Risk Management and Decision-Making: The Limits of Human Expertise
An interview with Douglas Hubbard
“Statistical models outperform human experts in many different fields… My goal is to figure out the best way of integrating them to improve human performance.”
As disruptions and crises become more common, it’s time we accepted risk as part of our existence. For businesses to remain competitive in the face of growing uncertainty, they need to get better at risk management and decision analysis.
Enter Douglas Hubbard, a management consultant, author and speaker who specialises in decision and actuarial sciences. He invented the Applied Information Economics (AIE) method, which forms the basis of Hubbard Decision Research — a company he founded in 1997. HDR uses quantitative analysis to help both small businesses and large corporations across a range of industries find solutions to complex problems.
As a successful author, Doug has sold over 100,000 copies of his books in 8 languages and published articles in several academic journals. In this interview, we discuss The Failure of Risk Management: Why It’s Broken and How to Fix It (2nd edition, 2020).
What are the main problems with risk management in its current form? What impact does this have on the business world and beyond?
Rather than improving decisions, lots of the methods that are widely adopted in business and government for risk management actually make them worse. According to Tony Cox, one of the first risk management PhD researchers from MIT, these methods are ‘worse than useless’; not only are they a waste of time, but they also add error to unaided intuition. In other words, if you just followed your gut without using these methods, you might actually make better decisions.
Unaided intuition is the baseline that all decision-making methodologies need to improve upon. Fortunately, there’s a lot of research on this. We know that some methods produce measurably better results, but they aren’t currently being used.
What solutions do you propose in your book?
There are a broad set of relatively simple quantitative methods that show a measurable improvement. American psychologist Paul Meehl spent several decades collecting over 150 studies that compared human experts to simple statistical models. He only found about 6 studies in which humans performed as well as, or slightly better than, the statistical models. This research covered a wide range of problems — including diagnoses and prognoses of diseases, the outcome of sporting events and horse races, and the likelihood of failure for small businesses. In each of those areas, the statistical models performed better than human experts with decades of experience.
This is why it’s difficult to gain expertise in risk management; it’s not a given that experience will result in learning. Feedback is essential in order to convert experience into improved performance, and that feedback needs to meet 3 criteria. First, Daniel Kahneman and Gary Klein’s psychological research suggests that this feedback has to be consistent for it to be effective; it’s no use just getting feedback on a small fraction of the decisions you’ve made.
Second, the feedback needs to be almost immediate. In risk management, if you say that something is 5% likely to happen next year — with a resulting loss of between $5 million and $50 million — you’re not going to find out for certain whether or not that was correct, because it probably won’t happen in the next year. So, if it hasn’t happened yet, how do you know whether your estimates were correct?
The third criteria is that it has to be unambiguous feedback. If I estimated that the impact of an event would be moderate, how would I know whether I was right if the event occurred? It’s ambiguous.
So, feedback must be consistent, immediate and unambiguous — but that’s not the reality for risk management. It doesn’t matter how much experience you have; all you can do is look at studies and trials that measure the performance of different components of risk management methods.
Can you explain what Applied Information Economics (AIE) is?
AIE is the practical application of a set of quantitative methods to real-world business decisions. It’s based on Bayesian statistics — especially the idea that there is a current state of uncertainty and you need to make some observations to update the interpretation of probability. Risk management takes this to the next level, because even a relatively simple business model can have a lot of uncertainties and variables. In this case, it’s not obvious which of those things you should spend more time measuring.
I coined the term ‘Applied Information Economics’ to address a particular phenomenon that I saw when computing the value of information for each uncertain variable in a model. You can work out the monetary value of measuring something by using a decision analysis or game theory method. I was doing this systematically, often with large IT development projects involving detailed business decisions about investing millions in new technologies. What I found was that these companies tended to measure things that had very little chance of improving a decision, instead of focusing on the high value measurements that would have been more impactful.
At first, I referred to this phenomenon as the ‘IT measurement inversion’ because of my initial sample set. But as I expanded into other areas — like military logistics, entertainment, aerospace, Big Pharma and United Nations environmental projects — I realised that this trend wasn’t limited to IT. Almost everybody was systematically measuring the wrong things. So, that’s the problem that Applied Information Economics tries to solve; we work out the economic value information and then use it to improve decisions.
What is the difference between risk analysis and decision analysis? Can the same methods be used for both?
That’s a really good question. I would prefer to stop using the term ‘risk analysis’ because it’s just part of decision analysis; it’s problematic to separate them. The decision analysis field, which has been around for decades, deals with many of the problems I just mentioned. Risk is always present in any decision, so decision analysis, by definition, involves risk assessment. Imagine a shoe store that only sells the left shoe — it just doesn’t make sense. You have to do both together.
In Chapter 4 of your book, you introduce the one-for-one substitution model. How does this model work and what are its primary use cases?
We were trying to replace the risk matrix — a popular method used in different industries like oil and gas, IT and cyber security. The risk matrix is a 5-by-5 diagram with likelihood ratings on one axis and impact ratings on the other, each on a scale of 1 to 5. When people plot a point on this diagram, it feels like they’re doing some analysis but actually they’re just using ambiguous scales. This is a phenomenon called the analysis placebo: we adopt a method that seems structured and then follow the rules because we don’t get immediate feedback. This makes us feel more confident about our estimates and decisions, even when they’re measurably worse than before.
One-for-one substitution takes the simplest quantitative model into which the risk matrix can be directly translated. We turn each dot on the risk matrix into a row in a table. For that row, we estimate a quantitative likelihood of an event occurring per year, as well as the range of financial impact. Even if this is subjective, it’s not necessarily a problem because some subjective estimation methods majorly outperform others. I think people sometimes assume that ‘subjective’ means ‘not quantitative’, but there are plenty of quantitative methods that you can apply to subjective estimates. All sorts of errors can be avoided simply by not using ambiguous scales like 1-to-5, high/medium/low or red/yellow/green.
