Enterprise risk management

When good strategic decisions go bad, is behavior to blame?

Ellen Davis  Director, Workflow Proposition Marketing

Everyone who has worked as a manager in an organization knows this phenomenon – a decision that is taken at a senior level turns out to have an impact or a result that was not predicted by those who took the decision. Sometimes the decision itself is blamed. Sometimes external factors or, occasionally, the organization’s inherent dynamics – for example, a breakdown in processes or controls – get the blame. More recently, it’s likely that someone will clear their throat and blame “poor risk management.”

None of these conclusions is, in itself, wrong. But over the past two years, organizations have become increasingly aware of the need to look beyond the textbook governance, risk and compliance (GRC) staples of controls, processes and risks for a deeper understanding of what makes good decisions go bad. Now senior executives and boards – as well as regulators – are beginning to explore the idea that it’s the interaction of behaviors with the traditional suite of GRC concepts that usually causes the best strategic plans to come unstuck.

Fundamental audit, risk and compliance errors

Everyone who has taken a basic economics course has heard of the theory of rational expectations. This is the assumption that people do not make systematic errors when predicting the future, and deviations from perfect foresight are only random. So, for example, if you are buying a new photocopier for your office, the theory of rational expectations would assume that you have perfect knowledge of all of the photocopiers available for purchase, including their pricing and features. It would then assume that you make the choice about what photocopier to buy based on that perfect information.

Such a theory would also assume that the person taking the decision has a deep understanding of the organization’s photocopying needs – the volume of copying, the use of color and the possible need to have the photocopier networked.

This sounds logical and is often the way most of us assume the world works. Tools that are with us every day, such as Internet search engines, are designed to help us all have the perfect foresight that we crave when taking decisions.

Other solutions that help leaders in organizations bring together the information they need to make informed decisions include GRC solutions that harvest audit, risk, compliance and internal control information from across the business. Or board portal solutions that help organizations compile and disseminate board or senior leader meeting packs. Or regulatory intelligence solutions that curate content about supervisory activities around the world that can impact the business.

These solutions – which help executives make better sense of the world around them – are growing more and more essential to navigating the complexities that decision makers face.

Creating a new context for GRC information

What has changed over the past two years, however, is that some senior leaders are realizing the need to take this important GRC information and consider it more carefully in the context of the people – and the behaviors of those people – who are stakeholders in any decision that is taken.

This means putting GRC information into a new context – the context of behavioral psychology. This is because experts who are studying “when things go wrong” at organizations are finding that it is the way that people’s behavior interacts with risks, controls and processes that enables most unforeseen “emerging risks” to develop and cause damage.

But just what do we mean by behavior? Decision makers in organizations should consider both the subconscious and the conscious factors that impact the way people behave.

On one hand, there is a set of naturally occurring, largely preprogrammed human responses, including reflexes and heuristics – these are often called “biases.” On the other hand, there are our learned responses, which individuals acquire adaptively in the course of growing up, socializing and working in teams. These are our behaviors.

One easy way to remember the difference is to think: “Wired or acquired?” Bias is hardwired into an individual’s brain at birth. In contrast, each person’s set of behaviors is socially acquired. To put it another way, behavior forms as individuals interpret information about risk, and what’s “acceptable,” according to their evolving personal understanding of how the world works, as conditioned by upbringing and surroundings. It’s true that after a while, a trait of behavior may take on the appearance of a bias. However, a bias (essentially nature) and a behavior (nurture) work in different ways.

Once these two concepts are understood, it is easier to see how each affects how individuals make decisions in practice. Decisions are informed both by an individual’s “brains being made that way” (heuristics, biases) and by the things individuals do because they’ve learned that this is how to survive and thrive (behavior).

The next step is to look at how biases and behavior impact processes, controls and risks in an organization. Certainly, these can shape the way that senior leaders take decisions – research has shown that even with so-called “perfect” information in a world of rational expectations, biases and behaviors will shape the choices people make. Many senior leaders work hard to raise their own personal awareness of the way these factors can shape their choices. Many organizations talk about making their senior leaders more “risk aware” – and this is in part addressing this need, because enhancing risk awareness is very much about bringing alternative perspectives and scenarios to the table for consideration and discussion.

