
Whenever I ask people what ‘risk’ makes them think of, the only response I ever get is ‘danger, threat, loss, bad outcome…’. No one wants any of these things. Yet, even in risk management, risk tends to fall under a single risk category: negative risk. That’s why things like risks stemming from market-share failure, problem-management issues or disasters are seen solely in a negative light.

But here’s the question that should be niggling at the back of every project manager’s mind, every business leader’s mind, and indeed the mind of every stakeholder: why can’t a risk be good?

What if there were a complementary type of risk that could be considered positive, even with a potentially negative outcome? It does exist, and it’s called a positive risk. And, yes, positive risks can still go wrong.

Understanding Risk

Before discussing positive risk management vs negative risk management, let’s provide a simple and general definition of risk.

Risk is the chance that something will happen that could affect our objectives. This ‘chance’ is often expressed as a probability. The thing itself could be positive or negative, and this inherent tendency for both good and bad outcomes complicates risk management.

The Institute of Risk Management (IRM) supports this, stating that risk management concerns both the positive and negative aspects of risk (A Risk Management Standard).

Negative Risk: The Traditional View

Negative risk is what people usually mean when they use the term ‘risk’. It’s the potential for an unfortunate event or outcome that could damage a project, company, or person. Examples of negative risks could include:

  • Cybersecurity risks, such as data breaches or system failures
  • Financial losses due to market fluctuations
  • Project delays or budget overruns
  • Natural disasters affecting business operations
  • Reputational damage from public relations crises

Organisations should strive to identify, evaluate, control and mitigate these downside risks. The objective of negative risk management should be to decrease the likelihood of their materialisation and minimise their potential effects, should they come to pass.

Positive Risk: The Often Overlooked Opportunity

Although negative risks attract much attention, positive risks are equally significant in risk management.

Positive risk, sometimes called upside risk, refers to the prospect of favourable outcomes or benefits associated with uncertain events. Positive risks include:

  • Unexpected market opportunities
  • Technological breakthroughs that enhance productivity
  • Favourable regulatory changes
  • Positive public recognition leading to increased brand value
  • Cost savings due to efficiency improvements

People and organisations that recognise these potential opportunities up front, and find ways to capitalise on them if they materialise, are practising positive risk management. Doing so can pay huge dividends to organisations willing to take and manage positive risks.

The Risk Management Process: Handling Both Positive and Negative Risks

Whether the risks are positive or negative, a risk management process generally involves the following steps:

  1. Identification of Risk: identify and record risks, both positive and negative, using tools such as brainstorming sessions, historical data and expert interviews.
  2. Risk Analysis: once identified, risks are analysed to determine their likelihood of occurring and their potential magnitude of impact. This can be done through qualitative risk analysis (subjective scales, such as a risk scale of 1-5, with 1 indicating a lower likelihood/impact and 5 a higher likelihood/impact) or quantitative risk analysis (using numerical data and statistical methods to evaluate risks).
  3. Risk Appetite and Risk Tolerance Assessment: this step assesses the prioritised risks against the enterprise’s risk appetite and risk tolerance. It determines which risks require immediate mitigating actions and for which risks monitoring should suffice.
  4. Develop Planned Risk Responses: formulate risk responses commensurate with the assessment. Risk responses might include avoidance, transfer, reduction, or acceptance strategies for risks possessing undesired consequences. Risk responses might also include the exploitation, enhancement, sharing, and acceptance strategies for risks bringing desired consequences.
  5. Execute Risk Responses: the chosen strategies are enacted and recorded in a risk management plan.
  6. Monitor and Control Risks: consider this function an ongoing process in which identified risks must be tracked, new risks identified, and response strategies assessed for robustness.

