May 04, 2022

Red-Teaming Your Risk Management

Reading for Lifelong Learning and Leadership: A PICPA Blog Series

Red Team: How to Succeed by Thinking Like the Enemy by Micah Zenko 

By James J. Caruso, CPA (inactive), CGMA

In Red Team: How to Succeed by Thinking Like the Enemy, author Micah Zenko defines red-teaming as “a structured process to better understand the interests, intentions, and capabilities of an institution – or those of a potential competitor – through simulations, vulnerability probes, and alternative analyses.” The term “red team,” according to Zenko, was first used within the U.S. military during the Cold War, although the tools and techniques of the process were in use well before that. In fact, the concept can be traced back to the role of devil’s advocate, which was an actual Vatican position in the Roman Catholic Church beginning in the 13th century.

Red-teaming is designed to provide an independent, dissenting voice to challenge assumptions and anticipate potential threats, weaknesses, and vulnerabilities. The objective is to mitigate groupthink and overcome conformity by purposefully seeking to reach an opposite conclusion relative to a strategy or the prevailing wisdom.

Here are a few illustrative red team exercises discussed by Zenko: The Millennium Challenge in 2002, a series of concept-development war games to simulate future operational military challenges; a mid-2000s Department of Homeland Security assessment of airport vulnerability to terrorist attacks using shoulder-fired missiles; New York Police Department tabletop exercises prompted by the 2008 Mumbai terrorist attacks; a 2010 CIA Red Cell memo titled, “What If Foreigners See the U.S. as an ‘Exporter of Terrorism’”; and three different red teams used prior to the military raid targeting Osama bin Laden in 2011.

In essence, red-teaming is a risk management strategy. Financial professionals – whether auditors, tax preparers, controllers, or CFOs – are expected to identify potential risks, anticipate what might go wrong, and plan for contingencies.

Unfortunately, useful contrarian thinking like red-teaming is missing in most organizations. The path of least resistance is to go along with the status quo and follow the consensus, without considering how our assumptions might be wrong. We tend to develop optimistic plans without an adequate consideration of potentially unfavorable outcomes. Blind spots result from biases, at both the individual and the organizational levels. These include confirmation bias, anchoring (continuing to be influenced by initial information or impressions and failing to see new information objectively), and mirroring (assuming everyone else thinks like you).

Applying the concepts and mindset of red-teaming can help you transcend the day-to-day and think more strategically about potential risks, alternative scenarios, and undesirable outcomes. Red-teaming counters biases, emotions, and the tendency to over-simplify the complexities of reality with assumptions and models. It can be used to challenge day-to-day operations and processes, or specific one-time initiatives. A common red team exercise that may already be used by your organization is intrusion testing: engaging third-party “white-hat hackers” to test the vulnerabilities of your information systems. However, we rarely see any type of formal red-teaming outside of this, particularly in small to midsize organizations. This is unfortunate because its principles and methods have application in all sorts of areas related to financial management, including budgeting and forecasting, software implementation, preparation for audit, development of internal controls, or the design of any new policy or process.

Independence and objectivity are prerequisites for red-teaming. Of course, it is not practical to hire a third-party firm to red team everything. The next best thing is an internal team, but its members must be independent of the work being red teamed. An internal red team can employ structured brainstorming to speculate about alternative or unfavorable outcomes, draw out “what-ifs,” or prepare “pre-mortems,” which are hypothetical post-mortems done in advance, pretending things have gone awry. An internal red team does not have to be large, but appointing just one individual to provide a dissenting view will not counter groupthink.

In addition to independence and objectivity, Zenko highlights a number of principles and best practices required for successful red-teaming, including leadership’s buy-in and willingness to hear bad news without “shooting the messenger;” changing methods and approaches to prevent predictability; presenting issues without antagonism; not confusing findings with policy, or allowing red teams to make decisions; and limiting the frequency of red team exercises to avoid a “boy that cried wolf” attitude. Not all of the illustrative red team exercises presented by Zenko were successful, not only because of failure to follow one or more of these principles, but also due to mistrust or approaches designed simply for “cover your a**” purposes or to get the answers leaders wanted.

Although red-teaming requires independence (we cannot “grade our own homework,” as Zenko notes), we can all benefit from deploying red team skills and perspectives in our work. We can be open-minded critical thinkers. We can be contrarian thinkers that question everything and maintain a healthy dose of skepticism against conventional wisdom. We can be well-read lifelong learners and develop our general knowledge. As Zenko notes, generalists make better red-teamers than specialists. We can expand our imaginations to visualize every possible scenario. We can always be thinking about what can go wrong. We can schedule time to get out of the day-to-day and think strategically.

As Zenko concludes, a red team mindset can empower anyone to think differently and critically about the complexities they face in their work and life.

James J. Caruso, CPA (inactive), CGMA, is CFO of Knipper Health in Somerset, N.J., and a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at james.caruso@knipper.com.

1 comment

  • Jim Seaman | May 04, 2022
    Really not any different than ERM, if implemented properly.
