Blind Spots in Risk Identification Can Be Driven by Recency

As humans, we exhibit a number of cognitive biases and tend to think in certain ways that can cause us to wander from the path of rationality or good judgment from time to time.

One such bias involves the phenomenon of most easily remembering those things that have happened recently, compared to remembering something that may have occurred a while back. For example, talent managers express concern that employee performance reviews often reflect what an individual’s performance has been lately instead of their true performance throughout the evaluation period.

Thinking Differently

This “recency effect” principle is described by psychologists as a belief that recent experiences will continue on as they have. So we tend to think that what is happening around us today will continue for the foreseeable future. In business, this can be a real source of unanticipated disruption to the company, the stockholders, and the board.

For example, top executives don’t believe that the quality of their products could degrade suddenly and lead to customer injuries, or may not see an emerging competitor with superior technology coming to take their best customers this year. And because they believe their company employs only the best people, leaders and board members may not foresee a scenario where the CEO could divert significant capital into a poor acquisition, or one that is rife with fraud — with either result significantly impacting the acquiring company’s reputation and results.

So recency bias impacts how we think about risk events. When we consider risk to our strategic goals and objectives, it causes us to sometimes discount the likelihood of unexpected events occurring, and instead assume that people, markets, and customers will continue to behave in much the same way as they have previously. If we don’t at least play out the possibility that changes may be occurring – in other words, evaluate options not on the current path — we won’t be prepared to handle any resulting impact. As a result, discounting or ignoring unobvious options precludes planning with appropriate responses that would enable us to recover quickly – the “resiliency” needed to survive and thrive.

Closer to Home

Beyond business survival, having a recency bias can also affect our personal lives – perhaps even impacting the safety of our families. We have to be continually looking beyond today’s observations of the world and consider what may happen in the future – given that various cycles exist in the world, and things that have occurred previously can occur again. Economic cycles, cycles of war, and even the rise of political protest and societal instability will appear regularly in the ebb and flow of events over time.

Our weather here in Michigan is a great example. History shows us that within the space of a few days, the weather can go from one extreme to another and catch many people unprepared.

Over the past few weeks we have enjoyed temperatures in the 40s and 50s, hitting 57 degrees in Detroit on January 12th and 56 degrees in Lansing on January 21st. As a result, many expect the winter to continue to be mild. However, these extremely mild weather patterns have occurred in the past – and in some cases, foretold the arrival of massive snow storms. Two such storms occurred in the final days of January in two different years following unusually warm temperatures and rain.

The storm of January 27-28, 1967 resulted in the shutdown of Chicago, Detroit and much of Michigan for several days, leaving thousands of vehicles and travelers trapped in driveways, streets, parking lots and on highways due to massive snow drifts many feet high. The Governor of Michigan declared a State of Emergency as people were trapped in their homes and trucks were unable to transport goods of any kind across the State. Those with emergency food and fuel were able to adapt to the changing weather and “ride out the storm” more easily, but over 20 people lost their lives — primarily due to the exertion required to dig out of the snow.

Then exactly 11 years later on January 27, 1978 another massive storm — later deemed to be worse than the earlier one — blanketed most of Michigan and again halted commerce. But with this storm, below-zero temperatures, combined with winds gusting over 50 mph, produced wind chills down to negative-50 degrees for the next month. Business and individual resilience was again tested, but to a much greater degree given the extended period of frigid conditions.

Enhancing Risk Intelligence

Identifying potential sources of business risk takes effort. While weather change may be an easily foreseeable event, our failure to take action and prepare for a crisis may come from the human bias toward normalcy surrounding recent conditions. Likewise in business we may dismiss outright or give only passing consideration to events that could occur but have not been observed lately.

Properly managing your risk, whether at home or in your organization, requires a disciplined process for identifying and evaluating events and other factors that could derail achievement of your objectives. This should include unlikely changes in the business, economic, political and other environments.

