of the impact and therefore the severity of the wrongdoing (devaluation of harm diffused across a population of victims and of harm that occurs in the more or less distant future).

  1.  A very important area, and I agree that the Lloyds report is good.

    I have been encouraging people in the UK to think about these issues for some time, but - as we can see from the up-take at present - there is something about this topic that often makes it hard for Internal Auditors to get engaged with.

    I think it may be that a number of auditors have a strong personal preference for the logical, rational side of life (this may be why they became auditors) and this soft stuff doesn't fit in with this.

    Sadly though, this is - in reality - the place where so many things can go wrong! Here is hoping that over time, as the rational approach (inevitably) fails, IA as a profession will start to engage more seriously with behavioural risk and assurance issues ~ here's hoping and in the meantime, I'll continue to work with the clients I have who are interested in this stuff and have seen the benefits it gives.

  1.  It is a remarkable report & very practical.

    The element of risk is always backed with human emotions & it varies substantially.

    People tend to be defensive while taking risks because even the capacity of the businesses is also different. A small SME will be more cautious while taking risks in business as it is futuristic the element of failure would affect quite deep & there is nothing wrong in it.

    As mentioned there is no point in not agreeing in the Lloyd's report but don't fully agree with just culture being more critical in the process of decision making. As mentioned earlier it could also be the capacity of the company to engage in it. The risk factor negatively has greater impact on the SME as its resources, funds, capacity would also be limited & still the culture could be aggressive still may not have feasibility to go for it??



