Risk and Opportunity Management
As we review the exposure draft (ED) from COSO of their ERM Framework, one of my concerns has been whether it pays sufficient attention to the positive effects of uncertainty (things that might happen in the future that would increase the success of the organization).
While COSO ERM 2004 told us that there are both potential positive and negative effects of uncertainty, the detail in the framework focused exclusively on the negative (which it referred to as ‘risk’, with ‘opportunity’ the positive).
The 2016 ED again tells us that organizations need to manage all the potential effects of uncertainty and not just the adverse.
Do they do that well?
The title of this post is “Risk and Opportunity Management” because the exposure draft of the South African corporate governance code (King IV) no longer refers to risk management. It now refers to risk and opportunity management.
I think this is an excellent move.
Rather than trying (as ISO 31000:2009 does without sufficient success) to explain that risk can be either positive or negative, battling uphill against common English usage of the word, perhaps it is time we started talking about risk and opportunity.
A new report from The Risk Institute at Ohio State University, their second Annual Survey on Integrated Risk Management, shares some interesting insights.
One of the things I like in the report is how they talk about the fact that many, if not most, see risk management as a defensive strategy.
That is reflected in the entrenched thinking that risk management is a compliance activity (“33 percent of financial firms reported an ‘exceptional improvement’ in their ability to meet regulatory and compliance requirements when they integrated risk management to improve achieving corporate objectives”; and “Similar to financial firms, nonfinancial firms reported exceptional improvement (30 percent) in the ability to meet regulatory and compliance requirements and that an ability to avoid litigation and protect the firm against negative events is important”).
The report says (emphasis added by me):
When asked what best describes the “tone at the top” regarding risk management at their company, about 45 percent of respondents in financial firms report that it is reactive or defensive, reflecting a necessity for mandated requirements or for protection against negative outcomes, respectively. However, more than 40 percent of the respondents in financial firms recognize risk management as a value creation tool used across the firm, mostly in a fully integrated way.
In contrast, in nonfinancial firms, 67 percent of respondents see risk management as a reactive or defensive strategy, while about 20 percent of respondents believe that this strategy creates value in a partially or fully integrated way.
The number indicating that risk management is about more than defense is growing.
Previously risk management was only being done to meet regulatory requirements and to protect the firm against the negative effects of volatility in firms’ business environments. While these views are still a common practice, more firms recognize risk management as a source of both growth and value, and emphasize its use in certain, if not all, areas of the firm.
One other interesting point that the report makes is that functions like Marketing, Sales, R&D, and Human Resources are rarely involved in risk management processes.
When I led risk management at Business Objects, these were the functions most heavily involved!
As the report affirms, they are major areas of both risk and opportunity.
Is it any wonder that executives fail to see the value of risk management and how it contributes to the success of the organization, when risk practitioners only talk about potential harms?
Is it time to reposition to risk and opportunity management? Is it time for risk practitioners to remove the blinders, see the big picture, and pay attention to both creating and preserving value?
Or is it time to stop talking about either, instead talking about informed and intelligent decision-making? Maybe we should just talk about effective management!
I welcome your comments.
As a reminder, my comments on the COSO ERM ED are available here.