In the world of enterprise risk management, where objective analysis is essential, a silent threat can undermine even the most robust framework: confirmation bias.

What is Confirmation Bias?

Confirmation bias, the tendency to favour information that confirms pre-existing beliefs, can significantly impair risk identification, assessment and response.

This bias can lead to a skewed perception of risk and its impacts, resulting in inadequate assumptions, mitigation strategies, and poor decision making and outcomes.

How Confirmation Bias Works

  • Seeking Narrow Evidence: We may tend to look for information that supports what we already believe and ignore or downplay information that contradicts it. For instance, a risk manager might focus on historical data that supports a particular risk scenario while ignoring emerging trends or other qualitative information that suggests a different outcome.
  • Biased Interpretation: When presented with ambiguous data, such as an audit report or risk assessment with conflicting findings, a biased individual might interpret the data in a way that aligns with their preferred narrative, downplaying the severity of a potential threat.
  • Selective Memory: When thinking back on past events, we may focus our memory on the the information that aligns with our belief more than the information that doesn’t. If a scenario turned out well, we may classify all decisions on the path there as positive. Confirmation bias can affect how we remember and recall past events related to risk, leading to skewed perceptions, and ultimately hindering any learning we may benefit from through the experience.

Why is Confirmation Bias a Problem in Risk Management?

Confirmation bias can lead to a variety of problems in risk management:

  • Inaccurate Risk Assessment: If risk identification is incomplete or skewed, organisations may fail to recognise or fully take account of critical threats, leaving them vulnerable to unexpected events.
  • Ineffective mitigation: If we identify the wrong risk, we will pursue the wrong mitigation. For example, resources may be wasted on mitigating low-probability high-impact events, while neglecting more likely, though less dramatic, threats.
  • Poor Decision-Making: If we only consider evidence that supports our views, we may make ill-informed or biased decisions.
  • Impedes Learning: By only remembering information that confirms past decisions, organisations may fail to learn from other mistakes and find opportunities to improve.
  • Discourages Innovation: By overemphasising past successes or failures, this can lead to a risk-averse culture that discourages innovation, impacting an organisation’s competitive advantage.

Examples of Confirmation Bias in Risk Management

Examples of where confirmation bias could lead to a suboptimal risk management outcome include:

  • A company that leads in a particular sector or product category may downplay the emergence of a new competitor, as downplaying this will align with their belief that they are the leading firm, even if there are indications suggesting otherwise.

  • A project team might overestimate the likelihood of success because they are invested in the project or have a strong prior track record of delivery; and will disregard or downplay project red flags and warning signs.

  • A business unit may underestimate the risk of a market downturn or change in direction, as it conflicts with a recent investment decision or strategy their executives have made.

How to Overcome Confirmation Bias in Risk Management

Some techniques and habits are useful to instil to address confirmation bias in the risk management process.

  • Be Skeptical: Be on guard whenever receiving new information, data, opinions, judgments and assumptions. Challenge and seek out dissenting views. Play the devil’s advocate by challenging pre-conceptions and opinions where the majority of the group seems set on a particular scenario.

  • Follow Structured Risk Assessment processes: Use structured assessment to ensure all areas are explored completely and diligently. Use scenario planning to explore a range of possible outcomes, not just the most likely.

  • Data triangulation or corroboration: Use more than one source of information; gather information from multiple sources to check for anomalies.

  • Independent or quality review: Bring in a fresh set of eyes untainted by the ups and downs of the process, and less invested in the outcome. For high risk projects or control steps, make a Quality Review an agreed gate.

  • Write down your assumptions: Be clear on what assumptions are being made, giving other stakeholders the opportunity to challenge and scrutinise.

  • Be Willing to Change Your Mind: History is full of examples where closed minds and stubborn leaders have prevented new information from course-correcting a bad decision, particularly where a lot of time, money and emotion is invested in an agreed path. Be open to the possibility that your beliefs might be wrong.