risk is “the effect of uncertainty on objectives. An effect is a deviation from the expected — positive and/or negative”
Business organisations, especially in regulated industries like financial services, invest heavily in the management and reporting of risk. They set up risk management functions, processes and systems to identify, assess, treat, and report risks, and this is effectively driven by regulatory compliance.
Regulators are, of course, interested in the protection of consumers, employees, the society, the environment and so on. Which is why they focus on the negative consequences of risks like credit, liquidity, currency risk, health and safety, and environmental protection.
This mindset, combined with the daily headline news of negative events like aeroplane disasters, financial crises, hurricanes, Covid-19 pandemic have embedded in society and in business organisations the idea that risk is a bad thing which we want to avoid, reduce or transfer to someone else (e.g. buy insurance).
Is risk bad thing?
The answer is: it depends.
The risks mentioned above have a downside which can cause significant financial loss or injuries to people, damage to assets or the environment. They also have an upside, which may have a substantial benefit for the organisation. Because the word risk has a negative connotation attached to it, this upside is usually overlooked and not factored at all within the organisation’s risk management framework.
The ISO Risk Management Standard (ISO 31000) defines risk as “the effect of uncertainty on objectives”. And it adds: “An effect is a deviation from the expected — positive and/or negative. Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).”
From the above definition, it follows that risk is neutral. But depending on the business objectives it can also be positive, leading to benefits or gains or negative leading to losses or damage for the business.
Without objectives there is no risk. In business, we have strategic, financial, and other objectives that carry varying degrees of uncertainty and, therefore, of risk. Any deviation from what we expect shall have an impact on our objectives. Such deviation can be positive or negative.
If it is a negative deviation (threat), we may avoid, reduce or transfer the risk by trying to reduce its likelihood or its consequences in order to minimize losses. In the case of a positive risk, we may retain the risk, or take more risk by trying to increase the likelihood or consequences of the risk in order to maximize gains.
Managing Risk
The same framework and process that the organisation uses to manage negative risk can therefore be used to manage also positive risk. Through the risk assessment process, both negative risks (threats) and positive risks (opportunities) can be identified, analysed, evaluated and recorded.
Tools such as SWOT analysis, PESTLE, and Porter’s Five Forces, scenario analyses, structured what if techniques and others are all useful in identifying risks.
Before proceeding with risk identification, the organisation should define its risk appetite (the amount and type of risk that an organisation is willing to pursue or retain) and risk tolerance (organisation’s readiness to bear the risk after risk treatment) in order to achieve its objectives). Risk appetite and risk tolerance define the consequences (impact) of risk whether positive or negative.
Below are examples of assertions used in a risk appetite statement
Risk Appetite statement examples
Risk Element | Examples of Risk Appetite Statements | |
1 | Strategic or acceptable risks | Market growth: We shall pursue strategies to achieve market growth objectives (increase market share by 2%) and invest in and develop key and new markets. The risks inherent in this strategy are accepted. |
2 | Non-strategic or undesirable risks | Reputation and brand: Any situation that may result in a negative impact on our reputation and brand is not acceptable and any undesirable situation shall be managed aggressively to protect our image |
3 | Strategic risk parameters | Investment in existing and new market development ventures shall be limited to 10% of capital and should produce a positive ROI of 10% over a five year period |
4 | Financial risk | We shall only do business with counter parties of good financial standing. (Rating A- or better) New business growth shall be financed from own funds. We shall maintain a working capital ratio of 5% |
5 | Operational Risk | Operations and activities shall be managed so that no single event shall result in a loss of more than 0.5% of capital No single customer will account for more than 10% of sales There is zero tolerance for injuries or illness to employees, customers and other parties resulting from our operations or from the use of our products |
Risk Appetite | Risk Taking limits |
The organisation has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns | While we expect a return of 15% on this investment, we are not willing to take more than a 25% chance that the investment leads to a loss of more than 50% of our existing capital |
The organisation has low risk appetite related to risky ventures and is willing to invest in new business but with low appetite for potential losses | We will not accept more than a 5% risk that a new line of business will reduce our operating earnings more than 5% over the next ten years |
The organisation has low risk appetite related to the social and economic costs for sourced products from foreign locations that could be accused of being child sweatshops or having unhealthy working conditions | For purchasing, the risk tolerance is set to near zero for products that do not meet the organizations quality and sourcing requirements |
Risk Appetite and tolerance consequences are combined with the likelihood or probability of a risk occurring to give us the level of risk. Below is an example of an Opportunity and Threat Matrix which defines risk levels based on likelihood and consequences.
On the opportunity side, we have levels of positive risk ranging from low to high and on the threat side we have levels of negative risk again ranging from low to high. The level of risk is defined as a function of its probability or likelihood and its consequences (impact).
Opportunity and threat risk matrix example
All risks identified (positive or negative) should be recorded in a risk register, analysed and evaluated against the defined risk criteria (levels of risk).
The definition of levels of risk should be customised to the specific needs and circumstances of the organisation. Below is an example of level of risk definitions and actions that are necessary.
Risk Criteria example
Risk Level | Threats | Opportunities | Risk Level |
High | Irrespective of the benefits the risk is not tolerable. Requires continuous monitoring at the highest level. The level of risk calls for the review of all measures with the objective to reduce exposure to the risk as soon as possible. Risk should be reduced as low as reasonably practicable (ALARP) Transfer the residual risk if possible | Start, Continue, maintain or increase the activity that produces the positive outcome Increase the likelihood of occurrence of the risk, to increase possible benefits Try to enhance possible consequences, to increase the expected gains Share the risk with other parties that may contribute by providing additional resources Retain the residual risk | High |
Medium | Action plans and allocation of resources are required to address the risk. The level of risk can potentially jeopardize the achievement of objectives. Measures are necessary to reduce risk where feasible The level of risk calls for a cost benefit analysis before the implementation of control measures | Action plans and allocation of resources are required to address the risk. The level of risk can potentially support the achievement of objectives and benefit the organisation. Measures are necessary to increase risk where feasible The level of risk calls for a cost benefit analysis before the implementation of control measures | Medium |
Low | Potential impact is negligible. Measures can be taken if resources allow. The risk can be managed through normal business processes and controls. Requires continuous monitoring for any changes | Potential impact is negligible. Measures can be taken if resources allow. The risk can be managed through normal business processes and controls. Requires continuous monitoring for any changes | Low |
Negative risks that are evaluated as high should be avoided or reduced to an acceptable level or transferred. Risks which cannot be reduced to acceptable levels should either be transferred or be managed through a business continuity plan.
Positive risks that are evaluated as high should continue to be pursued and possibly increased. Negative risks should be avoided reduced or transferred. Medium positive risks need to be further investigated. A cost benefit analysis would be helpful.
Low positive risks are managed through business as usual and monitored for any changes.
Conclusion: Where does that leave us?
Risk taking is the engine that drives business and is vital for organisations to succeed. Organisations succeed by taking risks and they fail by failing to manage risk. Successful organisations consistently manage both the downside and the upside of risk by focusing on capitalising on opportunities and value creation. This requires a system to consistently identify, measure, manage and monitor both risks and opportunities. The ISO 31000 Risk Management Standard provides a framework which enables organisations to manage both.