The IMT Blog: Ixnay Ceteris Paribus

GDPR is Phase One, Facebook Spurs Phase Two

jfarrell@intelligentmanagementtrends.com (John Farrell) — Thu, 26 Apr 2018 14:00:00 GMT

The graduation season is upon us when commencement speakers will once again task college graduates with the mission to change the world. This once meant inventing new products or processes, creating new art forms, or expressing individual ideas to improve the lives of others. Now it increasingly means launching a startup that incorporates its world-changing intentions in its mission statement.

When coupled with an entrepreneurial spirit that urges employees to move fast and deal with consequences later, there is little room to deliberate risk considerations. The globally-networked digital economy offers companies the opportunity to truly change the world in just a few short years. This creates tremendous opportunities, but also breeds serious business and social risks.

Dominant young companies like Facebook, Amazon, and Uber gained success by rushing forward while not waiting for societal and government regulatory approvals. Yet the more a company asserts a mission to change the world, it should apply an equally weighty seriousness to risk management strategies for both the intended and unintended consequences of its organizational objectives.

Facebook softened its original motto “Move Fast and Break Things” geared toward its developers to a cautionary “Move Fast with a Stable Infrastructure” in 2014 and a more socially palatable “We Learn as We Go” in light of more recent criticism. Expect this motto to change again since it does not inspire confidence when politicians are asking if you can self-regulate.

Setting the Fulcrum for Balancing Trust with Regulatory Control

Companies once grew at a slower pace than legislative processes. There was an opportunity to debate negative outcomes of business practices and set regulatory controls before the damage could become too widespread. The opposite is true today. The speed of business innovation and expansion is far faster than our increasingly sluggish parliamentary procedures and political deadlocks.

This growing disparity in speed means a greater degree of trust must be placed in the hands of budding entrepreneurs and the executives of rising unicorns. Building a risk-aware culture is a challenge for any business, but it is even more daunting for the new breed of world-changing companies based on management trends that encourage employees to make mistakes and learn as you go.

Collecting personal data on customers and prospects is not new but will become increasingly important to remain competitive. It does not matter if you sell cars, prescribe medication, or provide entertainment. Every business in the digital economy will benefit from catering to personal interests and needs. A personalized customer experience offers progress for both providers and end users alike. All businesses in this new economy will have to carefully manage risks that accompany the management of personal data.

This new era, however, also ushers in weightier responsibilities when companies state a strategic objective to guide users toward a self-defined greater good. Facebook founder Mark Zuckerberg’s bold message to the world is “It’s not enough to just connect people, we have to make sure that those connections are positive.”

We have entered an age when corporate boards and executives are inviting additional responsibilities and burdens of addressing social demands. Companies are not only collecting, analyzing, and communicating data, but also guiding and prescribing answers leveraging AI tools.

Western economies, and the United States in particular, prefer to cultivate entrepreneurship with a light-touch regulatory environment. The swift emergence of world-changing businesses targeting global audiences tests this preference when fundamental rights are at stake.

I am not a supporter of regulatory expansion and its looming threat of stifling creativity. But watching several congressmen during the Zuckerberg hearing threaten to abandon their light-touch regulatory stance seemed hollow and passé when Zuckerberg was practically begging for regulation.

The Internet is growing in importance around the world in people’s lives, and I think that it is inevitable that there will need to be some regulation. — Mark Zuckerberg during his appearance before the U.S. House Energy and Commerce Committee on April 11, 2018

Cynics note Facebook would certainly welcome new regulation that could lock in its current dominant status while setting a higher bar for other developing social media companies. But Zuckerberg’s statements are more likely an admission that the responsibilities of taking on a broad social agenda are either too burdensome or too tempting for abuse.

The question for legislative bodies is where to set the fulcrum that balances trust in a cultivating business environment for entrepreneurs against regulatory oversight that protects fundamental individual rights. Historically, regulation addresses the externalities that may not be the primary concerns of companies. Now legislators must address the risks associated with companies that offer what are perceived to be public platforms for conducting business and social interaction.

The current top concerns for western democracies are (1) the use of personal information, and (2) the control of content. The first is an issue of privacy rights. The second tests the boundaries of free speech rights.

How the EU Got the First Step Right with GDPR

Back in 1995, the public Internet was on the rise as a new frontier that left many questioning the opportunities and the risks it posed. As a consultant with International Data Corporation at the time, I had a contract with the European Commission to report to the Directorate-General for Communications Networks, Content and Technology on developing technology trends as they considered setting policy directions for the newly-formed European Union.

While presenting the latest activities of Netscape, Yahoo, Compuserve and industry exchanges, Vlassis Venner (my best recollection of the Director-General’s name) interrupted me with a quizzical look and asked, “John, what are we going to do about this?”

I was dumbfounded by the question with the multiple thoughts running through my head. Information wants to be free. Does he want to stop this progress? I am glad I live in the U.S. The land of the free, the bold, and the brave who will embrace this change with a sense of opportunity and progress.

After two decades, I realize I owe Mr. Venner an apology for my thoughts. I had assumed he, as a government power broker, sought to impose control over information and manage who received and benefited from the flow of data. Now I know he may have been more prescient and concerned about privacy rights for individuals.

The EU’s GDPR (General Data Protection Regulation) is the first major legislation and regulation for democratic countries in the digital economy that empowers the individual to protect their personal information and right to privacy. The EU got it right by focusing on a core principle for individual protection rather than imposing restrictions and controls on companies.

I am sorry Mr. Venner.

Facebook Triggers the Next Phase of Individual Protections

After the high-profile appearance of Mark Zuckerberg before both House and Senate committees, the United States is certain to follow GDPR with its own legislation to protect privacy rights. But the Facebook case also calls for more serious discussion and a second phase of legislative action to protect a second pillar of individual rights — free speech.

Zuckerberg assertively declares his company has a higher duty to ensure the connections and communications on the Facebook platform are positive yet leaves “positive” undefined and does not outline a clear approach to managing risks associated with this responsibility.

To date, the U.S. Congress has chosen to let companies define and manage the gray lines of what is considered acceptable Internet content. This forces the battlegrounds of political discussions and social outrage into individual companies where the loudest voices, individual dictates, or group think decision biases may endanger broader concepts of free speech.

How will Microsoft ban offensive language across its product lines? How will Twitter and Snapchat identify and control hate speech and bullying?

The United States currently contends with outrage over free speech zones, political speech deemed hate speech, dog whistles, and forced group identity. If the changing perceptions of what is acceptable discourse in the U.S. is so unruly among 326 million people, how can Facebook possibly take on the risks of defining, identifying, and managing risks around content for over two billion users in more than 200 countries? Stating an altruistic mission to enable positive connections is one thing. Taking on the risks of controlling Russian meddlers in US and European elections, Diamond and Silk in the US, anti-Rohingya propaganda in Myanmar, and German joke tellers targeting foreign leaders is another.

Who will set the risk management standards? The U.S. public turns to Congress. Congress defers to companies. Companies rely on their users.

In response to Senator Mazie Hirono’s question about racially-targeted real estate advertising, Zuckerberg noted “most of the enforcement today is still that our community flags issues for us when that comes up.”

In response to Senator Thune’s questions about the steps Facebook takes when evaluating the line between legitimate political discourse and hate speech, Zuckerberg offer this statement:

So, from the beginning of the company in 2004 — I started in my dorm room; it was me and my roommate. We didn't have A.I. technology that could look at the content that people were sharing. So — so we basically had to enforce our content policies reactively.

People could share what they wanted, and then, if someone in the community found it to be offensive or against our policies, they'd flag it for us, and we'd look at it reactively. Now, increasingly, we're developing A.I. tools that can identify certain classes of bad activity proactively and flag it for our team at Facebook.

Later, he notes:

Hate speech — I am optimistic that, over a 5 to 10-year period, we will have A.I. tools that can get into some of the nuances — the linguistic nuances of different types of content to be more accurate in flagging things for our systems.

But, today, we're just not there on that. So a lot of this is still reactive. People flag it to us. We have people look at it. We have policies to try to make it as not subjective as possible. But, until we get it more automated, there is a higher error rate than I'm happy with.

Any concerns here?

The added risks of taking on socially-conscious mission statements is not limited to digital businesses. Starbucks states its mission is “to inspire and nurture the human spirit – one person, one cup and one neighborhood at a time." They were fine with the statement until they realized they needed to shut down their stores for a full day of employee sensitivity training.

