Behavioral Risk: The Hidden Costs of Human Bias

Key Takeaways

1. Transparency: Encourage open discussions about assumptions and decision-making processes to uncover hidden biases.
2. Technology: Use automated tools to reduce the influence of human judgment where possible, such as automated vendor risk scoring or exception tracking.
3. Accountability: Ensure ownership for decisions around SAOR risks, third-party evaluations, and policy exceptions, with checks and balances to challenge biased decisions.

Table of Contents

• Overconfidence: The Illusion of Certainty
• Anchoring: The Danger of First Impressions
• Loss Aversion: Fear of Letting Go
• Building Bias-Aware Organizations
• Turning Awareness into Action
• Controls: Biases in Design and Assessment
• Audit Findings: Biases in Identification and Reporting
• SAOR: Bias in Operational Risk Management
• TRP: Bias in Third Party Risk Management
• Policy Exceptions: Bias in Approval and Enforcement
• Why Behavioral Risks Matter in These Domains

Overconfidence: The Illusion of Certainty

How to Mitigate Overconfidence

• Encourage Devil’s Advocacy: Designate a team member to challenge optimistic assumptions during planning discussions.
• Use Pre-Mortems: Before finalizing decisions, brainstorm potential ways the plan could fail. This shifts the focus from “What could go right?” to “What might go wrong?”
• Back Decisions with Data: Rely on objective data rather than gut feelings to build forecasts.

Anchoring: The Danger of First Impressions

How to Mitigate Anchoring

• Revisit Initial Assumptions: Periodically reassess decisions as new information becomes available.
• Compare Multiple Scenarios: Encourage teams to explore a range of possible outcomes, not just the one tied to the anchor.
• Train for Flexibility: Regularly practice decision-making in simulated crises to help teams adapt quickly to changing data.

Loss Aversion: Fear of Letting Go

How to Mitigate Loss Aversion

• Frame Decisions Positively: Highlight the potential gains of a decision rather than just the avoided losses.
• Set Clear Exit Strategies: Define criteria for when to abandon a failing project before emotions come into play.
• Promote a Growth Mindset: Encourage teams to view setbacks as learning opportunities rather than failures.

Building Bias-Aware Organizations

• Invest in Training: Equip employees with tools to recognize and counteract cognitive biases. Workshops or e-learning modules on decision-making psychology can make a difference.
• Adopt Structured Decision Processes: Use checklists or decision matrices to ensure all key factors are considered, reducing reliance on intuition alone.
• Psychological Safety: Create an environment where team members feel comfortable challenging groupthink or raising concerns about biased decisions.

Turning Awareness into Action

Controls: Biases in Design and Assessment

• Overconfidence: Teams might assume that existing controls are sufficient because they haven't failed before. For example, if a control hasn’t been triggered for years, decision-makers may become complacent, overestimating its effectiveness without testing its relevance to emerging risks.
• Anchoring: When designing controls, teams might stick too closely to initial risk assessments. If the risk landscape changes—say, a rise in cybersecurity threats—but controls remain anchored to older assumptions, organizations can be left exposed.
• Loss Aversion: Resistance to changing outdated or inefficient controls often stems from a fear of "losing" the time, money, or effort previously invested in those controls.

• Periodically review and test controls against current risks.
• Use independent audits or peer reviews to challenge assumptions about control effectiveness.
• Encourage adaptive control frameworks that evolve with the risk landscape.

KRIs: Biases in Selection and Interpretation

• Overconfidence: Teams might prioritize metrics they believe are easier to monitor rather than metrics that truly indicate risk. For instance, focusing on high-level financial ratios while ignoring operational KPIs tied to frontline risks.
• Anchoring: If a historical KRI threshold is set too low, future decision-makers may stick to it, even when changes in the business environment suggest it should be adjusted.
• Loss Aversion: Teams may resist retiring ineffective KRIs because they've been part of the reporting framework for years, even if they no longer add value.

• Regularly validate KRIs against evolving risks to ensure they remain relevant.
• Incorporate external benchmarking to avoid relying solely on internal metrics.
• Use dashboards and data visualization tools to explore trends without getting anchored to specific numbers.

Audit Findings: Biases in Identification and Reporting

• Overconfidence: Auditors might underestimate the need for deeper investigation if prior findings were minimal, assuming everything is still under control.
• Anchoring: Initial findings during an audit can set the tone for the entire process. For example, uncovering a minor issue early on might lead to dismissing the possibility of more serious, systemic problems.
• Loss Aversion: Auditees may resist acknowledging findings that suggest prior decisions were flawed, leading to a culture of defensiveness rather than improvement.

• Rotate audit teams periodically to bring fresh perspectives.
• Train auditors to explicitly check for biases in their own evaluations.
• Encourage open dialogue with stakeholders to ensure findings are viewed as opportunities for growth rather than blame.

SAOR: Navigating Bias in Operational Risk Management

• Overconfidence: Risk owners may overestimate their ability to manage operational risks without sufficient controls or monitoring, leading to gaps in risk coverage.
• Anchoring: Initial risk ratings or historical loss events might anchor decision-making, resulting in an underestimation of new or emerging risks. For example, focusing solely on risks that have materialized in the past while ignoring evolving threats like automation errors.
• Loss Aversion: Teams may resist decommissioning outdated operational processes that no longer align with organizational priorities, fearing disruption or sunk costs.

• Scenario Testing: Challenge operational risk assumptions by running diverse scenarios, including "black swan" events.
• Dynamic Risk Registers: Regularly review and update risk registers to reflect current realities, avoiding reliance on historical data alone.
• Cross-Functional Reviews: Involve diverse teams to reduce groupthink and bring different perspectives to operational risk assessments.

TRP: Bias in Third Party Risk Management

• Overconfidence: Organizations might assume a long-term vendor poses minimal risk simply because they’ve performed well historically, neglecting to account for changes in the vendor’s financial health, compliance status, or market conditions.
• Anchoring: Initial assessments of a third party, such as their certification status or prior performance, may anchor perceptions and prevent organizations from revisiting risks as conditions change.
• Loss Aversion: Decision-makers might resist switching vendors due to the perceived hassle and cost, even when a new vendor offers lower risk and better value.

• Implement ongoing risk assessments instead of relying solely on periodic evaluations.
• Use data-driven risk scoring models to reduce the influence of subjective judgment.
• Train procurement and vendor management teams to recognize and counteract biases in their evaluations.