Businesses face risk all the time — and that’s OK. Even though the word “risk” typically has a negative connotation, the word actually can represent many situations, not just unfavorable ones.
According to ISO 31000, risk is the “effect of uncertainty on objectives.” Depending on the impact for the company or the affected project, risk can come in two types: positive and negative.
Negative risks are all those possible events that could harm an organization, where we seek to mitigate, prevent, or reduce the extent of that harm.
Positive risks, in contrast, are all those events beyond the company’s control that can help the company, and are generally exploited to reap the benefit to the project.
Enterprise risk management (ERM) is the set of risk management tools or methodologies that protect the company and its stakeholders while trying to meet the organization’s objectives. Risk assessments are developed to assure informed decision-making and effective risk responses.
Examples of Positive Risks in ERM
To distinguish between positive and negative risks, we can also call positive risks “opportunities.” There are examples of this type of risk in several areas of an organization, where a miscalculation may translate into potential benefits. Below are several common risks that can have positive effects:
One responsibility of a project manager is the creation and monitoring of the project budget, based on the estimated resources needed to achieve the project objectives.
Sometimes events happen during the project that can reduce total expenses. Or perhaps a miscalculation resulted in higher than necessary budget figures that could later be reduced.
These risks would positively affect the organization, considering that it’s much easier to redistribute unused resources than to cut other projects to meet overspending.
Assets & Investments
Many of the assets within a company have an estimated service life, which determines the worth of an object or property based on its ability to provide value over time.
When the actual useful life exceeds the estimated useful life, that is a positive development. The assessment was wrong, but the result was beneficial for the organization since it can take advantage of the asset longer without investing in a replacement.
When deploying certain technologies to facilitate tasks and reinforce areas within the company, the organization must consider the risks. Therefore, within the process of investigating and introducing new technologies, the potential risks (reputational, third-party, cybersecurity, and operational risks) are evaluated against the benefits they bring.
At the same time, there is an opportunity that technology and tools will be updated with enhanced functionality to drive efficiencies, mitigate negative risks, and improve communication.
These changes can directly benefit companies that can now take advantage of these new capabilities to increase productivity.
When introducing a new product, it is easier to perceive the relationship between positive risk and opportunity compared to other areas. As a company develops a new product or service, it assesses different factors, from its ideal customers to market needs — but in the end, it all comes down to market acceptance.
There is a risk that the good or service may not achieve the expected performance. Alternatively, the project’s success may exceed the organization’s expectations. This could result in problems with the organization’s ability to meet heightened demand for this product, but it’s generally a good problem to have and can deliver a benefit (with the proper risk controls in place).
Examples of Negative Risks in ERM
Negative risks are much more visible within an ERM program and are found even in the company’s daily operations. Also called “threats,” negative risks can be considered alongside positive risks:
Far more common than underspending on a project is overspending. That can result from an inadequate estimation of project costs and can jeopardize the achievement of project objectives.
The absence of action plans to deal with budget overspending is, in itself, a negative risk for the company. Improvising the allocation of resources to complete a project is always a messy endeavor; meanwhile, project interruptions or delays can be exponentially more costly than the original budget overrun.
Assets & Investments
When a particular tool, asset, or infrastructure fails earlier than expected, that can result in a partial or total stoppage of a production line. Production stoppages harm employee efficiency, customer satisfaction, and profitability, among other damage to the organization.
A wide variety of negative risks in the technology sector can interfere with the achievement of the company’s objectives. Many of them are invisible until they occur and cause damage of all sorts.
In the same way that there are updates that protect users of particular software, these updates can also create vulnerabilities if unnoticed by developers and users, with potentially enormous harm if they open a gateway for cybercriminals.
It’s always possible that a new product or service will not be attractive to customers and will consequently fail.
Therefore, regardless of the proposal or the investment in market research, having risk response strategies in case of the project’s failure or missing expectations is advisable since there is always a degree of residual risk that is unavoidable.
Managing Positive and Negative Risks
Positive and negative risks are two sides of the same coin, despite having very different consequences. It may seem counterintuitive to assess and monitor positive risks, since they only help the organization. Still, they provide a unique approach to risk analysis and the organization’s risk exposure.
When a positive risk materializes (as in the case of underspending or the underassessment of an asset’s lifespan) it indirectly represents a failure in risk management processes — which either failed to identify a human error or were not sufficiently accurate in their assessments.
Beyond the added value of monitoring positive risks, both types of risks have opposing risk management strategies that can be implemented in your risk management plan.
While a company avoids negative risks by delegating tasks or rejecting certain agreements with third parties, it exploits positive risks by taking actions to increase the chances of those uncertain events.
While positive risks are shared to capitalize on a positive impact that another branch can leverage, negative risks are transferred to others who are better suited to respond or mitigate the harm.
When a positive event occurs, the aim is to leverage its effects and take advantage of them as much as possible for the organization’s benefit. In contrast, in a negative event, there are strategies to mitigate the harm. In both cases, the risks that cannot be influenced or modified are accepted, from which an organization can learn for future occasions.
Minimize Negative Risks with ZenGRC
Assessing your risks, installing proper controls for managing risk, and collecting documentation at each stage may be intimidating and time-consuming if you try to do it all yourself and manage the requirements on a spreadsheet.
ZenGRC assists you in complying with a wide range of frameworks, including GDPR, CCPA, HIPAA, and others, through identifying vulnerabilities, assessing policies and processes, and ensuring tracking and other measures operate correctly.
It’s a governance, risk management, and compliance solution that can help you streamline and optimize your compliance activities by automating many of these time-consuming, manual processes.