A short trip around the Finextra website can clearly demonstrate that there's no shortage of potential solutions to support the risk identification and management process. There's systems, tools and advice available in spades. So why, with all of this help
available, do crises occur? I'm convinced that it's attitude, not the lack of systems, that creates crises either on a corporate or global scale. And it all stems from a concept known as Groupthink - a concept that was identified by social psychologist Irving
Janis in 1972.
The principle attributes of groupthink are defined as:
- Illusion of invulnerability -Creates excessive optimism that encourages taking extreme risks.
- Collective rationalization - Members discount warnings and do not reconsider their assumptions.
- Belief in inherent morality - Members believe in the rightness of their cause and therefore ignore the ethical or moral consequences of their decisions.
- Stereotyped views of out-groups - Negative views of the "enemy" make effective responses to conflict seem unnecessary.
- Direct pressure on dissenters - Members are under pressure not to express arguments against any of the group's views.
- Self-censorship - Doubts and deviations from the perceived group consensus are not expressed.
- Illusion of unanimity - The majority view and judgments are assumed to be unanimous.
- Self-appointed ‘mindguards' - Members protect the group and the leader from information that is problematic or contradictory to the group's cohesiveness, view, and/or decisions.
Does any of that sound familiar? Have we seen this before? Take a look at the table below:
HBOS prior to the 2007 Banking Crisis
Fired their Chief Risk Officer for flagging excessive risk taking
Internal audit warnings ignored, SIMEX letters rationalised and ignored
Internal audit warnings ignored regarding segregation of duties and effectiveness of back office processes
Not an exhaustive survey by any means, but enough anecdotal evidence to support the principle that Groupthink has played a major part in these crises. Why else would these internal risk issues be ignored and in some cases, the messenger promptly dismissed.
The problem is, how do we deal with Groupthink, particularly when it's senior management who are leading the charge? More rules, strengthening of risk , audit and compliance departments won't help when the management team just won't listen and takes action
to bury the unwanted news of a "dissenter".
What's needed, I would suggest, is a system of information exchange between Oversight & Assurance departments with their regulator, so that financial information and prudential returns can be viewed in the light of outstanding control and risk issues. That
way some evidence of a management that refuses to act might make it's way top someone who can do something about it.