The psychology of risk avoidance
Stephen Bounds — Fri, 06/09/2013 - 10:10
This isn't a post about the NSA's extensive efforts to defeat any attempt to communicate securely over the Internet, although it may appear that way at first blush.
Rather, it's about the psychology of taking extreme steps of avoidance of one, narrow risk without regard to consequences and risks in other areas. Now risk avoidance is normal and healthy: if you narrowly miss getting hit by a car, choosing to only cross at traffic lights from then on is a proportional and healthy response to reducing risk. But if you decided never to cross a road again, that would be a disproportionate response. You would find yourself doing increasingly ridiculous things just to avoid an activity that is perfectly safe in an appropriate context.
However, in an organisational context employees are often put in a situation where their success is measured entirely on ensuring a particular event, or preventing a class of events from occurring. And when the required outcome is 100% or 0%, the only rational response is to avoid risks at all costs.
The most obvious example is security. There is rarely a reward for security managers to achieve a "reasonable balance of risk and productivity". As Mike Rothman recently complained with some justification:
How do you even know if you're doing security well? If you beat back the attackers, what happens? Nothing. Actually, you don't get kicked in the teeth that day. So there's that. If you miss something ... get ready to take your lumps. It's a thankless job. And your incentive to excel is keeping your job – which on most days doesn't feel like an incentive, right?
Records managers, CEOs, customer service officers, public relations officers – everyone is asked for perfection and no-one is rewarded for what works best, all things considered, in the long run. Bruce Schneier expresses the underlying problem eloquently:
We're afraid of risk. It's a normal part of life, but we're increasingly unwilling to accept it at any level ... Some of this [is due to] the fact that we put people in charge of just one aspect of the risk equation. No one wants to be the senior officer who didn't approve the SWAT team for the one subpoena delivery that resulted in an officer being shot. No one wants to be the school principal who didn't discipline – no matter how benign the infraction – the one student who became a shooter. No one wants to be the president who rolled back counterterrorism measures, just in time to have a plot succeed. Those in charge will be naturally risk averse, since they personally shoulder so much of the burden ...
We need to relearn how to recognize the trade-offs that come from risk management, especially risk from our fellow human beings. We need to relearn how to accept risk, and even embrace it, as essential to human progress and our free society.
So how do we have that conversation? How do we move from individual responsibility to a shared consensus on what outcomes matter? How do we recognise that people respond to incentives and that you cannot unilaterally reduce a risk in a human system without consequences? Schneier again:
An earthquake isn't able to figure out how to topple structures constructed under some new and safer building code ... But a terrorist will change his tactics and targets in response to new security measures. An otherwise innocent person will change his behavior in response to ... living in a surveillance state.
If you reward people solely on trying to prevent risks that are largely uncontrollable – particularly those that involve human behaviour – you will be crippling the productivity of your whole organisation in a myriad of ways. So if you're a leader: don't. Instead, follow three simple principles:
- Share responsibility and accountability for success wherever possible
- Understand that systems are responsible for far more failures than individuals, and
- Seek to build holistic, resilient capabilities instead of implementing narrow and crippling constraints
Our expertise in complex systems analysis, combined with a deep understanding of technology and modern, agile management and leadership techniques makes knowquestion uniquely positioned to find strategic solutions to your tough problems. Contact us today.