People talk about a risk event as if it is obvious what it is and what it means.

COSO, an organization dedicated to providing frameworks and guidance on enterprise risk management, discusses the possible effect of an event on objectives. In common parlance we are talking about something happening that has an effect on the organization. (COSO thinks of risk as the possibility of that event occurring; ISO talks about risk as the effect of what might happen on objectives.)

Most often when people discuss a risk event, they are thinking of a negative effect, something harmful that is the consequence of the event.

Examples of so-called risk events include:

  • The passing of new regulations.
  • The loss of a key employee.
  • An earthquake, hurricane, flood, or other natural disaster.
  • A data center fire.
  • An intrusion by a hacker.

What this approach leaves out is the possibility that these events may have multiple effects or consequences, not just one, some of which might be positive.

Risk Doesn't Have to Be Negative

For example, a new regulation might mean sales are disrupted and additional costs incurred to bring a product into compliance. There is an increase in cash flow risk, revenue risk, customer satisfaction risk and compliance risk. But if the organization is sufficiently prepared and agile, it may be able to release a compliant product earlier than its competitors and gain market share. In fact, some competitors may not be able to adjust at all.

The loss of a key employee may be a risk to a project or other key activity, but it is also an opportunity to hire somebody with greater or different skills, making other things possible. It may even be an opportunity to reorganize for agility or efficiency.

The loss of a data center due to fire or flood may have multiple and diverse effects, but is also an opportunity to build a better one, financed by the insurance proceeds.

There are times when it may be to a company’s advantage to get new regulations passed, simply because they are better prepared to respond than their competitors. It also helps the company’s reputation to be seen as sensitive to the demands of the community — for example, by adding safety features.

All of this needs to be considered: the likelihood of an event, the range of potential consequences and the likelihood of each, how the organization can be prepared, and how advantage may be taken.

The other thing that gives me cause for concern is that events are not the only source of risk.

Decisions are a source of risk as well. The action taken following a decision, for example the decision to read this article, also has an effect.

But let’s come back to events.

Address the Effect, Not the Cause

Years ago, when I was a VP in IT, I was responsible for data center disaster recovery and corporate contingency planning. I learned that rather than building a plan for every event that could cause the data center to be out of commission, it was better to build a plan that addressed how to deal with the effect of those events.

In other words, we had a plan for the loss of a data center, rather than separate ones for loss due to fire, flood, and so on.

Similarly, many things can happen that might affect the achievement of an objective. Shouldn’t we have plans that address how we respond to the effect rather than to every event? If we are monitoring the likelihood of achieving an objective rather than simply the levels of individual risks, won’t that help the organization run the business to success?

What do you think?