December 28, 2016
A New Paradigm for Risk Management?
The focus is shifting to “opportunities” and the “potential positive effects” of risk, and only thereafter on “negative effects.”
The final draft version of the King IV Report on Corporate Governance in South Africa 2016 places a different focus on the governance and management of risk. It now states that:
“The governing body should assume responsibility for the governance of risk by setting the direction for how risk should be approached and addressed in the organization. Risk governance should encompass both:
- the opportunities and associated risks to be considered when developing strategy; and
- the potential positive and negative effects of the same risk on the achievement of organizational objectives.”
The focus is now firstly on “opportunities” and the “potential positive effects” and only thereafter on “negative effects.” The major change in focus, however, is the requirement in paragraph A, where it is stated that opportunities (firstly) and risks should be considered when developing strategy. It is implied that the opportunities referred to are the opportunities brought about by the development of the organization’s strategy. These opportunities can be viewed as “stand-alone” opportunities, or opportunities that were identified without first identifying the risk. This requirement is different from the requirement in the next paragraph, where the positive and negative effects of the same risk should be dealt with.
The difference in accent is more apparent when the definition of risk contained in King IV is examined. It states that, “Risk is about the uncertainty of events; including their likelihood of occurring and their effect, both positive and negative, on the achievement of the organization’s objectives. Risk includes uncertainties with a potential positive effect on the organization (i.e. opportunities) not being captured or not materializing.” This definition of risk clearly highlights “uncertainties with a potential positive effect.”
Although all commonly used risk definitions, from COSO 2004 to ISO 31000/2009, as well as King III, referred to opportunity or the upside of risk, the concept of risk was generally viewed as something negative, or as the potential downside of a future occurrence. What exacerbated this misconception was the view that risk and opportunity were opposites. Many documents, including King II, stated that “enterprise is the undertaking of risk for reward,” implying that the greater the risk, the greater the reward. In other words, if everything went well, you had great reward, but if things went badly, you had great risk. This led to the mistaken belief that opportunity is merely the “upside of a downside risk.” This belief assumed that risk and opportunity are inextricably linked. It is now apparent that this notion is not true. It is entirely possible to reduce risk while improving returns. In fact, to survive in today’s world, it is not only possible but essential.
Traditionally, risks were classified and managed in three broad categories, namely hazard risks (so-called pure risks like fires, natural catastrophes, violent attacks, etc.); financial risks (bad debt, currency, interest rates, etc.); and operating risks (IT system failures, supplier interruptions, etc.). The opportunities attached to these risks can be described as reducing the impacts of the downsides, also known as the “silver-lining” opportunities. In other words, every dark cloud (risk) has a silver lining (opportunity) attached to it. Often the opportunities are the exact opposite of the downside risk, viewed as the two sides of the same coin. A good example may be a rise in interest rates, which may be a risk to some people, while being an opportunity to others.
However, when one looks at the King IV definition of risk it is apparent that the achievement of the organization’s objectives is the key element. The key objective of any organization can never only be the avoidance of loss or harm, but must be the optimization of its strategic objectives. This is confirmed by the adage that “a risk is not only a bad thing happening, it is also a good thing not happening.”
Any future uncertainty, which can be opportunity, risk or both, can be classified into four broad categories, namely:
- Future possible event (Stochastic Uncertainty). This refers to an event that has not happened, and it may not happen at all. However, if it does, it will have an impact on the organization. Most identified risks are like this and include events like new developments, a supplier going out of business, law changes, disasters and the like.
- Variability (Aleatoric Uncertainty). Some aspect of a task or project is uncertain and may include timing uncertainties, budget variability and the like.
- Ambiguity (Epistemic Uncertainty). This uncertainty stems from lack of knowledge or understanding of a situation, condition or event. This may include matters like market conditions, competitor capability and the like.
- Blind Spots (Ontological Uncertainty). This uncertainty exists outside of normal knowledge and experience frameworks and is therefore not seen or expected – the so-called “black swans,” emergent or emerging risks and blind spots.
The traditional method of identification of opportunities as part of the risk assessment process, where the upside of a downside risk is identified, can be viewed as “passive opportunity identification.” These identified opportunities are mostly the direct opposites of the identified risks and fit in well with the view that higher reward requires higher risk – the “two different sides of the same coin” principle. It must be stressed, however, that this method of opportunity identification remains a key component of risk and opportunity management and that it remains important to have it done. Examples of these kinds of opportunities are items such as interest rate movements, exchange rate fluctuations, margin squeeze and the like. In short, it can be described as “risk including opportunity.”
King IV, on the other hand, now requires the governing bodies of organizations to ensure that “active opportunity identification” is conducted. These are the stand-alone opportunities that are not necessarily aligned with any downside risk. These would be the opportunities that the organization needs to pursue to enable it to achieve its strategic objectives. Custodians of this process would normally be the office of the CEO, the strategy director or the research and development department. The opportunity identification and assessment process would be distinctly different, and separate, from the risk assessment process that organizations are currently conducting in terms of King III.
Reporting of the opportunities that are the result of the identification process would be different as well. These reports would not fit the mold of the typical risk report, with likelihood and impact indications, as these metrics are mostly irrelevant to opportunities. The target audience of the report would be different, as the information surrounding potential opportunities is by its very nature confidential and not for wider consumption.
The key aspect in the risk assessment process that needs careful consideration when conducting opportunity management is that of “appetite and tolerance.” When downside risks are considered in isolation, determining and calculating risk appetite and risk tolerance levels is foundational to the process. These levels refer not only to financial metrics (gearing, debt levels, cash, etc.) but also to non-financial metrics (level of injuries, negative press, etc.) and are mostly absolute downside risk limits beyond which the organization is not willing or able to venture. These risk limits do not reference opportunity, and the only upside apparent in appetite and tolerance levels would be when those limits are not reached or breached. When dealing with stand-alone opportunities, the organization would determine or calculate what downside limit it is prepared or able to endure to achieve a particular opportunity.
Although the identification and management of opportunities may not be the responsibility of an organization’s risk department, the latter has a role to play and can add significant value to the process. As a result of the methodologies and techniques at its disposal, and as a result of the knowledge and experience of its personnel, the risk department may be able to assist in the process to identify opportunities, may be able to assist in the documenting and evidencing of the results of this process and may be able to assist in the monitoring of the results.