To improve our chances for success, we must be aware that bias may exist as we complete our assessment. In addition, we must evaluate both the range of potential outcomes and how quickly things can change – the velocity – in addition to the impact on the organization. Techniques to assess both the upside and downside impact on our objectives could include business plan scenario analysis, war gaming, and even conducting game theory workshops in situations where external player actions will impact our decisions and plans. Where signals or mechanisms do not exist to provide sufficient early warning for the approach of adverse events, we must develop more robust response plans to minimize the impact on our organization, its employees and customers.

About the Author: Jay R. Taylor is CEO of EagleNext Advisors in Detroit, Michigan after having led Strategic Risk Management and serving in various global executive internal audit roles for General Motors Company. Jay focuses on enabling business growth and opportunity through risk-enabled decision making and better board governance. He is a Founding Member of the Private Directors Association Detroit Chapter and in 2016 became a National Association of Corporate Director’s Governance Fellow. Jay can be reached at jay.r.taylor@comcast.net.
Advertisements

Culture: The One Element Most Critical for the Board’s Management of Risk

Private Director’s Association – December 2016

pda-newletter-bannereditor-banner

Something More Fundamental

Previous articles in this forum on the topic of risk management focused on such things as the need for a risk register and improvement opportunities for board-level reporting. But today, I want to take directors back to something even more fundamental — something that explains both the “failure to thrive” in so many businesses — and the colossal failures in giants such as VW, Wells Fargo, and General Motors. It is also the key to enabling successful strategy execution. What is it? Culture.

Given everything a company must do, what makes culture so important? How does this link to business growth over time? What can board members do to impact the risk culture and enhance oversight? What indicators should we be looking for? These questions are being asked in board rooms and court rooms all over America today, and are discussed below.

Importance of Culture

Let’s begin with some reasons why board members and senior leaders should be concerned about culture.

Peter Drucker, a recognized leader in the development of management education, is often credited with saying that “culture eats strategy for breakfast”, meaning that great strategies can be enabled or resisted by strong enterprise cultures. A bad culture can also surround and destroy organizational creativity and initiative. Joe Tye, CEO of Values Coach, the leading authority on values-based leadership skills and strategies, said “when strategy and culture collide, culture will win. Culture provides a level of risk prevention that cannot be attained with strategy alone”.

At a recent leadership conference in Washington, D.C. for corporate directors, I heard a keynote speaker state that “risk is not knowing what is going on around you”. Earlier, when I was involved in helping to change the dynamics around risk taking at General Motors, our CEO talked about culture as a set of specific behaviors exhibited by leaders and modeled by the team – which could be either positive or negative. In other words, it was about the ways in which people acted when no one was looking. But how can a company model and reward the desired behaviors to fix or improve the culture? The answer starts at the top with the actions of the board and CEO.

Pamela Bilbrey and Brian Jones, in their book Ordinary Greatness: It’s Where You Least Expect It… Everywhere, said, “Every organization has a culture. Unfortunately, many, if not most cultures developed by happenstance…” As board members, we cannot afford to let this occur. Culture should be planned and fostered.

James S. Turley, former chair and CEO of Ernst & Young, chairs the audit committee at both Citigroup and Emerson Electric Co., and serves on the boards of Northrop Grumman Corp. and Intrexon Corp. His advice to directors: “You want to create a ‘culture of candor and credible challenge’ [that allows directors] to ask the uncomfortable questions of management.” When the culture in the organization does not support open communication with the board, big problems can occur. As directors, we need tools to help us understand the organization’s current environment to assess what improvement may be needed.

Pointing the Way

As a director, what are some of the questions we could ask, or indicators to look for, that might tell us about the health of the risk culture?

  • Is the CEO active in creating the culture for the organization? Is he or she modeling the right behaviors?
  • Is there appropriate tone at the top, both during and outside of board meetings?
  • During strategy, product, and investment discussions, is there transparency around business assumptions, openness to respectful but challenging views, and identification of emerging risks to the business model beyond the immediate planning horizon?
  • Is there a willingness to bring forward bad news? Is there an understanding that failure may occur, but the business cannot grow and prosper without taking smart risks?
  • Has the board established clear expectations for timely identification and handling of risk, particularly those around business goals and objectives? Is there clear risk ownership?
  • Not everything should be filtered through the CEO. Are other executives and risk owners present at board meetings and allowed to take questions directly?

