The psychology of risk: What shark attacks teach leaders

I live in Western Australia where shark attacks are a thing.

They’re rare, but the human behaviour around them is fascinating – and it’s taught me about how poorly we often deal with remote – but scary – risks.

On a typical summer morning, there are dozens of people swimming at my local beach, anywhere up to 50 to 75 metres out from the shore.

But the day after a shark attack (which might have happened some distance away), the number of swimmers drops dramatically and suddenly we’re all freaking out and swimming much closer in.

Then, over the following weeks, everyone slowly creeps back out to the deeper water until things eventually return to normal.

What’s fascinating about this is that the risk has remained static – nothing has changed. Not the sea, the season or the shark population. Or our understanding of it all.

The risk stays the same – only our fear changes.

Because our internal risk management calculator gets hijacked by a cocktail of biases – recency bias (recent events feel more likely), availability bias (events we know about feel more likely), negativity bias (we exaggerate negative outcomes) and the bandwagon effect (other people freaking out makes it more likely we will too).

The consequence of this – to our own lives and society more broadly – is zero. It doesn’t matter if we swim with our rotating hands dragging along the bottom for a few weeks or miss a few swims.

But the problem is that the same phenomenon plays out in organisations all the time, with real consequences:

• A one off compliance breach leads to 50 new procedural steps
• A single employee robbing money gives rise to a whole new bureaucracy
• An embarrassing media story leads the CEO to micro-manage all external communications
• One extravagant purchase leads to a whole new executive approval layer

And I’m not saying we won’t ever need to update our risk management controls following a bad event.

But I am saying we should be both surprised and embarrassed when we do.

Because – while we’ve come to see post-event changes in controls as expected, even virtuous – post-event changes reflect a failure by pre-event leadership to:

1. Correctly quantify the risk
2. Define our risk appetite
3. Put in place adequate controls
4. Effectively monitor risk changes

Or – if we have done these three things and we’re going to change things anyway – we’re just irrationally freaking out like me at the beach after a shark attack. Because nothing has changed. Not the risk or our understanding of it. Yet we’re putting in place new controls anyway – often at great organisational expense. And what for? To soothe our bias-hijacked brains? To cover our arses in case something goes wrong again?

It becomes risk management theatre that prioritises our selfish personal needs to do – or be seen to be doing – something in the here and now vs the long term needs of the organisation to manage risk well.

Because the purpose of risk management isn’t necessarily to get risk down to zero (even if that were possible). It’s to balance the costs of risk exposure with the costs of risk control, over the long term.

So, next time something goes wrong, resist the very human urge to react and put in place more controls. Instead consciously check in with your recency, availability, negativity, bandwagon effect and other biases to see how they might be skewing your judgement. And soberly review whether the event has credibly revealed some new information that shows that the risk has changed – or was different to what you’d thought.

And don’t blindly celebrate others for impulsively assuming the risk has gone up and that new controls are needed. Evaluate risk management revisions with a critical mind. Maybe there’s a good justification for them. Or maybe it’s just expensive therapy for board and executive anxiety masquerading as risk management.

Because the risk will have often remained static. And it might just be that the controls were appropriate, but that this was the rare – but ocassionally expected – case where things go wrong.

Above all else, make sure everyone’s acting in the organisation’s best long term interests – not just trying to soothe their own short term anxieties.