Advice for Risk Managers: Ask the Tough Questions

The New York Times author David Leonhardt recently published a puzzle that I recommend all governance personnel attempt. Take a second to give it a try before reading this blog, but if you’re pressed for time, I’ll outline the basic premise.

The puzzle asks that you find the rule in the following pattern of numbers by guessing other sets of numbers that may or may not obey the rule. The sequence that obeys the rule is:

[Image: New York Times puzzle for risk managers]

You may think you have the puzzle figured out already, and if you guessed, say, the sequence 4, 8, and 16, your pattern would also obey the rule; even so, it’s likely you guessed wrong.

The combinations of 1, 2, 3 and 12, 15, 17 also satisfy the rule, because the pattern is simply that each number must be larger than the one before it.

The problem Leonhardt so artfully illustrates is one of confirmation bias. It relates to a gap in organizational procedures: risk managers need to provide systematic ERM programs and ERM software tools that engage others to overcome this complacency and bias. As Leonhardt writes, “we’re much more likely to think about positive situations than negative ones, about why something might go right than wrong and about questions to which the answer is yes, not no.”

Risk managers must pose the inherently uneasy question, “What can go wrong?” in order to uncover risks that would otherwise not be identified until it is too late. By challenging assumptions and seeking out subject matter experts to contribute their observations, risk managers are not only better preparing their businesses for the downside of risk, but are also reaffirming which strategic initiatives are worth pursuing.

Corporate America is full of examples where risks were not explored, even though the risk was in plain sight all along. Executives of Detroit’s Big Three didn’t recognize the threat of new manufacturers from abroad improving their products over time and becoming even stronger competitors. Wall Street and the Fed made the same mistake during the financial crisis by ignoring the warning signs that every 20 years or so the housing market goes down after a sustained rise.

Risk managers can endear themselves to their colleagues by helping them discover and mitigate potential downsides, thus improving the likelihood that goals are achieved. They also need to systematically prioritize risks in order to understand where risks are connected across business silos, and which of these risks they should focus their limited time and resources on.

Asking your organization’s subject matter experts on the front line questions such as, “What aspects of our cybersecurity defenses are weak?” can lead to the escalation of risks known to front line personnel and yet unknown to the level of management that allocates resources to prevent incidents from becoming catastrophic. Recently, several organizations thought they were covered by insurance for cyber risk, but found out the hard way that their failure to meet the “minimum required practices” for cybersecurity risk management disqualified them from receiving a claim payment in the millions, even though they had dutifully paid their premiums for years. Their front line managers knew the security practices to follow, and yet they did not have a system to prioritize, escalate and implement minor-cost initiatives that would have saved them millions in losses due to the breaches that occurred because they were complacent and thought they would just be covered by insurance.

Risk managers make the greatest impact on their organization by helping others to escalate the risks that would otherwise go unconsidered, and by casting transparency on the “unknown knowns.”



Fulfilling the role of Risk Manager can be challenging when the board and senior management aren’t sure what to expect from your program. Download our eBook, Presenting Risk Management to the Board for our advice for risk managers on making your discoveries resonate with leadership.


Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his prescient abilities to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.