Conversely, here are some of the indicators that the risk culture may not be effective:

  • Unclear objectives for the organization and each group or function
  • Lack of awareness at the staff level of the company’s long-term and short-term strategies and objectives
  • Allowing unethical practices or failing to address noncompliance with policies
  • Using extreme “stretch” goals to drive the business, or too much focus on short-term goals
  • Lack of attention to regulatory failures or issues raised by risk owners or auditors
  • Shooting the messenger – bad news is not well received by management
  • Failing to train leaders on the basics of managing their risks; inconsistent or nonexistent understanding of risk, leading to unwanted “surprises”
  • Absence of visible processes to measure performance, manage business change, or manage risk.

The Rewards

According to scholars at the Enterprise Risk Management Initiative in the Poole College of Management at North Carolina State University, fostering meaningful conversation is key to shaping the right risk culture. Importantly, the board and management need to exercise best practices in governance. Management and the board should encourage open discussion and foster trust in the organization to drive certain behaviors. A busy schedule should not interfere with the important conversations that need to take place to manage risk.

Culture should not be left to happenstance, but instead should be driven by thoughtful consideration by the board. We need to develop greater confidence in management’s ability to navigate risk to achieve company objectives more often. With that comes not only the ability to truly know what is going on around you, but fewer performance surprises. Organizations that are agile and can act quickly in the face of new or changing risks will be able to successfully pursue greater levels of risk and reward.

I will end with a quote from Lou Gerstner, former IBM CEO, who said, “When I came to IBM, I probably would’ve told you that culture is just one among several important elements in any organization’s makeup and success – along with vision, strategy, marketing, financials and the like… I came to see, in my time at IBM, the culture isn’t just one aspect of the game – it is the game”.

 

This Article is Classified as: BOARD OPERATIONS – Communication and Culture, in the PDA Body of Knowledge.  Published at http://privatedirectorsassociation.org/images/downloads/Newsletters/pda_newsletter_december_2016.pdf

 

 

 

3 Tips to Better Align Directors and Internal Auditors on Technology Risk

stock-photo-modern-network-and-telecommunication-technology-computer-concept-server-room-in-datacenter-room-289036955

Many directors have questions about their organization’s cyber security posture and the effectiveness of the groups (including internal auditors) that are responsible for providing assurance on risk management and control.  In this posting, I discuss some causes of blind spots and suggest actions.

I recently spoke at a technology symposium attended by IT audit directors from many of the largest companies in the U.S.  The purpose of my talk was twofold: share insights from conversations with corporate directors regarding their role in strategic risk oversight, and help audit executives understand the pressures that boards face so that internal audits can better align with shareholder needs.

During the exchange, I conducted anonymous polling to understand why significant gaps can exist between board director expectations and what internal audit teams are actually able to deliver.  Below, I describe some highlights from the session and encourage directors to probe more deeply about their organization’s defenses during cyber security updates and other presentations.  Directors should also request action plans from management that will close any significant gaps.

How well are internal audit teams addressing strategic IT risk?

According to a recent study[1], two out of three board members believe internal audit should have a more active role in evaluating an organization’s strategic risks.  This implies that management has defined, and internal auditors have obtained and assessed, the organization’s strategic plans including the specific business and IT-related initiatives that will advance its goals.

In this regard, polling of participants at the symposium showed that only 76% agreed that their organization had an IT strategy, while the remainder (24%) felt there was “somewhat” of a strategy in place.  Where a definitive strategy does not exist, auditors may struggle to provide the board with needed assurance around related control and risk management practices.

Internal auditors are effective when they assess the management of the organization’s most important risks, particularly those impacting company objectives and strategy.  When asked at the symposium whether their audit teams assessed the management of some or most of the strategic risks in their organization,

  • 65% agreed they perform these strategic audits, while
  • 35% acknowledged being aware of company strategy and objectives, but said they did not assess how well the related risks were being managed.

