Behavioral economics has begun to garner gradual acceptance by economists and risk professionals as a rigorous discipline that may serve as an alternative perspective on uncertainty and risk decision-making. Unfortunately, industry acceptance of behavioral economics has not translated into more advanced risk management practices or enterprise risk management programs. The 2008 Great Recession is the most recent example of the failure of traditional enterprise risk management programs. The Committee of Sponsoring Organizations (COSO) has led the development of ERM programs and, more recently, the adoption of Governance, Risk & Compliance (GRC) technology platforms that mimic its framework. The COSO ERM framework and GRC platforms have focused primarily on subjective risk assessments, internal controls over financial reporting, and check-the-box measures that have provided a false sense of assurance. A narrow focus on internal controls, strategy, and compliance has caused organizations to develop blind spots to the risks that prevent firms from becoming more responsive to rapid change inherent in a digital business environment and the asymmetric risks of cybersecurity. The goal of this article is to develop a contextual model of a cognitive risk framework for enterprise risk management that frames the limitations and possibilities for enhancing enterprise risk management by combining behavioral science with a more rigorous analytical approach to risk management. The thesis of this paper is that managers and staff are prone to natural limitations, what Herbert Simon called “Bounded Rationality”, by failing to leverage Bayesian probability predictions resulting in errors of judgment due in part to insufficient experience or a lack of data to draw reliably consistent conclusions with great confidence. In this context, a cognitive risk framework helps to recognize these limitations in judgment. The Cognitive Risk Framework for Cybersecurity and the Five Pillars of the Framework have been offered as guides for developing an advanced enterprise risk framework to deal with complex and asymmetric risks such as cybersecurity risks.
“A major task in organizing is to determine, first, where the knowledge is located that can provide the various kinds of factual premises that decisions require.” – Herbert Simon
Background
In a 1998 critique of Amos Tversky’s contributions to behavioral economics (Laibson and Zeckhauser) discussed how Tversky systematically exposed the theoretical flaws in rationality by individual actors in the pursuit of perfect optimality. Tversky and Kahneman’s Judgment under Uncertainty: Heuristics and Biases (1974) and Prospect Theory (1979) demonstrated that actual decisions involve some error. “The rational choice advocates assume that to predict these errors is difficult or, in the more orthodox conception of rationality, impossible. Tversky’s work rejects this view of decision-making. Tversky and his collaborators show that economic rationality is systematically violated and that decision-making errors are both widespread and predictable. This now incontestable point was established by two central bodies of work: Tversky and Kahneman’s papers on heuristics and biases, and their papers on framing and prospect theory.”[1]
Much of Tversky and Kahneman’s contributions are less well known by the general public and misinterpreted as a purely theoretical treatment by some risk professionals. As researchers, Tversky and Kahneman were well-versed in mathematics, which helped to shine a light on systemic errors in complex probability judgments and the use of heuristics in inappropriate contexts. As groundbreaking as behavioral science has been in challenging economic theory, Tversky and Kahneman’s work centers on a narrow set of heuristics: representativeness, availability, and anchoring as universal errors. The authors used these three foundational heuristics broadly to describe how decision-makers substitute mental shortcuts for probabilistic judgments resulting in biased inferences and a lack of rigor in making decisions under uncertainty.[2]
Cognitive Risk Framework: Harnessing Advanced Technology for Decision Support
In the thirty years since Prospect Theory data analytics expertise and computational firepower have made significant progress in addressing the weakness in Bayesian probabilities recognized by Tversky and Kahneman. Additionally, the automotive industry and Apple Inc., among others, have been successful in incorporating behavioral science in product design to reduce risk, anticipate human error, and improve the user experience adding value to financial results. This paper assumes that these early examples of progress point to untapped potential if applied in constructive ways. There are distractors, and even Tversky and Kahneman admitted to inherent weaknesses that are not easy to solve. For example, observers are skeptical that laboratory results may not replicate real-life situations; that arbitrary frames don’t reflect reality as well as a lack of mathematical predictive accuracy.
Since Laibson and Zeckhauser’s (1998) critique of Tversky’s contributions to economics, a large body of research in cognition has evolved to include Big Data, Computational Neurosciences, Cognitive Informatics, Cognitive Security, Intelligent Informatics, and rapid early-stage advancements in machine learning and artificial intelligence. A Cognitive Risk Framework is proposed to leverage the rapid advancement of these technologies in risk management however technology alone is not a panacea. Many of these technologies are evolving yet additional progress will continue in various stages requiring risk professionals to begin to consider how to formalize steps to incorporate these tools into an enterprise risk management program in combination with other human elements.
The Cognitive Risk Framework anticipates that as promising as these new technologies are they represent one pillar of a robust and comprehensive framework for managing increasingly complex threats, such as cyber and enterprise risks. The Five Pillars include Cognitive Governance, Intentional Controls Design, Intelligence and Active Defense, Cognitive Security & the Human Element, and Decision Support – Situational Awareness. A cognitive risk framework does not supplant other risk frameworks such as COSO ERM, ISO 31000, or NIST standards for managing a range of risks in the enterprise. Traditional risk frameworks focus primarily on the administration of policy, and procedure, organizing resources, and auditing the implementation of risk processes. The missing elements in traditional risk frameworks are two-fold: 1. Traditional risk frameworks largely ignore the science of risk analysis; and, 2. Traditional risk frameworks only tangentially incorporate human factors resulting in gaps in the leading cause of vulnerability in cyber risks and failure in decision-making under uncertainty – human error.
A cognitive risk framework is presented to leverage the progress made to date in risk management practice and provide a pathway to demonstrably enhance enterprise risk using advanced analytics to inform decision-making in ways only now possible. At the core of the framework is an assumption about data. A cognitive risk framework is designed to leverage the analytical capabilities of automation.
One of the core tenets of Prospect Theory is the recognition that errors made in decision-making are often derived from small sample sizes or poor data quality. Tversky and Kahneman noted several observations where even very skilled researchers routinely made errors of inference derived from poor sampling techniques. Many recognize the importance of data however organizations must anticipate that a cross-disciplinary team of expertise is needed to actualize a cognitive risk framework. Data, or the mismanagement of data, will become either the engine of a cognitive risk framework or its Achilles Heel and may be the most underestimated investment in ramping up a cognition-driven risk program.
Much has been made about Big Data and the promise of collecting and analyzing pools of data to improve strategic decisions across industry, government, and NGOs yet the promise is still not fulfilled. The limitations in Big Data result from a lack of universal structures of data and agree-upon standards for categorizing data that allow organizations to leverage information irrespective of country, language, industry, or purpose. A quote attributed to Albert Einstein still resonates, “Not everything that counts can be counted, and not everything that can be counted counts”. This suggests that values play an equally important role in analytics. The challenge is getting agreement on the values that resonate universally (Kunreuther, Slovic 1996).
A cognitive risk framework anticipates much more diverse skills than currently exists in risk management and IT security. Data is but one of the considerations in developing a robust cognitive risk framework. Other considerations will include developing structures and processes that allow ease of adoption by practitioners across multiple industries and in different-sized organizations. While it is anticipated that a cognitive risk framework can be successfully implemented in large and small organizations risk professionals may decide to adopt a modified version of the Five Pillars or develop solutions to address specific risks such as cybersecurity as a standalone program.
Cognitive governance is the first pillar of a cognitive risk framework as the organizing principle for enterprise risk management. The remaining four pillars serve as the enablers of cognitive governance which is envisioned as a set of tools, technology, and practices that are developed around human factors that complement the administrative functions of traditional risk frameworks. A more robust development of the cognitive risk framework will be published that details the steps and actions an organization may take in implementing cognition into risk management programs.
The fallacy in traditional risk frameworks is there is insufficient guidance for empowering every person in an organization with the tools, practices, and capabilities to manage diverse risks faced at different levels of all organizations. Organizations either use punishment or incentives for employees to comply with mixed results from the boardroom to the shop floor. Traditional risk frameworks are designed as hierarchical command and control processes that are too rigid to be responsive in fast-moving systemic events such as cybersecurity and pandemics that are asymmetric in nature and require new approaches for decision-making under uncertain conditions. Cognitive governance is focused on empowering every person in the organization with better tools, data, and capability to manage risks at each level of the organization.
Traditional risk programs are hierarchical by design and based on maturity models that are rigid resulting in failure during times of stress. This is one of the reasons that information security programs have failed to become proactive managers of security risks. IT security professionals have begun to adopt COSO-based ERM methods in order to better understand risks. Organizations have purchased GRC systems to capture the steps they have taken in a compliance lockstep approach creating bureaucracy in the process while failing to improve their risk posture. Instead of developing situational awareness of IT risks, CISOs are inundated with alerts and compliance protocols. Traditional risk programs largely ignore what people need to understand risk and the tools needed to adequately address the risks that matter on the front line of defense.
A cognitive risk framework starts with people as the center of an enterprise risk or cybersecurity program. Cognitive governance is the first pillar of a cognitive risk framework because the process of understanding risks and developing a shared view of the risks that matter includes understanding the values and drivers of the key decision-makers in the organization. The COVID-19 pandemic has laid bare the disparate views of risk and values. How people act is a better reflection of risk appetite than what people say is important because risks are situational. The cognitive governance pillar starts with a Cognitive Map. A cognitive map is a visual representation of a process of mapping values to risks at different levels of the organization and reconciling the gaps in values to better align risk priorities. Next, the cognitive map assesses whether people have the tools, training, skills, and freedom to address and manage the risks on the front line. Too often, the mantra, “everyone owns risks” is a straw tiger with no teeth. The idea is to create a human-center risk environment where compliance is automated freeing IT and ERM risk professionals to ask better questions about the risks they are facing and provide the tools to address them in a timely manner.
The remaining four pillars are guided by cognitive governance. For example, intentional control design is the second pillar. Intentional control design is the process of building controls that help people understand the risks that matter and automating redundant work that is important but adds little value to organizational success. Compliance should be automated because failure to ensure compliance can result in large operational risks. It adds little value because it ties up time to innovate and leverage talent in the organization to try new things. A cognitive risk framework was created to provide a road map for robotic process automation, machine learning, and artificial intelligence as enablers of situational awareness. CogRisk is the bridge from traditional risk management to a more sustainable risk program.
A cognitive risk framework is focused on people, data, technology, and design solutions to free the organization to innovate, take informed risks, and create nimble operations that are more responsive to change which is the only constant. A cognitive risk framework is human-centered; it recognizes that people are the greatest vulnerability and most important asset of the firm. Organizations have seldom leveraged the full capability of the human asset in a consistent and formal approach until now. Research tells us that the human-machine interaction is the greatest vulnerability in cyber security but evidence in aerospace, the auto industry and others demonstrate that good integration of the human-machine interaction will lead to breakthroughs in performance, better risk management, security, and innovation.
The cognitive risk framework was designed to leverage the human element.
[1] LAIBSON/ZECKHAUSER Kluwer Journal @ats-ss8/data11/kluwer/journals/risk/v16n1art1 COMPOSED: 03/26/98 11:00 am. PG.POS. 2 SESSION: 15
[2] https://pdfs.semanticscholar.org/b4ab/dc36dee6df5b3deea53e3b1b911191f67382.pdf