Francesco De Cicco • According to ISO 31000 and ISO Guide
73, what is correct to say: "RISK and OPPORTUNITY" or "THREAT
and OPPORTUNITY"? Why?
Jacquetta Goy • I'm not sure which is correct, but we have just introduced a double
consequence table, and I've opted for 'threat and opportunity' for the scales.
This is largely because we use SWOT in our planning process so I think there is
a good transition, but also because if we use 'risk and opportunity' then it
reinforces the idea that risk is always negative, which would slightly defeat
the purpose of the exercise. Threat is also a widely used concept in
information security (including as I recall in ISO27005).
In practice I think that people are more inclined to think risk/opportunity so we'll see how things work out.
On a side note, has anyone come across a good (non dictionary) definition for opportunity? When I was building our risk lexicon I was surprised to find that this widely used word didn't appear to have any technical definitions.
Michel Rochette, FSA, MBA, PHD Student • Hi.
I used to use the term risk more often but now I tend to use Threats more often and Opportunities as well. Then, once better understood and with better knowledge about them, they may become risk to any organization once we can better assess their potential likelihood and impact/consequences/effects. Otherwise, they remain potential threats.
And I tend to relate the concept of Vulnerability to the ideas of Strengths and Weaknesses... For example, if a co has a lot of liquid capital - big strength - it is certainly less vulnerable to threats in general and more specific risks it may face and can take on more opportunities with better confidence.
Francesco De Cicco • Hi
Jacquetta. In fact, there is no "technical definition" for
Opportunity. The new ISO 22300:2012 - Societal security - Terminology - defines
Threat as "potential cause of an unwanted incident, which may result in
harm to individuals, a system or organization, the environment or the
community".
Considering that the "mirror" of Threat is Opportunity, I usually use the following definition for Opportunity: "potential cause of a wanted event, which may result in benefits to individuals, a system or organization, the environment or the community".
Jacquetta Goy • Thank you
Francesco, I'm glad to see you take that approach, as it is pretty much what I
have done too, and I hoped I hadn't just missed standard 'opportunity'
definitions. I used the definitions of threat from ISO27005 and M_o_R, combined
the meanings and converted them to language that I thought would work
internally.
We have
Threat: An unfavourable condition or situation, negative set of circumstances or possibility for negative change
Opportunity: A favourable condition or situation, positive set of circumstances, or possibility for positive change
Our criteria then relate to specifics (how the benefit or harm might impact on our goals).
Khanh Vuong • Based on the
above last two comments, where does one draw the line between risk management
and strategic planning initiatives within a firm, as far as organizational
structures and staffing and processes are concerned? Would the spill-over of
risk management into opportunity management work in reverse too, where the
strategic planning staff would address risk and how risk is managed within a
firm?
Jacquetta Goy • In my mind
these are both advisory services, providing structure and support for
management. The risk management team provides advice primarily on thinking
about risk, and the strategic planning team facilitates effective forward
planning. They should in these endeavours work very closely together regardless
of organisational structures.
In my own organisation right now I am providing ERM consultancy to the business planning process, and the planning people are advising me on how to present my desire for more ERM support as an organisational opportunity. Synergy in action :)
Francesco De Cicco • Hi
Jacquetta. Since the last edition of AS / NZS 4360 standard did not define
Opportunity, I created the following definition (in 2004):
Opportunity: aspect or condition, not necessarily associated with an event, in which there is perception of potential benefits.
Today I use the definition of Opportunity I mentioned before, because it is now "supported" by an international standard...
Have you created a "Sustainability" Matrix (i.e., a "mirror" of the Tolerability Matrix) for evaluating* risks arising from opportunities?
(*) I see such matrices only as a "big filter", but that's another story...
Khanh Vuong • Thanks
Jacquetta. Would you say that you would NOT be held accountable for missed or
mismanaged opportunities as part of your ERM responsibility, whereas the
strategic planning team would be held accountable? Is this the distinction
line?
Jacquetta Goy • Francesco
yes we have just implemented a double impact matrix, currently with the
traditional green-red for the 'bad to terrible side' and blue-purple for the
'OK to fantastic side'.
Khanh, I would indeed not be held accountable for missed opportunities, but then neither would the strategic planning team. We are both support functions and responsible primarily for facilitation. We would of course be accountable if we did a poor job, but the decisions about strategic direction belong to leadership and are not, I believe, delegatable, whilst operationalisation is generally a management or project management role.
WILLIAM GIFFORD • I
prefer THREAT ----- In my view inserting RISK on the other polar axis from
OPPORTUNITY turns the clock back on the risk management evolution process. It
is important that everyone sees and recognises the existence of upside risk.
RISK & OPPORTUNITY does the opposite by reinforcing negative, downside risk
management focus (this encourages mitigation, compliance and not a lot more).
Upside risk management thinking should support and add value to business
planning, implementation and offer continuous improvement of processes and
procedures in support of strategic goals.
Khanh Vuong • Jacquetta, I
meant to ask an (admittedly rhetorical) question whether or not the risk manager
would be held accountable for the facilitation function for missed
opportunities. Everyone within any organization can contribute his/her input
into any of the processes or projects, but if risk management has a mandate of
managing both risk and opportunities and the strategic planning team also has
the mandate of managing opportunities, then there is a redundancy. I am trying
to see if you might agree with me that there is not a blanket but rather a
conditional case for managing opportunities within risk management. That is if
opportunities arise from a risk event, rather than any and all opportunities.
Dr. Mirmohamad Rouzbeh • Considering
that ISO 31000 and related standards focus on "risk", it's only
natural to see its consequences as both threats & opportunities. However,
for those in business, risk is not always an end, but a necessity for many
reasons. A company has a mission, and formulates strategies, policies, and
objectives to exploit available opportunities in its sector activities. This
necessitates looking at risks associated with those opportunities as well. In
other words, we need to implement risk management, and perform risk analysis,
for the sake of better deploying opportunities. Maybe that's a reason behind
the decision for the ISO High Level Structure for all Management System
standards to look at "risks & opportunities" as a single
integrated concept. Of course we would look at "threats &
opportunities" when carrying out a SWOT analysis. However, we do it to
primarily find out what opportunities are available, and how we can best
exploit some of those opportunities. That may be difficult if we don't know
about the associated risks to be managed.
Sean Coleman • I
think MOST management teams in action are looking at the threats to the
business/organisation when engaging with RM. The opportunities are being
scanned at all times but not so the threats to the same extent.
Think of examples
Failure to leverage Green Image for company involved in forestry
There is an opportunity "leverage green image" with an implicit threat i.e. failure......
RM is about balancing the decision making process and in particular arming those making the decisions with the skills and knowledge to make the "right decision"
So in the example above the risk is defined and it has both threat and opportunity. If you like, the risk is in the middle.
