Decision making in risk management

Our world is in a state of upheaval – whether due to war and terrorism, the increasing number of environmental disasters or because of cyber risks and economic distortions. The risk map is growing as a result. For decision makers in the political and the economic sphere, this means adjusting to a  huge number of possible risks. Even more important is incorporating these risk factors into their own organisational planning. The FIRM editorial team spoke to Lieutenant Colonel Thorsten Kodalle, lecturer in security policy at the German military leadership academy, about the latest geopolitical upheavals, leadership in the digital age and war gaming as a method for improved decision making in risk management.

Lieutenant Colonel Kodalle, we face war, terrorism, refugee crises and cyber risks. The risk map these days is huge and it appears that the world is becoming increasingly destabilised in many areas. Where is our world heading in a geopolitical context?

Thorsten Kodalle: Where the world is heading is difficult to predict and to calculate. There are experts, like Robert D. Kaplan, who say that wanting to control the world today is just an illusion. So much happens and takes us by surprise in increasingly short time periods. It's hardly surprising, for example, that we have a forecasting horizon of perhaps three months in foreign policy. Looking at foreign policy, in recent months we have experienced things we never expected. You only have to look at the election of President Trump in the USA. In many cases, his domestic and foreign policy seems less calculable than that of his predecessors. It starts with communication via Twitter and ends with the perceived dismantling of the established international system with withdrawal from various organisations. Accompanied by the announcement of national and international agreements and a shift in the negotiating approach away from multilateral and towards bilateral talks, his policies are really quite hard to assess.

Can you give us your more specific assessment of Germany's geopolitical position?

Thorsten Kodalle: Geopolitically, Germany is in the middle, dependent on links with China, Russia and the USA. For example, there are strong trade links with China and huge links with Russia in the energy sector. In terms of the USA there remain significant defence policy links and, above all, dependencies on their capabilities, especially within NATO. From a military perspective, Germany's future direction is difficult to assess. One approach could be that, in these times of a "world with no world order", it is first of all crucial to pay more attention to regional conditions. This means finding regional solutions to create more stability, and not viewing everything through broad geopolitical goggles.

Digitalisation is a big issue. Among other things, you teach as a lecturer in security policy at the German military leadership academy. How should leadership be understood and practised in the digital age?

Thorsten Kodalle: Leadership in the digital age has to take into account the classic principles, which still count, because the human brain has not changed in the last 10,000 years. In other words, everything that was previously valid in the decision making process, is still valid today. For example, dealing with uncertainty and emotions is something that is still important in the digital age. But it takes digital leadership intelligence to deal with the fast pace. We have more and more data and feel as though we have less and less time. Value-based leadership capability is important for making correct decisions. Managing means doing things right, leadership means doing the right things – that is a crucial difference. These leadership decisions have to be continuously adapted. One analytical method for reflecting on suitable ideas is war gaming.

What is war gaming as a method all about?

Thorsten Kodalle: War gaming is based on a methodical analysis tool that supports decision-making in risk management. As a training tool, the war gaming method can be used to minimise risks and increase awareness. One of the objectives is to rule out avoidable errors in advance. A key feature of war gaming is that the simulation can take on the character of a game. However, at the same time a war game enables participants to contribute their own emotions and inclinations and to experience decisions. Essentially, we differentiate between manual, qualitative war gaming, which we use for training on an operational level at the Leadership Academy – and where our guidelines from 2004 are still the standard work within NATO – from quantitative, computer-based war gaming. This has more of the character of a constructive simulation. But the two methods can be combined very effectively – both in teaching and in analysis. For example, in January 2017 we combined manual war gaming at King's College London (PhD student Andreas Haggmann) with quantitative war gaming at the Karlsruhe Institute for Technology (KIT, Professor Hagen Linstädt).

Let's stay with war gaming for a moment. For the benefit of our readers, can you briefly outline the method using a practical example from banking?

Thorsten Kodalle: First of all, I'm not a financial advisor or an expert in the banking sector. But in recent months I've been doing a lot of work on cryptocurrencies. Alongside propaganda bots – of which there are 307 million on Facebook – and artificial intelligence, cryptocurrencies are one of the major drivers in the field of digitalisation in 2018. They have a direct and fundamental impact on banks. As there is a great deal of uncertainty in this area as to which nation is following which regulations and what opportunities an investor faces in different countries for trading in cryptocurrencies, and where banks can/must/should provide interfaces to FIAT currency, I believe there is plenty of material here for an interesting scenario analysis and/or a business war game. Therefore, a bank could run through the impact their "crypto strategy" could have on the regulatory and competitive environments in certain regions or globally. Blue would be their own bank/institution, red would be the competitive environment, perhaps with prominent players, yellow could be the regulators in the USA, China, Russia or India. Blue then develops a plan – for example providing an additional exchange in Germany – and all other participants develop their countermoves. The key requirement is that red genuinely attempts to represent the competition and not simply put a gloss on things. War gaming is the toughest way of testing your own ideas.

Let's return to the issue of digitalisation. When you, as an expert, take a critical look at the vulnerability of the financial sector – with all its digital products, new digital currencies and the promise of security in our closely networked world, how secure is the promised security, and what tasks do banks need to perform urgently?

Thorsten Kodalle: I can only give you a very basic evaluation, as I have no expertise on the detail. Essentially, all centralised systems have at least one "single point of failure", e.g. a central server. In the cyber security community, we say quite bluntly that there are only two kinds of company – those that have been hacked and those that don't know yet that they've been hacked. The community also still believes that the most risky weakness is the "carbon based life form" – i.e. the people. 61 percent of risks are caused by internal offenders and ensuring that employees have sufficient security awareness is still a strategic challenge, if not the most important one. From a statistical perspective, 15 percent of employees are in a state of mental resignation and thus represent either a recruitment basis for internal offenders or a critical mass of disinterest in cyber security. You can still always find an employee who clicks on every link sent to them by e-mail – whether maliciously or out of ignorance. Apart from that, banks need to keep their technology up to date and use "cutting edge" defence methods, as the attackers are definitely using "cutting edge" offensive methods. These now include fully automatic attack vectors with algorithms that change and adapt in real time and can only be countered with automated de- fence systems that are also capable of learning in real time.