Does risk management really include the upside of potential events?

November 5, 2011

The major risk management standards and frameworks (including ISO 31000:2009 and COSO ERM) tell us that risk management is about both the potential for adverse effects and positive opportunities. But is that realistic? Are we being practical when we talk about the positive effects of uncertainty, or are we dreaming?

I can’t think of a risk management practitioner (and would love to hear if one exists) who helps management follow a formal process to identify, analyze, evaluate, and treat all potential events and situations that may have a positive effect on performance. The risks that are subject to formal risk management processes are those that can adversely affect the achievement of objectives.

Have you ever seen a heat map that includes opportunities?

So, perhaps we should be realistic and set the expectation that risk professionals should focus on managing the downside and not the upside of uncertainty.

While that may be current reality, I don’t think we should settle for it.

If we are to obtain the maximum value out of risk management, it should include helping management seize opportunities, not just avoid adverse events. Risk management should be about more than protecting value; it should be about increasing the likelihood of success – and of greater success, at that. (There’s nothing wrong with surpassing objectives.)

I am thinking that while risk professionals should continue to enhance the company’s formal processes for managing the downside, we should also have a vision where we can develop processes for management to help them seize the upside. I am not 100% convinced that the processes are exactly the same, but managers should be trained in:

  • Being prepared to seize and take advantage of opportunities, considering and modifying the likelihood and impact of both associated negative events/situations and positive ones (seizing an opportunity may create a negative risk)
  • Recognizing when these opportunities arise and understanding how to evaluate and respond to them
  • Having a disciplined process that improves the likelihood of an optimal response to opportunity

Questions for you:
  1. Can you point to any companies with formal processes for managing the upside of risk?
  2. Is the process the same for events/situations with a positive effect as it is for adverse effect?
  3. Should we focus on the adverse and protect value, or should we reach for and enable management to reach the skies?
    November 5, 2011 at 3:48 PM

    The process is the same and by now you should know this process quite well having read ISO 31000 and the ancillary information many times. You have also had a hundred communications and conversations with risk management luminaries such as John Fraser and Grant Purdy on this subject matter. The companies they work for and serve all would be ready examples to use.

    So when you say that you are not 100% convinced that the processes are the same, what exactly do you find confusing? Spell it out with an example please.

    It is actually quite easy if you wish to work out an example on line. I think that part of the problem is that you continue to cling to COSO ERM which has never spelled out anything in practicality the way ISO 31000 does. Overlaying this with what you have been communicating about GRC, is part of the reason why I think this confusion exists.

    November 5, 2011 at 4:04 PM

    Here is why the process for adverse and positive opportunities must be the same.

    Context must always be developed using ISO 31000 and a part of the context is understanding and documenting clearly the strategic objectives of the company. So everything must follow the strategic objectives. That is the process with no changes to it.

    You move to event identification and use several techniques of the fifteen different techniques available to identify all of the major events that could impact accomplishment of the specific strategic objective. Some of these events will be positive and some will be negative. For example if you learn in the event identification phase that it is highly likely that there will be favorable tax law changes, that it is highly likely that your one major competitor will go out of business and that it is highly likely that the FDA will grant you extension of time on various drug patents - all of these are conceivably positive events. Any risk assessment which does not consider these positive events in the same light as the negative events is a flawed risk assessment.

    The reason you may have difficulty in finding written documented examples is because this ISO stuff is still relatively new and as well many of the excellent companies out there just have not been members of the various groups we belong to. But to be sure there will be examples cropping up.

  3. Norman Marks
    November 5, 2011 at 4:24 PM

    Arnold, thank you for the constructive comment and explanation in your second comment. You have the ability to contribute positively to a learning discussion.

    Can you point to anybody who has a formal process for identifying favorable events/situations and including them on a heat map or similar?

    I don’t see or hear about many people who consider what can be done to improve likelihood and effect of potentially favorable outcomes, and would love to hear success stories.

    November 6, 2011 at 10:19 AM

    I would say that you should speak to John Fraser, Grant Purdy, Michael Parkinson, Julian De Plessis, Jacquetta Goy, Pat Croke, Felix Kloman for examples from their companies and clients. It is a problem.

  5. Norman Marks
    November 6, 2011 at 1:26 PM


    I believe risk management is or should be about managing uncertainty. I am inclined towards educating management so they can deal with uncertainties, improving the likelihood and impact of potential events and circumstances. Each situation will probably have a combination of both upsides and downsides and we should be making the best decisions and taking the best actions to achieve the best result.

    As you have heard me say before, risk management should not be a separate process – but understanding and addressing uncertainty is an essential part of intelligent management.

    Do you agree?

    I am still interested in hearing about organizations that do this well (I know about John Fraser’s shop).

  6. Ravikumar
    November 6, 2011 at 8:02 PM

    Thank you Norman for this wonderful post. I have done this during my tenure as a CRO in my earlier organization. Whenever we prepared Risk analysis and Risk assessment, we also prepared what is typically called by our CEO as Risk Exploits.

    That is, if something undesirable happens, how we should take advantage of the situation.
    When we had “Black monday” and “black thursday” in India, where all the share prices crashed, we purchased some of the good scrips at very low prices, only to gain great profits at a later stage. This was during 2000- 2003.