A new breed of socially-conscious companies is taking hold. Intentions beyond financial viability are admirable but must come with a recognition of the responsibilities to integrate risk management principles to proactively anticipate and manage the associated weighty risks. The missteps of Facebook and Starbucks are two risk management failure examples that reveal building effective risk cultures are part of promoting a social agendas.

Government has a role in ensuring companies are prepared to meet these challenges not by imposing controls on companies but by reinforcing individual rights. GDPR is the first phase that emphasizes protections for personal information and privacy rights. The U.S. can use the Facebook discussion to shift into a second phase that better defines and sets protections for free speech.

A Defense of Enterprise Risk Registers...Sort Of

jfarrell@intelligentmanagementtrends.com (John Farrell) — Thu, 29 Mar 2018 14:10:00 GMT

Enterprise risk registers are a target for derision among many in the risk management profession and those forced to take part in populating them. They are often viewed as imposing time-consuming exercises with questionable value that directs attention and resources toward risks themselves rather than an organization’s primary objectives.

However, risk registers can fill a vital role when considering risks in the flow of business decision making processes and will become even more critical as the speed of decision making accelerates. You will just not recognize them as they exist today.

What is a Risk Register?

A risk register is a database of known risks a company would like to address as it pursues its objectives. Accompanying each risk are facts such as its description, category, causes, probability of occurrence, consequences, proposed responses, stakeholders, risk owners, controls, and a record of past events, responses, and loss experiences. Organizations may use risk registers for projects, within a business unit, and/or at an enterprise level.

To consider the debate over the value of a risk management register, it is useful to separately analyze (1) the information as a database, (2) the process that populates it, and (3) software platforms used to develop and manage it.

The Pros of Risk Registers

Risk register information databases can:

Provide a go-to reference when initiating decision processes.
Identify both threats and opportunities.
Help inform risk-reward tradeoff analysis.
Feed predictive analytics that help assess decision outcomes.
Help optimize enterprise-wide risk mitigation strategies and insurance policy coverage.
Present evidence of compliance with regulatory requirements.
Highlight facts for risk statements in SEC filings, including annual reports.
Support positive ratings from credit agencies.
Document governance, roles, and responsibilities.
Help set and confirm risk controls.
Support audit analysis and reporting.

Processes used to populate risk registers today can:

Make employees consider risks relevant to their roles.
Help build a risk-aware culture across an organization.
Create a sense of personal accountability for risk management.
Facilitate creative thought about new and emerging risks.

Risk register software platforms can:

Enable a structured approach to risk identification and assessment.
Help set standards for assessing the likelihood and consequences of potential risks.
Help integrate analysis across an organization to inform C-level decisions.
Facilitate integrated risk analysis for enterprise mitigation and insurance coverage strategies.
Help automate data collection and analysis.
Support project team, business unit, and cross-enterprise communication.
Facilitate reporting to boards, shareholders, regulatory entities, ratings agencies, auditors, and other stakeholders.

The Cons of Risk Registers

Risk register information databases can:

Narrowly focus on only the most obvious top-known risks when long-tail risks and emerging risks are the primary cause of business failures.
Build a collection of past data that may not appropriately inform decision making under current and future business conditions.
Reflect a white-washed view of risks considered presentable to top management or external stakeholders rather than an honest assessment of true organizational risks.
Concentrate on standalone risks rather than a set of integrated risks in the context of organizational objectives or specific decisions.
Skew toward risks as negative threats that need controls rather than presenting opportunities.
Have missing or incomplete data that create risk blind spots.
Provide a static view of risks when market dynamics can change abruptly.

Processes used to populate risk registers today can:

Impose cumbersome time-consuming standalone processes outside the flow of normal business activities.
Occur on a quarterly or annual process cycle instead of within ongoing, dynamic, real-time business decision-making conditions.
Build a database as an end product which is subsequently ignored.
Prioritize the fulfillment of external reporting requirements over internal needs.
Focus on potential negative consequences to set controls rather than considering risk-reward tradeoffs.
Create the illusion of fully addressing risks.
Set a risk-centric activity disconnected from specific business objectives and decisions.

Risk register software platforms can:

Concentrate too much on risk list development, regulatory requirements, and controls versus decision support and identifying opportunities to leverage risks.
Lack the context of business objectives and decision making.
Require time-consuming manual input.
Impose a process that grates against well-established business practices.
Extend data requirements beyond what is necessary for effective risk management.
Struggle to provide standards flexible enough for use across business functions and risk sources.
Sometimes lack the ability to access a full set of relevant and critical data sources.
Include an inconsistent set of qualitative and quantitative assessments that are difficult to integrate across a risk portfolio.
Limit creative and open thought.

Changing the Current State of Risk Registers

A review of the pros and cons of risk registers reveals some strong potential benefits if integrated more seamlessly with organizational decision making. However, many businesses currently fall victim to the negative aspects of standalone risk register development and use.

Quarterly or annual exercises designed to populate and update risk registers may help optimize insurance portfolios, inform risk statements, and provide positive evidence to address regulatory and credit agency interests, but these value points remain divorced from decision-making processes.

While the information within risk registers has plenty of potential value, complaints tend to center on the tedious process needed to create “risk lists” and their perceived lack of value for use within the flow of normal business activities. Many ERM and GRC software platforms often just reinforce this negative perception.

Accentuating the positives and minimizing the negatives of risk registers calls for:

Constantly updated, broad-ranged risk information to feed into analytics that support real-time business objective setting and decision making.
Risk identification and assessment processes that integrate with ongoing business activities.
Software that can help automate risk identification and assessment and integration with business objectives and decision making.

The first point may seem to run counter to the need to reduce process demands for populating risk registers, but the solution lies in balancing human versus automated input requirements. Monitors, sensors, all forms of enterprise software, and third-party data providers are exponentially building sources for risk information. Nearly all of the information needed to identify risks to populate registers can exist in company data lakes and should eliminate any need to create lists from scratch.

Setting the Value of Human Versus Automated Processes

When employees participate in blank-slate risk identification exercises, the process typically begins with listing all known business risks before imagining potential new and emerging risks. There is a point along this continuum where the value of automated risk identification and human risk identification cross. Future concepts of risk register development and use will better leverage the strengths of both automated and human assessments.

Advancements in technology and machine learning now offer automated risk identification with higher accuracy and less bias than humans. Machine learning analysis of information associated with any system (operational or decision processes) can even uncover previously ignored risks. Individuals currently use statistical analysis to uncover key risks to populate risk registers, but AI engines can improve this process by assessing more data and a wider variety of information with less bias at a higher speed in real time.

The weakness of automated AI-driven risk analytics is the same as any statistical analysis. It can only predict future outcomes based on past data and whatever future considerations it is fed. This is where human thought processes and problem solving are still superior to any automation.

While automated analysis is more efficient for assessing past data, humans can better assess real-time anomalies (once detected) and imagine future conditions for new risk considerations.

Effectively integrating risk management with decision making calls for more automation to prepopulate risk registers in the context of specific business objectives and decisions, while leaning on human participation to confirm this initial list, consider real-time anomalies, and imagine future risk factors. Emphasis on these human strengths should encourage greater individual engagement and value perception.

The Future State of Risk Registers

In essence, a well-managed data lake is a raw risk register. It should provide all the potential information sources necessary to analyze decision systems and identify risks related to any business objective. Risk management software will have the ability to filter all related risk factors, probabilities, and consequences based on past information and present a prepopulated list to decision makers.

An individual or team should be able to (1) set an objective and decision context, (2) have a prepopulated set of initial risk considerations presented to them, (3) assess real-time dynamics, and (4) add potential new and emerging risks. Once a full list of risks related to a specific objective or decision is identified, it will be easier to determine the needs to address risk owners, risk responses, controls and other factors associated with risk registers.

This capability exists today, but it will take some time for companies to implement and realize this approach. The first priority should be identifying and assembling (currently used and potentially useful) information sources related to each major organizational objective. Then test automated AI-driven risk analysis in cases where current risk identification exercises use a significant amount of human resources. Business analytics thought leaders, Tom Davenport and Rajeev Ronanki, offer their advice on incrementally building AI automation into current business processes in this Harvard Business Review article “Artificial Intelligence for the Real World.”

