Risk and Opportunity Management

As we review the exposure draft (ED) from COSO of their ERM Framework, one of my concerns has been whether it pays sufficient attention to the positive effects of uncertainty (things that might happen in the future that would increase the success of the organization).

While COSO ERM 2004 told us that there are both potential positive and negative effects of uncertainty, the detail in the framework focused exclusively on the negative (which it referred to as ‘risk’, with ‘opportunity’ the positive).

The 2016 ED again tells us that organizations need to manage all the potential effects of uncertainty and not just the adverse.

Do they do that well?

My comments on the ED, which are downloadable and are summarized on my IIA blog, include an assessment of this issue.

The title of this post is “Risk and Opportunity Management” because the exposure draft of the South African corporate governance code (King IV) no longer refers to risk management. It now refers to risk and opportunity management.

I think this is an excellent move.

Rather than trying (as ISO 31000:2009 does without sufficient success) to explain that risk can be either positive or negative, battling uphill against common English usage of the word, perhaps it is time we started talking about risk and opportunity.

A new report from The Risk Institute at Ohio State University, their second Annual Survey on Integrated Risk Management, shares some interesting insights.

One of the things I like in the report is how they talk about the fact that many if not most see risk management as a defensive strategy.

That is reflected in the entrenched thinking that risk management is a compliance activity (“33 percent of financial firms reported an ‘exceptional improvement’ in their ability to meet regulatory and compliance requirements when they integrated risk management to improve achieving corporate objectives”; and “Similar to financial firms, nonfinancial firms reported exceptional improvement (30 percent) in the ability to meet regulatory and compliance requirements and that an ability to avoid litigation and protect the firm against negative events is important”).

The report says (emphasis added by me):

When asked what best describes the “tone at the top” regarding risk management at their company, about 45 percent of respondents in financial firms report that it is reactive or defensive, reflecting a necessity for mandated requirements or for protection against negative outcomes, respectively. However, more than 40 percent of the respondents in financial firms recognize risk management as a value creation tool used across the firm, mostly in a fully integrated way.

In contrast, in nonfinancial firms, 67 percent of respondents see risk management as a reactive or defensive strategy, while about 20 percent of respondents believe that this strategy creates value in a partially or fully integrated way.

The number indicating that risk management is about more than defense is growing.

Previously risk management was only being done to meet regulatory requirements and to protect the firm against the negative effects of volatility in firms’ business environments. While these views are still a common practice, more firms recognize risk management as a source of both growth and value, and emphasize its use in certain, if not all, areas of the firm.

One other interesting point that the report makes is that functions like Marketing, Sales, R&D, and Human Resources are rarely involved in risk management processes.

When I led risk management at Business Objects, these were the functions most heavily involved!

As the report affirms, they are major areas of both risk and opportunity.

Is it any wonder that executives fail to see the value of risk management and how it contributes to the success of the organization, when risk practitioners only talk about potential harms?

Is it time to reposition to risk and opportunity management? Is it time for risk practitioners to remove the blinders, see the big picture, and pay attention to both creating and preserving value?

Or is it time to stop talking about either, instead talking about informed and intelligent decision-making? Maybe we should just talk about effective management!

I welcome your comments.


As a reminder, my comments on the COSO ERM ED are available here.

  1. July 2, 2016 at 1:53 PM

    Norman, I believe that the discussion on ‘Risk and Opportunity’ never ends because so far no one has clearly defined: What is Opportunity?
    Is Opportunity the ‘opposite’ of Risk? Or is the ‘opposite’ of Threat?
    Are opportunities risk sources?
    Is Opportunity the ‘positive effect’ of uncertainty? – as some ISO/TC 262 members have suggested in the revision of ISO 31000 standard (the revision is at the CD – Committee Draft stage).
    I firmly believe that Opportunity is the ‘mirror’ of Threat, and both are risk sources.
    Threat is defined e.g. as ‘source of potential non conformity, unwanted incident, or other undesirable situation, which can result in loss, damage, harm to individuals, a system or an organization, the environment or the community’…
    Opportunity should be defined as ‘source of potential benefit to individuals, a system or organization, the environment or the community’.

