While both ISO 31000 and COSO ERM recognize the potential positive effects risk can have on the achievement of objectives, I don’t see that side being covered well, if at all.
I discussed the positive side of risk in 2019 (which you may want to re-read), but let’s examine some more examples. Each of these is based on real-life situations.
When Risk Evaluates Potential Rewards
Opportunity for Additional Revenue
A company is part-way through a project to build an additional processing unit in its New Jersey refinery. The commercial team informs management that the prices for the mix of products from the new plant have changed significantly since it started. If the design is modified to create more of what are now high-value products, the additional revenue should be significant. Of course, it might adversely affect the cost and the schedule for completion of the new unit.
Management needs to understand the range of additional revenue and the likelihood of each point on that range — just as they need to understand the cost implications and the possible effect of a schedule delay.
The techniques used by risk practitioners to understand, assess and evaluate the potential for harm work well when applied to the potential for reward. In addition, it should be possible to use techniques like Monte Carlo simulation and business judgment to weigh the potential benefits of the design change against the potential harms.
Chance to Capture Online Shopping Demand
The senior vice president of marketing asks the CIO to change the scope of a systems development project. The project is about 30% completed, so any change can have adverse effects. But the SVP notes the change he is requesting will support a surge in demand for online shopping by customers around the world.
As in the previous example, the risk practitioner can use their tools and techniques to assess all the pros and cons of the change, enabling an informed and intelligent business decision.
Greater Market Share in Reach
A member of the board alerts the CEO that there are rumors about the financial health of a major competitor. If the other company falters, there would be an opportunity to seize a larger share of the market. However, there is no certainty.
The risk practitioner can work with the management team to assess the situation. How likely is it the other company will fail completely vs. having to cut back? If they fail, how likely is it they would do so in three months, six months, a year? Given that, what is the range of potential benefits and what is the likelihood of each point? The practitioner can also help management determine what it will take to seize the market, what it will cost (in dollars spent as well as what is given up to free resources to prepare to seize the day), and how to evaluate what is best for the business considering all of the above.
Questions of Hiring
The vice president in IT is told a third-party expert in a system they just purchased has just become available. If they hire that person, it would not only speed implementation but reduce the risk of getting it wrong. However, the budget would be blown.
The risk practitioner can help evaluate the options and enable an informed and intelligent business decision.
Data Privacy Bill Effects
A data privacy bill is working its way through Congress. There is no certainty it will pass, although it seems more likely than not, and the final form of the legislation is unclear. If it passes, it will affect a profitable revenue stream of a subsidiary. The company will need to take action to avoid losing that revenue. However, the company believes it is in a better position to make necessary changes than its competitors and, if it moves aggressively, it might be able to capture a larger market share.
This is one of those situations where an event or situation does not have only a negative or only a positive effect on objectives.
The risk practitioner can help management consider all the uncertainties, both now and as the situation unfolds, and make informed and intelligent decisions.
Accentuate the Positive
What should be clear to everybody is that pretty much every situation has several things that might happen, some of which are positive while others are negative.
Evaluating the downside and hoping somebody else has equivalent tools and techniques to evaluate the upside (the ‘it’s not my job’ disease), in a way that enables informed and intelligent decisions, doesn’t make business sense to me.
I welcome your thoughts.
Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.