    • Didier Verstichel
      November 7, 2011 at 3:33 AM

      Once “something” happens, it is not a risk anymore, it is a fact. Is your example not more about switching from Risk Management to Crisis Management?

  7. Didier Verstichel
    November 7, 2011 at 3:37 AM

    We are using a color code for our “negative” risk assessments (Green, Yellow, Amber, Red). We are experimenting with adding 4 shades of Blue to colour code the “positive” risks.
    It is also important to assess the risks (+ & -) of doing and the risk (+ & -) of not doing.

  8. November 7, 2011 at 4:40 AM

    Very interesting and relevant post Norman. Very good comments too.
    I think what you’re looking for is called Strategic Scenario Management, where 2 key uncertainties define 4 scenarios which our strategy must be tested against. These scenarios could be positive/negative in relation to our curr. position.
    I reckon this technique is a better way to evaluate the impact (+/-) of uncertainties to our curr. strategy and help develop alternative bus. models to seize opportunities and minimize adversities.
    This technique is not new and is being used strategically at Dutch Shell since late 80’s
    Ref. Peter Schwartz, The Art of The Long View. and The Global Business Network.

  9. November 8, 2011 at 8:00 AM

    A missed opportunity is a negative impact, however I think that widening the brief too much is not appropriate; ultimately it has to be management that are responsible for identifying and maximising opportunities. Having said that I think it is appropriate for those involved with risk management to ensure that systems and processes are not only fit for reducing negative impacts, but also in helping identify positive impacts.

    The reason for my view is, firstly, that it is the other side of the same coin. The other reason is that providing recommendations that will help add to the bottom line should help ensure that risk management is more firmly embedded and accepted within an organisation.

  10. November 10, 2011 at 6:40 AM

    Norman, I hope your post generates a dialogue about the important question of utilizing the ERM process to create new measurable value. As a strategy and arm consultant I see a trend away from audit and compliance based ERM to a value driven approach that brings a balance of downside and upside risk. Heat maps are risk focused and provide no value if the objective is to create value. For that you need a ValuMap that we have been utilizing with clients for several years.
    John Bugalla

  11. November 22, 2011 at 12:47 PM

    Hi Norman, the guys at Economist Intelligence Unit released a piece on strategic risk this week – you might find some interesting examples of upside consideration (albeit without very much granularity), as there are a number of one-on-one interview excerpts with high profile CROs etc.



  12. Canberra Jane
    November 27, 2011 at 7:27 PM

    Norman, I’m with you. At a practical level the identification and assessment of ‘positive’ risks does not work. My organisation has a risk matrix which defines five degrees of negative consequences. In order to rate ‘positive’ risks we would need another five degrees of positive consequences. While many have theorised loudly about WHAT should be done, I have yet to see one good example of HOW it might be achieved in a practical and efficient way.
    By all means, consider risks and opportunities (as two distinct concepts) – but to suggest that there are positive risks and negative risks and that an ERM framework can deal with these equally is generally far beyond the RM maturity of most organisations.

  13. James Wright
    May 16, 2014 at 2:56 PM

    I have never bought into this lunacy that “risk” can be positive. Every English language dictionary on the planet defines risk as “chance of injury or loss”; or something similar. In my world, the Canadian federal government, the notion that there are positive risks will buy you one of two things, likely both. One, you will confuse people who are risk management novices, and in the federal government this is by far the majority, RM novices that is. Or it will buy you an immediate loss of credibility with people, the vast majority, who do not subscribe to this theory. To me it is simply making the logical illogical.

    In my work with federal government departments we do two things. We look for events or situations that can get in the way of our achieving our objectives (risks) and we also look for ways of improving our processes or our systems to help us to better achieve our objectives (opportunities). Both sets of analyses follow the CSA Q850 decision model, developed in 1995 and copied around the globe, including by ISO31000. ISO31000, in my mind, added very little and cut out some key concepts embedded within Q850.

    Risk Management is not rocket science. People have been managing risks forever, albeit not in a consistent or systematic manner. It is just that now, we have words to describe a structured risk management decision process. But using words that have little meaning for people; e.g., “positive risk”, is less than helpful.

    Someone once asked me to describe risk management in one sentence. They wanted to explain it to their Deputy Minister. I came up with five words; Understanding trade-offs. Process is everything. The DM understood it in a heartbeat.

  14. James Wright
    May 16, 2014 at 3:04 PM

    Can you point to any companies with formal processes for managing the upside of risk?

    We (federal government) don’t call it the “upside of risk”, but yes we seek out and analyse opportunities for improvement all the time.

    Is the process the same for events/situations with a positive effect as it is for adverse effect?

    Yes, the decision process for dealing with risks or dealing with opportunities is the same.

    Should we focus on the adverse and protect value, or should we reach for and enable management to reach the skies?

    I would not use those words, but we ALWAYS seek to identify and reduce risk, and we always seek opportunities to deliver services better.

  15. Zaid Omer
    July 26, 2018 at 12:15 AM

    Hi All. This blog was written in 2011 and the last comments left in 2016. I still think this topic is relevant today. As an engineer and risk manager, I have a wealth of experience in applying opportunity management within an ERM context.
