Its easy to read about the downside of risk management. What about the upside?
The attribution of a negative outcome to risk can be attributed to Frank Knight (1921) in Risk, Uncertainty, and Profit. Knight, and others, define risk as the potential of bad things happening.
This line of thinking has pervaded our thinking, literature, dictionaries, and practices.
So, who is looking at the possibility of good outcomes? If we call bad outcomes risks, what do we call good outcomes?
COSO (2018) in Enterprise Risk Management Integrating with Strategy and Performance recognized that “when risk is considered in the formulation of an organization’s strategy and business objectives, enterprise risk management helps to optimize outcomes”. COSO describes risks as potential events which can impact strategy. In this context, “bad things” only means events which are not consistent with the strategy.
ISO (2018) in ISO 31000:2018(en) Risk management — Guidelines defines risk as effect of uncertainty on objectives. An effect is a deviation from the expected. It can be positive, negative or both, and can address, create, or result in opportunities and threats. Objectives can have different aspects and categories and can be applied at different levels.
Almost 100 years later, we now have definitions that recognize that risk is the potential of outcomes that differ from our expectations.
Its time to change the way we think about risk management.
If your risk management program is only focused on the negative outcomes, then they are only doing half the job.