A truism of cyber-risk is that most events occur because of actions a person takes, not because of the electronic safeguards in place. My favorite is the “Candy Drop”, where a USB drive is dropped in a parking lot outside of HQ and someone picks it up and plugs it into their computer. In hindsight we say, “Why would anyone do this?”, yet in our minds we know we are very curious.
Enterprise Risk Management (ERM) has the same issue. We take the time and build robust assessments. We identify weaknesses and create action plans. We document the heck out of it. And we make the business owners responsible for their risks. It all sounds good on paper.
The human component is the one that, quite often, trips us up. Personalities, egos, experience, competence, HIDDEN AGENDAS… all can lead to risk management failure and make it look as though all the work that was done was for naught. And yet we can’t get away from these basic HUMAN things. Harvard Business Review (“3 Reasons You Underestimate Risk”, July 17, 2014) identifies three reasons we underestimate risk:
1) Reward obscures risk. When things are going well, we tend to fly high and lose ourselves in the thrill of the reward.
2) Sunk Costs. Studies show that we may tend to avoid looking at our losses in life, and that some people are more averse to this than others.
3) Future Aversion. The problem with assumptions is that, because the future is unknown, they cannot be tested. As a result, when faced with decisions about the future, we may rely solely on present data rather than trying to assess and test the unknown.
Let’s look at an example.
A financial institution takes the time and creates an organized and well-documented ERM program. It has all of the things anyone would want in it. Risk appetite is defined, Key Risk Activities (KRAs) are identified, SMARTER charts are completed, a reporting mechanism is developed, everyone goes through training, and ownership is taken on by the business units. While going through the process, key exposures are identified and addressed and, in short, everything seems to be working well. The auditors, regulators, and Board of Directors really like it, and management has made it an important component of the organization. But….
The program was developed during good times and now it looks like a downturn is on its way. The Bank looks to the ERM program to see what actions need to be taken. The risk appetite is tightened and capital is being conserved. But….
While reviewing the troubled loans, it becomes obvious that lien perfection has not entirely been followed through on, leaving the Bank with an increased exposure to loss. The manager of the area promptly retires, and now the Bank comes to realize that the manager (30-plus years of experience) had not been identifying the function’s risks correctly. Losses increase, a regulatory action is initiated, and the board is not happy. What happened? The short answer is that we are human.
More importantly, how does ERM help in addressing the problem? As a part of your ERM program there should be a process for when bad things happen. This provides an organized way to address the issue and to prove to others that you have identified the problem and are working to fix it.
This bridges the gap between risk assessing and risk management and can be considered an important component in successful risk management.