Does risk management really include the upside of potential events?
The major risk management standards and frameworks (including ISO 31000:2009 and COSO ERM) tell us that risk management is about both the potential for adverse effects and positive opportunities. But is that realistic? Are we being practical when we talk about the positive effects of uncertainty, or are we dreaming?
I can’t think of a risk management practitioner (and would love to hear if one exists) that helps management follow a formal process to identify, analyze, evaluate, and treat all potential events and situations that may have a positive effect on performance. The risks that are subject to formal risk management processes are those that can adversely affect the achievement of objectives.
Have you ever seen a heat map that includes opportunities?
So, perhaps we should be realistic and set the expectation that risk professionals should focus on managing the downside and not the upside of uncertainty.
While that may be current reality, I don’t think we should settle for it.
If we are to obtain the maximum value out of risk management, it should include helping management seize opportunities, not just avoid adverse events. Risk management should be about more than protecting value; it should be about increasing the likelihood of success – and of greater success, at that. (There’s nothing wrong with surpassing objectives.)
I am thinking that while risk professionals should continue to enhance the company’s formal processes for managing the downside, we should also have a vision where we can develop processes for management to help them seize the upside. I am not 100% convinced that the processes are exactly the same, but managers should be trained in:
- Being prepared to seize and take advantage of opportunities, considering and modifying the likelihood and impact of both associated negative events/situations and positive ones (seizing an opportunity may create a negative risk)
- Recognizing when these opportunities arise and understanding how to evaluate and respond to them
- Having a disciplined process that improves the likelihood of an optimal response to opportunity
- Can you point to any companies with formal processes for managing the upside of risk?
- Is the process the same for events/situations with a positive effect as it is for those with an adverse effect?
- Should we focus on the adverse and protect value, or should we reach for and enable management to reach the skies?