In the realm of risk management, you sometimes hear the phrase ‘upside risk’. But what is upside risk? Is upside vs downside risk even a thing? In this blog we will explore this topic and consider:
- Common definitions of risk
- Why consider upside risk?
- Challenges in operationalising upside risk
What does upside risk really mean?
Risk is commonly thought of as negative. Let’s take a look at some common definitions.
ISO 31000 defines risk as “the effect of uncertainty on objectives”. That definition has the following sub-note: “An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats”. You can read the positive and negative here as upside and downside risk.
Let’s focus on objectives for a second. Objectives are usually further developed into SMART goals – ways to measure that the objective has been achieved, or enable tracking of progress. Risk only exists in relation to something we want to achieve. Downside risks (the common perception of risk) are events or conditions that would reduce the likelihood we will achieve those goals. So would an upside risk mean we are more likely to achieve them, or perhaps exceed them by an unexpected amount?
The sub-note also includes the word ‘opportunity’, and the phrase ‘opportunity risk’ sometimes gets thrown about as an alternative to upside risk. With limited formal definition, this term is also interpreted in different ways by laypeople. The two main interpretations are:
- Potential events that might occur with some probability that will improve results or performance
- Synonymous with ‘opportunity cost’. Seeking one opportunity means forgoing other opportunities that could have provided better results
Given these distinct differences and the lack of agreed terminology and definitions, if you do use these terms you will need to be clear with your stakeholders about what they mean in your context and how they are intended to be used.
Why consider upside risk?
Before we consider the why, maybe we should consider the who. Which stakeholders are promoting upside risk, whatever term you might use? Most likely it is risk managers or analysts. It’s probably not other stakeholders who don’t have risk in their title – though if your framework and processes aren’t linked to objectives, they might be wondering what the value is of participating in risk management processes.
There are three ways to consider upside risk:
- It’s already integrated into risk management, by virtue of linking to objectives
- You can identify specific opportunities or upsides that can arise that enhance objectives
- You can identify potential events or conditions that enable new objectives to be pursued
For #2, focus on the ‘unexpected’ opportunities. Let’s say you have a project to launch a product, and your timeline includes a third party who won’t be able to begin for a month due to prior commitments. They may have suggested they can start two weeks early if one of their other clients cancels, which happens 20% of the time. This could be captured as an opportunity to bring your project forward, which might result in an earlier product launch and revenue stream brought forward.
For #3, this can include tracking indicators to help identify potential changes to objectives. At higher levels of the organisation, this is similar to horizon scanning and can feed into strategic planning. An example might be developing a distribution partnership for one product, and identifying that the relationship manager has connections that can open up additional markets.
Challenges in operationalising upside risk
Upside risk or opportunity risk has some appeal to risk managers: it can help balance the view that they focus on the negative. But it can run into challenges when considering how to operationalise or standardise its use.
Firstly, many of the processes relating to risk management simply aren’t suited to slotting in upside risk. You could expand risk registers to include upside, but it can get messy and hard to interpret. You might capture incidents, but you rarely capture opportunities missed in the same way. Perhaps risk appetite could consider the amount of risk – both upside and downside – in pursuit of objectives, but I expect challenges in providing meaningful board reporting on whether you are operating within appetite. I explored controls assurance over upside risk in a separate blog – though my conclusion was that it was largely a thought exercise.
Secondly, and perhaps most importantly, you are simply going to be butting up against cultural barriers – most people think risk is bad or negative. Despite ISO 31000’s comments on positive deviations, even it isn’t consistent. The section on risk treatment suggests the following options (paraphrased):
- Avoid the risk
- Take more risk to increase the opportunity
- Remove the risk source
- Changing the likelihood
- Changing the consequences
- Sharing the risk
- Retaining/accepting the risk
While it uses ‘changing’ rather than ‘reducing’ the likelihood and consequences, there isn’t an option to provide new or more exposure to a risk source. While there is the (welcome) option to take more risk, saying ‘taking more upside risk to increase the opportunity’ is not likely to resonate with your stakeholders.
I’m going to refer back here to the relationship between uncertainty, risk and objectives. Risk requires some uncertainty, but uncertainty does not mean there is risk. I had a revenue target (measure of my objective), and mid-year presented a revenue forecast which included a range of possible outcomes. The worst-case forecast already exceeded targets. While there was uncertainty regarding the final revenue figure, there was no uncertainty as to whether the objective would be achieved. If I’d presented the best case as ‘upside risk’ I think it would have raised a few eyebrows.
Conclusions and next steps for your organisation
So should you consider upside risk? Ultimately, you and your stakeholders are (hopefully) aiming to achieve the same things: consistently and safely achieving your objectives. If leveraging upside risk as part of your process can help you do that, then you should. Regardless of whether you include upside risk, you need to ensure that risk and objectives are intrinsically linked.
Integrating upside risk into your framework isn’t about turning risk management into a guessing game: it’s about making sure you’re positioned to identify, track and leverage opportunities that support your objectives. But without a clear link between risk and strategy, it’s all too easy for risk management to become a disconnected process rather than a strategic asset.
That’s where Protecht ERM comes in. Our strategy and objectives module is designed to help you embed strategic alignment into every aspect of your risk management process. You can define objectives, track KPIs, link them to risks and KRIs, and generate comprehensive reports that show how uncertainty (positive or negative) is affecting your outcomes.