CRO DIARY: We are so busy chasing the next “sexiest” risk, we miss the forest for the trees

Recently, I sat down to do my weekly Wednesday live stream. Normally I share stories, answer questions and discuss lessons I learned as a Chief Risk Officer, but this time I wanted to talk about something else, something that has been troubling me for a while: the fundamental flaws in decision making and risk management.

If you’re in risk management or have a curiosity for the subject, here are four takeaways from my latest YouTube and LinkedIn live stream.

We are so busy chasing the next “sexiest” risk, we miss the forest for the trees

Do you notice how our risk focus changes from year to year? Do you remember when companies were incredibly worried about foreign exchange risks? I bet you don’t. That risk has come and gone. Now it’s just a normal part of doing business in the global economy. In the last few years the focus shifted to cyber risk. Now that risk, too, is fading away to make space for the current risk du jour, climate change. Instead of focusing on cyber security, everyone is focusing on the effects of climate change. Climate change was risk number one in the WEF Risk Report 2020, no surprises there. Do you want to guess the risk of the month right now? That’s right, pandemics, COVID-19 specifically.

Why is that? Why do we tend to fixate on one particular risk at a time while ignoring the others? Well, I can guess why: many institutes and most regulators still push the one-risk-at-a-time silo agenda. Maybe it’s time to look beyond single risks to the actual root cause?

Problem 1: Attempting to manage one risk at a time will always fail

My hypothesis is, and this is important, that we should be less worried about specific risks, which come and go, and instead focus on how people make decisions under uncertainty. This is fundamentally different from how risk management works at the moment. I believe the problem is not that executives don’t think about cyber or pandemic risks when setting the strategy; the problem is that executives don’t think about any risks enough, or do it haphazardly.

As I explain in the video, the hypothesis is that we tend to make decisions ignoring the way uncertainty affects our choices. Management tends to consider only the risks that someone directly called out or that are top of the news at the moment. This way of thinking leads to a “hive mind” mentality around one or two particular threats, ignoring the other 999 risks. Someone points out cyber security, and then, suddenly, everyone is obsessed with it! It becomes the risk that everyone needs to be concerned with, leaving the other risks in the dust. The one who shouts the loudest or has the decision maker’s ear often wins. 

Many risk managers, and this is especially evident at RM1 events that FERMA or RIMS host, are too busy chasing the unicorn – the holy grail, so to speak – of risk (which, right now, is climate change). But even when we get there, we won’t have “solved” the risk problem. Instead, we need to dive deeper into the decision-making process. Risks don’t happen by themselves; risks are interconnected, correlated and affect multiple revenue and cost drivers simultaneously. Looking at one risk at a time, any one risk, is plain silly.

Key takeaway: measure how uncertainty affects decisions or objectives, all of the uncertainty, not just one sexy risk. 

Problem 2: The decision making process itself is pushing people towards cognitive biases, overestimates or underestimates of uncertainty

On top of the one-risk-at-a-time mentality, the decision making process itself, with very few exceptions, forces people to ignore most of the risks associated with the decision. If you take a look at most management textbooks / frameworks / management gurus and see how they describe the decision making process, you’ll find something along the lines of: research some numbers, put them in a formula, get a single point estimate and compare options. The choice with the better number wins. For investment project management, for example, you want to know the NPV (net present value) and IRR (internal rate of return). Let’s say there are two potential investments or two technologies that can be used for delivering the project. Textbooks would say to calculate the NPV and IRR to determine which investment has the better performance and choose that one.

The problem is that these single point estimates have almost zero chance of materializing. They’re discrete and have no range. In other words, they don’t take into account uncertainty. If you have a decision with ten different uncertain inputs (say, construction time, foreign exchange fluctuations, economic headwinds, and more) and you calculate NPV or project duration taking averages of each, then the likelihood that your calculated result will actually happen is practically zero. To be more precise, it’s less than one-thousandth of a percent. It is almost zero! Let me repeat that: calculating NPV as a single point estimate is guaranteed to lead to bad decisions. Same with budgets, KPIs, M&A valuations, anything. Using single point estimates for future uncertain events is bad.

Consider two investments. The first has an IRR of 10%, and the second has an IRR of 12% when calculated using the current formulas. Now, let’s suppose we do the math that involves risk. We now have ranges. The first investment now has an interval of 10%-15%, but the second investment has an interval of 5%-13%. Which do you pick? The first one, probably, since it has a higher range and thus a higher probability of having a better IRR. Of course, this is an oversimplification, but it’s a valid point that comparing two individual data points on a continuum of outcomes is meaningless. It’s far more accurate to compare the two continuums directly!

Modern management theory, sadly, encourages decision-makers to make choices without properly considering uncertainty. Management is being forced to create one plausible version of the future, which has almost zero chance of ever happening, fall in love with it and then defend their version of the future against other people who have their own single versions of the future! Books on decision science and decision quality seem to be the one good exception to this otherwise sad state of affairs.

Key takeaway: current, or rather common, decision making processes are not designed to properly account for uncertainty. In fact most management theories actively ignore the uncertainty, pretending we should decide on one probable version of the future, stick to it and use it for remuneration and other decisions. Ignoring uncertainty is not just ineffective, it is fatal. Changing current decision making practices is our number one priority.

Problem 3: No one looks under the hood

OK, obviously not no one, but most risk managers don’t. All of the most commonly used risk analysis methodologies leverage mathematical techniques developed 50-100 years ago. In fact, almost all sexy risks use the same basic math to quantify risks. Did you know that? Probably. So why do we keep creating silos for the risks: separate events, separate methodologies, separate language? FAIR is a good example. FAIR is the methodology people use to measure information risks. Let’s look under the hood, past the glamour. It’s a basic factor model with some Monte-Carlo simulations. Wait, but that’s exactly what you would use for intellectual property risks, compliance risks or any legal risks. In fact, that’s exactly what I did for one of the biggest telecoms in Russia a few years before I heard about FAIR: decision trees + Monte-Carlo. You think this is cool? This is exactly what O&G exploration engineers have been using since the 1970s or earlier.

To measure risks in strategy, budgeting, operational planning, M&A, investments, capital projects, construction, product design, new drug testing and 1000s of other problems, you would normally use scenarios or simulations, for example the good old Monte-Carlo (literally old, developed in 1946). Wait, but AI is different, it’s cool. No it isn’t, it’s neural networks, which are as old as time.
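As an added illustration (not code from this post, and not the FAIR standard’s own method), the Python below runs one plain Monte-Carlo loop over two constructed factor models: the ten-input capital-project NPV from Problem 2 and a simplified FAIR-style annualised cyber-loss model (threat-event frequency x vulnerability x loss magnitude) from Problem 3. Every input range and the model structure are assumptions chosen for illustration; the point is that the textbook single-point estimate sits next to a simulated p10/p50/p90 range, and that the outcome almost never lands within a hair of the point estimate.

```python
import random

def tri(low, mode, high):
    """A triangular input as (sampler, mean), so one model can run as a point estimate or a simulation."""
    return (lambda rng: rng.triangular(low, high, mode), (low + mode + high) / 3)

def evaluate(model, inputs, rng=None):
    """rng=None plugs in each input's mean (the textbook single-point estimate); otherwise every input is sampled."""
    x = {k: (mean if rng is None else draw(rng)) for k, (draw, mean) in inputs.items()}
    return model(x)

def simulate(model, inputs, n=20000, seed=7):
    """Plain Monte-Carlo: re-evaluate the model n times with all inputs drawn at once."""
    rng = random.Random(seed)
    return sorted(evaluate(model, inputs, rng) for _ in range(n))

def summarize(model, inputs, tol):
    """Point estimate vs. the simulated range, plus how often the point estimate 'comes true' within +/-tol."""
    point, runs = evaluate(model, inputs), simulate(model, inputs)
    pct = lambda p: runs[int(p * (len(runs) - 1))]
    return {"point": point, "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "share_near_point": sum(abs(r - point) <= tol for r in runs) / len(runs)}

# Model 1: capital-project NPV with ten uncertain inputs (all values constructed for illustration).
def npv(x):
    capex = x["capex"] * (1 + x["overrun"])
    inflows = sum(x[f"cf{t}"] * x["fx"] / (1 + x["rate"]) ** (t + x["delay"]) for t in range(1, 6))
    return inflows - capex

PROJECT = {"capex": tri(900, 1000, 1300), "overrun": tri(0.0, 0.05, 0.30), "fx": tri(0.8, 1.0, 1.15),
           "rate": tri(0.06, 0.08, 0.12), "delay": tri(0.0, 0.5, 2.0),
           **{f"cf{t}": tri(250, 350, 450) for t in range(1, 6)}}

# Model 2: simplified FAIR-style factor model of annualised cyber loss (constructed values):
# loss-event frequency = threat-event frequency x vulnerability; loss magnitude = primary + secondary.
def annual_loss(x):
    return x["tef"] * x["vuln"] * (x["primary"] + x["secondary"])

CYBER = {"tef": tri(1, 3, 8), "vuln": tri(0.1, 0.3, 0.6),
         "primary": tri(20_000, 50_000, 150_000), "secondary": tri(0, 30_000, 200_000)}

if __name__ == "__main__":
    for name, model, inputs, tol in (("project NPV", npv, PROJECT, 1.0),
                                     ("cyber annual loss", annual_loss, CYBER, 100.0)):
        s = summarize(model, inputs, tol)
        print(f"{name}: point={s['point']:,.0f}  p10/p50/p90={s['p10']:,.0f}/{s['p50']:,.0f}/{s['p90']:,.0f}"
              f"  share within +/-{tol:g} of point={s['share_near_point']:.4%}")
```

To compare two investments the way the post suggests, add a second project dictionary and compare the two p10/p90 ranges rather than the two point estimates.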

Therefore, by studying and learning these basic risk analysis techniques, we can ascertain realistic ranges for almost any risk! No matter what the risk is (whether you want to mitigate the new risk of the year or take into account all of the risks), there are only a few key mathematical concepts you need to know to tackle any risk! Learn the basics of quant risk analysis at the upcoming offline event htts:// (say RISK-ACADEMY and get 10% off) or at the biggest ever online event

Key takeaway: behind every sexy methodology is a technique or a mathematical concept which is probably 50+ years old. Learn the techniques and you will be able to master any risk on the planet. 

Hear a more detailed explanation of these topics and also hear the answers to pressing questions on CRO Diary Episode 7! Together let’s all improve our decision-making processes by accurately taking into account risk and generating ranges with probabilities, not single versions of the future that will never happen!

RISK-ACADEMY offers online courses


Informed Risk Taking

Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!


ISO31000 Integrating Risk Management

Alex Sidorenko, known for his risk management blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.


Advanced Risk Governance

This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.


2 thoughts on “CRO DIARY: We are so busy chasing the next “sexiest” risk, we miss the forest for the trees”

  1. The ISO 31000 risk course is advertised at 9.99 while on the platform $49, why the discrepancy?
