Home > Risk > Talking about risk and opportunity

Talking about risk and opportunity

October 26, 2018 Leave a comment Go to comments

Some talk about opportunity as “the other side of the coin” from risk.

One is good and the other bad.

That is how COSO views the two words, risk and opportunity. ISO seems them differently, defining risk as the effect on objectives. That effect could be positive or harmful.

A few governance codes, such as the King IV code in South Africa, have changed their language from talking about board oversight of risk management to the oversight of risk and opportunity management.

In this view, an opportunity is where there is a possibility for action that is likely to lead to reward or gain. For example, if a homeowner is dissatisfied with his or her realtor, that is an opportunity for another realtor.

Certainly, those situations exist and organizations need to be able to recognize, understand, assess, and then seize them where appropriate.

I encourage you to view this excellent video with David Hillson (a.k.a. the Risk Doctor): Risk and Opportunity: How can risk be good?

As David points out (and I said in World-Class Risk Management and Risk Management in Plain English), the tools and techniques traditionally used to ‘manage’ potential harms (risks, in normal language) can and probably should be used to manage the potential for gain (opportunities).

Others, such as suggested in an article from software vendor Enablon, talk about How risks can turn into opportunities. The idea is that by addressing a source of risk you can create opportunities for gain.

We had that when I ran internal audit at Tosco Corp. One of our risks was the potential for changes in the relative prices of our raw materials (primarily crude oil) and products (gasoline, diesel, jet fuel, and other refined products) to adversely affect our margins and earnings. Management established a sophisticated and talented trading operation to hedge those commodities. In the process, they gained the ability to trade for profit and added to their earnings in the process. (OF course, the trading activity also created new risks.)


Expanding ‘risk management’ beyond a paranoid view of what might happen is progress, but is it sufficient?


As I wrote earlier, the level of risk is not a point. There is a range of potential consequences from an event, situation, or decision, and each has its own likelihood.

In that post, I included an illustrative chart, but all the potential consequences were negative.

In real life, there are some situations where the range of consequences might include both positive and negative effects.

In other words, the idea that risk and opportunity are different because (as David says) one has a positive and the other a negative sign is not entirely correct.


For example, if an organization introduces a new product with the hope that related revenue in the first year will be $800,000 or more with earnings of $180,000, that objective may be achieved or exceeded, or they may fail to achieve it.

In fact, revenue could range from the unlikely zero to the unlikely $1.5m, with many possibilities in between. If revenue is below $500,000 they would incur a loss. The chart below shows net earnings assuming a fixed cost of $300,000 and a variable cost of 40% of revenue.

range of earnings


The likelihood of achieving or exceeding the targeted revenue and earnings is 60%.


The point I am making is that events and situations can have a range of potential consequences, some of which may be negative and some positive.

In the example above, the management team has to be ready to respond should it look like the product will do better than expected (they will have to make sure manufacturing and distribution can keep pace) or worse.


Do the terms risk and opportunity make sense as a basis for understanding and assessing what might happen?

Isn’t it better to recognize that there is a range and we have to be prepared to address all the possibilities?


I welcome your comments.

  1. vincent tophoff
    October 26, 2018 at 3:12 PM

    Thanks Norman. Personally, I prefer the term “uncertainty,” for various reasons. First and foremost it is neutral, where risk is often perceived as negative and opportunity as positive. However, the same “source of risk” or “event” may lead to something positive or negative, depending on how it pans out and your objectives. For example, prices of raw materials – as you mentioned – typically bear uncertainty for future planning, as they can go up or down. And depending on your objectives (e.g., whether you are a buyer or a seller) that can be good or bad. Many of the prominent contributors in this area seem to agree on this. Problem, however, is that the term “uncertainty” is not really recognized as such: ever heard of an “uncertainty manager,” working in accordance with the ISO Uncertainty Standard?

    • Norman Marks
      October 26, 2018 at 3:33 PM

      Vincent, our friend Grant also likes uncertainty, but in the sense that we should seek certainty of achieving objectives, I don’t agree that we can achieve certainty until after the results are in. I prefer determining whether the likelihood (as best we can tell) of achieving objectives is acceptable.

  2. vincent tophoff
    October 26, 2018 at 3:18 PM

    Fascinating, though, how “uncertainty” and “risk” are interpreted completely different in many organizations, triggering a counterproductive knee-jerk reaction for the latter:

    Ask “How does your organization address uncertainty in achieving its strategic objectives?” and the answer will be something like: “Through our strategic management system, with line management engaged in plan-do-check-act cycle, and focused on achieving our organization’s objectives.”

    Now ask “How does your organization address risk?” and I bet the answer will be more like “Through our risk management system, owned and operated by our risk manager, and focused on mitigating risk.”

    Good risk management is simply good management. Nothing more and nothing less!

  3. Mike Tordesillas
    October 27, 2018 at 6:45 PM

    Makes sense. Would be interested in the source of the ISO comment about risk and objectives, and some being positive.
    I see ethical situations where it’s risky to do business with this questionable entity (should they get exposed, and it is known who does business with them – we suffer a severe reputational risk). But, we make lots of money, and our only risk is if they get exposed.

    • Norman Marks
      October 28, 2018 at 7:57 AM

      ISO 31000:2018: “It can be positive, negative or both, and can address, create or result in opportunities and threats.”

  1. October 26, 2018 at 11:49 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: