ISACA Now Blog


Shedding the Human Bias in Risk Identification and Analysis

Ookeditse Kamau, CISA, MBA, CIA, CRMA, IT Internal Auditor
Posted at 3:04 PM by ISACA News | Category: Risk Management

During the risk analysis process, information is availed through internal reports, external reports, surveys and face-to-face meetings during risk workshops. The amount of information to be analyzed depends on the risk maturity of an organization, as some risk managers continuously collect information that they deem relevant to improving the risk process. The question is, to what level is the information used objectively? How much reliance is placed on what we remember or what we deem as being important?

Behavioral psychologists believe the amount of information we remember has an impact on how we analyze and rate risks. Prior to analyzing risks, we identify events or threats that can exploit vulnerabilities identified in organizations’ processes and systems. It is during the “What can go wrong?” stage that we need to be careful. In his book “Thinking, Fast and Slow,” Daniel Kahneman notes three factors that can manipulate our minds:

A salient event. Get a team of executives and ask them what is an important asset to their organization. I bet you will get different responses. The level of importance placed on organizational assets differs, and this bears the most influence on the agenda each executive is pushing. As part of environmental reviews, I have come across some organizations (especially small enterprises) that do not carry out fire drills or train employees on any natural disasters. When reviewing the risk registers of such organizations, it is normally not surprising to note that there are no risks pertaining to employees.

How were employees’ lives not regarded as critical? At the time of the assessment, memory of what is important had shifted to asset management. Risk managers should be mindful that what is deemed important influences which assets are identified as vulnerable, subsequently shaping the risk profile of the organization.

A dramatic event. The majority of risk managers come to the table with a list of serious events for the period, audit reports and market intelligence information. Some events tend to come to mind more quickly than others, especially political events over which the organization has no control. Deciding which event might make one asset more vulnerable than another can be influenced heavily by recent media coverage or internal incident reports if these reports are not scrutinized carefully.

Personal experiences. We can never divorce our personal experiences from the analysis process. It is indeed every risk manager’s dream that employees could set such experiences aside during risk workshops, but risk managers are also guilty of bringing along databases of risks they have been compiling for years from different organizations. This is particularly so for consulting risk managers, who tend to steer their client organizations toward the risks they identified in similar organizations. However, strategies, policies, processes, organizational structure and culture all change the risk landscape of every organization.

Kahneman further contends that effort is required to reconsider impressions and intuitions by asking questions. Simply because a risk has been identified in an audit report does not mean the risk manager needs to include it in his risk register. Simply because a charismatic executive says everything in his department is on fire does not mean every asset in that department is critical. Risk managers need to develop questions that they can ask to eliminate natural bias. Every report’s merits should be verified.

Without nullifying the importance of the systematic approach risk managers take to identify and analyze risks, it is equally important that risk managers take the cognitive human element into account to develop objective lists of risks and ratings.

Comments

Meticulous Content 

Dear Ookeditse Kamau,

I first read the title of this blog and was attracted to this topic. Initially I was just scanning the content but could not resist reading it completely and thoroughly.
I like this article, which is brilliantly drafted and explains in a simple yet powerful manner to give insight into RA process owners' approach in general :)

Regards
Sushil
SUSHIL498 at 5/24/2017 4:57 AM