All of man’s activities is fraught with uncertainty and risk. When he undertakes something, he faces uncertainty and risk and loss. Even when he does not undertake anything new, but simply goes on with life as normal, he still faces uncertainty and risk and loss.
Therein lies the essence of risk management, to which man runs to, to seek an answer to his question: in the face of this uncertainty, what should we do?
Every company faces risks as it goes about its day-to-day operations.
A bank branch could find itself in the midst of a robbery. A fastfood restaurant could suddenly have a cook badly burned by an overturned pot filled with boiling water. A shipping company may have one of its ships boarded by pirates. A veterinary clinic may have one of its staff or customers bitten by a dog. A data centre may find the building it is located in collapsing due to an earthquake. These risks are called ‘Operations Risk’, or alternatively ‘Operational Risk’.
The types of operations risk a company faces depends heavily on its line of business, although the nature of risk is that it is often unexpected: the bank could suddenly discover that the pirates who boarded the ship in the above example are actually the bank’s customers. The shipping company may find its cook burned badly while preparing food.
Operations risk is different from the other types of risks that companies face. It is not credit risk, which is the risk related to debtors not paying the company. It is not strategic risk. It is not market risk. It is not reputation risk. Nevertheless, risks arising from operations can cascade into these types of risks. The revelation that a pirate has been hoarding its loot in your bank can rapidly discredit the bank (reputation risk).
There are two kinds of risk managers. There is the kind who think that risk management is about managing ‘negative’ risks. Then there are those who think that risk management should include managing ‘positive’ risks.
Briefly, a negative risk is a situation that has undesired impacts on our objectives, while a positive risk is a situation that could potentially have desirable impacts on our objectives. For the most part, risk management has been about managing negative risks. People buy fire insurance just in case their house burns down. Nobody buys insurance just in case their house doesn’t burn down.
Edmund Conrow and Robert Charette has an article in Defense AT&L critical of ‘Opportunity Management’ (PDF link) . The authors argue that Opportunity Management, or OM, is unnecessary, and will only bring in more trouble than benefits. The main argument Conrow & Charette make is that the standard processes of project management, risk management, and systems engineering, are enough to ensure that the project takes care of opportunities that present themselves in the course of the execution of the project. Therefore there is no need for a distinct OM.
Before I came across this article, I’ve already come across literature endorsing the inclusion into risk management the management of ‘upside risks’ (opportunities), but I’ve not come across any literature that purports to advance OM as aggresively as that suggested by Conrow and Charette’s article. The authors worry about OM IPT’s (Integrated Project Teams) running about looking for opportunities in a projects, and enveloping the whole project team with scope creep.
The Australia Risk Management Standard ANZ 4360:2004 indeed recommends management of positive risks. Chapman and Ward have also been proponents of this view for many years. But from what I understand of at least these two sources, the main idea is, as part of risk management, to be prepared in case it is the positive event, rather than the negative event that occurs. That is, to be prepared to take advantage of the situation.
