The positive side of risk
Both good and bad things happen. Only managing the potential for failure, in my opinion, is a recipe for failure.
It is essential to consider all the things that might happen, both good and bad, if you are to achieve your objectives.
So how should we talk about the good stuff if we reserve the word ‘risk’ for the bad?
COSO and governance codes like King IV (South Africa) talk about ‘risk and opportunity’, where risk refers to the harmful effect of what might happen and opportunity is the positive side.
I have heard people talk about opportunity being the “other side of the coin” from risk.
ISO 31000:2018 refers to risk as ‘the effect of uncertainty on objectives’; the effect could be either positive or negative. (ISO does not provide a definition of uncertainty in this context. There are several dictionary definitions, few of which work in this context, but the one in Wikipedia is useful: “Uncertainty is a potential, unpredictable, and uncontrollable outcome.” That is consistent with my preference for talking about ‘what might happen’.)
We could use the ISO language, but is that useful when people generally see risk as bad?
If we can’t agree on what the terms risk and opportunity mean, how can we have a constructive conversation?
What does real life have to tell us?
Let’s take the fairly simple example of a CEO starting his day.
He is thinking about the problem that came up late the previous evening and how he should spend his morning.
His current schedule starts at 9:30 am with a 2 hour final review and approval of the company’s next generation product. The project leaders and his key direct reports are meeting in his conference room to confirm that it is on track for timely and quality completion. The product is essential to the success of the company over the next couple of years, especially as its competitors are likely to release similar products at about the same time as the company. A delay or functionality failure would be a disaster.
But, last night the CFO sent him an email with the updated forecast for the 4th quarter (Q4) and full year. Apparently, the company is expected to miss both the Q4 and annual revenue numbers (which he had shared with the analysts only a month earlier) by as much as $10 million. The CEO knows that will disappoint the market and the company’s share price will drop. In addition, his customers will see the shortfall and question whether they should move all or part of their business to a competitor that reports revenue and market share growth.
He knows he needs to understand the situation better. A meeting with both the CFO and the head of sales is needed, so he texts them both and asks that they meet in his office at 8 am.
The CEO is also thinking about what could be done to salvage the situation. He remembers that when he last talked to the head of sales, several large deals were being pursued. Perhaps he could visit a few of those customers; his presence and ability to make a deal might either increase the size of a deal or accelerate one from Q1 of next year into Q4.
The 8 am meeting sheds some light on the current situation. His questions elicit:
- The CFO and head of sales believe there is only a 70% likelihood of achieving revenue goals.
- There are several deals that are being negotiated, each with a different likelihood of success. Overall, the head of sales says that:
  - There’s a 15% chance that they will miss by $5 million or so. The CFO and CEO agree that this will disappoint the market and the share price will drop temporarily. A good Q1 could bring it back.
  - They could miss by $10 million or even more, and that is also 15% likely. The CFO and CEO deem that unacceptable as the share price would drop substantially and it could be several quarters before it recovered.
- If the CEO joined him to visit three major customers, including one that afternoon, there is a good possibility that they will be able to bring some large deals to a close in Q4 and hit their numbers. The head of sales believes that the likelihood of hitting the numbers (or better) would increase to 90%, and the possibility of a $10 million miss would drop to only a few percent. The CEO would have to leave the office by 10 am as the customer is a 2 hour drive away.
- The CFO advises that he should warn the market of the possibility of missing the previously announced numbers by the end of the week (just a few days away) – unless the forecast changes before then.
It is decision time for the CEO.
If he stays with the current schedule, the likelihood of missing the revenue numbers is unacceptable. The board will expect him to act, as long as he doesn’t offer a massive discount to close deals at the cost of Q1 results. In addition, large discounts would set expectations for similar discounts in the future.
But, if he postpones the project review he might avoid the revenue failure.
But, again, if he postpones the project review for a week while he chases revenue, there’s a chance (which he estimates at 20%) that it’s going in the wrong direction and it would take enormous efforts to bring it back.