All business managers should be considering where machine learning can create efficiencies and add value in current business processes. Risk identification and risk register development are processes ripe for this analysis. It will help transform risk registers from time-consuming standalone database exercises to valuable in-process, decision-support resources that can unleash more creative risk-taking considerations.

Yes, risk registers will live on, but not in the form you recognize them today.

Considerations for Decision-Centric Risk Management Resources

jfarrell@intelligentmanagementtrends.com (John Farrell) — Sat, 24 Feb 2018 15:08:00 GMT

Most ERM and GRC vendor offerings currently fail to enable the power and value of applying risk management principles to business decision-making processes. If risk management is about making better decisions, then we need to reset the perspective of what qualifies as a valued risk management resource.

The Challenge of Embedding Risk Management in Decision Processes

Updates to the COSO ERM and ISO 31000 standards emphasize the need to address risks in the context of organizational objectives and decisions. While the talking points among risk management professionals have progressed, the practical application to management decisions throughout an enterprise is still a significant challenge.

Some of the hurdles include:

The perception of risk management as a standalone function or process.
Building an executive-led, risk-aware organizational culture.
The need to clarify risk management responsibilities across an enterprise.
A market filled with risk management vendors that emphasize risk registers, insurance portfolio management, and regulatory compliance.

Risk management still suffers from the belief it is a time-consuming add-on activity that is just a gating decision control. A reeducation effort is necessary to present risk management as a decision enabler that can raise and optimize organizational value.

The Requirements for a Risk-Informed Decision-Making Process

Integrating risk management and decision making is about (1) people using (2) decision-making processes ingrained with risk management principles and (3) the best information available while leveraging (4) technology to accelerate and optimize decisions and their outcomes.

Some of the relevant risk management principles that apply include assessing and addressing the options, tradeoffs, and uncertainties associated with decisions in the pursuit of business objectives. You can find further details in this post on ten steps of an effective decision-making process.

In this context, risk-aware decisions require a system of people, process, information, and technology resources guided by a risk management framework.

As enterprises establish this framework within their organization, it is impossible to build all the resources necessary to identify, assess, and address the range of risk sources they face over time to fully inform decisions. External vendors can fill resource gaps, enhance decision processes, and add risk expertise.

How Vendors Can Support this Process and Fill Resource Needs

Risk registers, insurance products, and regulatory compliance solutions play a role in supporting decisions, but the practical integration of risk management and decision-making processes across an organization demands a broader spectrum of vendor capabilities beyond those of today’s ERM, GRC, or RMIS solution providers.

Consultants support organizational change, redefine roles and responsibilities, and help implement new processes. Risk experts help identify, assess, and offer advice on how to address specific risk sources and events.

A wide variety of software vendors enable technology solutions that

manage and analyze past risk information,
monitor and identify real-time risk conditions, and
predict future risk events and consequences.

Advanced technology and developments in machine learning are extending predictive analytics using vast information sources to now prescribe optimal business decisions. This raises the demand for big data information sources needed to train deep learning models. Risk information and databases are a critical component for building risk-informed decision systems.

Businesses make decisions under dynamic conditions. Changing variables may demand course corrections at any time. This means risk management in support of decisions must continually assess past, present, and future information. The great news is that the convergence of risk management concepts with information technology advances now has the potential to significantly enhance business decision-making proficiency in dynamic business environments.

The collection of service, software, and information product vendors in today’s market presents what can be a confusing array of offerings to assess when considering risk management resource needs. Some ERM providers strive to address as much of the risk management process and system requirements as possible, but no single solution can address all the functionality and people, process, technology, and information resources needed to integrate risk management considerations with decision making.

A Taxonomy to Classify Vendors that Support Risk-Informed Decisions

Intelligent Management Trends takes a fresh look at the vendor marketplace in the context of enabling risk-informed business decision making. A newly released report, “Risk Management Resources Market Taxonomy, Trends, and Vendor Classification,” translates industry risk management standards into enterprise resource requirements and tackles the challenges of connecting these resource needs to marketplace vendors.

The report identifies the core factors, segments, and vendors that constitute the risk management market from the perspective of optimizing business decisions and offers a holistic categorization of services, software, and information resource offerings that support risk management systems.

The objectives of this research and industry taxonomy include:

Facilitating vendor-enterprise dialogue by clarifying vendor capabilities in the context of specific risk management resource needs.
Offering risk management service, software, and information vendors a market-wide perspective to consider their own value positioning, portfolio development, partnership, and acquisition strategies.
Providing enterprises a classification taxonomy to help decipher how external vendor offerings can provide, supplement, or enhance their risk management system resources.

The report includes market drivers, trends, and extensive vendor examples to substantiate each market segmentation category and definition.

Receive a Free Report Copy in Exchange for Your Feedback

You are invited to receive a complimentary copy of the IMT report, “Risk Management Resources Market Taxonomy, Trends, and Vendor Classification,” in exchange for your suggestions and feedback with points of agreement and disagreement. A limited number of free copies (15) are available, so click this link now to request your copy.

For a more detailed description of the report, including the table of contents and a list of figures, click the following link:

Lead Users of AI in Risk Management Processes Take Hold

jfarrell@intelligentmanagementtrends.com (John Farrell) — Wed, 19 Jul 2017 12:18:00 GMT

Every analytical process and decision point across enterprises are open targets for artificial intelligence. That is not hype. It is just a matter of time before data scientists, software programmers, business consultants, and business managers at least consider ways in which AI could enhance decision making in every crevice of your organization.

Now to pull back the reins. Only ten to twenty percent of potential markets tend to be early adopters of innovative technology. This means at least 80% of all business managers today probably believe AI is all hype, while at least 10% are moving forward implementing some form of artificial intelligence in their business practices.

A GARP study conducted the beginning of this year confirms these general adoption trends hold true for the use of AI in corporate risk management practices. Their survey of 220 risk professionals (and supplemental in-depth interviews) found only 15% are now using AI in their risk management function and 70% have no current plans to implement it. Looking forward, 46% do not believe AI will play a significant role in their risk management toolkit for at least another three years.

These results are not surprising in a profession where reliance on spreadsheets, word documents, PowerPoint, and qualitative assessments as primary tools is not uncommon. Most risk management processes can still benefit from the expanded use of traditional statistical analysis, predictive analytics, and risk management software packages, but now is the time to look ahead for AI adoption plans. C-suite use of Monte Carlo simulations has grown in recent years. The acceptance and integration of machine learning techniques should not be too daunting for a next step.

Machine Learning for Risk Analysis, Predictive Capabilities, and Decision Support

The broad category of artificial intelligence refers to the ability of computing resources to mimic human intelligence beyond directly programmed commands. This includes capabilities such as deciphering questions, identifying visual, auditory, and data inputs, cross-analyzing a wide range of information, and offering some form of a conclusion.

Machine learning is the branch of AI most relevant for supporting risk-informed decision making as it focuses on discovering patterns in data and categorizing or predicting outcomes.

Like traditional business intelligence and predictive analytics tools, machine learning uses a variety of statistical methods. The range of methods are generally classified into: (1) regression analysis to determine independent and dependent variable relationships; (2) classification to identify and label dependent variables; and (3) clustering to discover the general characteristics of groups of observations without any predetermined dependent or independent variable.

Unlike traditional business intelligence and predictive analytics tools which use specifically chosen variables built on structured quantitative data, machine learning allows the flexibility to use unstructured data (not just quantitative) and the program determines variables and coefficients to use on its own.

The first two method categories (regression and classification) require supervised learning with outcomes scored and used as feedback to help train a program to refine its model. Clustering, in contrast, uses an unsupervised learning process that discovers patterns using neural networks with dynamically changing variables and weights as it churns its own modeled system to find key features of the given dataset.

Machine learning improves upon traditional business analytics tools given its ability to use a large variety and volume of information without any of the predetermined static relationships used in traditional models. The dynamics of machine learning allow it to constantly improve precision as it ingests more information. Information that may now include unstructured text (e.g. email and social media content), visual, and auditory inputs.

Given these qualities, machine learning can provide decision support by presenting likely outcomes while considering risk variables that are either initially known or unknown to decision makers in any business environment. Risk managers should welcome an innovative approach that

can help address ambiguous variables, unstructured data, and unknowns.

