The positive side of risk
While both ISO 31000 and COSO ERM recognize that risk can have a positive effect on the achievement of objectives, I don’t see that aspect being covered well if at all.
I discussed the positive side of risk in 2019 (which you may want to re-read), but let’s examine some more examples. Each of these is based on a real-life situation.
- The company is part-way through a project to build an additional processing unit in its New Jersey refinery. The commercial team inform management that the prices for the mix of products from the new plant have changed significantly since it started. If the design is modified to create more of what are now high-value products, the additional revenue should be significant. Of course, there are cost implications and the schedule for completion of the new unit might be adversely affected.
Management needs to understand the range of additional revenue and the likelihood of each point on that range – just as they need to understand the cost implications and the possible effect of a schedule delay.
The techniques used by risk practitioners to understand, assess, and evaluate the potential for harm work well when applied to the potential for reward.
In addition, it should be possible to use techniques like Monte Carlo simulation and business judgment to weigh the potential benefits of the design change against the potential harms.
- The CIO is asked by the Senior Vice President of Marketing to change the scope of a systems development project. The project is about 30% completed, so any change can have adverse effects. But the SVP points out that the change he is requesting will support a surge in demand for on-line shopping by customers around the world.
As in the previous example, the risk practitioner can use their tools and techniques to assess all the pros and cons of the change, enabling an informed and intelligent business decision.
- A member of the board alerts the CEO that there are rumors about the financial health of a major competitor. If the other company falters, there would be an opportunity to seize a larger share of the market. However, there is no certainty.
The risk practitioner can work with the management team to assess the situation. How likely is it that the other company will fail completely vs. have to cut back? If they fail, how likely is it that they would do so in three months, six months, a year? Given that, what is the range of potential benefits and what is the likelihood of each point? The practitioner can also help management determine what it will take to seize the market, what it will cost (in dollars spent as well as what is given up to free resources to prepare to seize the day), and how to evaluate what is best for the business considering all of the above.
- The vice president in IT is told that a third-party expert in a system they just purchased has just become available. If they hire that person, it would not only speed implementation but reduce the risk of getting it wrong. However, the budget would be blown.
The risk practitioner can help evaluate the options and enable an informed and intelligent business decision.
- A data privacy bill is working its way through Congress. There is no certainty it will pass, although it seems more likely than not, and the final form of the legislation is unclear. If it passes, it will affect a profitable revenue stream of a subsidiary. Action will be needed to avoid losing that revenue. However, the company believes it is in a better position to make necessary changes than its competitors and, if it moves aggressively, it might be able to capture a larger market share.
This is one of those situations where an event or situation does not have only a negative or only a positive effect on objectives.
The risk practitioner can help management consider all the uncertainties, both now and as the situation unfolds, and make informed and intelligent decisions.
What should be clear to everybody is that pretty much every situation has several things that might happen, some of which are positive while others are negative.
Evaluating the downside and hoping somebody else has equivalent tools and techniques to evaluate the upside (the ‘it’s not my job’ disease), in a way that enables informed and intelligent decisions, doesn’t make business sense to me.
I welcome your thoughts.
Norman, you are 100% correct in your assessment. Unfortunately, after working with this issue for several years the problem seems to revert back to the silo issue and reluctance to admit Risk Management into the strategic silo on any level other than a “staff report.”
Putting the Chief Risk Executive (CRE) on par with the COO, CLO and CFO is a jump that not many organizations are willing to do without a serious push from the Board led by the Chairman. (If the CEO is also the Chairman, it is easy to imagine that not happening.) Add to that the need for the CRE to have direct access to the Board so far has been a step too far for most.
I agree. I am also struggling to have upside and downside viewed as two sides of the same ‘risk coin’. But I deal with divisional risk management units that say they view risk in downside terms and that opportunity is for sales or marketing. In the strategic planning process, discussions on what should go right and what could go wrong are separated. Slowly, top-down, as a corporate risk manager I get a seat at the board table to provide some sort of challenge, but unfortunately after planning, objectives and target discussions have taken place… The Strategic Risk Assessment is still a separated report, not integrated in strategic planning, to provide “list management” to executive board and supervisory board members. I’m sure we’ll get there in the end, but it will require change in culture, and will go rather slow…
Jo, have you tried talking to them about developing even a simple list of pros and cons? Sometimes, showing them what is possible changes minds.
Yes I did. I also made a mockup of a report in which for the strategic objectives upside and downside risks were shown as well as a “level of urgency” for actions (inspired by Hans Lassoe’s PAPA-model). They (executive board) actually liked it, but in the end they still preferred a downside-oriented heatmap because that is what the supervisory board (we have a two-tier board) has seen previously and understands. Furthermore, I have to deal with a number of rather autonomous subsidiaries which are regulated and where the risk departments are pretty much siloed. Lots of work and evangelizing to do.
I wish you luck, Jo.
What I have done in similar circumstances is find an executive who will let me help him or her. That person becomes a champion and we can build on it.
Thanks Norman
Evaluating the positive side of taking on additional risk seems to be too often overlooked in the risk assessment. I think the professional nature tends towards emphasizing risk minimization and conservatism. Without properly weighing the risks against the benefits and accurately assessing potential upsides of additional risk, the risk assessment could be insufficient to guide smart strategic decisions. Excellent post! I really appreciate the nuance you bring to framing risk assessment decisions.