On reflection, he changes his gloomy estimate from 20% to 5%, because it would only be a week’s delay and he should be able to catch any major defects before they turn into disasters.
So, he has to weigh all the possibilities and make an informed and intelligent decision.
He decides to ask his COO to lead the project review while he visits as many major customers as he can before the end of the week.
Both good and bad consequences may flow from this decision.
Do we call the good ‘opportunities’ and the bad ‘risks’? Should we call all the potential effects ‘risks’?
Certainly, one is not (IMHO) the flip side of the other.
It’s not as if you have either a risk or an opportunity, a good or a bad potential effect. The decision will have both.
I don’t care what you call them as long as you recognize that the potential effects of uncertainty can be positive, negative, or (most likely) both.
I welcome your comments, good and bad.
Norman
Good way to jostle on such crucial concepts with real life example, thanks.
CEO’s decision has to be rational, keeping in view the ill effects or risks or bad effects or positive opportunities available on either side – Delaying the project launch which could bring more revenues in quarters to come, or, go out to meet clients to boost revenues for this quarter and prevent assumed or expected share price fall.
I see he has to identify the potential loss from both the sides and accordingly weigh his decision.
Positive side of risk here could also lead on testing the performance potential of Head sales and COO to see their decision taking abilities in such crunchy situations.
Norman, I favour the ‘risks equals bad, opportunities equals good’ approach, since most people understand risks to be circumstances which hinder the achievement of objectives. This approach also emphasizes the need for the opportunities in any situation to be identified. Risks and opportunities are therefore opposite (loss vs benefits) but I would agree that every risk does not have a corresponding benefit.
I’m concerned at the chances calculated as 70%, 15% etc. At least they should be quoted with their error range. I believe the best way of framing the CEO’s decision is to ask:
How am I able to use my time to maximise revenue?
What time-consuming responsibilities can I delegate?
Is the company too dependent on me?
Risk is neutral but not most often seen that way. I see risk as neutral with threats and opportunities representing the bad and good sides. Not opportunities opposing risk. But I do not get hung up on it.
Excellent article Norman. Events like the one you described happen daily in the real world. My only quibble is that all the schedules of all of the CEOs that I know (Fortune 200) start around 0600 not 0930 and end sometime around 1900 (unless there is a dinner to attend).
Norman, you described a typical activity which is an accumulation of activities over the past months. Personally I do not think this is Risk Management rather specific KEY activities with a Criteria attached would be Risk Management activity. When the sales figure failed the quarterly target, this will accumulate unless NEW controls are put in action to arrest the fall. Other activities worthy to note would be forex, political situation, China USA trade conflict.
It is always amazing to mention opportunities, which is easier said than achieved. Like Sales figure exceeds the target it’s nothing to do with opportunities could be because of conservative estimates. Opportunities come about when your competitor is in trouble then you take advantage of it like competitor factory burnt down, attempt to gain the market share with various strategies. This is an Asian view which may differ drastically from a developed country.
Traditional risk management is as you say, but is generally not perceived as value add, helping the organization succeed. I suggest that whether you are in Asia or Antarctica, changing to making intelligent and informed decisions after considering what might happen will make you and the organization more successful.
I have spoken frequently on this in KL and Singapore (will be back in April).
Hi Norman
Risk, in traditional terms, is nearly always viewed as a negative. A common dictionary definition of risk is “exposure to danger or hazard.” The Chinese symbol for “crisis,” is compiled of two elements, which may offer a better description of risk. The first symbol is the symbol for “danger,” while the second is the symbol for “opportunity,” making risk a mix of danger and opportunity. By linking the two, the definition emphasizes that you cannot have one (opportunity) without the other and that offers that look too good to be true (offering opportunity with little or no risk) are generally not true.
It is a sad truth and comes as no surprise that many managers become interested in risk management during or just after a crisis and pay it little heed in good times. The Chinese definition of risk/crisis points to the fact that good risk-taking organizations not only approach risk with equanimity, but also manage risk actively in good times and in bad times. Thus, they plan for coming crises, which are inevitable, in good times and look for opportunities during bad times!