Positive Risk vs Negative Risk: Key Differences

Although this overall risk management process is similar, differences in how positive and negative risks are treated are significant:

  • Risk Mindset: negative risk management prioritises loss aversion and prevention. In contrast, positive risk management is theoretically oriented towards opportunity and potential gain.
  • Risk Response: negative risks are commonly assigned an ‘avoid’, ‘transfer’, or ‘mitigate’ response, depending on the organisation or situation involved. Positive risks, on the other hand, are often approached in terms of increasing the probability or impact of the desired, positive outcome.
  • Differing Risk Appetites for Positive vs Negative Risk: organisations might have different degrees of tolerance for positive versus negative risk. For positive risk, organisations can be more willing to take a gamble if the results align with their goals.
  • Stakeholder Perception: negative risks are often perceived as threats to be reduced, while positive risks are viewed as opportunities to be enhanced.
  • Measurement: negative (threat) risk is typically measured in terms of money or utility loss, whereas positive (opportunity) risk is measured in terms of potential benefit, and its probabilistic and quantitative aspect is often lost.

Enterprise Risk Management: Balancing Positive and Negative Risks

For enterprise risk managers, the challenge of judging positive and negative risks is embedded in Enterprise Risk Management (ERM). ERM is built on the premise that all risks should be seen together, as a unified view of an organisation’s risk exposure.

An enterprise risk manager might identify a downside risk, such as facing stronger competitors, see an upside risk, such as new technology that enhances the production process, and develop a strategy that adjusts to both.

Project Risk Management: Navigating Individual and Overall Project Risks

Project management involves both positive and negative risks, and both kinds are important. When managing a project, you have to consider individual project risks and overall project risks through:

  1. Identifying potential risks (both positive and negative) that could affect project objectives
  2. Analysing the probability and potential impact of each risk
  3. Developing response strategies for both threats and opportunities
  4. Continuously monitoring and updating the project risk register

Proper management of positive or upside risks, like negative or downside risks, can help project managers succeed and perhaps even delight the stakeholders.

Positive Risk-Taking: A Balanced Approach

While negative risk-taking is undoubtedly essential to control, organisations can’t forget about positive risk-taking: decisions in which possible benefits are weighed against potential harms. This type of risk-taking acknowledges that some level of risk is vital for growth and advancement.

For example, suppose a firm invests in a new but untested technology. In that case, there’s the possibility of negative risk (financial loss if the technology doesn’t work) and positive risk (a significant competitive advantage if it does). By clarifying the potential reward of risk and its downside, a business can decide which risks to take.

The Role of Technology in Managing Positive and Negative Risks

Technological advances have enhanced our ability to determine, target and tend to positive and negative risks. Data analytics, artificial intelligence and machine learning tools help organisations:

  • Identify potential risks more accurately and comprehensively
  • Perform more sophisticated quantitative risk analysis
  • Model complex scenarios to better understand potential outcomes
  • Monitor risks in real time and respond more quickly to changes

Together, these technological capabilities enable you to respond to, control and mitigate cybersecurity risks, including those with negative consequences (e.g. breaches) and those with positive consequences (e.g. better security measures that lead to competitive advantage).

Final Thoughts: Embracing a Comprehensive Risk Management Strategy

Organisations operating within highly complex and turbulent environments need to develop an integrated approach to managing risk that does not merely focus on negative risks but also emphasises positive risks. This balanced approach to managing risk enables organisations to:

  • Protect against potential threats and negative outcomes
  • Capitalise on opportunities and positive impacts
  • Make more informed decisions aligned with strategic objectives
  • Improve overall performance and resilience

Viewing risk not only as a negative but also as a positive, something that needs to be embraced to achieve a desired outcome, transforms what’s traditionally seen as a means of avoiding something bad into a strategic enabler of success.

And remember, effective risk management is not about eliminating risk but about understanding and balancing it. Appreciating that risk has positive and negative attributes will help you devise more complete and effective strategies for enterprise risk management, or simply for managing the risk profile of an individual project.

Ultimately, the aim is to achieve a risk culture that explores and harnesses the upside instead of fearfully avoiding risk. By perfecting the art of ‘tuning’ the risks in their favour, organisations will enter the ‘grey’ area of uncertainty with confidence and ingenuity to turn it into a springboard for nurturing growth and success.
