When something goes wrong, 99.999999% of the time it’s because somebody made a poor decision (at least in hindsight).
You ask the individual responsible, “What were you thinking?”
That is quickly followed by, “You weren’t thinking, were you!”
The BIG one, the root cause of failure and the greatest source of harm to any organization and its success, is the likelihood of a wrong decision that has major ramifications.
I discussed this in World Class Risk Management and extended the discussion in Making Business Sense of Technology Risk, where I made a distinction between strategic decisions (which include setting objectives and strategies) and tactical decisions.
We should be concerned if the likelihood of poor decisions, especially but not limited to important ones, is higher than we can tolerate.
What are the root causes of poor decisions?
There are many, including:
- Poor framing of the decision
- The wrong people making the decision
- Relying on information that is not complete, accurate, or up-to-date
- Not seeking all relevant information
- Cognitive and other bias
- Not including others that either have relevant information or who might be affected by the decision
- Not considering all relevant options
- Poor identification and assessment of what might happen, both good and bad, for each option
- Failing to understand the ramifications of the decision when it comes to the achievement of enterprise objectives
- Putting personal or team benefits ahead of those of the organization
- Poor communications
- Inadequate change management
- ….and so many more
As you look at your own decisions, those of your team, your peers, your partners, and elsewhere across the extended enterprise, do you have reliable assurance that informed and intelligent decisions will be made?
What can and should you and others do about it?
I think there are roles for both risk and audit practitioners.
I welcome your comments.
- Common sense on cybersecurity - July 20, 2022
- Auditing at the speed of risk with an agile, continuous audit plan - June 22, 2022
- Do smaller companies manage risk better than larger ones? - May 18, 2022