“I don’t care what you call them as long as you recognize that the potential effects of uncertainty can be positive, negative, or (most likely) both.”
Risk – bad
Opportunity – good
Uncertainty – Bad or Good
A real world example of the risk being neither inherently negative nor positive – an uncertainty for our business is M&A activity of independent insurance agents (which is the sole channel our product is distributed through). In discussing this risk with the VP-Sales, I mentioned that risk is not always bad, and he lit up – “Exactly! We don’t know if this M&A activity will grow our business with the agency, shrink it, or if it will stay the same.” And we have experienced just that – sometimes the acquiring agency or network gets more involved with our independent agent, makes them better, and the agent in turn sells more of our product. Sometimes the acquiring company has a preference for a competitor. And sometimes the acquiring company just acquires the agency and changes nothing.
As an insurer, our hand is being forced with an ERM program as we will soon be crossing the threshold for ORSA implementation. I very much appreciate your articles and the conversation they generate in helping me have positive moments like the one described above.
Norman, surely the problem of misleading terminology which underlies your example can be resolved if we recognise risk not as a ‘bad thing that happens’, but as a situation from which a number of things could happen? This misconception of risk as a ‘bad thing that happens’ besets risk management everywhere, evidenced in any risk register or risk report that uses the term “risk event”. Even typing that term makes me shudder like fingernails scraping down a blackboard.
Uncertainty is the essential characteristic of all risk. Uncertainty is also not a ‘bad thing that happens’, and therefore also not an ‘outcome’ as in the Wikipedia definition. Uncertainty is a description of circumstances in which you lack knowledge or control, or both. If you have full knowledge and full control of what will happen, there is no uncertainty and no risk.
Understanding risk as a situation in which you lack knowledge or control entirely eliminates the need for pointless discussions over whether risk is ‘positive’ or ‘negative’. It eliminates the idea that risk management is concerned only with managing failure. It is the outcomes from decisions and actions when taking a risk that can be positive or negative. The risk, the situation, is neutral.
This is an interesting idea, that uncertainty is the lack of knowledge about what might happen. From that flows an effect on objectives.
But you can never be certain. You are always guessing (hopefully it’s an educated guess), so I have a problem with this definition.
I think it’s better not to use the term uncertainty either, as it is unclear and (sorry) impractical.
Dear Norman,
Thank you for focusing on this persistent misunderstanding; yet I always knew we were on the same page in this respect. Nonetheless, I shall try not to get too excited with my remarks, aimed primarily at fellow commentators. But first, IMHO, the solution sought by the CEO is highly unsatisfactory because it merely attempts to save the present at the expense of the future.
You cannot believe how this topic winds me up, nearly as much as my never-ending battle against ‘inherent risk’ = ‘gross risk’, which is a David vs. Goliath struggle being perpetuated against the very powerful external auditing sector, despite authoritative others accepting that it represents an intrinsic, unalterable characteristic that cannot be reduced by mitigation (*). Regrettably, still undefined in ISO 31000:2018. Anyway, as my Japanese friend Yo likes to say, on to today’s topic.
I cringe every time someone, especially those highly respected by us all like Richard Chambers, talks (loosely) about risks & opportunities (feeling apparently shared with #9 RC).
Just yesterday, I chomped on my teeth for that very reason during a webinar about risk assessment in ISO 9001:2015, despite the presenter at one point stating (admitting?) that “Opportunity is a positive deviation from the expected”!
So, please let me seriously beg to differ with the last sentence in comment #3 SC.
“Risk is neutral but not most often seen that way. I see risk as neutral with threats and opportunities representing the bad and good sides. Not opportunities opposing risk. But I do not get hung up on it.”
Sorry, but as so-called risk professionals we definitely should get hung up about it!
