With Adam EnnamliChief Risk Officer at General Bank of Canada, former VP O&T at Thomson Reuters. Advisor to the Global Board on Strategy and Risk.
Risk models in Credit Suisse they had pointed out the risks before the $5.5 billion Archegos loss. Silicon Valley Bank’s risk metrics showed clear warnings before their collapse. In both cases, sophisticated hazard systems worked as designed. However, both institutions failed. The reason? Human behavior overwhelmed risk controls.
The paradox of modern risk management
While risk models are becoming more powerful and more sophisticated, we risk that practitioners are faced with a paradox: we often put too much faith in these systems. This overconfidence makes our organizations more vulnerable to basic human biases.
FTX is a perfect example. Despite having advanced trading systems and risk controls, the firm collapsed because its leaders allegedly ignored fundamental risk management principles and let overconfidence drive their decisions.
This creates a critical challenge for risk management: How do we bridge the gap between technical excellence and human psychology?
Three Fatal Patterns: Why Smart Institutions Fail
Three psychological patterns appear repeatedly in major risk management failures:
1. Success Bias: The leadership of Silicon Valley Bankbuoyed by years of growth, they are discounting warnings about their concentrated deposit base. The previous success became their greatest vulnerability.
2. Bypass Relationship: Hazard warnings for Chief were available at institutions across Wall Street. Some acted on these warnings, while others let business relationships influence their risk decisions. The difference in results was completely.
3. Groupthink in a crisis: During The crisis of Evergrandedespite clear risk indicators, many investors held their positions, collectively believing that China’s real estate sector was “too big to fail”. This group thinking individual behavioral biases are reinforced.
Constructing behavioral circuit switches and practical application challenges
Supported by regulatory guidelinesfinancial institutions are implementing measures to address these psychological blind spots. These include dedicated teams to challenge prevailing views, monitoring behavioral indicators that often predict problems before quantitative metrics show problems, and recognition systems for early risk recognition.
The process usually involves watching for soft signals—such as unusual excuses for crossing boundaries, changes in communication patterns, or resistance to supervision. These behavioral indicators often appear before traditional metrics show technical problems.
The path to conduct risk management varies significantly between institutions. Big Wall Street banks can invest in specialized behavioral risk teams and sophisticated monitoring systems. However, smaller institutions need more cost-effective approaches. A mid-sized regional bank could start by simply introducing a “devil’s advocate” role at risk committee meetings or implementing basic communication monitoring without expensive technology.
Cultural and regional differences also shape how behavioral risks manifest. For example, during the market volatility of 2022, European banks generally exhibited different patterns of behavior than their US counterparts, which translated into different results during Bank stress of 2023.
Despite significant implementation challenges, emerging technologies present promising solutions.
The Next Frontier: AI and Human Behavior
As artificial intelligence (AI) reshapes risk management, the human factor becomes even more critical. Artificial intelligence can process vast amounts of data and identify patterns, but it cannot yet fully account for human psychology. The danger is not that the models are wrong, but that people misinterpret or ignore their results – or just give up.
Before making important risk decisions, leaders should ask:
• Do we avoid the hard conversations about this risk—or, simply put, do we take the easy way out?
• What emotional biases might influence our judgment—are things so good that we fear hearing something we don’t want to hear?
• Did we actively seek out and seriously consider opposing views—or would it make things too uncomfortable?
• Are relationship concerns inappropriately influencing our risk assessment—ie, are we afraid of upsetting someone?
Needless to say, implementing behavioral risk controls requires significant investment—both financial and cultural. A basic behavior tracking system usually costs between 1%-3% of an institution’s risk management budget. However, the real investment comes in changing organizational culture and decision-making processes.
Successful institutions approach this as a gradual transformation:
1. Start with low-cost, high-impact changes (such as restructuring risk committees).
2. Implement basic monitoring of communication patterns and decision-making rationales.
3. Build incrementally more sophisticated systems based on lessons learned.
4. Invest in training and culture change programs.
Creating Real Risk Information
The next generation of risk leaders must move beyond the false comfort of pure quantitative analysis. Organizations will eventually accept that every risk decision passes through human filters and build systems accordingly to oversee all aspects, not just binary ones.
This means creating:
1. Decision protocols that actively address common biases.
2. Feedback loops that record patterns of behavior.
3. Warning systems for psychological risk factors.
4. Cultures where questionable assumptions are rewarded.
The Future of Risk Management
In today’s environment, the companies that succeed are not just those with the best mathematical models and computers. The real winners are those who understand how people really behave and make decisions accordingly. When companies combine good technical tools with a deep understanding of human behavior, they do better options than their competitors.
After all, in risk management, understanding what makes people act is just as critical as understanding what makes markets move, and we must accept that they are not always the same thing. The institutions that thrive in the next decade will be those that master not only the science of risk management, but also the human art of it.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Am I eligible?
