Behavioral economics has only recently begun to gain acceptance among mainstream economists as a rigorous discipline that may serve as an alternative perspective on decision-making. However, the broad acceptance and growing adoption of behavioral economic theories and concepts – along with advancements in computational firepower – present opportunities to develop practical applications for improving risk management.
The goal of this article is to develop a contextual model of a cognitive risk framework for enterprise risk management that frames the limitations and possibilities for enhancing enterprise risk management by combining behavioral science with a more rigorous analytical approach to risk management. My thesis is that managers and staff are prone to natural limitations in Bayesian probability predictions, as well as errors in judgment due in part to insufficient experience or data to draw reliably consistent conclusions with great confidence.
In this context, a cognitive risk framework helps to recognize these limitations in judgment. The Cognitive Risk Framework for Cybersecurity and the Five Pillars of the framework have been offered as guides for developing an advanced enterprise risk framework to deal with complex and asymmetric risks, such as cyber risks.
“A major task in organizing is to determine, first, where the knowledge is located that can provide the various kinds of factual premises that decisions require.” – Herbert Simon
Background
In a 1998 critique of Amos Tversky’s contributions to behavioral economics, Laibson and Zeckhauser discussed how Tversky systematically exposed the theoretical flaws in rationality by individual actors in the pursuit of perfect optimality. Tversky and Kahneman’s Judgment under Uncertainty: Heuristics and Biases (1974) and Prospect Theory (1979) demonstrated that actual decisions involve some error. “The rational choice advocates assume that to predict these errors is difficult or, in the more orthodox conception of rationality, impossible. Tversky’s work rejects this view of decision-making. Tversky and his collaborators show that economic rationality is systematically violated and that decision-making errors are both widespread and predictable. This now incontestable point was established by two central bodies of work: Tversky and Kahneman’s papers on heuristics and biases and their papers on framing and prospect theory.”[1]
Much of Tversky and Kahneman’s work is less well known to the general public and is misinterpreted as a purely theoretical treatment by some risk professionals. As researchers, Tversky and Kahneman were well versed in mathematics, which helped to shine light on systemic errors in complex probability judgments and the use of heuristics in inappropriate contexts. As groundbreaking as behavioral science has been in challenging economic theory, Tversky and Kahneman’s work centers on a narrow set of heuristics: representativeness, availability and anchoring as universal errors. The authors used these three foundational heuristics broadly to describe how decision-makers substitute mental shortcuts for probabilistic judgments, resulting in biased inferences and a lack of rigor in making decisions under uncertainty.[2]
Cognitive Risk Framework: Harnessing Advanced Technology for Decision Support
In the 30 years since Prospect Theory, data analytics expertise and computational firepower have made significant progress in addressing the weakness in Bayesian probabilities recognized by Tversky and Kahneman. Additionally, the automotive industry and Apple, among others, have been successful in incorporating behavioral science in product design to reduce risk, anticipate human error and improve the user experience, adding value in financial results. It can be assumed that these early examples of progress point to untapped potential if applied in constructive ways. There are detractors, and even Tversky and Kahneman admitted to inherent weaknesses that are not easy to solve. For example, observers are skeptical that laboratory results replicate real-life situations, arguing that arbitrary frames don’t reflect reality and pointing to a lack of mathematical predictive accuracy.
Since Laibson and Zeckhauser’s (1998) critique of Tversky’s contributions to economics, a large body of research in cognition has evolved to include big data, computational neuroscience, cognitive informatics, cognitive security, intelligent informatics and rapid early-stage advancements in machine learning and artificial intelligence. A Cognitive Risk Framework is proposed to leverage the rapid advancement of these technologies in risk management; however, technology alone is not a panacea. Many of these technologies are still evolving, and additional progress will continue in various stages, requiring risk professionals to begin considering how to formalize steps to incorporate these tools into an enterprise risk management program in combination with other human elements.
The Cognitive Risk Framework anticipates that as promising as these new technologies are, they represent one pillar of a robust and comprehensive framework for managing increasingly complex threats, such as cyber and enterprise risks. The Five Pillars are:
- intentional controls design
- intelligence and active defense
- cognitive risk governance
- cognitive security informatics
- legal “best efforts” considerations
A Cognitive Risk Framework does not supplant other risk frameworks, such as COSO ERM, ISO 31000 or NIST standards for managing a range of risks in the enterprise. A Cognitive Risk Framework is presented to leverage the progress made in risk management and provide a pathway to demonstrably enhance enterprise risk using advanced analytics to inform decision-making in ways only now possible. At the core of the framework is an assumption about data.
One of the core tenets of Prospect Theory is the recognition of errors made in decision-making derived from small sample size or poor quality data. Tversky and Kahneman noted several observations where even very skilled researchers routinely made errors of inference derived from poor sampling techniques. Many recognize the importance of data; however, organizations must anticipate that a cross-disciplinary team of expertise is needed to actualize a cognitive risk framework. Data will become either the engine of a cognitive risk framework or its Achilles’ heel and may be the most underestimated investment in ramping up a cognition-driven risk program. A Cognitive Risk Framework anticipates much more diverse skills than currently exist in risk management and IT security.
Data is but one of the considerations in developing a robust Cognitive Risk Framework. Other considerations will include developing structure and processes that allow ease of adoption by practitioners across multiple industries and in organizations of different sizes. While it is anticipated that a Cognitive Risk Framework can be successfully implemented in large and small organizations, risk professionals may decide to adopt a modified version of the Five Pillars or develop solutions to address specific risks, such as cybersecurity, as a standalone program.
It is anticipated that if cognitive risk frameworks are adopted more broadly, technology firms and standards organizations would take an active role in developing complementary programs to leverage these frameworks to advance enterprise risk using advanced analytics and cognitive elements.
[1] Laibson and Zeckhauser (1998), Kluwer journal, risk, v16 n1, art. 1.
[2] https://pdfs.semanticscholar.org/b4ab/dc36dee6df5b3deea53e3b1b911191f67382.pdf