Monthly Archives: January 2020

Archived Posts

2020-01-27 by: James Bone Categories: Risk Management What is a cognitive risk consultant?
Davos Switzerland

Having
spent the last ten or more years researching and writing about cognitive risks
I was recently asked what is a cognitive risk consultant? I realized that I
hadn’t explained this very well at all so here goes. It may also help to
understand the path that I have taken to get here.

My
foundational training started with Dr. W. Edwards Deming’s work which applied statistical variance to systems and
systems thinking to human psychology. Later, informed by a laundry list of Nobel
economists, behavioral science influenced how I managed teams, developed
leaders of teams and built sustainable processes in risk management. As an
athlete in college, I also learned that teams are more successful when you
build a program around the people on your team and trust them with a clear
vision and the right tools to learn how to win.

Leadership
is important but if teams are not given the right tools to learn and improve on
their own leadership is not enough. The field of corporate risk management has
largely ignored lessons from the sciences until now. Today, a convergence of
science, technology and cognition is transforming the global economy and how
risks are managed.

These
observations have led me to the development of a cognitive risk framework and
the start of a new path in risk management that puts people first. Cognitive
risk is a process of integrating risk management into how people do their jobs
with the right tools. The challenge however is how to transition from 19th
century legacy processes to a 21st century digital dividend while navigating risk?

The
question or hypothesis that I proposed in developing a cognitive risk framework is, “do existing risk
frameworks discount the role of human behavior?”
The answer is yes but recently
ISO 31000 and NIST Cybersecurity frameworks among others have adopted new
guidance that suggest considerations into behavioral factors and guidance to
start.

New
tools are still needed to evaluate complex risks as business transitions to a
digital environment. Thankfully, technology is evolving to assess more esoteric
risks, like cyber, which are harder to measure. As organizations leverage
digital strategies the impact on human assets and our ability to discern risks
in a digital ecosystem creates cognitive dissonance that we must better
understand.

Cyber
adversaries are also waging a very sophisticated cognitive war to deceive users
over the internet and the airways. These attacks are subtle and becoming so
pervasive that most observers are not aware of the conceit. Think Jeff Bezo’s
cellphone hack as a simple analogy.
Subtle but very effective. Trust in technology is the vulnerability being
exploited in a digital economy.

Regulators
and auditors have also joined the fray. United Kingdom regulator, the Financial
Conduct Authority (FCA), has incorporated Conduct Risk into a structured
regulatory framework as part of a strategy to better supervise wholesale banks.
International banks are hiring psychologists and behavioral scientists to
oversee organizational culture to comply with FCA regulation. And lastly,
public accounting firm, Deloitte, has developed what it calls a Cognitive Risk Sensing platform designed to
aggregate data from social media and other websites to monitor emerging threats
and opportunities to an organization. A foundation for a cognitive risk
discipline in risk management is emerging into a rich and diverse field.

Dan
Kahneman and Amos Tversky’s ground-breaking Prospect Theory, has influenced large
multinational banks, institutions and even public accounting firms to explore approaches
to mitigate the impact of bias in decision-making. The premise is to use
applied behavioral economics to direct behavior, such as culture, to a better
place. A broad and diverse field of behavioral analysts and researchers are
pushing boundaries in medical research, healthcare, NGOs and financial services
to name a few. It should also be noted that all of Kahneman and Tversky’s
“studies” involved well-educated Ivy League college students in controlled
laboratory like environments. Today’s researchers are slowly being given the
change to test these theories in the wild.

The
jury is still out on the scalability of applied behavioral
economic theory

in corporate settings. There may be isolated examples of short-term success in
small scale projects to lever up these initiatives into large scale programs
but success stories are not apparent. To find examples of applied behavioral
economics look no further than cybersecurity, anti-money laundering systems,
smart contract management systems, and insider threat monitoring.

These
systems are getting smarter through a convergence of cloud computing, machine
learning and growth in new applications. Historically, the human-machine
interaction has been softest vulnerability in information security. In an
environment of networked devices and billions of endpoint the scale of
vulnerability is expanding more rapidly than we may fully understand. Human
behavior will continue to be the weakest link until more intuitive security
approaches are designed.

The
Five Pillars of a Cognitive Risk
Framework is proposed as a supplement to existing risk frameworks with an
understanding that [it] too must evolve over time. The goal of a cognitive risk
consultant is to guide an organization through the process of developing a Cognitive Map of the organization to uncover blind spots
across the firm using advanced probing questions, targeted data and technology
to build scale and efficiencies that are hidden beneath the surface. The result
is a strategic plan for aligning enterprise risk management with the key
objectives in organizational performance.

As Kahneman, et al, point out awareness of the effects of bias has done little to improve the quality of business decision-making at the individual or organizational level. I would suggest the same is true for risk management. Each pillar of a cognitive risk framework adds to a multidimensional view on risks providing the board and senior executives with direct insights into the benefits of reductions in unproductive risks and returns on investments in risk management. The outcome of a cognitive risk framework is simplicity in risk management through a science-based approach to governance. To learn more contact Global Compliance Associates LLC.