Risk Management


Ayse Nordal

  1. Background

During a risk management seminar, one of the participants asked the following question: “…Why is it too difficult to identify relevant events and scenarios representing positive risks? Why do many of the risk registers include a high number of negative outcomes, but only a few registers -if any- recognize positive scenarios? In what way can a risk manager contribute to the organization’s focus on the upside risks?

  1. Justifying the identification of positive risks- Possible Approaches

The risk manager is not only responsible for the development of risk maps and registers but also for the development, implementation, and assessment of risk culture across the organization. According to Ferma’s European Risk Manager Report 2020, which summarizes the responses from 764 respondents in 34 countries, 77 % of respondents are responsible for the development of the risk culture.[1] Ensure adequate attention to opportunities is an element while developing the risk culture in an organization.

To my opinion, the risk manager can employ three approaches to ensure such focus, one by one, or in combination with each other. The choice of approach will be affected by the organization’s capabilities, culture, and risk maturity:

1. The structure-oriented approach

The risk definitions embedded in the well -known risk management standards and frameworks include positive risks:

  • ISO 31000: 2018 defines risks as the effect of uncertainty on business objectives, which may be positive, negative, or both.[2]
  • In a similar way, COSO- ERM suggests that risk is the possibility that events will occur and affect the achievement of strategy and business objectives. Organizations commonly focus on those risks that may result in negative outcomes….However, events can also have positive outcomes.[3]
  • The risk definition in an earlier standard by FERMA sounds the same. Risk is the combination of the probability of an event and its consequences. In all types of the undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside).[4]

Establishing formal structures, defining processes, to develop procedures in accordance with the requirements, guidelines, and terminology employed by the well-known standards are top priority subjects in many organizations.  Reference to definitions used in these standards may support the risk manager’s efforts in putting the positive risks i.e. opportunities, on the table, during a risk assessment workshop.

2. The goal-oriented approach

In some organizations, the achievement of objectives has the sole priority. The focus is on identifying and assessing uncertainty that may affect the strategy and objectives. Objectives can not be achieved without giving due attention to opportunities that contribute to success. If goal orientation is the dominant cultural element in an organization, the risk manager may benefit from a list of questions that may trigger focus on upside uncertainty during a workshop. Examples for such questions are the following:

  • How can we evaluate changes which may substantially affect strategy and business objectives in a positive way, without identifying and assessing positive uncertainty?
  • Didn’t we ever deliver better than expected in terms of time, costs, and quality? What was the reason?
  • Should we limit our ambition to monitor and handle negative events? What about benefiting from the opportunities?
  • Is it possible to use a portfolio approach to our investments, projects, asset portfolio without identifying and enabling the amplification of successful business plans? [5]
  • Is it possible to motivate innovation without considering opportunities?

3.  The mathematical approach

Often, the risk identification workshops include members who have a basic knowledge of mathematics and statistics and can relate to the expected value concept. They do not need to be able to calculate alphas or betas like an investment manager would be able to do. However, if the participant is familiar with to the expected value and the normal distribution, then she/he will understand the deviations from the expected value too, both in the positive and in the negative direction.

Figure 1: The normal distribution

Facilitating the workshop

When the risk manager aims to enable the identification of positive risks in a workshop the choice of method will be crucial.

To my opinion, choosing SWIFT (Structured What-If Analysis) is beneficial. The structured what-if analysis is similar to failure mode and effect analysis (FMEA) and is often used for identifying negative uncertainty/outcomes.[6] SWIFT is a brainstorming technique where the discussions are structured by the guidewords and parameters. However, there is no theoretical reason to limit the use of this technique only to the analysis of the negative outcomes.

When this technique is used to identify the negative risks attached to a system or to a process, the analysis starts with identifying the system- components/activities. Guidewords and parameters are used to describe “what might go wrong”.

When the possible positive outcomes will be identified through the use of the same technique, one can start with the objectives, define the structural parameters which may affect the achievement of objectives, and facilitate the creative process by letting the participants combine these parameters with guidewords. In the following a possible example is presented:

  1. Conclusion

Through proper justification and discussion techniques, the risk manager will succeed to achieve a focus on positive uncertainty and ensure that the organization identifies not only the possible negative outcomes but also the positive ones.

Denne artikkelen har relevans til ett av de fire spørsmålene som Ayse ivaretar i sin  presentasjon i  Risiko Spørretimen den 28. april 2021. Velkommen!

Event:  28. april @11.00

Påmelding her;

K&R Spørretime Risiko – “4 spørsmål”  v/ Ayse Nordal

Y. Ayse B. Nordal
fotokred: qrn/Annlaug

Ayse Nordal – kursleder i Risikostyring/Risk Management

Ayse Nordal er til daglig seniorrådgiver for strategisk planlegging og risikostyring ved Undervisningsbygg, Oslo  kommune. Ayse har B Sc. og M Sc. i økonomi og statistikk (teknisk universitet) og lisensiat i anvendt sosialøkonomi og makroøkonomi (NHH). Hennes spesialområder er strategisk planlegging, internkontroll og risikostyring, og er sertifisert akkreditert risikoleder (Risk Manager).

Flere fagartikler fra Ayse finner du her


A Simple Scenario-based Qualitative Model for Assessing Start-up Risk

Author: Y Ayse Nordal

Collapse ButtonQuick Abstract
ISO 31000:2018 Risk Management Guidelines and COSO:2017 Enterprise Risk Management framework have two important and common characteristics. Firstly, they connect risks with business objectives. Secondly, they define risks as potential events that represent both positive and negative deviations from the expected. When a start-up company assesses its risks….  Se www.qrn.no/blog

KRN Academy RM  m/ grunnkurs og lederkurs med mulighet for sertifisering EOQ Risk Manager – neste åpne kurs i riskostyring kommer i mai – samtlige nivå