Thinking decisions through

But decision makers also need to think through what happens once they take a decision – and understand that the choice they make is not then implemented by a set of people who are operating in a world framed by rational expectations. Rather, the people implementing a strategy are subject to biases and behaviors just as they are. These biases and behaviors can very much shape the way these individuals engage with the risks, processes and controls that senior leaders are trying to manage.

Among researchers, there are some well-recognized patterns of so-called “behavioral storm warnings”:

Swiss cheese

Any system of risk management consists of layers, each one containing flaws – conceptual or practical gaps (holes). Sometimes the holes in multiple layers will align, allowing a critical event to pass through unchecked.

Disaster incubation

Most control systems rely on assumptions and beliefs that may be unsound. Catastrophes are simply “spike” events that vividly expose those weaknesses.

Operant conditioning

If people find that nothing goes wrong when they ignore risk controls, they’ll keep on ignoring the controls until something goes badly wrong.

Normal accidents

When designers create a control system full of close-coupled elements, these elements will at some point interact in new ways that produce a catastrophic outcome.


Careless risk-taking or unethical behavior by senior people will encourage others to ignore controls.


People will continue trying to explain a new situation in an old familiar way, until someone gets hurt.


As catastrophe looms, many people won’t intervene until it’s too late.


We intervene to curb risk, using new technologies and measures; they end up contributing to new forms of disaster.

Cognitive shock

An organization loses vital stakeholder support by crossing an invisible threshold of “what’s acceptable now” in its risk-taking and other behavior.

These patterns, along with examples from past events and potential causes, are outlined in a recently published infographic.

Certainly, hindsight is 20/20, and by reviewing strategic decisions that failed against this list of “storm warnings” many organizations may be able to see patterns emerging – particularly when this review is coupled with the analysis of a good set of information around GRC in the organization. Once they are aware of these patterns, they can be more conscious of not repeating them in future, and actively incorporate them into more formal “what if” exercises, such as scenario analysis.

Aligning behavior with GRC

Awareness of how behavior has blown past strategic decisions off course, in spite of a robust approach to GRC, is a good first step. The next step is to explore how the organization can better take behavior into account as another factor to add into the traditional GRC mix.

There are five structured ways to do this:

Create a formal approach to behavior in a risk framework

Understand the behaviors that create risk for the organization, actively track these risks, and learn what can be done to mitigate them. Organizational self-knowledge will provide context for future decision making.

Explore how your regulators are talking about behavior

Supervisors in many industries are waking up to the realization that it’s often poor culture that drives noncompliance. They are doing their own research and beginning to create regulatory frameworks.

Automate compliance systems where possible

Whether it’s reporting on conflicts of interest or ensuring that policies are read and understood, automating parts of the compliance program can minimize risk. The indicators that these systems produce can help to highlight cultural challenges.

Communicate and offer training

Creating a strong risk culture in an organization requires a thoughtful program of communication and training for employees. Helping employees to better understand their own behavior, as well as the goals of the organization and their role in the risk culture that the board is setting, can lead to improved execution of strategy.

Consider having your internal audit team audit your organization’s culture

There is a range of different frameworks for doing this, and it can help senior leaders and the board to identify places where strategic decisions may not be executed in expected ways.

In summary, today’s senior leaders need to look beyond the traditional elements of governance, risk and compliance and consider a fourth factor – behavior – when taking key strategic decisions. Not only do leaders need to ensure that they understand how their own behaviors and biases may impact the way they take decisions, but they need to explore how a particular decision may (or may not) be executed because of the behaviors and biases of the teams who are responsible for doing so. By bringing consideration of behavior to the table, senior leaders have a greater chance of seeing their strategy executed well. They are also more likely to manage any risks with greater responsiveness and improved results.
