Enterprise Risk Management: Don’t forget Opportunity Management

Risk Management gets a great deal of discussion, but most of the discussion is focused on preventing or avoiding risk.   There is another very important dimension to the risk discussion -Opportunity - but first, we need to sort out a few issues:

• Enterprise, Business, or Strategic Risk Management is very different than Process or Reporting risk management for financial reporting and other process reporting. 

• Process and reporting risk management is almost entirely about avoiding mistakes or negative impact.

• Enterprise, Business, or Strategic Risk Management looks at the major issues that could derail your business; BUT it also has an OPPORTUNITY side – looking at the major issues that could grow your business…..And ensuring your business is TAKING the risks necessary to explore and find those opportunities.

The Opportunity side of risk management gets much, much less discussion….look at the title “risk” management….I would argue the term should be “Risk and Opportunity” Management, especially at an enterprise level.   Organizations don’t grow and don’t succeed over the long run if they don’t seize opportunities and take the risks to find and adapt to changing needs, customers, technologies, markets, etc.  

“Risk Appetite” is a commonly used term.  The idea is that a business decides how much risk it can accept, prevent, or take.  It is commonly tied to spending on programs such as internal audit, cyber security, insurance, etc. – preventative steps.   It is equally important to decide how much opportunity a company will pursue – is enough being spent on marketing, is the sales force large enough, is the R&D pipeline in good shape, are our resources (tangible and intangible) capable enough, are enough new products and services being developed, etc.?  

It is important to ensure there are controls to monitor and contingency plans to address both risks and opportunities.   Again, these controls and contingency plans often focus on stopping a bad event – a cyber-attack, bad publicity, a product or service that doesn’t achieve its target sales.  

BUT how often do businesses plan for runaway success of a or service?  Such as,  where to get the additional capacity quickly, how to incent a customer to wait, etc.  How often have you heard an internal auditor say something like – Marketing is not taking enough risk to meet our goals and risk appetite?  Or Sales needs a larger sales force to have a chance at making our growth target? Or R&D or Development is underspending to develop new product or service concepts?  The failure to seize an opportunity can result in forgone revenue and profits that no one will ever notice….certainly not on any organizational financial statements or reports.

PACE is very different within the Accounting Universe.  Revenue Management is a key part of our analytic and modeling concepts.  PACE recognizes that pursuit and management of opportunity is the critical business driver.

What's your view on how effectively Opportunity is managed as part of an Enterprise Risk Management program?