  2. Glenn Daly
    July 2, 2016 at 9:09 PM

    If risk management places more emphasis on “opportunities”, what are the implications? 1. Internal audit scope changes consistent with the importance of processes relating to opportunity management? 2. Existing Strategy / Innovation Committees need to rethink their scope because they now have a board level risk committee looking at the same thing? 3. The makers of standards and guidelines and people in enterprise risk management type roles often (but not always) come from finance, internal audit and the like type backgrounds… different people with more of a strategy bent should be involved? 4. “Opportunity” assessments are typically the responsibility of strategy areas in an organisation. Risk functions are going to encroach on turf where our involvement may not be wanted or needed? And so on. In theory sounds great and addresses the perception issue of risk management being perceived as too negative. But the practical implications need to be worked through to make it real and for management to support this change in emphasis. Rgs

  3. Sanjeev marwaha
    July 3, 2016 at 6:10 AM

    This is a great read, much of what I try to champion for a while but opportunities will require a different outside of the box mindset to really become practical. This will be difficult as one of the biggest problems in the profession is the lack of risk professionals who can help facilitate such thinking. I also like the mention of the other functions included as many ERM functions do not truly implement a full enterprise wide approach and just try to tackle the most obvious areas, that is a very lazy approach which I cannot stand. One question I have is should we promote ERM as an ‘offensive’ discipline as opposed to defensive as we aim to create value.

  4. geoff716
    July 4, 2016 at 4:52 AM

    The problem is perpetuated by the ambiguity inherent in the word ‘risk’ which now embraces both probability and danger; in fact in much narrative text it is used to mean either one or the other or both. This failure to differentiate plagues communication, thought and discussion, and not only in risk management circles. In general usage ‘risk’ is frequently a synonym for danger, so that the negativity of risk is, at the level of public consciousness, ‘built in’. This was not always the case.

    If you look at the text associated with safety legislation prior to the 1970s (from the first Factory Act, 1802), the emphasis is on ‘danger’ and the term ‘risk’ is usually reserved for discussion of the probability of occurrence. All the early Factory Acts were concerned with specific workplace dangers such as the age of child employees, stopping machinery during maintenance tasks, factory ventilation etc., and this contributed to the semantic separation of ‘risk’ and ‘danger’. This approach continued in the UK until the Robens Report and the subsequent Health and Safety at Work Act (1974), which drew a line under the endless addition of new dangers to the potentially interminable list. All subsequent legislation has adopted the generalised Robens approach; basically, that danger to the public is the fault of whatever endeavour it is a consequence of; “The conduct of an undertaking”; a framework backed by general principles, regulations, codes of practice and guidance and backed by penalties and punishments arbitrated by the courts.

    The benefit of the pre-Robens approach was its lack of ambiguity. People have very different orientations towards risk. Personality research identifies a world of dispositions that are risk related, and one person’s greatest fear may be another person’s greatest enjoyment. Entertainment often relies on the perception of risk of an audience being the polar opposite of that of the performer – from trapeze artists to aerobatic displays and Olympic ski jumping. Regulators have great difficulty in factoring personal skill into the equation, or even in taking their own personality-based bias into account.

    For all its many good points, the unattended consequence of the new approach was the creation of a world of uncertainty, litigation, blame and compensation. The interpretation of any principle is inevitably subjective. An employer’s view may differ from that of a disaffected employee; a cafe customer may sue over a spillage of red wine or the heat of the coffee; an experienced and skilled roof worker may be fined for behaviour that looks dangerous to a council official but which is well within their competence; a technician may be required to carry out a once routine task according to new and complex protocols. Traditional boundaries of acceptable behaviour have become open to question across all areas of life.

