
Changing risk management to include the upside of risk
What should change and how?

by Matthew Leitch, 4 March 2003.

Is the "upside" of risk real?
Defining risk management and the upside
What has to change and how?
- finding risks
- writing risks
- rating risks
- managing risks
- names
- the overall objective of risk management
Conclusion - the upside is real and more important than it may seem

Is the "upside" of risk real?

The first time I read about the "upside" of risk I thought it was just marketing puff from consultants. Perhaps it was, but now it is real and important.

Most non-financial risk management has been concerned with bad things that might happen unexpectedly. However, many now believe risk management should also include good things that might happen unexpectedly. On the Dynamic Management homepage I ran a small poll in early 2003 asking visitors this question:

Should risk management concern itself with unexpectedly favourable outcomes (opportunities) as well as unexpectedly unfavourable outcomes (hazards)?

90% of respondents wanted to include opportunities. Bearing in mind that this is not usually done at present (except in financial risk management, and even there the focus is mostly negative) this is an astonishing level of agreement. (Respondents were mostly risk management professionals.)

This web page looks at the precise meaning of "upside" and analyses how typical risk management procedures have to change to incorporate it. The final conclusion is surprisingly important.

Defining risk management and the upside

The upside of risk has often been written about in a confusing and vague way. Sometimes it seems we are just being asked to think of risk as a "good thing"; sometimes the upside risk seems to be that we will achieve our objective (an odd choice); and sometimes it is suggested that risk is good because it necessarily brings reward (probably a misunderstanding of the capital asset pricing model).

None of this is very helpful, but if we go back to the basics of risk management we can see that there are two parts to the upside of risk.

Risk management is a thought process where we think about, and try to manage through advance action, possible future outcomes other than some benchmark outcome (usually the one we expect, are planning for, or think is the proper outcome). An upside risk is an outcome better than the benchmark, while a downside risk is an outcome that is worse than the benchmark.

For example, if you lend money to someone the natural choice of benchmark outcome is that they will pay you back, but there is a risk that they won't. In this case the risk is a bad thing, and there is no outcome better than the benchmark outcome. The only risk is a downside one, though a different choice of benchmark could change this.

Other situations have a more obvious upside. Suppose a company launches a new product and makes plans for production based on an estimate of sales in the first three months. The natural benchmark level is the estimate made and used for planning, but there is a risk of lower sales and a risk of higher sales. The risk of lower sales is the downside, while the risk of higher sales is the upside.

However, this is only one aspect of the upside of risk. If we think about the impact of a risk in more detail there are usually some effects that are favourable and some that are unfavourable. Analysing in this way is important for managing risks because we want to promote the positive effects but reduce the negative effects. Favourable effects of a risk are another type of upside.

For example, suppose sales of the new product are lower than expected. Overall, that is probably a bad thing, but within this there are helpful effects such as the reduced need for purchases and a greater flexibility to adjust the product and brand if early results are poor.

Economic recession is usually a bad thing overall but there are some good aspects to it that some companies manage to exploit.

To avoid confusion, the term "upside risk" can be reserved for some event that is, overall, positive in its impact relative to the benchmark, while the term "upside effect" refers to a positive effect of a risk occurring (which may be one of many and also be offset by negative effects).

What has to change and how?

How should risk management procedures and techniques change to incorporate these upside concepts? There are a number of changes:

Finding risks

Some ways of finding risks tend to prevent upside risks being included. If many of the risks in your analysis are "Failure to achieve X" where X is some business objective then no upside risks will arise for these items.

Methods of identifying risks that work from high level areas of uncertainty down to specific risks will tend to make the upside easy to find.

Writing risks

In many companies a method of finding risks has been used that can find upside risks, but at the last moment the upside has been filtered out. This is easily corrected. For example, if you have written "Risk of losing market share" you can either add "Risk of gaining market share", or put "Risks of unexpected market share" instead.

Rating risks

Giving meaningful ratings to risks to show their importance is a surprisingly complex problem and the full solution is beyond the scope of this discussion. It is made more difficult by the fact that most items on corporate risk registers are not individual risks, but sets of risks, sometimes infinite sets.

The key difference that the upside makes to rating is that you have to be very clear about what is being used as the benchmark level. Is it the forecast, the plan, or some other level considered to be the proper benchmark?

Managing risks

The traditional approach to mitigation is to search for actions that will:

However, risks have both positive and negative effects, and some risks are, overall, positive and to be encouraged. Therefore, the revised approach is to search for actions that will:


Names

It may be that the word "risk" is so closely linked to hazards that it would be better to use some other name. Two alternatives are emerging. One is to talk about "risk and opportunity" management. Another is to talk about "uncertainty management".

The word "opportunity" is quite apt for something unexpected that happens that is good for us. However, asking people in a workshop to think of opportunities tends to produce a lot of current opportunities (i.e. things we can do now because of good things that have already happened) rather than identifying opportunities that could arise in the future.

This is a similar mistake to confusing "issues" (the bad thing has happened) with "risks" (it could happen), which is something else that people often do in workshops.

The overall objective of risk management

In traditional risk management all risks are negative, and the best that can happen is that you achieve your original objectives. In other words, risk management is seen as a method for achieving your original objectives come what may.

However, the reality is that things do sometimes turn out better than we expected. What should we do? Ignore it and carry on after the original objectives without a moment's thought? Or think again to see if we can now raise our sights and exploit our good fortune? Obviously, the latter, though this contradicts one of the most basic assumptions of the management-by-target/budget philosophy inherent in most approaches to management control.

Risk management that includes the upside moves from being a method of achieving one's original objectives come what may to being a method for opening minds to the full range of potential future outcomes/events.

It opens the door to a fast-moving, more flexible approach to dealing with future uncertainty and responding to current events. For more on this read "A new approach to management control: Dynamic Management".

Conclusion - the upside is real and more important than it may seem

Incorporating the "upside" in risk management is not just a matter of changing some headings in the risk register. Just about every aspect of the process and techniques needs to be reviewed and revised, and the end result is an approach to managing uncertainty that provides an alternative to the more familiar approach of control-by-target-and-variances.

About the author: Matthew Leitch's interests include risk and uncertainty management, cognitive psychology, mathematics, internal control systems, design, the internet, and human knowledge. He is a Chartered Accountant with a BSc in psychology from University College London. Until very recently he worked as a consultant in risk management and systems for a leading professional services firm. He pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. However, this web site is not connected in any way with his former employer nor are the views expressed here connected with the views of that organisation.

Contact the author at: matthew@dynamicmanagement.me.uk

Words © 2003 Matthew Leitch
