A lack of time, information, and wanting to avoid difficult trade-offs means all of us tend to rely on our experience, impulses, gut feelings, and rules of thumb when making decisions.  These shortcuts – or cognitive biases – can be helpful, particularly when we need to make decisions quickly.  But they can also mislead.  Their potential impact of cognitive biases on risk management can be profound. 

There are two main reasons:

1. Risk management is where important decisions about uncertain future events meet too little reliable information.  This means cognitive biases influence what decisions we think we need to make.  They also fill information gaps when we make the decisions we have decided we need to make.  
2. We are “cognitive misers”; we don’t like to expend mental energy on entertaining uncertainties, which is obviously what risk management is all about. Instead, we prefer to seek closure and to ‘do’.  This can lead us to limit our thinking about the future, our objectives, and our options.

Some definitions and assumptions before we go further:

A cognitive bias is when an individual creates their own subjective reality from their perception of an input. As a result, an individual’s construction of reality, not the objective input, dictates their behavior.  There are some examples below.  We all do it; it isn’t a fault but a feature.  For example, it is what once caused our ancestors to run from a rustling in the undergrowth long before they actually saw the tiger stalking them.  

• Risk management currently most often involves implementing controls aimed at preventing negative events and making plans to mitigate the consequences of the negative events an organization is unable to prevent.    
• Most risk managers have access to far too little reliable information to make well-informed risk management decisions.  Most risk data is currently analyzed only in silos of incomplete information, so the analysis is inherently unreliable, and in any event, is rarely shared.  Data on risk management is even rarer, so there is almost no analysis and nothing to share. 

When important decisions about how to prevent potentially significant but uncertain negative future events meet too little reliable information, risk managers have no choice but to fill gaps, both real and perceived, with their own biases.  For important risks like sexual abuse and misconduct (SAM) risk, the combination of inherent uncertainty and rarity, too little reliable information, and biases can cause poor decisions.  The impact of cognitive biases on SAM risk decision-making is likely made worse by the nature of SAM and the discomfort many have with even thinking about the subject, never mind talking about it.  The negative consequence of poor SAM risk management decisions is that minors and vulnerable adults are less safe than they should or could be. 

Risk, biases, and risk management being what they are, biases can never altogether be eliminated from risk management decision-making.  The challenges with minimizing the negative impact of biases are that there are so many of them, that they are so hard to see in ourselves, and that each is minimized in its own way.  

The most helpful element in minimizing most biases is more reliable information – see below.  And because the impacts of different biases are minimized in different ways, different types of information – data, detailed analysis, expertise, and experience – are needed, which is why BOKRIM develops each of these types of information about SAM risk and its management.   

The following are some of the biases that are more relevant to SAM risk management decision-making. 

• Anchoring bias is the tendency to fix on initial information as the starting point for making a decision and failure to adjust for subsequently collected information.  For example, 15 years ago, a big SAM settlement was $250,000.  Now, though a big settlement is $25,000,000, SAM risk management has hardly changed.
• Availability bias leads decision-makers to use the information that is most readily available to them when making a decision, however incomplete, inaccurate, or unreliable the information may be.  As SAM is so rare, most people’s available information is that SAM doesn’t happen at all.
• Belief bias is when one’s evaluation of the logical strength of an argument is biased by one’s belief in the truth or falsity of the conclusion.
• Confirmation bias involves seeking information that supports one’s initial conclusions or past choices, putting little weight on things that challenge our views, and not gathering information and data objectively.  The fact that SAM doesn’t happen can lead a SAM risk manager to conclude they are doing everything they need to, to make it so.  That SAM is objectively rare anyway, matters much less.
• Recency bias means decision-makers favor recent events over historic ones.
• Risk aversion is a preference for a sure outcome over a gamble with higher or equal expected value.  Managing SAM risk the way it has always been managed seems safer than trying new approaches.

Given that all of us make poorer decisions than we would like because of our cognitive biases, what can a SAM risk manager do to minimize the negative effects of their biases on their SAM risk management decision-making?  

Thinking about the future

Most of us think too narrowly about future outcomes.  We make one best guess and stop there. 

One guess doesn’t work for risk, apart from anything else because risk is the product of potential frequency and potential severity.  For an inherently rare risk like SAM, one reasonable first best guess might therefore be that we shouldn’t worry too much about it.  Given SAM’s potential consequences, however, another would be that we should never stop thinking about it.  

Reliable information on frequency and severity is essential to explore a reasonable compromise between doing nothing and doing nothing else.  Reliable information, in this case, is data on frequency and severity in appropriate contexts, with adjustments for trends and known or expected developments, understanding any specific strengths or vulnerabilities that might skew comparable or trend assessments, and obtaining alternative perspectives.

Thinking about objectives

For many organizations, their primary SAM risk management objective is to comply with regulations that govern how they are required to manage SAM risk.  This is the natural consequence of being given regulations to follow, not wanting to think about uncertainty and wanting to ‘do’, and organizations facing serious penalties if they fail to abide by the regulations.  

But SAM risk management rules are designed to ensure SAM risk isn’t managed poorly.  They don’t enable it to be managed well.  It is arguable that SAM risk has exploded so much in the last 15 years because we have focused too much on observing regulations which have changed very little and have broadly ignored how much SAM risk has changed.

What if, instead of setting the observation of regulations as an objective, we chose to go beyond them?  What objectives could be aimed for?  

Risk management best practice recognizes this weakness in regulatory regimes.  Risk management best practice is enterprise-wide risk management (ERM).  The focus of ERM, and an alternative objective for SAM risk management, could be to seek to positively influence the impact SAM risk has on the organization’s ability to achieve its most important objectives.  

Because an organization’s objectives can be too distant from the everyday concerns of a SAM risk manager, more SAM risk-specific objectives may be more reasonable.  These could include ensuring minors and vulnerable adults are as safe as the SAM risk manager can make them or minimizing the total cost of SAM risk and its management.  

Alternative perspectives help to identify additional, potentially more valuable objectives.  And reliable information on how to meet those objectives, such as data on the most effective SAM risk management practices or on the total cost of SAM risk and its management, is also required.  Then, we also then need metrics to ensure we are achieving our chosen objectives.  Those come from experience and expertise, both of which also enable their understanding and effective calibration.

Thinking about options

Like anything else, to make good SAM risk management decisions, we need a decent range of options.  We also need some reliable way of ranking our options.  

Options for managing SAM risk mean thinking beyond the regulatory framework most organizations abide by, and might include, for example, the ERM-based options few organizations currently consider.  Then, there are always different ways different options can be used.  Some ways are more effective than others and, for example, some are more expensive, some are more time-consuming, some require more tech, and some require more training.  All these criteria matter but they matter in different ways and amounts for different organizations and different SAM risk managers.  They are also found in different forms of information beyond hard data, such as in other’s experience and expertise.  

To understand more about how BOKRIM enables SAM risk managers to think broadly about future outcomes, objectives, and options, take a look at how the BOKRIM platform develops and shares SAM risk and risk management data, analysis, experience, and expertise.