US President John F. Kennedy famously, albeit imprecisely, remarked that the Chinese characters for ‘crisis’ are made up of the Chinese character for danger and the character for opportunity. These speeches, the first at United Negro College Fund fundraiser, Indianapolis on 12 April 1959, and the second at Valley Forge Country Club, Pennsylvania on 29 October 1960 have subsequently been recycled by historical figures ranging from President Nixon to Lisa Simpson.
In truth, both wei ji and ki ki, more closely translated as ‘danger’ and ‘an imminent juncture’. In any case, the danger/opportunity meme that has become ubiquitous in speeches on risk, disaster and recovery, in my view, continues to serve a useful purpose – hope and a recognition that with every threat, there is opportunity.
So it is with risk. No, I’m not talking about ‘likelihood’ and ‘consequence’. Rather, I am talking about the dual characterisation of risk – that risk can be both the chance of something positive happening and the chance of something negative happening. A bit like a game of chess – “If I move Black Knight to E6, I’ll expose Black Rook, but in any case, I’ll have a defendable move on White Queen”. It is this dual-characterisation of risk that often unhinges those that are tasked with the identification and assessment of risk.
Risk is the effect of uncertainty on objectives. This effect can either be positive or negative.
Clients often ask me, “How do I properly assess risk to take advantage of the dual nature of risk?” The easiest option is to have two registers – one used for managing opportunity risk, and the other used for managing threat risk. Taking it up a level of complexity, you may like to have one framework that allows oversight and management of both natures. The issue with this approach is that aggregation and integration becomes challenging due to the difficulty in offsetting one against the other. It can be done, but the complexity can overwhelm inexperienced risk managers.
How do I properly assess risk to take advantage of the dual nature of risk?
Risk Management as a discipline is constantly evolving. That’s one reason I get so passionate about it. It also gives me the opportunity to re-invent standard approaches. One example (although probably not a true ‘approach re-invention’) is my preferred way of helping clients minimise threat risk and maximise opportunity risk. And it is simple.
Specifically, I advocate an assessment of threat or opportunity risks, noting that the chance of a threat influencing an objective is also the chance of a threat not influencing an objective. So, let’s say we have an assessment of your entity’s risks that is entirely negatively characterised – how then do we modulate opportunity risk? …through the controls framework. This can be as simple as maintaining a contingent control to maximise the non-realisation of a threat risk, or as complex as undertaking a secondary assessment of such controls.
So, let’s use a fictitious example – a bet (only because in risk training, gambling is the most common such example): If I wager $100 at 10:1 odds that Carlton will win their next game (many will argue that’s a bad bet!), there is a chance that I will win $1000. This is the opportunity risk, and is roughly quantified by the odds (that is, 10:1, or a 10% chance that I will win). There is also a roughly 90% chance that I will lose my $100. This is the threat risk. If we describe the risk as ‘There is a chance that Carlton will lose their next game’, then I might establish a control along the lines of ‘Mandated betting threshold for all Carlton wins of $10’ (because a $10 loss is within my risk appetite), or to maximise opportunity risk, I might establish a control of ‘Bet $100 on all Carlton losses’.
Even though this is a simple example, the concept is clear – use your controls framework as your lever to maximise opportunity risk. Just like a game of chess.
Mark Sullivan is Senior Manager of Risk Assurance at PriceWaterhouse Coopers. He will be facilitating a workshop at the Measuring & Managing Strategic Risk in Government Conference on ‘Measuring & working within risk tolerance & appetite – better manage risk & organisational performance’.