Current Inroads for Machine Learning Adoption

New processor designs that integrate memory and processing more efficiently, AI accelerators, GPUs, cheaper storage, and the expansion of sensors and general data collection, are all part of the emerging technology drivers making AI technically and economically more feasible today. Investment capital, well into the billions of dollars, and the attention of the world’s top data scientists and data engineers, are now bringing AI to fruition more than six decades after research in the field first began.

Much of the early AI development efforts have focused on training machines to recognize and classify input data for purposes like speech recognition, visual identification, and deciphering questions (e.g. IBM Watson). Pattern recognition has also enabled AI programs to make user recommendations based on other individuals with similar interests (e.g. Amazon, Spotify, Netflix, etc.).

Many of the brightest AI minds are now working on driverless cars to convert environment and situation recognition into driving commands. Then there are the artistically-minded who are testing AI’s creative capabilities for producing unique art, music, books, and movies.

Since machine learning must be trained with substantial amounts of data, business use cases are tied to specific business functions and decision points where historical and current data are readily accessible. Some AI examples with risk considerations include the following:

Modeling credit risks
Detecting credit card fraud and money laundering
Predicting mechanical failures and maintenance requirements
Detecting cyber threats
Identifying spam and phishing emails
Flagging financial reporting irregularities for audit review
Scanning social media for reputation risks
Anticipating and identifying supply chain disruptions
Predicting customer loyalty concerns
Developing agricultural planting and irrigation cycle recommendations based on environmental conditions
Managing third party risks and vendor performance

All these examples are frontline management concerns where computer models can learn from historical data, differentiate regular and irregular patterns, and flag potential risks for further investigation.

The Challenges, Pros, and Cons of Implementing AI Tools for Risk Management

Awareness levels and cultural concerns typically pose the greatest organizational challenges for innovative technology adoption. They are the top challenges for the use of AI solutions in support of business decision making. Other concerns such as complexity and cost are dissipating for basic solutions. Open source algorithms are available for in-house development while many AI-based vendor software solutions offer free entry points for simple data sets to test its value for broader tasks.

Opting for in-house development will certainly require more time and expense as you acquire data engineering talent and run through machine training with multiple test cycles. But regardless of opting for a vendor service or an internally developed solution, implementation success will depend on your ability to assemble large data sets to train and refine models.

Some of the arguments for implementing AI to support risk-informed decision making include the following:

The process of assembling data for machine learning will help expand the consideration of more risk factors in the context of specific business objectives.
It will help embed risk identification and risk assessment in frontline decision-making processes.
It will enable the use of a greater variety and volume of new data sets to help improve predictive capabilities.
It will consider both structured and unstructured information.
It will help reduce (but not eliminate) the model bias that is inherent in the choices of variables and coefficients used in static models.
It will help extend risk considerations beyond just the core known risks and offer the potential for dynamically discovering new and emerging risks.
Predictive capabilities will improve over time as input information grows.
It will facilitate real-time risk identification and risk analysis.

Some of the factors that may weigh against implementing AI include:

The cost and time to build and train unique models.
The potential downside of using predicted outcomes from machine learning as prescriptive decisions rather than considerations for business decisions.
The erosion of personal accountability for decisions associated with the prior point.
The biases that may still exist from historical data selection for training and the choice of statistical algorithms used in the models.
The challenge of communicating to decision makers that AI models will still provide probabilistic answers and should not be used as certainties.
Current organizational standard practices, culture, and role responsibilities for risk management and auditing may have to adjust to accept new risk identification processes as well as documentation capabilities and limitations.
The black box aspects of the clustering machine learning techniques, particularly those leveraging deep learning models, may not lend enough insights for the basis of decision making that must be documented to meet regulatory requirements.

Planning AI Adoption to Support Risk Management

The adoption of machine learning and other AI technology is not hype. It is happening now and will accelerate based on supportive technology trends, the attention of top data scientists, and plenty of eager venture capitalists. It is time to add AI to your risk management strategies and practices.

Not all enterprise investments in AI will pay off, but today’s successful adopters will certainly gain tremendous decision-making efficiency over their competitors. MasterCard proved it was not going to hold back on its AI investments when it recently acquired AI specialist Brighterion to extend its fraud protection and data protection capabilities. In a market with limited AI skills, an acquisition like this is a two-pronged competitive tactic that gains highly-valued resources while also reducing the independent pool of skilled programmers available for competitors.

If you are a risk management software vendor, you should already be implementing, or at least assessing, your strategy for integrating machine learning and other artificial intelligence with your offerings. If you are a risk management consultant, expand your advisory services for machine learning solutions that will help your clients identify, analyze, and manage their risks. (Also make sure you leverage IMT's custom research services and research reports!)

As for enterprise risk managers, a past IMT post addressed a worrisome risk professional awareness gap for disruptive technologies. Quantitative skills, business practice knowledge, creativity, and the ability to leverage artificial intelligence are all important attributes for successful risk managers for emerging business trends.

The GARP research found risk professionals tend to perceive AI as a product or service they can purchase from a vendor rather than an integration of machine learning techniques and programming with internal business processes and analytics. It also discovered 60% believe risk management has no role in assessing the use of AI in their overall organization.

AI adoption is a strategically important issue for just about all enterprises today. Risk managers should make sure they have a role in determining its optimal use.

While AI has made significant inroads to support risk management in specific core risk-exposed frontline functions in many businesses today, enterprise risk managers can expand AI use in three ways:

Investigate and promote the potential use of AI-based programs across unique frontline functions in your organizations.
Develop plans to use machine learning for integrated enterprise risk analysis to help uncover and communicate where organizational value is at risk and where it can be enhanced strategically and operationally.
Help build a culture of using machine learning that supports human decision making rather than dictates prescriptive answers.

The GARP survey notes a lack of AI adoption models and case studies may be hindering AI planning and investment efforts among risk professionals. If you would like to share your experience, struggles, and successes in adopting AI for your risk management practice, contact us at IMT. We research and develop insightful case studies that advance risk-informed decision making and would like to highlight the successes and challenges of implementing machine learning and other AI tools.

All Models Are Wrong. Long Live Forecasting Models

jfarrell@intelligentmanagementtrends.com (John Farrell) — Wed, 05 Jul 2017 14:15:00 GMT

Dr. Gerard Adams, a distinguished professor of economics, once began a 1980s class lecture describing the intricacies of assembling hundreds of data series and correlations that comprised the highly touted Wharton Econometric Forecasting Model. At the end of the modeling process, he would sit at a boardroom table with Nobel laureate Laurence Klein and the rest of their WEFA colleagues to review the results of the highly complex model. They would stare at the output for a few minutes, quietly place the report down on the table, and state in near unison…there is no way in hell that will happen.

Welcome to the world of forecasting models.

Forecasting capabilities have progressed significantly in the past thirty years, but Google any combination of derogatory words and the term “forecasting models” and you will find plenty of venom unleashed on the dark science of predctive modeling. The harshest comments tend to target weather and economic forecasting models.

Nassim Nicholas Taleb, who proudly counts himself among the current model detractors, recently tweeted “All models are wrong. Some are lethal.”

I will assign a 99.999% certainty to Taleb’s statement. While examples of spot-on model predictions exist, their degree of success falls within the range of blind squirrels finding nuts and broken clocks showing accurate results twice a day. No model stands the test of precision over time, but that does not mean we should abandon their use.

The Value of Predictive Models

Venturing into the danger zone of interpreting Taleb, his comments on models are less a criticism of algorithmic accuracy than a rebuke of how we use and rely on models. Models do not offer answers, but they can help guide business decision making if used in the right context. Taleb’s best known criticism targets the turkeys who act on modeled likely outcomes while ignoring the possibilities of tail risks, especially those carrying profound consequences if they occur.

If all models are wrong, and they should not eliminate consideration of any potential outcomes, why use them? Static models are fine for academic and theoretical purposes to help discover how systems function and to assess the influence of an isolated variable when holding all others constant. But as this blog space emphasizes, the use of ceteris paribus analysis is futile for business decision making. Dynamic business environments require dynamic models.

Models earn their poor reputation when used as a reference only at the beginning of a planning process. All models, from economic and financial investment models to weather and cyberattack models, represent dynamic systems with constantly changing variables. Any snapshot of a future prediction becomes increasingly irrelevant and error-prone as the system variables change over time, especially in systems with highly volatile variables.

The value of models is their ability to not only support business analysis and plan development, but also guide corrective actions throughout the execution of a plan.

In a business setting, organizational objectives set desired destinations. In the planning stage, models can help

determine the resources, timing, and road map needed to reach the destination,
identify the potential risks associated with the business plan, and
develop contingencies using scenario analysis.

In the execution stage, dynamic modeling can provide the basis for ongoing monitoring and assessments of risk variables and trigger decisions to enact contingency plans.

Consider how far models have progressed for use in road trips. Back in the old days, we used a fold out map, weather conditions, and advice from friends to help plan the best route to a destination, how long it would take, and the gas needed.

Now, Google Maps, using a model based on historical traffic patterns, road conditions, and real-time Waze data, can provide highly accurate route options and time expectations. We can easily plan a primary route and contingency routes while adding additional considerations like fueling options and restaurants along the route. The model’s usefulness also does not end after the planning stage. Google Maps’ real-time updates can identify accidents and traffic patterns that will alter our original plan and offer alternative routes to our destination.

Similar to the models that power navigation systems, our business planning models should facilitate ongoing monitoring and dynamic assessments as we carry out business plans.

The Future of Dynamic Modeling

The future value of models depends on their ability to help establish business plans, conduct scenario planning, and provide the basis for monitoring changes in decision variables and risk factors as plans are executed. The progress in modeling and monitoring factory manufacturing operations gives evidence for how models can greatly enhance proficiency in plan execution. This approach to system modeling is now extending to other industry sectors and business functions to support planning and business decision making.

The 2011 tsunami in Japan and floods in Thailand which exposed major supply chain weaknesses across the globe, particularly for computer and auto manufacturers. Supply chain modeling and monitoring platforms from companies like Resilinc now eliminate much of the risks of single sourcing, material premiums, and factory shutdowns.

In another example, IBM/The Weather Company and Monsanto/Climate Corp. have invested heavily in building models for agricultural production. Their model forecasts, variable monitoring, and decision guidance are now in use across the world.

Looking ahead, this melding of system modeling and real-time monitoring will extend to enterprise decision making. Consider today’s executive dashboards as a type of crude system model. Dashboards will typically include a set of key performance indicators (KPIs) and perhaps a set of key risk indicators (KRIs). Program developers and individual executives presumably choose to display specific KPIs and KRIs based on their important roles as variables and outcomes in the systems they manage.

The value of most dashboards can be further enhanced by clearly presenting a model of the business system with explicit probability and weights associated with each factor presented. Real-time monitoring would then better facilitate when to shift to contingency plans as specific variables approach critical thresholds.

Predictive modeling and business analytics have advanced tremendously since the days of the WEFA Econometric Forecasting Model. The complexity of current business decision making models ranges widely from those built on basic statistics or advanced statistics to deep learning neural networks.

Regardless of the source and development details, business decision makers should use all models with healthy skepticism. IBM, and others advancing the use of artificial intelligence, tend to avoid positioning new AI models as replacements for human decision-making processes and instead refer to technical solutions that augment decision making.

Taleb is correct to note static models are poor predictors of actual business outcomes. The value of business models is instead their ability to help explain systems and dynamically guide decision making until an objective is achieved.

Risk Management is a Decision Enabler, Not a Control

jfarrell@intelligentmanagementtrends.com (John Farrell) — Mon, 26 Jun 2017 13:45:00 GMT

Risk management principles can help optimize every strategic, operational, financial, and resource decision in pursuit of organizational objectives but often is relegated to a control on business decision making.

Five influencer groups have culpability in positioning risk management as a control rather than an enabler. Will the repositioning of risk management as a core principle for effective decision making take an evolutionary path or does it need a full makeover? A review of the macro dynamics of these five stakeholder groups that define risk management offers some signs for future progress.

1. Risk Management Defined by Insurance Industry Trends

While insurance represents just the transfer portion of enterprise risk response REITA options (reduce, eliminate, ignore, transfer, or avoid), direct spending on gross insurance premiums totaled 8% to 9% of GDP in OECD nations over each of the past ten years.

The sheer magnitude of insurance expenditures demands focused expertise within business enterprises to manage the intricacies of insurance coverage portfolios. For many businesses, insurance policy management is the primary, or even sole, focus of risk managers.

In these cases, the role of risk management in decision making is a binary control dependent on policy coverage. Are we covered or not? Can we move forward or not?

As noted in our June 15^th post, Can your Enterprise Risk Manager Handle the Role Tomorrow?, an insurance market primarily addressing physical asset hazards was fine for protecting enterprise value in the bygone economy based on manufacturing and bricks-and-mortar operations. Most of today’s business value, however, exists in the intangibles of information in the cloud, intellectual property, and brand reputation. The latest Ocean Tomo analysis placed the intangible value of S&P 500 corporations at 87% in 2015 versus 17% in 1975.

The insurance industry has struggled to develop standard products for cybersecurity and reputation risks, but its best inroads for intangible value coverage involve innovative partnerships with public relations firms and cybersecurity experts that integrate risk assessments, crisis planning, and crisis management offerings with insurance coverage.

Airmic’s June conference speakers warned insurance is still far from serving today’s enterprise risk management needs. The insurance industry is on a path of evolving the positioning of risk management from “Are we covered?” to “Are we prepared?”.

2. Risk Management Defined by Industry Analysts

In the wake of corporate management and accounting scandals, including Enron and WorldCom, Sarbanes-Oxley (SOX) set standards and regulations for management and reporting accountability. The industry analyst community assessed the demand for greater transparency and meshed the key concepts of risk management and controls. Michael Rasmussen, in particular, assessed the challenges from his perspective as a Forrester Research analyst at the time and outlined the potential for consultants and software vendors to support the integration of governance, risk management, and compliance (GRC) to elevate ethical decision making.

While GRC components are inexorably linked for the purposes of assuring effective controls on decision making, the power of risk management as a decision enabler tends to be lost in the broader scope of GRC. The potential fines and penalties associated with SOX and ensuing regulations were the driving force behind U.S. investments in GRC software and business processes.

The market acceptance of the GRC acronym became a convenient tag for Gartner and other analyst firms to apply to anything associated with risk management. Most of these firms are still struggling with how they apply the GRC term to functional or specific risk source categories (e.g. financial GRC, IT GRC, eGRC, etc.).

The GRC concept presents a useful model for connecting enterprise functional responsibilities for accountability and adherence to governance demands and regulatory requirements. Risk management, however, must also define its standalone value for optimizing decision making. The analyst perspective needs a makeover and will be aided by those like Intelligent Management Trends that seek to bend the market value of risk management back toward supporting effective decision making in the context of business objectives.

3. Risk Management Defined by Vendors

Risk management consulting offerings can range from risk assessment services and organizational consulting to decision support and insurance advisory services. The Big Four and other large networked advisory firms tend to address risk management more holistically, but they also follow the money. The money in this case concentrates on advancing financial risk management in the financial sector, as well as ensuring regulatory compliance across industry sectors.

As for risk management software vendors, up to this point they have focused on what technology historically does best…manage data and enable repeatable well-established processes. Most use the GRC acronym and gravitate to risk registers, regulatory libraries, and compliance assurance. Others, like risk management information systems (RMIS) were originally developed to enable efficient claims processing.

Some of the GRC and RMIS vendors are now evolving to integrate decision support based on risk management principles. Other risk software vendors founded on more holistic ERM concepts are already there. You can access IMT’s complimentary Perspective “Defining an Enterprise Risk Management Vendor” using the following link for more information on the vendors now positioned as, or evolving to become, true risk management vendors.

While the core historical value of technology is data management and business process enablement, augmented intelligence is quickly emerging as an additional value to support decision making. This is an opportunity for vendors to align risk management concepts more directly with efficient business decision making.

4. Risk Management Defined by Industry Standards

With the backdrop of corporate ethical failures and financial failures, industry risk management standards such as ISO 31000, COSO Enterprise Risk Management, and the King Reports, set definitions and guidance for identifying, assessing, and addressing enterprise risks over the past fifteen or so years. Auditors and regulators have used these guidelines to assure effective controls, accountability, and compliance are in place within corporate entities.

ISO, COSO, and King IV entered revision processes in the past few years with calls for more practical directions for implementing risk management in support of decision making. Tim Leech of Risk Oversight Inc. is one leading voice advocating a shift of standards to focus on objective-centric ERM.

Despite the calls for a new emphasis on objectives and decision making, the standards organizations seem to be opting for a simpler presentation of the existing process guidelines to aid the communication of core concepts rather than shifting the underlying perspective of risk management. The future direction for standards seems to be an evolutionary path, but the debate among risk professionals on risk management value will continue to build pressure for change.

5. Risk Management Defined by Risk Managers

The future direction of risk management depends on the emergence of new risk managers. The general trends of the insurance industry, industry analysts, vendor offerings, and the standards organizations may exert heavy influence, but risk managers will determine the practical application of risk management principles within their own organizations.

Our last blog post explored the potential skill sets for future successful enterprise risk managers. IMT is optimistic a new breed of actuaries or other quantitative risk management analysts can emerge with enough creativity and practical experience to accelerate the use of risk analysis in decision making processes across all business functions.

Since experience is a key qualifier, changes driven by risk managers may evolve in the next few years until more revolutionary risk managers develop the capability to leverage new data sources and analytical tools enabled by emerging data acquisition, AI, and visualization technology.

Risk management associations will provide the communication platform for advancing the decision and objective-focused practices among risk managers.

A Risk Management Value Evolution or a Makeover?

If the value of risk management is to shift from a control to a decision-making enabler, the five influencer groups and macrotrends outlined above point to an evolutionary process on balance. The greatest hope for faster change lies with a refocused insurance industry, emerging machine learning technology, and a potential new breed of risk managers who can apply risk quantification across enterprise risk sources.

Perhaps new terminology and acronyms are needed to accelerate more risk-aware decision making in support of enterprise objectives, but there is no need to add more confusion when the core principles of risk management already provide the basis for increasing management proficiency. This Ixnay Ceteris Paribus blog is dedicated to highlighting the trends that integrate risk management principles, management best practices, technology, and burgeoning data sources to enable optimized decision making (subscribe here).

Risk management should not be a control. Instead it should underlie the process for identifying where the marginal return equals the marginal cost of taking risks in support of enterprise objectives. Scenario analysis is making inroads into corporate boards, offering an opening to accelerate the effort to build robust, or anti-fragile, organizations and decision-making processes based on risk management principles.

Can Your Enterprise Risk Manager Handle the Role Tomorrow?

jfarrell@intelligentmanagementtrends.com (John Farrell) — Thu, 15 Jun 2017 13:41:00 GMT

The structure of roles and responsibilities for enterprise risk management is still far from settled in most companies. The lines of defense model places operational managers on the frontline as the most knowledgeable and capable of identifying and managing specific ongoing risks, but there is less certainty in how other roles are playing out in practice.

Risk managers particularly have less clarity settling into elevated enterprise roles. They have a responsibility to educate and support the frontline managers on one hand, and inform and engage the board on another. In practice, some are mired in a checkbox world struggling to differentiate their value from compliance officers. Others stay solely within the confines of managing the policy portfolio for insurable risks.

It may just take some time to crystalize their distinct enterprise role as risk management strategies progress, or perhaps the skill requirements for enterprise risk managers have fundamentally changed.

That may be a strange statement to make for a relatively young profession. Skill requirements are certain to change as the risk management function evolves. However, two trends encumber the enterprise risk management profession: (1) the historical focus of the role, and (2) the vastly changing dynamics of emerging risks today.

Settling into a Comfort Zone of Known Risks

David Druml of Enterprise Risk Specialists, provides an insightful ERM history highlighting the narrow path taken by risk managers focusing on insurable “pure risks” rather than the broader risk management perspective first outlined by Robert Mehr and Bob Hedges in their 1963 book “Risk Management in the Business Enterprise.” While risk managers developed standard tools and expertise for the narrow set of known pure risks, financial managers developed a separate set of tools to address the financial risks prevalent in the 1970s.

Similarly, other significant enterprise risks spawned unique expertise and means of assessing specific risk categories (e.g. information technology risks, geopolitical risks, reputation risks, model risks, etc.). Now, as risk management trends bend back toward an integrated risk perspective for more efficient management across the enterprise risk portfolio, are risk managers up to the task?

Turning to the Next Ideal Enterprise Risk Manager

The criteria for a successful enterprise risk manager are unique to each company depending mostly on company size, industry, and geographic location.

In startups and small companies, a CEO may rely on his own broad business skills, supplemented with support from insurance agents, brokers, or risk consultants, to address known risks. In certain industries where risk management is a core business value delivered to customers, risk professionals well-versed in the business model are necessary even in small companies (i.e. financial risk experts in financial management, engineers in construction, IT security experts in cloud computing companies, etc.).

Once companies reach a mid-size stage, however, the enterprise risk manager should have broad business knowledge and skill sets to both (1) help set risk management standards for first line risk managers across business functions, and (2) communicate the top and emerging risk concerns to the board. Any risk managers still focusing purely on insurance policies or regulatory compliance will miss the opportunity to play a more vital role in guiding risk-aware corporate strategies and enhancing organizational value.

The first wave of enterprise risk managers generally rose from the insurance sector, financial sector/corporate treasury roles, and engineering while creatively extending risk management perspectives based on their personal experiences. Highly-lauded risk manager Hans Laessoe notes with an engineering background he had to Google “strategic risk management” when Lego asked him to address the long-term challenges for company faced.

Experience in underwriting, insurance brokerage, financial management, and auditing provided the basic skills for many of today’s enterprise risk managers as they expanded their corporate roles, but Chartered Financial Analysts (CFAs) and Financial Risk Managers (FRMs) often suggest an educational background more strictly focused on mathematics may be better preparation for implementing creative risk analysis across the multiple risk sources for an enterprise today. The Society of Actuaries established the Chartered Enterprise Risk Actuary (CERA) program in 2007 for this purpose. The CERA Global Association now oversees the CERA certification standards and has credentialed over 3,000 individuals globally.

While various educational backgrounds and risk management certifications may provide some of the tools for analyzing risk factors, risk managers need hands-on experience to unlock the creativity necessary to integrate enterprise risk analysis. A review of seventy enterprise risk management job offerings on LinkedIn (see word cloud) reveals business process knowledge and an average of at least five years of experience are common requirements. Certifications, with most mentions of CRMA, CISA, and CPA, are required for less than a dozen of the positions.

Airmic sounded the warning to the risk management profession at its annual conference this week as it released the findings of a recent survey of insurance and risk managers. New business models are necessary to move beyond conventional risk management approaches that protect physical assets. The intangible value of S&P 500 corporations has grown from 17 percent forty years ago to 84 percent today. Three-quarters of the survey respondents believe the risk management profession must undergo significant change to address today's organizational challenges.

Airmic’s chairman, Clive Clarke noted a deeper understanding of digital trends is now necessary in the profession and warns:

“The type of skills required of a risk manager in ten years’ time will therefore be quite different to the skillset of the 40 and 50 somethings running the industry today. We need to adapt as a profession and open the door to graduates or we will be facing a huge gap in knowledge and experience.”

The insurance sector recognizes the need to address intangible assets and emerging risks critical for companies moving forward. Can the rising enterprise risk managers lead this more holistic vision for risk strategy within their organization rather than merely follow the trends of new insurance products and services offered by external vendors?

The successful risk managers of tomorrow will likely require a mixture of a mathematical mindset, knowledge to leverage AI tools, experienced insights into business operations, good communication skills, and creativity. Lots and lots of creativity.

You Won't Get Fired Using a Good Decision-Making Process

jfarrell@intelligentmanagementtrends.com (John Farrell) — Mon, 22 May 2017 13:05:00 GMT

There are two broad categories typically used to justify firing a decision maker. The first is when they egregiously neglect a basic component of a decision-making process. The second is having a string of poor outcomes. The latter usually traces back to the former. No one is fired for following a good management decision-making process.

Historical Thoughts on Business Decision Making

The science of management decision making is still young. The progression of decision making styles and concepts within the past century draws on theories from economists, behavioral psychologists, statisticians, business consultants, and seasoned managers.