Simply because people in the street perpetuate such misunderstandings – through no fault of their own, I’m willing to concede – is not a valid excuse for us to abandon the proper usage of risk related concepts and terminology.
Doctors, lawyers, architects, etc. all have their professional vocabulary and they do not dumb it down for ease of comprehension by Joe Bloggs. I apologize to anyone actually so named & the jeans (sic).
To be frank, I find it shameful. When we find ourselves speaking / writing in a professional risk context, we need to ‘behave’ correspondingly.
Even in scientific circles, without pointing the finger anywhere specifically (but I could), publications use ‘risk analysis’ & ‘risk assessment’ as interchangeable synonyms, then, worse still, they go on to confuse ‘risk management’ with only ‘risk response / treatment’. Yet, a concession I’ll make is for Business Impact Analysis (habitually avoid BRA for obvious reasons, like Intrusion Testing rather than P… Testing), which has been around far too long for us to get it corrected into Assessment.
This is not a domain where we can just say, “well, for me” or “I favour” (#2 DG) because of what “most people” understand risks to be. “A common dictionary definition” (#6 MS) – or even one according to my beloved, donated Wikipedia – is totally immaterial.
Regarding the “danger + opportunity = crisis” (#6 MS) assertion, please refer to http://www.pinyin.info/chinese/crisis.html
Already shared compassion with #9 RC but emphatically disagree with: “If you have full knowledge and full control of what will happen, there is no uncertainty and no risk.” Those might well be your famous last words! Remember, ‘risks’ are pesky little creatures that do evil, beneficial and middling things ALL THE TIME, irrespective of what you think or believe!
Lastly, if you’ll allow me, I’d therefore slightly modify your closing sentence to: “I don’t care what you call them as long as you recognize that the potential effects of uncertainty can be positive, negative, or (most likely) both anywhere in-between.” (takes care of both #7 OS & #8 KW)
Huffing & Puffingly, your obedient servant, Hugh.
PS Sending you privately my little illustration from the back of an envelope many moons ago, which I use for my students, etc. to try and explain the components of risk management, as well as an unpublished article for an ASIS magazine (*), too lengthy to cut & paste here.
“I don’t care what you call them as long as you recognize that the potential effects of uncertainty can be positive, negative, or anywhere in-between.” (strike-out not shown)
Norman great discussion points as always. How we view risk depends on our perspective and from which discipline we are applying it. If we look at it from an Enterprise perspective this might be very different than investment or environmental/safety risk (hazard focus). Inherently auditors are traditionally taught concepts such as the “risk an account is misstated”, that leads to thinking of risk only from a negative sense. A financial reporting perspective. It also is not necessarily the way a business owner thinks in pursuing risks in a sale of a product or service.
From the statistical perspective, it is about the bell curve if the actual outcome falls outside our range of expectations (this could be a positive or negative outcome depending which side of the curve you land).
I think the key is to ensure all players at the table have a common understanding of risk and from which perspective it is being managed, viewed and/or assessed at. Further that it also aligns with the level of risk they wish to take.
Here’s yet another public statement misusing ‘our’ terminology, whilst I leave aside ‘prayers’ as a mitigation factor:
“It is the poorest people who face the biggest risks from the economic uncertainty posed by Brexit, the archbishop of Canterbury said on Saturday, and the prayers are likely to focus on reconciliation and the needs of those most vulnerable.” The Guardian 23FEB19
IMHO should read: “It is the poorest {i.e. those most vulnerable (sic)} people who face the biggest threats (sic) from the economic risk posed by Brexit,…”
Also, why did I change ’risks’ into ‘risk’? Brexit has many different kinds of risks associated with it, e.g. cultural, macro & micro economic, financial, health care, personal, political, national, social (take care not to put those last two words too closely together in this context). In each of those primary, singular categories there are multiple potential outcomes with vastly different likelihoods, each of which might be good, bad or somewhere in-between.
Of course, Brexiteers regard Brexit as an opportunity, which ideally squares the circle with what has been previously advocated here by some of us. QED!