Writing blogs in risk management is risky. It has a potential upside and a downside. On the upside, the hope is that the blog adds to the development of risk management thinking and at the least promotes discussion on ideas that could lead to improvements in this great discipline. On the downside, it opens oneself up to criticism, usually relating to the view that we are overcomplicating things and/or not being technically correct.
I for one, think the risk is worth taking as I believe the upside outweighs the downside and by and large positive and/or constructive feedback outweighs any negative and or destructive comments.
So, to this blog ….. The ISO 31000 definition of risk is “the effect of uncertainty on objectives”. It is sign agnostic when it comes to what the effect on objectives are. That said, it is still common to see many risk management experts still refer to risk as the “negative effect”.
The negative impacts of risk are obviously critical to understand and manage, and the value add of protecting an organisation from those potential negative impacts is unquestioned. However, what about the potential upside of risk? Read the article, when to invite "Good Risk".
Assume a person is on a crashing aircraft where death is certain, facing the choice of staying on the plane or opening the door and jumping out with a conveniently available parachute. The question is, which choice is riskier? Most people I ask choose staying on the plane. The truth of the matter is that there is no risk staying on the plane as there is no uncertainty as to the plane crashing and no uncertainty as to the impact on the person’s assumed objective of a long and happy pain-free life! As there is no uncertainty, there is no risk.
However, jumping out of the plane with the parachute contains substantial risk as uncertainty as to expected outcome has been introduced, that is, the person might not die. They may experience a range of possible injuries less then death or may even survive unscathed.
Those that choose option 1, are usually interpreting “risk” as being the “worst outcome” which is technically incorrect. Risk is the effect of uncertainty, which can be better or worse than the expected outcome.
Risk in this instance is represented by the possible positive effect on the expected outcome of the plane crashing. Risk taking, therefore, becomes the best thing the person can do to give them the chance of not dying in the crash! In the corporate world, we sometimes see organisation’s that are following a strategy that will end in disaster and they fail to act. (They stay on the plane). This is a low-risk strategy but the expected outcome is dire. Kodak springs to mind. Other organisations in the same position will instead act to change strategy and innovate. (They jump out with the parachute). This is a higher risk strategy. Lego comes to mind.
Not all risks have an upside. It is hard to imagine how external fraud against an organisation could benefit it. Other risks do have both an upside and a downside for an organisation. Taking risk in marketing and “being edgy” could lead to a low-cost campaign going viral for all the right reasons (upside) but also for all the wrong reasons (downside). All risk, other than where the expected outcome is worst case, has downside. Watch the webinar recording balancing Risk and Reward.
This leads us to the concept of “threat” risks when we consider the downside, and “opportunity” risks when we consider the upside. More recently, we are seeing clients developing separate “opportunity risk registers” where risks that could lead to a better than expected outcome are assessed and managed. This is often seen particulalry when project risks are being assessed.
Where the impact of a risk can only be negative, such as internal fraud, this is a “one-sided” risk. As a result, it makes no sense to actively pursue these risks. Other risks are "two-sided", having both a potential upside and downside. The viral marketing campaign is an example of this, as are market, credit, strategic and project risk.
All risks are therefore threat risks, they have a downside, where only some are opportunity risks by containing a direct upside.
So, how might these opportunity risks be assessed and managed?
Firstly, we must recognise the fundamental difference in natural response to the upside and downside of risk. We would naturally try and minimise threat risks and the threat component of opportunity risks, subject to it being commercially viable to do so. The upside of opportunity risks, however, is different.
We naturally would want to expose ourselves to the upside of these risks as they have the potential to produce an outcome better than what we expect. Our natural response would, therefore, be to position ourselves to be exposed to those risks and be in a position to benefit from that opportunity, even though that benefit is uncertain. This positioning will most likely involve an investment in terms of capital expenditure, people etc. We, therefore need to decide how much we are willing to invest, and potentially lose, in order to expose ourselves to that upside risk.
A poor investment may contain potential for further downside, over and above the loss of the investment such as reputation damage, customer dissatisfaction and additional exit costs not previously considered.
When managing opportunity risks we, therefore, need to consider:
- The potential upside(s). This includes the types of upside, the magnitude of upside and the likelihood of these upsides.
- The potential downside(s). This includes the types of downside, the magnitude of downside and the likelihood of these downsides.
- The investment required to position the business to optimally take advantage of this opportunity risk. The loss of this investment is a downside risk but I believe worth identifying separately as the investment has been specifically made in order to benefit from the risk.
So how might these “opportunity” risks be recorded, assessed, managed and reported? Here are some ideas we are seeing being used and developed:
- Use the Likelihood and Impact matrix and flip the impact scale around to be positive. An example is shown in Fig 1. This gives a view of considering what the risk may look like on both the upside and the downside.
- Use Key Risk Indicators attached to the opportunity risks to monitor them and assess how best the organisation might respond.
- Develop a separate opportunity risk register where the discussion revolves around the potential upside.
Fig 1: Likelihood and Impact Matrix
Managing opportunity risk well and making it a major component of your risk management framework has the potential to transform how risk management is perceived and valued in the business. It brings “management” of risk to the forefront rather than the “minimisation” of risk. It strengthens risk management’s position at the strategy and decision-making tables and most importantly enables risk management not to just be a “line of defence” but also a “line of attack”.
As always, your feedback and comments are greatly welcomed and we would love to hear any additional ideas you have in managing opportunity risks. To share your thoughts, views or constructive feedback, you can send an email to firstname.lastname@example.org.
In addition, for our Protecht.ERM system clients, this functionality is currently a preview feature which can be enabled by the Protecht Support Desk. Please contact them on (02) 8003 7391 or by email at email@example.com.
1. Find out what your users want and need
2. Create "wireframes"
3. Select appropriate visualisations
4. Consider filters and usability
5. Let it simmer then follow up