Is there any way to completely eliminate risk from a decision, transaction or process? Or is it just a case of mitigating inevitable risk?
I suppose the only way that could happen is if you have no uncertainty, or if none of the uncertainties could possibly cause a loss. I don’t know how often that occurs, but there would always be some risk in any decision that is actually a dilemma. Even if the decision is between two good options, the risk is the opportunity loss of not choosing the best one.
What practical steps can an organisation take to assess and improve their risk management strategy?
For one, they can look at a larger set of examples. For example, how does an insurance company calculate my life insurance premium? The only data they have about me is my age, job, past health history and the fact that I’m still alive. All that information affects my premium, but they only know how to measure the impact because they extrapolate from the historical data of other people.
Most organisations aren’t as unique as they think they are. They should look at data from other organisations and ask questions like ‘How often has an event occurred in the last 10 years among Fortune 500 companies?’ Starting with that as a baseline and then narrowing the dataset down to the most similar companies will help them understand how likely it is to happen to them next year. For instance, if they’re worried about an industrial accident, they can research how often that event has happened in similar organisations. The most problematic risks are usually reported when they happen, so that data is publicly accessible.
I spend a lot of time on this topic in the book. I try to address common objections, such as ‘Everybody is unique, so you can’t extrapolate’. If every situation was unique, what claim would anyone have to experience? No one could ever extrapolate from historical observations or memories, which are like statistics but tend to be selectively recalled or even completely reinvented. All I’m doing is being explicit with the math that people often try to do in their heads.
Talking about experiences, in Chapter 9, you compare the efficacy of algorithms and experts. A few chapters before that, you talk about ‘The Limits of Expert Knowledge’ (Chapter 7). Can experts and algorithms be combined to produce the best approach to risk analysis?
They absolutely can, and should, be combined. Figure out what each side is good at and focus their efforts in that space. My team and I have been exploring how to integrate better with ChatGPT. In a way, it’s not that different from integrating with resources and search engines like Google. It’s so easy to do research online now, but a lot of people just assume that their situation is unique and no one has ever dealt with anything like it. When it comes to any of these problems, it’s best to assume that it has probably been measured before and then try to prove yourself wrong. Even if someone hasn’t already answered the same question, the methods they used could help to answer your question.
I think it makes perfect sense to combine human experts with algorithms — creating a cyborg decision-maker of sorts. We’ve done this sort of thing before; the decision to allow students to use calculators in the classroom was just an earlier stage of human integration with technology.
You mentioned the importance of feedback earlier. The benefit of artificial intelligence — and machine learning in particular — is that it can learn and iterate based on feedback.
With tools like ChatGPT, the next major evolution is for them to use more current data. Searching on Google will give you the most recent information because it maps things out on a regular basis. ChatGPT is limited to data from a few years ago and would not be familiar with current events, but it’s still informative. If you prompt ChatGPT to generate a list of the top 10 risks for an oil refinery, a pharmaceutical manufacturer or an insurance company, the responses you get are all plausible. If this list makes you think of at least one thing that you wouldn’t have otherwise thought of, it’s worth doing. We should integrate AI into our workflow, just like we’ve done with other tools.
So, we should use AI tools as a source of inspiration without totally relying on their output, because it still needs human oversight.
In that sense, I wouldn’t treat AI any differently than a human. I don’t trust everything another person does and I don’t necessarily believe everything that comes up on Google. There are quality control methods you can use. For example, I tend to have more confidence in something that has been published in a peer-reviewed scientific journal or replicated with similar results. Paul Meehl has done so many psychological studies and consistently found that statistical models outperform human experts in many different fields. His research has been replicated to death, and it’s one of the strongest findings in any of the social sciences.
Imagine that I gave an expert a list of scenarios and asked them to make judgements about the probability and potential impact of the events in different conditions. If I built a statistical model of the human expert, it would try to predict what the expert would say; it’s not even based on historical data. If I then tracked the outcomes of the model’s predictions compared to the real person’s estimations, the model would be right more often.
Isn’t that neat? As it turns out, humans are so inconsistent when it comes to applying their own experiences that simply removing the inconsistencies — which is what this method does — would reduce the error. In every field this has been applied to — whether it’s determining how popular a movie will be or which small businesses are more likely to repay a loan — the model of the expert performed better than the expert. People tend to look for enhancements where possible, so we’re used to using tools. My goal is to figure out the best way of integrating them to improve human performance.
Can you offer 3 key takeaways from The Failure of Risk Management?
First, just stop using the risk matrix. There’s no point in arguing that at least you’re doing something, because doing nothing is actually better.
Second, it’s relatively easy to switch to simple quantitative models, so start making steps towards them.
The third takeaway is just general scepticism. You’re not going to get immediate feedback on how well your quantitative model is doing, any more than you did with your risk matrix. So, how do you know whether you’re doing better than before? Scepticism should prompt you to research what other people have discovered about the performance of quantitative models. There are lots of things we already know — from experience, studies and trials — that can be incorporated into our solutions.
So, stop using the risk matrix and start using quantitative methods, but remain sceptical.
Some of Doug’s books are available to read on Perlego:
- How to Measure Anything: Finding the Value of Intangibles in Business (3rd edition, 2014)
- How to Measure Anything Workbook (2014)
- How to Measure Anything in Cybersecurity Risk (co-author, 2016)
- The Failure of Risk Management: Why It’s Broken and How to Fix It (2nd edition, 2020)
