Keeping an Eye Out for Positive Risk
We commonly think about risks having negative consequences. With each month bringing new cybersecurity threats, breaches, and vulnerabilities, sound risk management practices are necessary to protect your organization. However, when performing risk management, do organizations unnecessarily limit themselves by only thinking about risks as negative effects and not looking at positive effects, too?
Risks Can Be Positive
The CERT Resilience Management Model (CERT-RMM) defines risk as "the combination of a threat and vulnerability (condition), the impact (consequence) on the organization if the vulnerability is exploited, and the presence of uncertainty." Threats and vulnerabilities are inherently negative, and the impact of an exploited vulnerability, for many organizations, may cause the disruption of a high-value asset or service that negatively impacts the organization's mission. Understandably, many organizations' top priority is to address negative risk.
The International Organization for Standardization (ISO) has a broader definition of risk: "effect of uncertainty on objectives." According to this definition, uncertainty can arise from conditions other than threats and vulnerabilities, and the effect can be negative or positive. The ISO definition encourages organizations to think about risk as a change in circumstances, its likelihood, and its impact, regardless of whether it is positive or negative.
Positive risk is often misunderstood or not considered. As the CERT-RMM and other standards describe, most organizations have historically applied risk management to control negative future outcomes. Yet it's hard to deny that risk and opportunity go hand in hand. Advancement cannot be achieved without taking risk. Risk is essential to progress, and the outcome may be positive, negative, or some of both. Successful organizations learn how to balance the possible negative consequences of risk against the potential benefits of its associated opportunity. Organizational risk management activities would be unnecessarily limited by not accounting for the positive effects of risk.
Risk need not be defined as good or bad. Risk management is a proactive organizational practice to prepare for variation and the unexpected. Organizations are then better prepared to mitigate adverse impacts and exploit favorable ones to achieve objectives, instead of just act reactively. As ISO 3100:2018 puts it, "Risks emerge, change, and disappear as a project's external and internal context changes. Risk management anticipates, detects, acknowledges, and responds to those changes and events in an appropriate and timely manner."
A good risk management program should establish clear communications and situational awareness about all risks. This allows risk decisions to be well informed, well considered, and made in the context of organizational objectives, such as opportunities to support the organization's mission and potential business rewards. Risk management should take a broad view of risks across an organization to inform resource allocation, better manage risks, and enable accountability.
Approaching Positive Risk
Many projects use different processes to minimize the impact of a risk versus maximize the impact of an opportunity. Not all risks can be eliminated, and no organization has an unlimited budget or enough personnel to address all risks, so management should define risk management activities that maximize the balance.
For negative risks, organizations avoid, transfer, mitigate, and accept risk based on their risk tolerance and appetite. They try to ensure either the risk doesn't occur or that when it occurs, it has little or no impact on the organization's overall mission.
Organizations take the same approaches to positive risks but with a twist.
For opportunities, organizations should try to exploit, enhance, share, or accept the positive risk. Exploiting a positive risk means accepting the risk and realizing the positive effect. Enhancing is acting to increase the chance of the positive risk occurring to maximize the opportunity. Sharing the risk allocates part of the ownership and responsibility to a third party. This is the same approach as with a negative risk, and it tries to control the potential loss or gain. Lastly, accepting the risk or doing nothing is always an option, whether the risk is negative or positive. Often the risk is either highly unlikely to occur, or the effect when realized is not significant. Consequently, organizations do not invest resources to accept the risk, which may be the correct approach.
As most organizations address today's ever-changing challenges, they are trying to define risk management activities that allow them to balance their focus and resources to maximize their opportunities and minimize their challenges. Most organizational cultures place a greater emphasis on the protection against loss than the attainment of gain.
Do you think of risk as a negative outcome, or do you think of risk as preparing for the unexpected?
Too much of a good thing is possible, if you are unprepared for it. That's why it's important to consider risk from both sides, positive and negative. For example, there may be such a thing as too secure. If you have not been able to do innovative things because you spent your entire budget on security controls and tools, are you missing an opportunity?
What do you think? Do you track both positive and negative risks? Send us your thoughts on positive risk management to firstname.lastname@example.org.
Consider making your risk management activities more robust by not only identifying effects that can have negative consequences but modifying your practices as necessary to leverage opportunities, too.