One objective but multiple risks

February 17, 2018 18 comments

One of the problems with ‘traditional’ risk management, which relies heavily on the periodic review of a list of risks (a risk register or what COSO calls a risk profile), is that it considers one risk at a time.

But there will usually be more than one risk that might affect the achievement of any objective. (I find it difficult to think of any objective where there is a single source of risk.)

So how do you consider the aggregate effect of these risks?

How do you know whether the level of risk to your objective is acceptable?

The level of risk for each individual source of risk may be within what you call acceptable (based on risk appetite or criteria).

But the level of risk to an objective could be unacceptable when you consider all the sources of risk.

For example, if you have the objective of opening a new office and delivering additional revenue, many things might happen to affect its achievement, such as:

  • Delays in the ability to open the office such as obtaining electrical supply, final inspection approvals, and so on
  • Issues hiring local personnel to staff key functions
  • Challenges connecting the new office to enterprise systems, such as security issues, a new language, and additional privacy regulations
  • Changes in the local economy
  • Adverse coverage in the local press
  • Problems with labeling your products in the local language and complying with local labeling regulations
  • Supply and logistics issues
  • New products or changes in price from a local competitor or a global competitor that wants to challenge you in the local market
  • Turnover among key contacts at the companies you have targeted for sales
  • …and so on

How do you aggregate these different sources of risk?

Some organizations and consultants are wedded to the idea that the level of risk can be quantified and calculated as the magnitude of a potential effect (or consequence) multiplied by its likelihood. There are several problems with that, including:

  • There is almost always a range of possible consequences, each with its own likelihood, not a single point.
  • That range could include both positive and negative consequences. For example, the risk of a change in the value of a foreign currency (compared to your own) can be positive or negative.
  • It is difficult, if not impossible, to put a value on some sources of risk – such as employee safety.

But, let’s assume we can get past those and we have five sources of risk. For each, the potential (adverse in each case) effect is assessed at $100,000 and the likelihood is 10%. So, the simple calculation gives us $10,000 for each.

Do we simply calculate the aggregate level of risk at $50,000?

No. Let me explain with a hypothetical.

You are standing on the side of the street.

There is a 10% chance of rain; a 10% chance of being mugged (it’s a bad area); a 10% chance of meeting your mother-in-law; a 10% chance of being hit by water thrown up by a passing car; and a 10% chance of a bird using you for target practice.

Is there a 10% chance of every single one of them happening? Even if there is a 10% chance of each happening within a year, will they all hit on the same day?


Unless there is a single event or situation – a common point of failure (something that triggers more than one effect) – the likelihood of them all occurring is the product of their likelihoods:

10% * 10% * 10% * 10% * 10% = 0.001%

Coming back to the five sources of risk, each of which is assessed at a 10% likelihood of $100,000, unless there is a single and common triggering event or situation, the likelihood of a $500,000 effect is inconsequential: 0.001%.

But can we ignore the fact that there are multiple potential sources of risk to a single objective?

Not at all.

Would you live in an area prone to earthquakes? I do.

Would you live in an area where there is a relatively high level of burglary? I do.

Would you live in an area that is likely to flood?

Would you live in an area where the level of noise is high?

You might choose to live where just one of these applies. But would you live where all of them apply, and probably others as well?

Common (and business) sense tells us that when there are more sources of risk, even if each one individually is acceptable, you are less willing to take a risk.

In the example, while there is a 10% chance of a specific one hitting, there is a 50% chance[1] that at least one of the five (we don’t know which) will hit and a 10% chance[2] that two or more (we don’t know which two) will hit.

(Maybe some of you more mathematically inclined readers will correct the above and/or explain how to aggregate sources of risk that don’t even get measured the same way, such as compliance risk, employee safety risk, reputation risk, and so on.)

I have faith in the human power of common sense.

The keys are:

  1. Understand that a single objective, project, or plan has multiple sources of risk.
  2. Understand the level of each and whether it is acceptable – and why.
  3. Consider whether there is a common point of failure.
  4. Carefully consider whether, with all the information about what might happen, it makes business sense to take the risk.

I welcome your thoughts and perspectives.

[1] The likelihood of A or B is the addition of their individual likelihoods. There are 5 pairs, so 5 * 10%.

[2] The likelihood of A and B or A and C and so on: 10 pairs, each with a likelihood of 10% * 10%.
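The arithmetic in this post and its footnotes, worked through as an added example (this is not the author’s calculation). Under the post’s assumption that there is no common point of failure, the block enumerates every combination of the five sources hitting, which gives the exact distribution of total loss instead of the additive shortcuts in the footnotes, and it sets that beside the opposite case the post mentions, a single common trigger that fires all five at once. The inputs are the post’s own numbers (five sources, 10% likelihood, $100,000 effect each); treating the common trigger as all-or-nothing with the same 10% likelihood is an assumption made here, and the enumeration also accepts sources with different likelihoods and effects, which the post does not cover.

```python
from itertools import product

# Constructed from the post's worked numbers: five sources of risk, each with a
# 10% likelihood and a $100,000 adverse effect, as (likelihood, effect) pairs.
RISKS = [(0.10, 100_000)] * 5


def loss_distribution(risks):
    """Exact distribution of total loss when the sources are independent.

    Walks every hit / no-hit combination (2**n of them), multiplying the
    per-source probabilities, so the figures are exact rather than the
    additive shortcut of 5 * 10%. Works for sources with different
    likelihoods and effects. Returns {total_loss: probability}.
    """
    dist = {}
    for outcome in product((False, True), repeat=len(risks)):
        prob, loss = 1.0, 0
        for hit, (p, effect) in zip(outcome, risks):
            prob *= p if hit else (1.0 - p)
            loss += effect if hit else 0
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist


def correlated_distribution(risks):
    """Other extreme: a common point of failure fires every source together.

    Assumption made for this example (not stated in the post): the common
    trigger has the same likelihood as the individual sources, so the
    outcome is all-or-nothing.
    """
    p = risks[0][0]
    total = sum(effect for _, effect in risks)
    return {0: 1.0 - p, total: p}


def prob_loss_at_least(dist, threshold):
    """Probability that the total loss reaches the given threshold."""
    return sum(p for loss, p in dist.items() if loss >= threshold)


def expected_loss(dist):
    """Probability-weighted average loss (the '$50,000' of the post)."""
    return sum(loss * p for loss, p in dist.items())


def summarise(risks):
    """Side-by-side figures for the independent and common-trigger cases."""
    ind, cor = loss_distribution(risks), correlated_distribution(risks)
    unit = min(effect for _, effect in risks)
    total = sum(effect for _, effect in risks)
    return {
        "expected_loss": (expected_loss(ind), expected_loss(cor)),
        "p_at_least_one": (prob_loss_at_least(ind, unit), prob_loss_at_least(cor, unit)),
        "p_two_or_more": (prob_loss_at_least(ind, 2 * unit), prob_loss_at_least(cor, 2 * unit)),
        "p_all": (prob_loss_at_least(ind, total), prob_loss_at_least(cor, total)),
    }


if __name__ == "__main__":
    for name, (independent, correlated) in summarise(RISKS).items():
        print(f"{name:15} independent={independent:12.5f} common-trigger={correlated:12.5f}")
```

With the post’s numbers, both structures have the same expected loss of $50,000, which is why the expected value alone says little about whether the risk to the objective is acceptable. What changes is the tail: independence gives about a 41% chance of at least one hit, about 8% of two or more, and one in 100,000 of all five, while a common trigger puts a full 10% on the $500,000 outcome. That is the practical reason step 3 of the post’s list, checking for a common point of failure, matters before deciding whether the aggregate is acceptable.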


Risk visualization

February 9, 2018 11 comments

I have to agree with the author of Are we witnessing the demise of the risk register (and the rise of risk visualisation)?

He says, “I loathe risk registers”.

So do I, but for different reasons.


He loathes them because “they are boring, one dimensional and poorly prioritised lists that lack context and often serve to satisfy a requirement rather than a purpose”.

Now that’s true.

But I loathe them because they are risk-centric and not objective-centric. They don’t help understand the likelihood of success: the achievement of objectives, the satisfactory completion of projects, and so on.

I do agree with him that staid reports can be replaced with far more interesting and useful visualizations.


I don’t know whether they still do this, but executives at SAP used to have a great visual depiction of the current level of performance and the status of risks on each of the revenue opportunities they were responsible for.

This is how I described it in World-Class Risk Management.

In my last year with SAP, one of the risk management leaders showed me an iPad app he was developing for the senior executive team. Each would be able to see, on a single screen, each of his or her objectives with an indicator as to whether everything was “green” (on target), “yellow” (potential issues), or “red” (serious issues). By clicking on the objective, the executive could drill down to the next level and see detailed information about its status. That information would include both performance and status information, presenting the information that the executive needed to understand and initiate appropriate actions.

This is risk information, integrated with performance information, that helps executives make decisions not only to manage risks but to optimize outcomes and achieve objectives.

I also saw a tablet app for information security managers. A network diagram indicated the level of attacks and the related level of risk (as defined by the CISO) at each point. If there was an attack that met defined criteria, an alert would appear on the screen.


If we want to help people make informed decisions, it is not enough to give them a report with the information.

It is essential that the information is highlighted for their immediate attention and presented in an actionable form.


I spent some time on the web looking for examples of visualization tools and graphics that would fit the bill; but while I found some articles and some links to books, my search was in vain.

Does your organization use graphics, charts, or other 21st century tools to provide decision-makers with the information they need – current performance and the state of the road ahead?

Is it better than what I have included in my book?

Please share. I also welcome your comments.


It’s not about risk management

February 3, 2018 43 comments

I have said many times that it’s not about managing risks: it’s about managing the achievement of objectives.

It’s about being successful.

Success is measured through the achievement of specified objectives.

We improve the likelihood and extent of success if we understand what might happen, both good and bad, as we strive to achieve our objectives.

The “what might happen” is risk, but the focus should not be on managing them individually but on being successful – taking the right level of the right risks.

The CRO (or equivalent) should be concerned with helping leadership run the organization and achieve its objectives, rather than helping them manage a list of risks.


Let me explain what I mean with a hypothetical story.


The executive team has come to the point in their monthly meeting where they review the report of the Chief Risk Officer.

The CEO invites the CRO to join them.

CRO: “Here is my monthly risk report. As you can see, every risk, whether strategic, operational, technology, or other, remains within our defined risk appetite. While the level of a few individual risk areas has increased, they have not escalated to merit a ‘high’ risk rating. We are continuing to monitor them.”

CEO: “Thank you. Do any of you have any comments or questions?”

CIO: “Yes, I do. I see that you are reporting that cyber risk has increased, although it remains at a yellow rating, which I believe indicates that it needs to be monitored but no additional actions are required. Can you tell me why you see the risk level increasing?”

CRO: “Certainly. The Chief Information Officer’s assessment is that opening our new office in Poland increases the risk level. It’s not only that we now have additional network points that may be vulnerable, but as I understand it crime groups from the region may choose us as a target.”

CIO: “Thank you. The CISO had discussed that with me and we had come to that same conclusion. But you also show IT systems risk as increasing. Is that because we are adapting our systems so they can support additional languages such as Polish and currencies such as the zloty?”

CRO: “That is correct. I think that is what you and I agreed last week.”

CIO: “It is.”

He is interrupted just as he is about to ask another question.

COO: “You show supply chain risk as increasing. I agree with that assessment. Is it because there may be disruption in our supply of products to the new market in Poland?”

CRO: “That is correct. The VP of Supply and Logistics is concerned about transportation during winter as well as the possibility of rail strikes.”

EVP Sales: “You know, I am also concerned about Poland. You show revenue-related risks, including credit risk, as within tolerance. But I only see the likelihood of hitting our first year targets for Poland as 85%. I don’t think that’s as OK as your report indicates.”

CRO: “But when we met, you said that the overall risk to revenue was not high yet and the CFO said the same about credit risk.”

CEO: “Am I missing something here? It sounds like your risk report tells us about enterprise-level risk in a number of categories, but doesn’t help us with specific programs and projects. Is that right?”

CRO: “Well I am following the global risk framework and what our consultants told us when we set the program up. This is their recommended report format, with a heat map on the second page. I would be happy to give you a separate report on Poland-related risks.”

The CEO is clearly disturbed and asks the CRO to step out. He then continues.

CEO: “Clearly the Poland project is increasing our risk in a number of areas. Do we need to have the CRO run a separate report or should we talk about it now, without him?”

COO: “Poland is my project. I would like everybody involved to stay after the meeting. Let’s talk about whether the prospects for Poland justify taking these risks. If we are going to potentially miss our revenue targets and, at the same time, increase risks around credit, cyber, and so on, perhaps we should reconsider.”

CEO: “Good idea. But I want to be part of this discussion as we have made this a key part of our strategy, with Poland being just the first step into Eastern Europe, in our discussions with the analysts and investors. In fact, it is possible that after considering what we now know we may want to delay or move into Croatia first. Let’s finish the rest of the agenda and then continue. Can everybody stay a little longer?”

The meeting continues without the CRO.


My point: it’s not about managing risks, even at the enterprise level.

It’s about managing the organization to deliver success: making informed decisions.


The most effective risk management involves quality risk-informed decisions when the CRO is not present.


How would you advise the executive team? What would you suggest to the CRO?


I welcome your comments and observations.

How should you assess the effectiveness of risk management?

January 26, 2018 15 comments

If an organization seeks to perform at world-class levels, it needs to have highly effective processes and practices for managing what might happen – risk.

Those processes and practices should be assessed, and the results shared with the board, by several parties:

  • The CEO, perhaps delegated to the COO or CFO
  • The chief risk officer (if there is one)
  • The head of internal audit

My good friend Alexei Sidorenko of the Risk Academy recently shared a video on the topic.

He makes some good points, suggesting that assessors consider:

  • Organizational performance
  • Evidence that risk was considered in key decisions
  • The culture of the organization

I think there is more that can and should be done.

I also disagree with the idea that organizational success has a clear correlation with the effectiveness of risk management. Poorly run companies can be lucky and well-run ones unlucky.

In addition to addressing the topic in World-Class Risk Management, I covered the topic in a 2017 IIA post: How Should You Audit and Assess Risk Management?

I said:

Risk management is about:

Setting the right strategies and objectives to deliver value, considering what might happen (risk).

Understanding how the achievement of objectives may be affected by events and situations as management and staff execute those strategies.

Acting to modify the likelihood and effect of those events and situations, recognizing that each event or situation can have multiple consequences — some favorable and some adverse.

Ensuring that decisions are informed and intelligent, whether in setting or modifying strategies, or in executing them every day through management decisions across the extended enterprise, such that the right levels of the right risks are taken.

Monitoring and reporting so that board members and senior managers understand not only the levels of individual sources of risk, but whether they are likely (or not) to achieve each of their objectives.

I also said:

You could audit and assess risk management in a number of ways. For example:

  • An audit of compliance with corporate risk policies and procedures.
  • Assessing risk management maturity, using one of the available risk management maturity models (I have a few in World-Class Risk Management).
  • Assessing whether the principles for effective risk management are achieved (drawing on those in ISO31000:2009 or in COSO ERM 2017 — see here for a discussion).

I personally like a risk and objectives-based approach to pretty much any audit. Here the objective is to manage risk at desired levels. There are multiple risks to achieving that objective (again, described in detail in my book), such as failures to:

  • Include the appropriate people in decisions, where risk is taken.
  • Obtain reliable, current, and timely information on which to base decisions.
  • Address cognitive bias, which can affect both an individual and a group’s assessment of risk.
  • Ensure the desired attitude towards risk: behaviors that are influenced by the culture of the organization, a location, function, or business unit.
  • Obtain buy-in from all key individuals at all levels of management.

This is what I recommend for anybody seeking to audit and assess risk management (or the management of risk).

  • Understand risk management and its principles. The ISO31000:2009 and the 2017 COSO ERM Framework are just two possible sources, but I would also recommend my book and that of John Fraser, Implementing Enterprise Risk Management: Case Studies and Best Practices.

  • Understand what the organization needs from risk management. Start with understanding how and where decisions are made and risks taken. In fact, understanding who makes decisions and therefore takes risk is critical to understanding how risk is managed. Is it centralized or decentralized? Do individuals have a lot of autonomy and decision-making or is consensus required? Is risk dynamic, volatile, or relatively stable?

  • What are the risks to effective risk management? What could go wrong and what needs to go right for there to be reasonable assurance that the right levels of the right risks are taken? (“Right” means what is desired and possibly approved by the executive management team and the board.)

  • What controls are in place to address these risks?

  • Is the design adequate? If the controls are operating consistently as designed, is there reasonable assurance that risk will be managed at desired levels?

  • Perform controls testing to obtain assurance that they are operating effectively as designed.

  • Assess the results of your work. Where is risk management on the maturity curve? What can and should be done to improve it at an appropriate cost? Recognize that one of the costs may be slowing down decision-making and losing operational opportunities.

  • Communicate the results and your insights.

Let me add to that now.

Why not have a series of discussions with decision-makers? Include all the top executives, but also include a good number at varying levels of management across the organization.

Consider questions like these that ask the opinions of the executives, the ones running the organization:

  • Do you (the executive) believe that risk management (which could mean a function or a set of policies and procedures) helps you be successful? Does it increase the likelihood of achieving your and the organization’s objectives?
  • Does it (risk management) help you make better decisions?
  • Does it meet the needs of the organization?
  • Does everybody use/practice risk management as well as they should?
  • Where could improvements be made?
  • Do top management and the board receive the information they need, when they need it?
  • Do the filings with the regulators sufficiently explain how the organization addresses risk?
  • Should a greater or lesser investment be made in risk management?
  • Does risk management give you a competitive advantage?
  • What would you change?


I welcome your thoughts.

Collaboration between the business risk and IT security teams

January 20, 2018 4 comments

OCEG and MetricStream[1] have made available a free illustration on the topic of How Business, IT and Security Teams Gain a Common View of Risk:

OCEG Illustration Agility and risk

As usual, there are some good points in the OCEG/MetricStream work.

But, also as usual, I have some problems.

There is no such thing as IT risk, nor cyber risk or information security risk. These are just sources of business risk.

We should be concerned about how a failure to manage any of these areas might affect the achievement of business objectives.


Let’s take two situations.

In the first, the company is about to release a breakthrough new product.

In the second, the company is mid-cycle on its latest release and is starting to consider how to move forward in the next generation.

In both cases, success of the business is dependent on keeping its intellectual property (details about its product and related marketing and sales plans) safe. The likelihood of a breach and subsequent theft of its IP is identical.

But the effect on the business, and therefore the level of risk, is far greater in the first case than in the second.


It is fairly easy to come up with similar scenarios. Consider a retail chain and its dependency on the reliability of its computer systems. First, think of the level of risk should the systems go down mid-week in February. Now think of the level of risk should they fail during the week prior to Xmas or Thanksgiving.

How about a start-up company that finds out that its financial systems have been penetrated by a crime syndicate? Is the risk the same six months before going to investment banks and starting the process to go public as it would be in the midst of a public offering? Clearly not.


Yes, all of the groups included in the illustration need to be working together. But let’s add in the strategy and planning groups, operating management, and perhaps everybody else.

You need to consider how a failure in the use or management of technology could affect the operation of the business today and in the future if you want to manage risks (and their sources) effectively.


Take each of your business objectives and plans. Now, figure out what might result from a technology-related failure (noting that ‘technology’ extends beyond the IT function). Then, what are you going to do about it?


I welcome your comments.


BTW, I strongly recommend joining OCEG. Membership of the nonprofit is free and there are lots of resources, including webinars.

[1] Full disclosure: I have worked with both but am independent.

The worst audit report I have seen

January 17, 2018 7 comments

I have seen a few candidates for this title, but one stands out. This is how I described it in my best-selling book, World-Class Internal Audit: Tales from my Journey:

… I was with a large savings and loan company (very similar to a mid-size domestic bank). After a few years in their internal audit department, leading among others the IT audit team, I had moved into IT management with responsibilities that included information security. Randy, one of my former IT auditors and a gentleman that I had hired and thought well of, was performing an audit of our information security program. He met with me to review his preliminary findings.

Randy told me that we had a serious control weakness in that we didn’t change the phone numbers people used to dial into the data center. They needed to be changed at least once every quarter; otherwise there was a risk that over time the numbers would become known by hackers.

I agreed with Randy that changing the phone numbers reduced the risk that they would be compromised. However, as I pointed out, once somebody called the number they had to provide a userid and password. They were at the gate to the castle, but needed a key to open the front door. After three attempts, the userid was locked. In addition, changing the phone numbers frequently had three results: first, users would write them down and keep them in an easy-to-find location – a security issue; second, users would forget the number and be unable to do their work without calling the security help desk for assistance; and third, all of this carried a cost that was probably higher than the value of any risk reduction.

The risk reduction would be minimal because even after somebody was able to dial in, enter a valid userid and the correct password for that userid, they needed to get past additional security defenses. They had opened the front door of the castle but there was still a portcullis to navigate and additional doors to each of our systems and databases. The operating system (IBM’s VM system) demanded a second userid and password. To enter an application, access a database, or perform other functions required at least one more – a third – access authorization.

I explained to Randy that the dial-up number was only the prelude to needing at least three additional levels of authorization before being able to steal data or damage our systems. In addition, I showed him an article about a tool used by hackers to automatically dial phone numbers until they detected the tone from a network modem – indicating a dial-up connection; the hackers could find out phone numbers even if we changed them! He agreed but said that changing the phone number was necessary.

By now, I was starting to lose my patience. I had hired Randy because he had a good combination of technical knowledge and common sense. Why couldn’t he see that this was a silly recommendation? So I asked him why it was necessary.

Randy’s answer: because a book by a notable IBM expert said you should change your dial-up phone numbers at least quarterly! Instead of using his common sense, he was relying upon advice from somebody who had no knowledge of our environment, the risks, and the costs.

I asked Randy to go back to his manager, a very experienced IT audit director who had been hired from outside the company to take my old job. Unfortunately, that individual told Randy to keep the point in. It was only taken out after the head of internal audit saw my response to the audit finding that explained how there was little to no risk but significant potential for business disruption and cost by changing phone numbers frequently. Incidentally, my manager (a senior vice president) and his manager (an executive vice president) were both quite concerned about the politics of disagreeing with an audit finding, but they trusted me to see it through.

Unfortunately, there was more to this report. I included this in my other internal audit best-seller, Auditing that Matters.

When I was a Vice President in IT with Home Savings of America, one of the functions that reported to me was the Information Security team. This was an area that I had built from nothing into a team of three experts who had implemented the ACF2 security system and several other measures. But, when we were audited after just one year of operation, the audit report gave us no credit for the work we had done; instead, it pointed out the areas we had yet to complete and concluded that security was inadequate.

The issues that the audit report raised were not only known to us, but were on the work plan that we provided to the internal audit team! All the recommendations in the audit report were already planned and had been included in our reports to senior management.

This report was of no value. It just made us angry.

What would have been useful would have been a report that informed management and the audit committee whether we were:

  • Making the desired progress
  • Adequately staffed and resourced
  • Sufficiently supported by senior management
  • Addressing the issues with an appropriate risk priority
  • Completing each task with an appropriate level of quality

In other words, internal audit could have pointed out where we were on the path to effective information security that met the needs of the organization.

Such an audit report would have provided value to top management and the audit committee.

The IT audit manager believed that it was his obligation not only to report security weaknesses to the board, but to recommend that we remediate them on an expedited basis.

It didn’t matter to him that correcting the deficiencies was part of our implementation plan for the ACF2 product and we had reported the status to senior management. Those facts, that we were aware of the issues, had planned appropriate corrective actions, and made senior management aware of the situation, were not mentioned in the report.

Instead, the issues were described as internal audit ‘findings’.

I asked the audit team a series of questions:

  • Do our implementation plan and the remaining action items adequately address the issues? The answer was “Yes”.
  • Do we have the resources to take corrective actions faster? The answer was “No”.
  • Have we properly prioritized the work of the information security team, including the work to be completed on the ACF2 project? The answer was “Yes”.
  • Are you going to recommend that we get the additional resources necessary to complete the actions faster, as you have suggested? The answer was “No”.

As a result, the report to the board and top management was misleading. It was neither fair nor balanced. It described a situation that implied that we were not acting as we should, when in fact they agreed with everything we were doing.

This is a story that has a message.

Every audit report needs to communicate the true state of affairs, and that can be more than describing factual situations. Context is critical. All relevant facts need to be included.

Every audit report needs to tell a story about whether management has reasonable controls in place to manage risk at acceptable levels.

Every audit issue or finding has to be explained in terms not only of whether the risk is acceptable (and to which objective) but whether management is acting appropriately.

The IT audit manager responsible for this audit didn’t care about risk or balance. Frankly, not only was he very much a rules-based instead of principles-based auditor, but I suspect he was using the audit report as a way to make himself look better.

What do you think?

This happened to me. Have you seen similar reports?

An example of game theory in risk management

January 13, 2018 12 comments

Many liked the post on Risk and Game Theory with Ruth Fisher (my co-author on the piece). We were asked for more, especially an example or two.

As with the last post, I will set the stage and then Ruth will share how game theory can be used.

This is more an article than a blog post, as the explanation of how to solve the problem takes a while. It is also, at times, complex. If you want, you can skip some of the technical stuff (equations and so on).

The main thing, for me, is to understand that the optimal action to address the identified risk has to consider not only the perspective of the ‘owner’ of the risk (Management) but also the perspectives of the other two parties (the Employees and Competitors). Game theory factors how the other parties will react into the process of making the decision of how to respond to the risk.

Your comments and reactions are welcome.


One of the risks identified by many organizations as significant and included in the risk disclosures required in corporate filings, such as the annual and quarterly filings with the U.S. Securities and Exchange Commission, is the loss of key personnel.

Here is an extract from IBM’s 2016 Annual Report on Form 10-K:

The Company Depends on Skilled Personnel and could be impacted by the loss of Critical Skills: Much of the future success of the company depends on the continued service, availability and integrity of skilled personnel, including technical, marketing and staff resources. Skilled and experienced personnel in the areas where the company competes are in high demand, and competition for their talents is intense. Changing demographics and labor work force trends may result in a loss of or insufficient knowledge and skills. In addition, as global opportunities and industry demand shifts, realignment, training and scaling of skilled resources may not be sufficiently rapid or successful. Further, many of IBM’s key personnel receive a total compensation package that includes equity awards. Any new regulations, volatility in the stock market and other factors could diminish the company’s use, and the value, of the company’s equity awards, putting the company at a competitive disadvantage or forcing the company to use more cash compensation.

Assessing this risk is not simple.

Arguably, the risk is different for different groups of personnel such as:

  • The CEO
  • The direct reports to the CEO
  • Their direct reports
  • Middle management
  • Individuals with critical skills or knowledge, such as those leading innovation and product development
  • Other personnel where the loss would be significant but replacements might be found within a reasonable period

So let’s focus on the risk of losing people in the critical skills or knowledge category.

IBM’s discussion focuses on losses due to others offering greater compensation. No mention is made of losses due to employee morale problems and so on – so I will focus on compensation.


At first blush, this may seem fairly straightforward. But in real life identifying the risk, assessing its level, and evaluating whether it is acceptable is only a start.

It can be quite complicated, even for what seems a simple risk like the potential to lose people, to figure out what to do about it.

Most risk managers, unfortunately, don’t pay enough attention to the response to risk.


Here’s a hypothetical situation:

  • The company is very concerned about the loss of critical personnel in its product development team, in particular those working on the next generation product slated to be released in the next year. They have lost staff to their competitors at an unacceptable rate and believe that further losses would harm their ability to maintain their technological edge in the market and introduce a product on time that will excite customers at a reasonable price
  • It is possible that staff members could take their knowledge and information about the company’s products (its intellectual property) to a competitor
  • Failing to introduce the next generation product into the market on time could be devastating to revenue, market share, customer retention, share price, and so on
  • If no action is taken, management assesses the likelihood of losing key personnel (30 are working on the next generation product out of a population of 50 engineers) as:
    • No losses in the next 12 months: 15%
    • 1-2 engineers: 50%
    • 3-5 engineers: 25%
    • >5 engineers: 10%
  • The average potential loss (considering the effect on revenue, customer satisfaction, market share and other goals) for each of these scenarios is in a range:
    • No losses: $0
    • 1-2 engineers: $1 million
    • 3-5 engineers: $10 million
    • >5 engineers: $50 million
  • The risk is seen as unacceptable and action is needed – as long as the cost is less than the reduction of risk achieved
  • Management believes that the compensation package (salary, benefits, and bonus) is competitive. It is in line with what they believe others are offering. However, that has not stopped staff from leaving – presumably for more money
  • One option is to increase salaries for the 30 key personnel at a cost of $450,000 per annum. However, that may create a problem with other personnel in equivalent positions who have similar skills and experience
  • Another is to increase bonus awards for the 30, also at a cost of about $450,000. However, those are linked to corporate performance and are not assured. Competitors may offer hiring bonuses and higher salaries
  • A third option is to offer retention bonuses to the 30 (at a similar cost). However, if other team members (such as in Quality and Inspection) leave, that may also derail product development
  • Bonuses could be awarded in a similar amount for successful completion of the new product. However, individuals on other teams could feel slighted and leave. That would have a detrimental effect on customer satisfaction and longer term goals: the other engineers support customer implementations, provide maintenance, and are working on the products planned for release in 2019
  • There is a limit to the company’s ability to increase compensation packages – the strain it would put on profit margins and corporate earnings targets. The risk of missing those targets would be affected by increased salaries or bonuses
  • Another option is to leave compensation where it is but dedicate Human Resources personnel to monitoring morale in the engineering unit. In addition, invest $500,000 in software that will monitor employee (internal) social media posts and messages. However, there is a risk to morale if the engineers find out about the monitoring
  • An employee has suggested upgrading the engineers’ work environment with expensive coffee machines, free soft drinks, a running track, a foosball machine, access to a gym, and free upscale meals in the cafeteria. This would cost at least $250,000 per year and would be available to all employees, not just the engineers
  • The Human Resources manager suggested making employee retention a key factor in middle management’s performance appraisal. But this is not considered likely to make a significant difference to the level of risk.
  • To empower middle management in retaining key personnel, upper management has given responsibility to middle management for deciding which option(s) to implement.


So, Ruth, how would game theory help the management team assess each option for addressing this problem and then determine the best approach? How would it bring into the equation the reactions of the engineers, other employees, and competitors?

Ruth is going to pretend to be a consultant that has been hired by management to help them figure out what to do.

They chose her because they recognize that they have to consider how others (competitors and employees) will react to what they choose to do. That is the essence of game theory.


Thanks for the setup, Norman.

Let’s start by defining the players in the game. The players are those individuals, groups, or entities whose actions and payoffs are interconnected.

In the case at hand, the risk is that one player will take an action: the Competition lures the Company’s Key Employee away by offering a higher salary or other incentive; then, a second player reacts to the actions of the first player: one or more Key Employees accept the higher salary and leave the Company to work for the Competition.

The second player’s response to the first player’s action affects the payoff of a third player: Without the Key Employee, the Company is less able to successfully finish the new product on time, and so expected Company profit falls.

The third player thus anticipates the possibility of the actions that might be taken by the first and second players with yet another action: The Company knows that it won’t be able to successfully complete the new product without the Key Employees. So if the Competition offers a Key Employee a higher salary or other incentive to leave, the Company will respond to the Competitor’s action with a counter-action: offering the Key Employee a higher salary, a bonus, or other incentives to stay. The Company may, and this is what I will advise, take one or more pre-emptive actions that will reduce the likelihood that Key Employees will take offers from the Competition.

We see, then, that the actions taken by each of the players—the Company, the Key Employees, and the Competitor—affect the payoffs (profits and compensation) each player receives. These players thus form a game.

Norman’s descriptions yield a configuration of the Employee Retention Game as illustrated in Figure 1:

Figure 1 [image]

Expectations of Losses

The Company believes Key Personnel on the project team may leave the company to work for Competitors with the probabilities and associated losses to the Company presented in Figure 2.

Figure 2 [image]

The Company believes that with probability 50%, 1 or 2 Key Personnel on the project team will leave the Company to work for a Competitor (see Figure 3, row [2]). If this happens, the loss to the Company will be around $1 million (column [C]).

That would be painful but tolerable. However, there is a further 35% chance of larger losses, and losing more than 5 Key Employees would be catastrophic.

One consultant from a major accounting firm suggested establishing a ‘risk appetite’. But management is not sure that means anything tangible to them. They believe that the right approach, with which I agree, is to understand the options, how they will change the risk at what cost, and then select from them the one or more that make good business sense.


Management Options

The possible actions identified by Management to prevent Key Employees on the project team from leaving are shown in Figure 3.

Figure 3 [image]

The first thing to note is that each option costs less than the $1 million loss projected if 1 – 2 Key Employees leave.

But we don’t yet know how likely each of the options is to succeed.


Talks with the Company about Employee Satisfaction

Before attempting any further analysis, I need to talk to both Management and the Project Team.

A conversation with the Management Team, including the Human Resources representative, tells me:

  • The Company believes it is already paying towards the high end of the salary range for these engineers. Surveys conducted by Human Resources indicate that the Company is actually paying the same or more than its competitors.
  • The Company recently completed an employee survey. Morale seems to be high and most employees say they are proud to be working there.
  • Management is open to paying bonuses for completing the project on time and on budget, but it is less comfortable with retention bonuses that are not linked to satisfactory completion of the project.
  • Neither Management nor Human Resources knows much about working conditions at the Competitors. Management does know that its people often have to put in long hours (including weekends) and improvements in working conditions would be within its budget.
  • Management is confident that the Competitors are very concerned about the Company’s next generation product. The Competition would be willing to spend a lot of money to derail the project, even if that meant hiring people they didn’t need away from the Company. For that reason, Management is 90% confident that any increase in salaries paid by the Company would be matched by competitors.

A separate conversation with the Human Resources person told me that:

  • In exit interviews, engineers that have left said they liked their manager – so that is not a problem. They also had enjoyed working for the Company.
  • They said that significant hiring bonuses offered by the Competitors were the main reason they were leaving. It was not dissatisfaction with the Company. It was the opportunity to move to a new home, pay for a child’s college tuition, or cover another major cost that was attractive.

I met with a group of Key Employees after that. They told me:

  • Overall, they enjoyed working for the Company and were proud of the work they were doing. They were looking forward to completing the project and letting the world see the next generation product.
  • They were tired of working many hours although they knew that it was necessary. They all said they needed a space where they could relax on a long day or weekend.
  • Friends who had left the Company and joined Competitors were not always happy with the move, but they had been financially stressed. They had only been given small salary increases but substantial hiring bonuses.

The Employees I met with did not admit to actively looking for new jobs and appeared to be happy where they were, even after hearing from—and even visiting—friends who had left.


Assessing the Options

I met with the Management Team to assess each of the options in Figure 3.

We quickly dismissed option #5, Monitor Morale, as being very unlikely to prevent anybody from leaving. This might be a viable option for the longer term, especially if combined with other actions. But it would not help enough in the short term, before the project is completed.

Management didn’t like the first option, increasing salaries. They had 90% confidence that the Competitors would at least match the salaries. In fact, Management thought it at least 50% likely that the Competition would respond to the Company’s salary increase by increasing Competitors’ salaries even more. But Employees might see raising salaries favorably. We estimate that raising salaries would reduce the likelihood of losing key people as follows:

  • 1-2 people would drop from 50% to 20%
  • 3-5 would go from 25% to 5%
  • More than 5 would drop from 10% to 2%

However, this remaining level of risk would be problematic.

The second option, increasing bonuses that are tied to corporate performance, was the pick of the Human Resources representative. It wouldn’t make the engineers a group receiving special treatment. But Management estimated this will reduce the likelihood of losing personnel by less:

  • 1-2 people would drop to 40%
  • 3-5 would now be 15%
  • More than 5 would still be high at 5%

The level of risk would remain unacceptable.

The third and fourth options, retention bonuses and bonuses for successful completion of the project, drew mixed reviews. Management prefers option #4 (success bonus) but think Employees would prefer #3 (retention bonus) because it is more certain. They believe #3 will reduce the likelihood of losing personnel to 5%, 5%, and 2% (which is acceptable), and #4 to 13%, 5%, and 2% (which is marginally acceptable).

Management is uncertain how Employees will react to the option of upgrading the work environment. In fact, a couple of Managers think that it might negatively affect productivity. But Human Resources and the other Managers favor the option. They just don’t know how effective it will be.

My discussion with the employees led me to believe they would respond very positively to #6. After discussion, we agreed to estimate that #6 would reduce the likelihood of 1-2 engineers leaving to 15%, 3-5 leaving to just 10%, and the likelihood of more than 5 to practically zero. Management was, again, reluctant but open to a 15% possibility.

A summary of the information gathered on each of the options is presented in Figure 4.

Figure 4 [image]

Using the information in Figures 2 and 4, I calculate the probabilities that Key Employees would leave the Company to work for the Competition. These probability distributions are presented in Figures 5A and 5B.

Figure 5A [image]

Figure 5B [image]

Figures 5A and 5B tell us the likelihoods that certain numbers of Key Employees will leave. Under option #4, for example, there is a 13% chance that 1 – 2 Key Employees will leave. If 1 – 2 Key Employees do leave, however, then what’s the likelihood that the project will still be successfully completed and thus success bonuses be awarded? And in the case of option #2, if 1 – 2 Key Employees leave, what’s the likelihood that the Company as a whole will meet its performance goals and thus performance bonuses be awarded? We need another set of probabilities that tell us the likelihoods of project and Company success when some Key Employees leave.

Let’s assume everyone agrees on the probabilities presented in Figures 6A and 6B:

Figure 6A [image]

Figure 6B [image]

Continuing with the example: Under option #4, there is a 13% chance that 1 – 2 Key Employees leave. If 1 – 2 Key Employees do leave, then, from Figure 6, there is an 85% chance that the project will still be successful and the bonus in option #4 will be granted. There is thus an expected probability of 13% x 85% = 11% that 1 – 2 Key Employees leave and that the remaining Key Employees successfully complete the project and receive their bonuses.

Similarly, under option #2, there is a 40% chance that 1 – 2 Key Employees leave. If 1 – 2 Key Employees do leave, then, from Figure 6, there is an 80% chance that the Company will still meet its performance goals and the bonus in option #2 will be granted. There is then an expected probability of 40% x 80% = 32% that 1 – 2 Key Employees leave and that the remaining Key Employees will receive Company performance bonuses.

Using the information in Figures 5 and 6, I calculated the expected probabilities of project success and bonuses awarded for each of the options. These expected probabilities are displayed in Figure 7.

Figure 7 [image]

Given all these different sets of probabilities, we now need to know which options are best for Management. The best options for Management will depend on how Management thinks Key Employees and the Competition will react to Management’s choice of options.


Technical Stuff

It’s time to turn to game theory. It uses expressions like “objective function” and “profit function”.

Let’s start by defining the game. A game includes:

  1. a set of interconnected players
  2. a set of actions available to each player, and
  3. a set of associated payoffs for each player.

We’ve already identified the players in the game, as illustrated in Figure 2.

The next step is to figure out each player’s objective, that is, what he is hoping to achieve. The players’ objectives help us understand two things. First, players’ objectives tell us where they are trying to go, and thus which actions they are likely to take in different situations. Second, players’ objectives (more accurately, their objective functions) tell us how to translate or convert a set of payoffs into an aggregate measure of value. Would a player rather have an apple and two oranges or two oranges and an apple? Similarly, in Figure 5, would a Key Employee prefer the distribution of probabilities under option #1 or option #2? With such a measure of value we can compare different bundles of payoffs received under different scenarios and determine which of the bundles players will prefer.

In the game at hand, the objective of the Company is to reduce the risk of project and Company failure due to key employees leaving to acceptable levels as cost effectively as possible. [While a risk manager may talk about reducing risk to acceptable levels, operating managers talk about achieving a successful outcome – ndm.]

The objective of the Employees is generally to earn money. But Employees also want job satisfaction, which can mean working in a friendly environment, being given ample responsibilities, being recognized for one’s accomplishments, and so on. Employees also enjoy an attractive work environment. Free food and beverages are nice, as well as places to relax and unwind.

The Competitor’s objective for the game at hand is to hire away Company Employees to improve the Competitor’s probability of success, while derailing the Company’s probability of project success.

The actions available to each player are the options each player can take to achieve his objective. The actions available to the Company are the options listed in Figure 4. Key Employees can either stay with the Company or leave to work for the Competition. And the actions available to the Competition are to offer Key Employees salaries and bonuses to leave the Company and work for the Competition.

And finally, the payoff received by each player is the final benefit—product success, compensation, job satisfaction, profit, etc. —he gets when each of the players in the game take an action. Recall that our situation here forms a game because each player’s payoff is affected by the actions the other players take.

This is what I can deduce so far for each of the players:


Middle Management

Objectives: Minimize the likelihood of the project failing or being delayed while maintaining the line on cost. The project will be less likely to fail if fewer Key Employees leave to join the Competition.

Possible Actions: Award all or select Team Members increased compensation, monitor morale, and/or upgrade work environment.

Payoffs: Corporate success and personal compensation depend on the success of the project.

Objective Function: The objective function that Middle Management (as proxy for the Company) seeks to optimize looks something like this:

Choose Comp_Key_i to:



Exposure_0 is the Company’s exposure to risk under the status quo, $8 million (see Figure 2, row [5]);

Exposure(Comp_Key_i, Comp_Key_i′) is the exposure to risk the Company faces if the Company offers Key Employee i compensation Comp_Key_i and the Competition offers him Comp_Key_i′;

Prob_Success(Comp_Key_i, Comp_Key_i′) is the probability of project or Company success if the Company offers Key Employee i Comp_Key_i and the Competition offers him Comp_Key_i′.

Management must figure out which compensation or morale boosters will be most effective at reducing the Company’s exposure to risk by convincing Key Employees not to leave to work for the Competition.


Key Team Members

Objective: Optimize job satisfaction. Compensation is a secondary but important factor: people are more likely to leave due to poor compensation than incented to stay or leave by high compensation. The work environment can be a significant contributor to job satisfaction.

Possible Actions: Choose to remain with the Company or to switch to a Competitor.

Payoffs: Choice of (i) employer, (ii) compensation, and (iii) pride in the new product determine job satisfaction.

Objective Function: The objective function that each Key Employee i seeks to optimize looks something like this:

Choose to stay with the Company or leave and work for the Competition to:



U_i(•) is the total job satisfaction (i.e., utility) for Key Employee i;

Comp_Key_i is the extra compensation or morale booster received by Key Employee i;

eqn_emply_obj2… is the extra compensation Key Employee i expects to receive, given the probability other Key Employees j may leave, causing the new project to fail;

Environ_i is the value Key Employee i receives from a good work environment;

Prob_Success_i is the satisfaction Key Employee i receives from successfully launching a new product, given the Key Employee’s estimate of the probability of project success;

Comp_Key_i′ is the extra compensation or morale booster for Key Employee i if he leaves and works for the Competition.

Employees care about:

  • (i) Their expected compensation (including success bonuses), given the total number of other Key Employees they expect to leave and work for the Competition. Employees will be alert to potential defections of other Key Employees, because that will hamper the performance of the team, the probability the project and Company will succeed, and thus their expected success bonuses.
  • (ii) The work environment.
  • (iii) The personal satisfaction in a job well done – completion of the new product. I’m assuming that Key Employees have a chance of successfully completing the project if they stay with the Company, but not if they leave and work for the Competition.
  • (iv) The compensation they can expect to earn if they defect to the Competition.

Let’s approximate the value to Key Employee i of a good work environment as some fraction or multiple, g, of his compensation award: Environ_i = g x Comp_Key_i. Based on the probabilities in Figure 7, it appears that Key Employees value an improved work environment relatively highly, about as much as they value a salary increase (option #1).

Let’s also approximate the value of the personal satisfaction he gets from successfully completing the new product as some fraction or multiple, l, of his compensation award.

In this case a decision function for Key Employees might look something like this:

Figure 8 [image]

If the value of the equation in Figure 8 is positive, then the Key Employee will choose to stay with the Company. Conversely, if the value of the equation in Figure 8 is negative, then the Key Employee will choose to leave the Company and work for the Competitor.

Notice that both components of the value received from the Company occur with some risk, while the value component for the Competitor is certain. The Company is thus at more of a disadvantage – that is, Key Employees are more likely to accept the Competition’s no-risk offer of compensation – when Key Employees are more risk averse.

Notice also that the Company is at more of an advantage – that is, Key Employees are more likely to stay – when Key Employees get more satisfaction from successfully completing a product.

These two tendencies of Key Employees – risk aversion and job satisfaction – are a general property of utility functions, not just a byproduct of the form of the function chosen here.

Competition

Objective: Hire employees to optimize performance of teams relative to that of the Competition.

Possible Actions: Use compensation packages to recruit team members away from current employers.

Payoffs: Profits are higher when the Competition succeeds in recruiting more and better employees.

Objective Function: The objective function the Competition wants to optimize looks something like this:

Choose Comp_Key_i′ to:



Comp_Key_i′ is the extra compensation paid to Key Employee i to convince him to leave the Company and work for the Competition;

COMP′ is the upper limit on expenditures the Competition can afford to spend to keep Key Personnel from leaving.

The Competition’s objective function is essentially the opposite of the Company’s: The Company essentially wants all its Key Employees to stay and work for the Company. The Competition wants the Company’s Key Employees to leave and work for the Competition. Recruiting Key Employees away from the Company simultaneously strengthens the Competition while it weakens the Company. Double Whammy!


Outcome of the Game

Management’s Expected Payoffs

Let’s start with Management’s expected payoffs under the different options, presented in Figure 9. Note that we previously discarded option 5 as unlikely to prevent employees from leaving.

  • Expectations about the Company’s exposure in the current situation, rows [1] and [7], are taken from Figure 2.
  • The expected probabilities of Key Employees leaving, rows [2] – [6] in columns [B] – [E], are taken from Figure 5A.
  • The potential exposure to the Company, columns [F] – [J], is the product of the probability Key Employees leave, columns [B] – [E], times the loss to the Company if Employees do leave, row [7].
  • Column [J] provides the total exposure of the Company for each option, the sum of columns [F] – [I].
  • Column [K] provides the reduction in exposure of each option (column [J]) relative to the status quo in row [1].
  • Column [L] is the cost to the Company of each option, taken from Figure 3.
  • Column [M] is the probability the cost in column [L] will be realized, taken from Figure 7, column [F].
  • Column [N] is the expected cost to the Company of each option, column [L] times column [M].
  • The net value to the Company of each option, column [O], is the difference between the savings in exposure realized by each option and its associated cost.

Figure 9 [image]

The order of preference for the Company, based on the net values of the different options, is:

Option #6 > Option #3 > Option #4 > Option #1 > Option #2
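The Figure 9 column logic above, and the 13% x 85% joint-probability step from the earlier example, carried through in code. This is an added worked example, not part of Norman’s or Ruth’s post: the scenario probabilities, losses and option costs are the ones stated in the text, while the probability that an option’s cost is actually incurred (Figure 7, column [F], not reproduced here) is an assumed input supplied by the caller.

```python
# Added example (not from the original post): aggregating several loss
# scenarios into one expected exposure per option and ranking the options
# by net value, following the column logic described for Figure 9.
from dataclasses import dataclass

# Loss scenarios and the loss to the Company (in $ million) if each occurs,
# taken from the hypothetical setup in the text.
SCENARIOS = ("none", "1-2", "3-5", ">5")
LOSS_MILLIONS = {"none": 0.0, "1-2": 1.0, "3-5": 10.0, ">5": 50.0}


@dataclass(frozen=True)
class Option:
    name: str
    description: str
    prob_leave: dict      # probability of each loss scenario under this option
    cost_millions: float  # annual cost of the option (Figure 3)


def with_remainder(p12, p35, p5):
    """Build the scenario distribution; 'none' is whatever probability is left."""
    return {"none": round(1.0 - p12 - p35 - p5, 6), "1-2": p12, "3-5": p35, ">5": p5}


# Status quo: 15% / 50% / 25% / 10%, which the text values at $8 million exposure.
STATUS_QUO = Option("status quo", "no action", with_remainder(0.50, 0.25, 0.10), 0.0)

# Post-option probabilities and costs as stated in the assessment section.
# Option #5 (monitor morale) was dismissed in the text and is left out.
OPTIONS = [
    Option("#1", "raise salaries", with_remainder(0.20, 0.05, 0.02), 0.45),
    Option("#2", "performance bonuses", with_remainder(0.40, 0.15, 0.05), 0.45),
    Option("#3", "retention bonuses", with_remainder(0.05, 0.05, 0.02), 0.45),
    Option("#4", "success bonuses", with_remainder(0.13, 0.05, 0.02), 0.45),
    Option("#6", "work environment", with_remainder(0.15, 0.10, 0.00), 0.25),
]


def expected_exposure(option):
    """Sum over scenarios of P(scenario) x loss, i.e. columns [F]-[J] of Figure 9."""
    return sum(option.prob_leave[s] * LOSS_MILLIONS[s] for s in SCENARIOS)


def joint_probability(prob_leave, prob_success_given_leave):
    """P(scenario occurs AND the bonus is still earned), e.g. 13% x 85% = 11%."""
    return prob_leave * prob_success_given_leave


def net_value(option, prob_cost_realized=1.0):
    """Reduction in exposure versus the status quo (column [K]) minus the
    expected cost (column [N] = cost x probability the cost is incurred)."""
    reduction = expected_exposure(STATUS_QUO) - expected_exposure(option)
    return reduction - option.cost_millions * prob_cost_realized


def rank_options(prob_cost_realized):
    """Option names ordered by net value, highest first.

    prob_cost_realized maps an option name to the probability its cost is
    actually incurred (Figure 7, column [F]); options not listed are treated
    as certain costs (salary, retention bonus, environment upgrade)."""
    scored = [(net_value(o, prob_cost_realized.get(o.name, 1.0)), o.name) for o in OPTIONS]
    return [name for _, name in sorted(scored, reverse=True)]


if __name__ == "__main__":
    # ASSUMED values for the bonus options, standing in for Figure 7 column [F]:
    # a success bonus (#4) or performance bonus (#2) is only paid on success.
    assumed_prob_cost = {"#4": 0.90, "#2": 0.85}
    print(f"status quo exposure: ${expected_exposure(STATUS_QUO):.2f}M")
    for o in OPTIONS:
        p = assumed_prob_cost.get(o.name, 1.0)
        print(f"{o.name} {o.description:<20} exposure ${expected_exposure(o):.2f}M "
              f"net value ${net_value(o, p):.3f}M")
    print("ranking:", " > ".join(rank_options(assumed_prob_cost)))
```

Under the assumed bonus-payout probabilities the ranking reproduces the order stated in the text; because options #3 and #4 are close, the result is sensitive to the Figure 7 value actually used for #4.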


Key Employee’s Expected Payoffs

Next, we consider the expected payoffs to Key Employees under each option, using the Key Employees’ utility function in Figure 8. The two big issues for Employees are:

  • (i) The degree to which they don’t like risk, and
  • (ii) The degree to which they do like job satisfaction.

Figures 10A and 10B compare the total utility of Key Employees under four assumptions:

Column [G]: Indifferent to Risk, Care Less about Job Satisfaction

Column [H]: Indifferent to Risk, Care More about Job Satisfaction

Column [I]: Don’t Like Risk, Care Less about Job Satisfaction

Column [J]: Don’t Like Risk, Care More about Job Satisfaction

Figure 10A [image]

Figure 10B [image]

The comparisons of Key Employees’ utilities across forms (columns [G] – [J] in Figure 10A) tell us:

  • The rankings of the options are the same across all four forms of Key Employees’ utility functions. The total expected value, however, differs across the configurations.

Option #3 > Option #6 > Option #1 > Option #4 > Option #2

Based on the comparisons in Figures 10A, we can also surmise that if Key Employees prefer[1]:

  • Less risk in their compensation awards (column [D]), then they will likely stay under options #1, #3, #4, and #6.
  • Larger expected awards (column [E]), then they will stay under options #1, #3, #6, and perhaps #4.
  • Job satisfaction from successful project completion (column [F]), then they will likely stay under options #1, #3, #4, and #6.

And if Key Employees think other Key Employees prefer:

  • Less risk in their compensation awards, then they will think other Key Employees are more likely to leave under options [2] and [4] than the numbers in the table suggest. In this case, both the expected value of the award (column [E]) and the probability of success (column [F]) would be lower than indicated by the numbers in the table.
  • Larger expected awards, then they will leave under options #2 and perhaps #4.
  • Job satisfaction from successful project completion, then they will leave under option #2.



The ordering of preference across options for the two sets of players is presented in Figure 11.

Figure 11 [image]

The highest value choice for Management is option #6. However, Management is ‘reluctant but open’ to option #6. At the same time, option #6 is the second most desirable choice for Key Employees.

The second highest value choice for Management is option #3, and Management thinks this is an acceptable option. At the same time, option #3 is the preferred choice of Key Employees.

My advice to Management would be to choose option #3 over option #6 for two reasons in particular:

  1. Management thinks option #3 is acceptable, but it is reluctant to choose option #6.
  2. It’s possible Management is underestimating the probability that employees will leave. In other words, choosing Option #3 hedges against the possibility Management underestimated the probability employees would leave.

[1] The probabilities of project or Company success in columns [C] and [E] depend on the estimated probabilities in Figure 6. If some Key Employees think the estimates in Figure 6 are too high, then those Employees will have lower values for columns [C] and [E] than those presented in Figure 10A. Correspondingly, those Employees would be more likely to leave the Company and work for the Competition than columns [C] and [E] suggest.



Here is the chart requested by Nik