Chester Barnard first generalized the term “decision making” in a business context in his 1938 book on management theory, “The Functions of the Executive.”
Business theorists, including Herbert Simon, James March, Henry Mintzberg, and Peter Drucker, developed the study of business decision making in the decades that followed.
Simon identified issue complexity, time limits, and analytical capabilities as the main decision maker constraints that result in “satisficing” under bounded rationality conditions He believed rational decision making would increase with the ability to gather more information.
Mintzburg countered deliberative decision processes, advocating instead for relationship-driven organizational structures that give rise to decisions based on individual experiences.
Drucker highlighted the role of effective executives as setting the organizational objectives which drive the consideration and analysis of decision alternatives. After analyzing executive roles and studying Japanese business culture, Drucker noted the following in the January 1967 issue of the Harvard Business Review:

“Effective executives do not make a great many decisions. They concentrate on what is important. They try to make the few important decisions on the highest level of conceptual understanding. They try to find the constants in a situation, to think through what is strategic and generic rather than to 'solve problems.' They are, therefore, not overly impressed by speed in decision making; rather, they consider virtuosity in manipulating a great many variables a symptom of sloppy thinking.”

On the value of intuition versus analytically-based decision making, many successful executives, like former GE CEO and business advisor, Jack Welch, strongly side with the benefits of acting on determined gut instincts.
Today’s behavioral economists and psychologists, including Nobel prize-winners Daniel Kahneman and Richard Thaler, add considerations for a variety of individual, group, and information biases that can divert decision making from optimal choices.

In general, management theorists and pundits acknowledge good business decision making is a mixture of science and psychology. For those who support Herbert Simon’s view, current management trends are accelerating toward broader use of more-informed rational decision making. Vast data collection and better data management can foster more effective decision-making processes today compared to the past.

Given the burst of new data, further progress in management proficiency now relies on improving analytical capabilities. An APT/EIU survey of 174 senior managers and executives across world regions and industry sectors found less than one-quarter believed they required more data while 54% stated a better ability to analyze data would most improve their decision making.

IMT analyzes the management trends, technology advances, and data developments that are increasingly supporting a condensed deliberative decision-making process for a broader range of enterprise decisions. In our view, the current developments in data acquisition and data analytics are enabling more efficient decision making that can be both informed and timely.

What is An Effective Decision-Making Process?

Our last post on decision management principles asserted good business decisions are objective-oriented, informed, selective, risk-optimized, accommodating, unbiased, actionable, animating, timely, and documented. The historical theorists and consultants referenced above offered organizational structures, roles, and processes to achieve decision results with these characteristics. Their diverging opinions are mostly rooted in the speed required for management decision making.

From IMT’s perspective, technology innovation that supports improvements to data accessibility and analytics are condensing business decision-making time requirements even for deliberative processes. The following good decision-making process steps reflect the general guidance of past thought leaders and adds details to use as criteria for assessing where consultants, software, and information providers can offer value to enterprise decision makers.

State the Objective

Set the specific organizational objective and the context for decision making. Frame the issue with the organization’s overall strategic, operational, and financial considerations.

Establish Time Requirements

Identify any decision timeframe limits due to competitive, resource, financing, partnership, and customer requirements. Determine the depth to which each decision process step may be pursued. Assess first-mover advantages which could allow corrective actions while still capturing market demand, presence, and mindshare ahead of competitors.

Identify All Stakeholders

Consider all parties affected by the decision outcome and either directly or indirectly incorporate their needs and concerns. Stakeholders are internal and external parties that can include owners, managers, employees, creditors, regulators, suppliers, partners, customers, the community, and others.

Develop Decision Alternatives

Outline multiple potential decisions to help achieve the organizational objective. This may include a set of standard options from past experiences, as well as new creative ideas.

Analyze the Alternatives

Conduct analysis of the likelihood and consequences of risk factors that could affect achieving the organizational objective. Risk appetite and risk management processes take center stage in this step with consideration of the risks directly associated with the decision, as well as overall enterprise risks and risk tolerances, to determine optimal decision outcomes. This step involves balancing data analytics and intuition based on resource and time limitations.

Gain Stakeholder Input

The management gurus differ on the practicality and importance of this step, but decision buy-in and outcomes will improve if stakeholders are given an opportunity to shape the decision. Obtain input from those who will enact the decision, as well as those who will risk and benefit from the decision.

Check Biases

Important decisions rarely incorporate pure objective analytics (if there is such a thing). Assess the potential biases of all decision inputs, including, but not limited to, those resulting from information bias, group think, individual experiences, and desired outcomes. Consider information gaps and data confidence levels. Question all assumptions.

Choose from the Alternatives

According to Merriam-Webster, the etymology of decide is the Latin word decidere – to cut off. Deliberation ends and the lesser choices are dropped to arrive at the optimal risk-informed decision. Note the potential for all alternatives falling short of achieving the objective. In this case, revisit either the objective in Step One or consider new alternatives in Step Four.

Communicate and Enact the Decision

If the prior steps are followed, a willing and able set of participants should be ready to act on the decision. A documented decision should include directives that ensure necessary actions. Many decision failings stem from poor or incomplete communication. While the potential tedium of documentation can dissuade some decision makers from effectively completing this step, most software applications related to decision processes can now help document decisions and support communication to management, implementation teams, auditors, and regulators.

Evaluate the Decision

All good processes include a feedback loop based on the evaluation of outcomes. Decision evaluation should serve two purposes. First, immediate analysis can guide any necessary corrective actions if unexpected or subpar outcomes result. Second, documented decisions and outcomes provide valuable evidence to help guide future decisions.

While not a one hundred percent guarantee, anyone who follows this business decision-making process will maximize their protection against being fired for their decisions and will be more likely to optimize business outcomes.

What Can Get You Fired Based on Decision Making?

What can get you fired? Some reasons will get you fired faster than others. The level of management or owner patience will also depend on the importance of the decision.

Some missteps that will send you packing (in order of a guard-escorted level of severity to a longer-term documented employee action) include:

Ethical violations: This may occur in Steps 3, 6, and 8 if the decision maker ignores important stakeholders, considers personal interests over those of the stakeholders, or caters to a set of non-stakeholders. Expect a guard escort or worse.
Ignoring or misinterpreting organizational objectives: Whether intentional or not, missing the point will quickly send you out the door.
Slow decision implementation: Poor judgment in Step 2 and missing first-mover advantages will eventually show up in lost market share or lack of resources to carry out a decision. Never use time limitations to skip a step. Instead use the assessment in Step 2 to adjust the depth of practical action on each step with an appropriate analytics/intuition ratio.
Evidence of a recurring personal bias: When you give too much weight to your own instincts in Steps 7 and 8, or you are not aware of your own decision biases, negative outcomes may eventually have fingers pointing at you.
One poor outcome: You are usually safe in this situation if you follow the effective decision-making process steps. The exceptions are (1) the decision is so high profile that executives insist on a scapegoat, and (2) you substituted too much gut instinct for data-driven analysis. Sometimes instinct may rule, but, if the result is a poor outcome, a documented analytically-based process may still save you over using undocumented intuition. It will likely even save you through a handful of poor outcomes.
A series of poor outcomes: What happens if a series of bad results occurs even if you follow all the steps of an effective decision-making process? This likely means there is an ongoing deficiency in at least one of the process steps, usually a lack of creativity in developing decision alternatives in Step 4 or relying on poor information in Step 5.

The other explanation for this last scenario is you are the victim of a Black Swan event of a series of poor outcomes that can occur even if you follow all the decision-making process steps with over ninety percent confidence. If you are fired in this circumstance, you can at least leave your position with a clear conscience and your integrity intact.

Ten Management Principles for Making Better Business Decisions

jfarrell@intelligentmanagementtrends.com (John Farrell) — Mon, 15 May 2017 18:18:50 GMT

When considering what constitutes an effective decision-making process, another question takes priority - What is a good business decision? The snarky response from any confident executive is usually “one that makes money.”

Sure, the bottom line return is usually the ultimate criterion for judging most business decisions, but it does not qualify as a general standard for all individuals or all business situations.

The definition of a good business decision depends on the context of organizational objectives, timing, available resources, and risks. Given this fact, are there any qualities or criteria that can define a good decision in any circumstance? This post offers ten business principles to consider, but, in keeping with the blog theme, we first assess the dynamic parameters involved.

Wayward Business Management Trends Shape Current Judgement

On a micro level, single business decisions can only be judged against the unique context and objectives of their specific situation. The factors involved are always changing. But even on a macro level, major trends in management concepts and business outcomes have shifted the definition of good business decisions over time.

As the science of business management practices developed over the past century, unintended consequences, moral hazards, or just pure selfish intent surfaced detrimental outcomes that can result if money-making success is the only focus for judging management decisions.

