
The Role of Human Behaviour in Effective Risk Management

The ISO 31000 risk management standard and the NIST Cybersecurity Framework, among others, have adopted new guidance suggesting that behavioral factors must be included and considered during risk assessments.

Human behavior is identified as the weakest link in risk management and security. Human factor risks will continue to increase with the fast-paced digital economy, digital transformations and the business impact of the Covid-19 pandemic. To that end, we suggest that when conducting risk assessments, the first major risk to examine is People and Culture Risk.

In a Harvard Business School article by Robert Kaplan, appropriately entitled “Risk Management: The Revealing Hand”, the following is noted:

“Well-documented psychological and sociological biases within organizations lead them to overlook important risks and to systematically underestimate and under-manage those they do identify.”

The above quote, I submit, equates to one of my maxims: if you can’t think it, you don’t act on it. And this, in my respectful opinion, is what many leaders/decision makers suffer from with respect to risk management.

Regulators and auditors have also joined the fray in ensuring human behavior is factored into effective risk management principles. The United Kingdom regulator, the Financial Conduct Authority (FCA), has incorporated Conduct Risk into a structured regulatory framework as part of a strategy to better supervise wholesale banks. International institutions are hiring psychologists, anthropologists and behavioral scientists to oversee organizational culture and to comply with certain regulations. Additionally, major corporate entities like Walmart, Pepsi, Google and Amazon have created a new C-Suite role for a Chief Behavioral Officer.

Consideration of behavioral risk must be factored in because of the following concepts/practices:

  • Risk perception
  • Adversarial thinking (as it applies to cybersecurity risk)
  • Lateral vision/thinking
  • Risk culture
  • Conduct risk
  • Cognitive biases
  • Heuristics
  • Ethnographic issues

The above is not an exhaustive list of considerations, but it does demonstrate a major shift in risk practice: risk practitioners must become “risk solution designers” rather than managers of risk or, as is found in many institutions, “gatherers of risk” who are primarily concerned with compiling information they then call a risk register, and where risk management is treated as a compliance issue.

Further, the misallocation of risk resources or the misidentification of risks distracts organizations from the key risks that threaten their objectives. When risk resources are misallocated, or are spent reactively responding to events that aren’t necessarily risk events, the real threats that matter to the business go unidentified and untreated.

Be advised: the uninspected/the unidentified usually deteriorates,