It’s not “positive risk”: Why the concept is undermining effective risk management

Lately, I’ve seen the term “positive risk” used with increasing frequency. I find this to be problematic.

Risk managers using the term are conflating two related but fundamentally different concepts: risk and opportunity.

This may be to sound less pessimistic or to appear aligned with popular standards. Either way, the use of the term doesn’t provide clarity, improve our understanding of risk or make risk management more effective.

What it instead does is mislead decision makers and suggest that risk management approaches, designed primarily for loss avoidance, can be easily applied to the pursuit of opportunity. This undermines effective decision making.

Positive outcomes are not “positive risks”

A big part of the problem is the mislabeling of potential positive outcomes (i.e. opportunities) as “positive risks”.

This is not an uncommon phenomenon.

Even Amazon, in its own guidance, makes the mistake[1]. They claim that implementing patch management could increase customer trust and they label this increase in trust a “positive risk.”

According to Amazon, this could happen as follows:

1. Implementing patch management could reduce vulnerabilities in the application.
2. Removing vulnerabilities could reduce application risks and make the application more secure.
3. Improved application security could reduce data loss.
4. Reduced data loss could increase customer trust.

Here’s my issue with this thinking — Amazon has clearly mislabeled opportunities as “positive risks”.

In their breakdown, what they’ve essentially done is to describe the potential opportunities (e.g. reduced data loss, increased customer trust) associated with the risk mitigation activity (i.e. patch management).

These opportunities are not themselves risks. They are not uncertain events with the potential for loss.

Opportunity may lie on the other side of risk

Standard driven ambiguity

I place the blame for this confusion squarely at the feet of influential bodies like the International Standards Organization (ISO) and the Project Management Institute (PMI).

Through their standards, they promote the idea that risk includes positive and negative deviations from the expected.

ISO 31000 defines risk as “the effect of uncertainty on objectives” and notes that this effect can be positive or negative. The PMI takes a similar approach, describing risk as an “uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.”

I get what they’re trying to do – acknowledge that uncertainty can lead to both gains and losses – but in practice, their definitions do not provide the clarity they may have hoped for. It drives ambiguity[2].

Instead of advancing our understanding of risk these definitions conflate two fundamentally different things: the potential for loss (risk) and the potential for gain (opportunity).

This is where it helps to have a better definition. I prefer how the FAIR Institute defines risk, as the probable frequency and magnitude of future loss[3].

This definition is not only more precise, but it better reflects how we naturally understand risk.

While the definition has its roots in the cyber and information risk management space, it also aligns with actuarial practice, which treats risk in terms of expected loss[4]. It also mirrors conventional economic logic, which considers trade-offs between downside exposure and potential gain, rather than trying to force these two elements into a single term.

This is how decision makers intuitively think. Risk is what can go wrong and cost us. Opportunity is what can go right and benefit us. These two concepts are related, but they are not the same.

It’s important to keep in mind that:

  • Opportunity ≠ “positive risk”
  • All uncertainty ≠ risk

Yes, risk is a subset of uncertainty. It specifically deals with negative outcomes. Calling all uncertainty risk corrupts the meaning of the term and confuses related decisions.

If the goal actually is better decision making, then semantic gymnastics does little to help. It benefits us more to have a better understanding of risk, where we can distinguish between but still connect the concepts of risk and opportunity.

Different concepts, different approaches

Before we think about building a better model, it’s worth accepting the obvious – if risk and opportunity are fundamentally different, we shouldn’t expect them to be managed the same way.

Each of these concepts requires a different system of understanding, decision-making structure, and measurement approach. Here’s how the concepts typically differ in practice:

| Aspect | Risk Management | Opportunity Management |
|---|---|---|
| System focus | Loss minimization | Gain maximization |
| Key question | What could go wrong? | What could go right? |
| Typically overseen by | Chief Risk Officer, Chief Audit Executive | Chief Executive Officer, Chief Operating Officer |
| Approach | Controls, mitigation | Investment, enablement |
| Success measures | Reduced likelihood or impact of adverse events | ROI, market share, realization of strategic initiatives |
| Mindset | Cautious, prudent | Ambitious, innovative |

The attempt to lump risk and opportunity into one category risks applying the wrong tools, metrics, and mindsets to the wrong problem. This blurring of the lines can only leave stakeholders confused, complicate accountability and undermine effective decision-making.

Coexistence is Possible

Risk and opportunity require different tools and thinking, but we do not need to overcompensate by having largely divergent approaches. What we need is connection, through common decision-making structures.

Fortunately, we don’t need to reinvent the wheel. Several established decision-making approaches already support the simultaneous consideration of both positive and negative outcomes.

Scenario analysis, decision trees, and Monte Carlo simulations are just a few options. Their use makes it possible to explore the full range of outcomes associated with business decisions, both positive and negative, in a well established, structured way.

Scenario Analysis
I’ve found scenario analysis to be most useful where the level of uncertainty is high and where both positive and negative outcomes need to be considered.

With a well crafted scenario, decision makers are able to explore a range of probable futures while modelling different combinations of risk and opportunity.

More often than not, two or three related scenarios are presented for consideration. As an example, a financial services firm evaluating regional expansion might consider:

  • economic downturn with regulatory tightening,
  • stable growth with moderate competition, and
  • a tech-driven boom with low barriers to entry.

Each scenario can allow both threats (compliance costs, market saturation) and opportunities (increased market share, talent acquisition) to be explored.

Decision Trees
With a decision tree, branches represent choices and their consequences, both positive and negative. Decision trees provide a logical structure for evaluating decisions with multiple possible outcomes.

A user can trace how one event leads to another, assign probabilities and estimate the expected value of different paths.

In the example below, a company deciding whether to launch a new product can model two initial paths: launch or delay. If launched, the product could succeed (positive response), underperform (neutral response), or fail (negative response). We could further refine each path to include both associated costs (development, marketing) and benefits (revenue, brand growth), with probabilities and payoffs assigned, allowing us to calculate net expected value.

Example decision tree
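The launch-or-delay tree described above, carried through to a net expected value by rolling the tree back from the leaves. This is an added example, not code or figures from the original article: the node and function names (`Chance`, `Decision`, `net_payoff`, `expected_value`, `rank_options`) are my own, and every probability, cost and revenue figure is a constructed assumption stated in millions.

```python
"""Decision-tree rollback for a launch-or-delay decision.

Added example, not code from the original article. The tree mirrors the
product-launch case in the text (launch vs delay; success, underperform or
fail), but every probability, cost and revenue figure is a constructed
illustrative assumption, in millions.
"""
from dataclasses import dataclass
from typing import Union


@dataclass
class Chance:
    """Chance node: branches the decision maker does not control."""
    name: str
    outcomes: list  # (label, probability, child)


@dataclass
class Decision:
    """Decision node: branches the decision maker chooses between."""
    name: str
    options: list  # (label, child)


Node = Union[float, Chance, Decision]


def net_payoff(revenue: float, costs: dict) -> float:
    """Leaf value: benefits (revenue) minus the costs attached to that path."""
    return revenue - sum(costs.values())


def expected_value(node: Node) -> float:
    """Roll the tree back: a leaf returns its payoff, a chance node the
    probability-weighted average of its children, a decision node its best
    child (the rational choice at that point)."""
    if isinstance(node, (int, float)):
        return float(node)
    if isinstance(node, Chance):
        total_p = sum(p for _, p, _ in node.outcomes)
        if abs(total_p - 1.0) > 1e-9:
            raise ValueError(f"{node.name}: probabilities sum to {total_p}, not 1")
        return sum(p * expected_value(child) for _, p, child in node.outcomes)
    if isinstance(node, Decision):
        return max(expected_value(child) for _, child in node.options)
    raise TypeError(f"unsupported node type: {type(node).__name__}")


def rank_options(decision: Decision) -> list:
    """Every option with its expected value, best first."""
    ranked = [(label, expected_value(child)) for label, child in decision.options]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# Constructed example tree (assumed figures, in millions) -------------------
LAUNCH_COSTS = {"development": 2.0, "marketing": 1.0}
launch = Chance("market response", [
    ("success (positive response)", 0.4, net_payoff(8.0, LAUNCH_COSTS)),  # +5.0
    ("underperform (neutral)",      0.4, net_payoff(3.0, LAUNCH_COSTS)),  #  0.0
    ("fail (negative response)",    0.2, net_payoff(0.5, LAUNCH_COSTS)),  # -2.5
])
delay = Chance("market after delay", [
    ("market still open, launch later",    0.6, 2.0),
    ("competitor moves first, share lost", 0.4, -0.5),
])
LAUNCH_DECISION = Decision("launch or delay", [("launch", launch), ("delay", delay)])

if __name__ == "__main__":
    for label, ev in rank_options(LAUNCH_DECISION):
        print(f"{label:>7}: expected value {ev:+.2f}M")
    print(f"tree value: {expected_value(LAUNCH_DECISION):+.2f}M")
```

With these assumed figures the launch branch rolls back to +1.5M and the delay branch to +1.0M, so the tree favours launching even though the launch path carries a 20% chance of a 2.5M loss; the downside (risk) and the upside (opportunity) sit on the same branches and are weighed together rather than labelled as two kinds of risk.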

Monte Carlo Simulation
Monte Carlo simulations allow us to model thousands of possible outcomes in a way that makes it easier for us to understand the impact of uncertainty on decision making.

By repeatedly sampling from probability distributions, Monte Carlo simulations provide a sense of the most likely outcomes, as well as the entire range of possible results (both positive and negative).

If we were evaluating a cybersecurity investment, a Monte Carlo model could allow us to simulate the range of possible breach costs over a five-year period. Factoring in incident frequency, legal fees, recovery costs, etc., as well as the reduction in losses associated with various mitigants, allows us to model breach costs with more confidence.
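The five-year breach-cost simulation sketched above, as an added example rather than code from the article. Incidents per year are drawn from a Poisson distribution (frequency) and each incident's legal fees and recovery costs from lognormal distributions (magnitude), which follows the frequency-times-magnitude view of risk the text prefers. The function names, the hypothetical mitigant, its assumed 40% frequency reduction, its annual cost and all distribution parameters are constructed assumptions chosen to show the method, not real data.

```python
"""Monte Carlo simulation of breach costs over five years, with and without a
mitigant. Added example, not code from the original article. Every input
(incident frequency, loss-magnitude distributions, the mitigant's effect and
its cost) is a constructed assumption, not real data; the mitigant is hypothetical.
"""
import math
import random
import statistics


def poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) (Knuth's method; fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_losses(trials: int, years: int, events_per_year: float,
                    legal_median: float, legal_sigma: float,
                    recovery_median: float, recovery_sigma: float,
                    seed: int = 7) -> list:
    """One trial = one possible five-year future. Incidents per year are
    Poisson; each incident's legal fees and recovery costs are lognormal
    (right-skewed, heavy tail). Returns the total loss of every trial."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for _ in range(years):
            for _ in range(poisson(rng, events_per_year)):
                # lognormvariate takes the mean of log(X); passing log(median)
                # gives a distribution whose median is the stated figure.
                total += rng.lognormvariate(math.log(legal_median), legal_sigma)
                total += rng.lognormvariate(math.log(recovery_median), recovery_sigma)
        totals.append(total)
    return totals


def summarize(losses: list) -> dict:
    """Mean plus percentiles, so the whole range is visible, not only the average."""
    s = sorted(losses)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {"mean": statistics.fmean(s), "median": pct(0.5), "p90": pct(0.9),
            "p99": pct(0.99), "worst": s[-1]}


# Constructed assumptions (currency units) ----------------------------------
BASELINE = dict(years=5, events_per_year=0.6,
                legal_median=150_000, legal_sigma=0.8,
                recovery_median=100_000, recovery_sigma=1.0)
MITIGANT_FREQUENCY_REDUCTION = 0.4  # assumed: mitigant cuts incident frequency by 40%
MITIGANT_ANNUAL_COST = 60_000       # assumed: a certain cost, paid every year


def compare_mitigant(trials: int = 5000) -> dict:
    """Expected loss with and without the mitigant, and the net value of buying it."""
    baseline = summarize(simulate_losses(trials, **BASELINE))
    mitigated_params = dict(
        BASELINE,
        events_per_year=BASELINE["events_per_year"] * (1 - MITIGANT_FREQUENCY_REDUCTION),
    )
    mitigated = summarize(simulate_losses(trials, **mitigated_params))
    expected_saving = baseline["mean"] - mitigated["mean"]
    return {"baseline": baseline, "mitigated": mitigated,
            "expected_saving": expected_saving,
            "net_benefit": expected_saving - MITIGANT_ANNUAL_COST * BASELINE["years"]}


if __name__ == "__main__":
    r = compare_mitigant()
    for k in ("baseline", "mitigated"):
        print(k, {m: f"{v:,.0f}" for m, v in r[k].items()})
    print(f"expected saving {r['expected_saving']:,.0f}; net benefit {r['net_benefit']:,.0f}")
```

The comparison puts the certain cost of the investment (a negative) next to the uncertain reduction in loss (a positive) without calling either a "positive risk": the loss distribution is the risk, the net benefit is the opportunity, and the percentiles show that a mitigant that improves the mean can still leave a heavy tail that deserves its own attention.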

Embed by design

It’s important to remember that tools like scenario analysis, decision trees, and Monte Carlo simulations are only as useful as the data and insights that feed them and the processes they inform.

To ensure that risk and opportunity are routinely considered, we need to embed these tools into our day to day decision making structures, particularly for consequential choices.

The goal isn’t to create largely distinct processes for risk and opportunity assessment, but to accept that these are both key components of decision making.

We might choose to explore risk and opportunity in parallel at the onset or have different teams take responsibility for these areas, but ultimately the outputs of these processes should converge and attract equal attention if the goal is pursuing optimal outcomes.

Final thoughts

The concept of “positive risk” is fundamentally flawed. It deviates from the intuitive, widely held notion of risk as the potential for loss and opportunity as the potential for gain.

Popular standards support the concept; however, in practice, this leads to conflated ideas about risk, inefficient management of both risk and the pursuit of opportunity, poor decision making and loss of credibility.

Interestingly, we have positive risk, but not negative opportunity. This alone says a lot.

What we need is not rebranding or blurring of terms but conceptual clarity. This better sets us up to create decision making structures that treat risk and opportunity as distinct but interconnected elements. Appreciating the difference helps us to shift organizational culture towards smarter, more consistent, balanced decisions.

Footnotes

  1. https://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-cybersecurity-positive-risk/examples.html
  2. https://www.fairinstitute.org/blog/a-kobayashi-maru-exercise-for-iso31000-risk-analysis
  3. https://www.fairinstitute.org/blog/fair-terminology-101-risk-threat-event-frequency-and-vulnerability
  4. https://www.actuarialstandardsboard.org/asops/risk-evaluation-enterprise-risk-management/