Even if you were not an environmentalist, the daily smog index and the teary Iron Eyes Cody in the 1960s and 1970s made It obvious the criteria for assessing some of our business decisions had to change. The founding of the Environmental Protection Agency shifted the calculation of decision outcomes to support broader social needs. This Air Quality Index map offers some evidence of the positive effects of altering the criteria for making better business decisions in the US.

The 1980s brought scrutiny of management decision-making process time horizons. The US obsession with driving quarterly revenue and profit performance for shareholder value was attacked as inferior to the consensus-building and long-term strategic focus prevalent in the Japanese business culture. Jeff Bezos then proceeded to demolish the notion that a US company could not build market value based on long-term planning. His nearly 23-year old Amazon did not turn a profit for its first nine years, still prefers to reinvest profits, and is currently in a race to become the first trillion-dollar valued company.

More executives now cite building long-term shareholder value as their pithy criterion for good decisions versus the immediate returns sought in the 1980s. Nearly 200 privately-funded start-up companies are now in the $1 billion-valued unicorn club. We can remove revenue and profit generation, at least temporarily, from the assessment of good business decisions.

The turn of the century tested the integrity of business entities. Ethical concerns are always an element of decision assessments, but the spectacularly deceptive practices of Enron and WorldCom raised the consequences of sinister decisions into the multibillion-dollar range. The Sarbanes-Oxley Act of 2002 instituted greater oversight, transparency, and accountability to protect investors.

Finally, the 2008 financial crisis exposed the fragile levels of risk exposure that seeped into the decisions of some of the most systemically important US financial institutions. Once again, regulatory requirements were developed to impose guidelines for risk exposure and governance expectations.

Ten Principles for Judging a Business Decision

Our collective experience at the macro-economic level provides evidence that the criteria for good decisions can change over time. The solutions to past transgressions included attaching costs to externalities (government penalties), reassessing and adjusting the fundamental approach to decision making models, and realigning outcome assessments in the context of organizational value over time.

For any business, the ultimate authority to assess and influence business decisions lies with owners who set overall expectations. Their directives for good business decisions, articulated through board members, now must incorporate not only their own interests and those of their customers, but also the influential pressures from government regulations and third parties like politicians and social activists. At the same time, business schools, academics, the media, consultants, and blog writers offer added opinions for judging business decisions.

With consideration of historical business, cultural, and information technology trends, here are ten general management principles for assessing business decisions from this blog-writing/industry research analyst/consultant:

Objective-Oriented

The business decision is set in the context of specific organizational goals. This may include reaching certain corporate objectives or preventing a competitor from achieving their goals.

Informed

The decision considers all available information about past, present, and future conditions which may help determine outcomes.

Selective

The decision is selected as the best option from a set of considered alternatives.

Risk Optimized

The decision optimizes the balance of risk and reward that is acceptable for the organization's risk appetite, including maximizing the certainty of the outcome.

Accommodating

The decision considers all stakeholder interests including those of shareholders, employees, customers, partners, suppliers, regulators, and the public. This includes addressing and balancing all business, regulatory, and ethical concerns.

Unbiased

The organizational decision is free from personal, group, data, or any other decision biases.

Actionable

The decision confirms and activates available resources. It is both specific and pragmatic.

Animating

The decision gains participation of all parties needed to take action. This can be based on gaining buy in during the decision-making processes or provoking participation by outlining penalties for nonaction.

Timely

The decision is made known to all participants at a point that allows enough time to act given the resource and process requirements and expected customer and competitive responses.

Documented

Any important business decisions should be documented so they may be communicated, defended, assessed, and corrected as needed.

While Monday morning quarterbacking assesses decisions based on outcomes, this set of management principles allows an assessment of business decisions as they are made. Risks always have the potential to create catastrophic results even for the best decisions. A business decision maker can only assure they are taking the proper steps to optimize their choice based on available information at the time of the decision.

Third-party influencers, cultural changes, technology advances, and information accessibility can significantly alter the criteria for assessing good decisions over time. The next Ixnay Ceteris Paribus blog post will translate how the principles of a good decision outlined above can drive the structure of a good business decision-making process.

Stunning Risk Manager Survey Results on Disruptive Technology

jfarrell@intelligentmanagementtrends.com (John Farrell) — Fri, 28 Apr 2017 11:09:00 GMT

These risk manager survey results are stunning. According to the 14^th annual Excellence in Risk Management report published jointly by Marsh and the Risk Insurance Management Society (RIMS), there is a significant gap in risk manager awareness of the use of disruptive technologies. Nearly a quarter of the risk professionals surveyed stated their company does not use or plan to use any of the thirteen emerging technologies presented in the study.

The survey results, released at the RIMS 2017 Annual Conference & Exhibition held in Philadelphia, also found 55% of risk professionals do not conduct risk assessments of disruptive technologies. Stunning.

The RIMS Survey Highlights

The study surveyed over 700 risk managers and C-level executives across industries to obtain their perception of disruptive technology and their company’s ability to identify, assess, and manage related risk factors. Use this report link to review the full details. The list of technologies presented includes telematics, sensors, Internet of Things, artificial intelligence, and other innovative technology advances that many, if not most, companies are at least considering using today.

The most egregious example of the awareness gap:

Perception: 52% of the responding risk professionals say their organization does not use, or plan to use, the Internet of Things (IoT).
Reality: A 2016 Telecommunication Industry study found 90% of all companies will be using IoT within two years. This is supported by multiple technology analyst firms indicating IoT spending is quickly approaching $1 trillion worldwide.

The report authors were a bit overzealous when they presented 93% usage of wearable technology as a counterpoint to the 25% of risk professionals noting use or consideration in their own company. The 93% figure cited a 2015 study by APX Labs (now Upskill) which targeted over 200 companies in only the industrial sector.

Despite the overreach on this one observation, the conclusion of the study is sound. A substantial portion of risk professionals are not aware of innovative technology actually in use or under consideration for use within their own companies.

The survey results are stunning from three perspectives:

It appears personal curiosity and awareness of top technology disruptors may be a missing attribute among many risk managers.

The profile of a successful risk manager includes many skills and personality traits. With plentiful examples of how innovative technology has drastically disrupted retailers, investors, newspaper publishing, photography equipment manufacturers, bookstores, the recording industry, and others, personal interest in emerging technology trends should be a core risk manager attribute.

One of the disappointing observations in the report indicated some risk professionals lump disruptive technologies into the same category as cyber security risks. Perhaps a basic misunderstanding of disruptive technology concepts is a factor.

The success of the risk management profession increasingly relies on the ability to assess emerging risks such as disruptive technology.

Given all the discussion in the profession about risk management lines of defense, risk managers should be proving their ability to guide the proactive identification, assessment, management, and communication of emerging risks as part of the risk management function. While the frontline defense becomes more risk aware, and takes on more risk identification and management responsibilities within their own business unit, a cross-functional, longer-term perspective from risk managers is necessary to support the identification and assessment of emerging technology risks.

The Marsh/RIMS report points out the pace of innovation “leaves many executives struggling to understand how disruptive technologies affect their business strategies, models and operations.” Sounds like a prime role for risk managers. This offers one path to separate from the dangerous perception of risk professionals as list managers of past risk events.

It would be far better if the percentage of risk professionals conducting risk assessments of disruptive technology were closer to 100% rather than 45%.

Risk professionals should be the leading proponents for considering the use of some of the innovative technologies on the survey list!

More study results: only 48% of risk professionals believe their company is using or planning to use sensors for tracking, analyzing, or predicting events, and a meager 28% say their company is using or planning to use artificial intelligence.

How can this be true? Risk professionals themselves should be considering the use of these technologies to help build systems for risk discovery, risk data acquisition, risk data management, risk analytics, predictive modeling, and decision support in just about every industry. Mobile technologies, metering, monitoring, real-time analytics, predictive analytics, machine learning, and cognitive computing are just some of the innovative technologies that can help discover and capture higher volumes of risk information while improving the speed, capacity, and timing of risk analysis.

Disruptive technologies, by definition, threaten a company’s competitiveness or existence. They should be on the emerging risk radar for every organization. Risk managers can help lead enterprise efforts to identify and assess emerging technology trends as they are positioned to coordinate cross-functional risk considerations.

One bit of advice for risk professionals: make sure you educate yourself about the use of wearable technology in your organization before you find yourself an unwitting participant in implantable technology!