Some talk about opportunity as “the other side of the coin” from risk.
One is good and the other bad.
That is how COSO views the two words, risk and opportunity. ISO seems them differently, defining risk as the effect on objectives. That effect could be positive or harmful.
A few governance codes, such as the King IV code in South Africa, have changed their language from talking about board oversight of risk management to the oversight of risk and opportunity management.
In this view, an opportunity is where there is a possibility for action that is likely to lead to reward or gain. For example, if a homeowner is dissatisfied with his or her realtor, that is an opportunity for another realtor.
Certainly, those situations exist and organizations need to be able to recognize, understand, assess, and then seize them where appropriate.
I encourage you to view this excellent video with David Hillson (a.k.a. the Risk Doctor): Risk and Opportunity: How can risk be good?
As David points out (and I said in World-Class Risk Management and Risk Management in Plain English), the tools and techniques traditionally used to ‘manage’ potential harms (risks, in normal language) can and probably should be used to manage the potential for gain (opportunities).
Others, such as suggested in an article from software vendor Enablon, talk about How risks can turn into opportunities. The idea is that by addressing a source of risk you can create opportunities for gain.
We had that when I ran internal audit at Tosco Corp. One of our risks was the potential for changes in the relative prices of our raw materials (primarily crude oil) and products (gasoline, diesel, jet fuel, and other refined products) to adversely affect our margins and earnings. Management established a sophisticated and talented trading operation to hedge those commodities. In the process, they gained the ability to trade for profit and added to their earnings in the process. (OF course, the trading activity also created new risks.)
Expanding ‘risk management’ beyond a paranoid view of what might happen is progress, but is it sufficient?
As I wrote earlier, the level of risk is not a point. There is a range of potential consequences from an event, situation, or decision, and each has its own likelihood.
In that post, I included an illustrative chart, but all the potential consequences were negative.
In real life, there are some situations where the range of consequences might include both positive and negative effects.
In other words, the idea that risk and opportunity are different because (as David says) one has a positive and the other a negative sign is not entirely correct.
For example, if an organization introduces a new product with the hope that related revenue in the first year will be $800,000 or more with earnings of $180,000, that objective may be achieved or exceeded, or they may fail to achieve it.
In fact, revenue could range from the unlikely zero to the unlikely $1.5m, with many possibilities in between. If revenue is below $500,000 they would incur a loss. The chart below shows net earnings assuming a fixed cost of $300,000 and a variable cost of 40% of revenue.
The likelihood of achieving or exceeding the targeted revenue and earnings is 60%.
The point I am making is that events and situations can have a range of potential consequences, some of which may be negative and some positive.
In the example above, the management team has to be ready to respond should it look like the product will do better than expected (they will have to make sure manufacturing and distribution can keep pace) or worse.
Do the terms risk and opportunity make sense as a basis for understanding and assessing what might happen?
Isn’t it better to recognize that there is a range and we have to be prepared to address all the possibilities?
I welcome your comments.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
- When enterprise risk-based audit plans are not enough - November 15, 2023
- More useful information about cyber risk - October 18, 2023
- How do you measure internal audit effectiveness? - October 3, 2023