When asked about barriers in the organization preventing them from auditing strategic risks,

  • 43% indicated that there were no barriers in their organization, however
  • 21% indicated that management was resistant to them being involved in strategic risk areas, and
  • 14% indicated the board was not interested in having the risks assessed, and
  • 14% lacked awareness of the strategic direction, while 7% responded, “don’t know/not applicable”.

Clearly, these areas need discussion and perhaps greater attention by the board and the Chief Audit Executive (CAE) to reduce or close any expectation gaps.

Are you able to withstand a cyber-security attack today?

With all the attention given to cyber security in recent years, you might expect that a large percentage of major organizations in America rate themselves as well protected.

However, when asked whether they felt their company could currently defend itself successfully against a sophisticated cyber-security attack,

  • 33% of poll respondents at the symposium indicated they could successfully do so,
  • 48% felt their company’s defenses were not sufficient, and
  • 19% were unsure.

These polling results showing that two-thirds of the executives lack confidence in their defenses do not surprise me.  Large, complex organizations are naturally more vulnerable to security events because of the broad “attack surface” created when deploying technology and application systems across dealers, suppliers, venture partners and others.  However, in those cases I expect that the board and internal auditors would have significant dialogue around the effectiveness or ineffectiveness of company defenses and discuss the timing of steps agreed by management to remediate the deficiencies.  Transparency with the board is critical.

Where does the Board want assurance on controls?

When building the internal audit plan, it is important that the audit team have an understanding of areas where the board would like to receive assurance from the audit work.

In the polling, 73% of participants said that they had a good understanding of the areas where their board wanted assurance and actually had performed audits in those areas.  However, 26% said they either had not asked their board for their input on coverage, or were aware of board “hot buttons” but did not perform audits in those areas.  Expectation gaps can arise around internal audit performance when they have not gathered requirements from their most important “customers”. 

While 69% of participants felt the board should hold the CAE accountable for internal audit’s failure to deliver what the board wants, 25% felt that the audit committee itself was responsible for any such failure; after all, the audit committee typically retains, oversees, and evaluates the performance of the CAE.

Tips for Better Alignment around Technology Risk Management

Now that we have a better understanding of the sources of potential blind spots, directors can use the following lines of inquiry in board meetings to get issues on the table for resolution.

#1 – Inquire whether the internal auditors understand and are assessing your organization’s technology strategy.  Some organizations hold their strategic plans “close to the vest” and may not be sharing them with the CAE.  However, the audit team cannot hit a target that they cannot see.  Where the target or strategy is non-existent, the board should understand the reasons.

#2 – Ask for assurance that the auditors prioritize and focus on the most critical cyber risks.  Directors should understand whether management has performed a thorough risk assessment.  Where gaps in defenses are noted, management should be taking steps to reduce the potential impact of a breach.  Internal audit should be providing value-added recommendations where needed. For example, performing an internal audit assessment of the company’s “crown jewels”, which are the most valuable or important digital assets, will help to bring attention to areas needing heightened levels of protection.  You cannot protect everything, so be sure to put your resources where needed most.

# 3 – Ensure that management is not restricting the auditors from doing their job.  To be effective, the CAE and internal audit team needs the visible support of the board to enhance their ability to be independent and objective in their work.  The CAE should discuss with the audit committee any differences of opinion with management regarding the audit plan to reduce the likelihood of undue influence on coverage of important risk areas.

Conclusion

Directors, management and internal auditors have shared objectives when it comes to protecting the organization from downside risk.  Likewise, aligning the three groups in pursuit of strategic goals and objectives will help the organization take advantage of opportunities to pursue growth and long-term value creation.

———–

[1] “Six Audit Committee Imperatives: Enabling Internal Audit to Make a Difference”, by Jim DeLoach and Charlotta Lofstrand Hjelm, a Global Internal Audit Common Body of Knowledge (CBOK) study report, conducted by The IIA and Protiviti, 2016.