    As usage and meaning of the term ‘risk’ has moved further towards ‘danger’, use of the term has sky-rocketed. Usage today appears to have increased dramatically since the mid 70s, a 4X increase according to Google Ngram Viewer; check it out at https://books.google.com/ngrams

    Since becoming aware of this drift in word meaning I have taken to replacing the word risk with either ‘danger’ or ‘probability’; amazingly the result illustrates that the word ‘risk’ is entirely and absolutely unnecessary! On its own it means nothing. It needs a context to mean anything and adds nothing that cannot be conveyed with less emotionally charged terms like danger or hazard. My suggestion is that you take the leap and refer to Opportunity Management and leave it at that. Why not leave the term ‘Risk’ to the media and get back to specifics?

    Geoff Trickey

  5. Ray Willows
    July 11, 2016 at 5:53 PM

    Hi Norman. I’m a fan of your blog and enjoy the exchange of ideas tremendously. Along with others, I’m also struggling in many ways to make the risk management process more jargon-free, more relevant, and simpler for my colleagues to use in their everyday work lives. Within that context, I tend to align more with those contributors who talk about opportunity and threat being two sides of the same coin, rather than opportunity and risk assuming those roles – and Francesco is correct, I think, in saying that definitions of key terms used to express ideas is important (it’s interesting to observe how much effort can be wasted in organisations when different groups make different assumptions about what things mean!).

    A far more learned practitioner than myself has previously suggested that, “opportunities are environmental conditions that can be exploited to achieve objectives. Organisations do this by making decisions. It is the decision that involves uncertainty (i.e. has risk attached) not the opportunity.” This makes sense to me.

    Taking this a bit further, organisations (usually) undertake a rolling strategic planning process (the peak business process for any organisation?) and then set their business objectives accordingly. Any subsequent changes in the internal or external environment could have one of three possible consequences for the organisation:
    1. No impact at all.
    2. The change creates a condition that could make it easier for the organisation to achieve an objective (an opportunity).
    3. The change creates a condition that could make it more difficult for the organisation to achieve an objective (a threat).

    The high-level response of the organisation to either (2) or (3) should be driven by the strategic planning process, but once a decision is made (or in other words, an objective is created), then the risk management process should be used as a decision-support process to enhance the likelihood that the organisation will achieve that objective. I think that this is one of the core messages expressed by the writer of the ‘Foreword’ to your recent book.

    In summary, it helps my thought process (and therefore my ability to explain risk concepts to my colleagues) when I frame it in a way that says one of the purposes of the strategic planning process is to manage the ongoing opportunities and threats to organisational objectives, and that the purpose of the risk management process is to act in support of this peak process by improving decision-making so as to make it more likely that our subsequent actions (to maximise an opportunity, or to minimise a threat, for example) will contribute as much as possible to the achievement of those objectives.

    • July 11, 2016 at 7:07 PM

      At our center in Brazil, we created in 2004 a ‘Conceptual Diagram of Risk’, which has been constantly improved. See this short video: http://bit.ly/29tKBlJ

      • Norman Marks
        July 18, 2016 at 12:00 PM

        Francesco, I like this. Can you share the PowerPoint with me?

    • Norman Marks
      July 18, 2016 at 11:58 AM

      Thanks for the kind words, Ray. When you look at an opportunity, something positive that might happen, the scale of that reward and the likelihood of that effect need to be assessed – just as you do for a negative effect of uncertainty.


  6. July 18, 2016 at 9:42 PM

    Norman, I think the most important aspect is how you DESCRIBE the risk.
    Because risk is the effect of uncertainty on objectives, the description of risk needs to convey both elements. In other words, firstly make clear which objectives are being referred to, and secondly identify the particular source of uncertainty and how it could lead to consequences.
    ISO Guide 73 defines a risk description as a ‘structured statement of risk usually containing four elements: sources, events, causes and consequences’.
    The risk description should include this information in sufficient detail to be useful in the next of the risk assessment steps!

    PS: I will try to get the ppt or pdf for you.

  7. July 29, 2016 at 8:18 AM

    An important topic, and an excellent thread.

  8. July 29, 2016 at 2:09 PM

    Norman, I sent the pdf file to you (through LinkedIn system) on 19th July.

    • Norman Marks
      July 29, 2016 at 2:11 PM

