How to integrate an opportunity mindset into your enterprise risk framework

Risk leaders in our network understand the importance of upside risk. But finding a way to formally integrate an opportunity mindset into their enterprise risk framework can be challenging.

Four ways to apply an opportunity lens to principal and emerging risks

Download peer insights

According to practitioners, there is a lack of awareness in the business about the role that risk teams can play in helping them take risks to realise opportunities.

Also, there is an absence of a broad and repeatable assessment methodology for upside risk, which may encourage organisations to focus their attention elsewhere.

So, how do risk leaders work with the business to not only embrace opportunities, but formalise this? At a recent collaboration between CROs, facilitated by Risk Leadership Network, one of our members explained the 7 steps they followed to help the business shift its mindset and begin to apply upside analysis.

1. Acknowledge that risk is "neutral"

Risk can pose threats or opportunities. It simply exists as a possibility of an event or outcome. In other words, risk is neutral.

Yet, at the same time, there is a bias at many organisations towards defining risk as something the business needs to stop from happening.

To counteract this assumption, the member explained that they have tried to adopt terminology such as "opportunities" and "challenges", instead of "risks". Other organisations in our network use "uncertainties" as alternative language for risks.

2. Align risk with strategic objectives

There is a tendency to include anything (and everything) on a risk register, yet most risks don't genuinely impact the achievement of strategic objectives."

Risk Leadership Network member

CRO, ASX organisation

One of the best ways to shift the mindset of the business is to evaluate risks according to their potential impact on strategic objectives, whether positive or negative.

This creates a different focus to simply rating and ranking the materiality of risks in isolation via a likelihood and consequence matrix.

In this light, 'opportunity' can be considered as part of the continuum of strategy, embraced by leaders as a valuable input to decision-making, rather than a discrete piece of risk work.

3. Use appetite to integrate threat and opportunity

Risk appetite statements usually include a range of definitions (i.e., from averse to opportunity seeking), naturally paving the way for businesses to take a more integrated approach to threat and opportunity. According to the member presenting their approach, you just need to apply a framework to your analysis.

They created two distinct matrices for this purpose:

• A threat matrix, which mirrors the impact descriptions from the appetite statements to help leadership categorise threats on a scale from negligible to catastrophic.
• An opportunity matrix, which helps to assess transformation potential, scaling from temporary short-term gains to long-term impacts.

4. Analyse to take action

When you do have a risk event you wish to lean into, you want to ask two main things: what needs to go right for us to leverage it, and what can go wrong?"

Risk Leadership Network member

CRO, ASX organisation

It's more important for organisations to identify risk events, whether positive or negative, rather than their underlying causes. This distinction can help focus action plans that make a difference.

5. Promote risk-based decision-making

An integrated approach to threat and opportunity can help the business to see that many risks will fall into both categories — threat and opportunity. This can be dependent on how quickly they are realised.

By using threat and opportunity matrices in tandem, as described above, it's easier for executives to understand that they have the ability to influence outcomes.

For example, they may be able to discern that leaning into a certain risk will help convert it into an opportunity faster. This supports a business case to prioritise resources there, instead of defaulting to threat protection.

6. Make the most of use cases

Once your approach is established, our member recommends testing it to "solve a problem" and build a bank of use cases.

At their organisation, they used threat and opportunity tables to help executives assess threats and opportunities associated with a significant ICT investment, which ultimately resulted in a multi-million-dollar saving and better service coverage.

This is where I got the most leverage because it helped them solve a problem. If I'd gone to them without a problem to solve, they wouldn't have been interested in the method."

Risk Leadership Network member

CRO, ASX organisation

Spend your initial time understanding what everyone's problems are, and this will give you an insight into where you can ultimately get bang for your buck.

7. Find opportunity "champions"

Another method of getting the board's attention is to identify champions who can advocate for your method and speak on the risk team's behalf when you're not in the room.

These are often the people who have seen the benefits of the use cases first hand. By contrast, don't waste time on people who can't see the value.

What's next?

Fundamentally, business leaders should understand this concept: when you're analysing your objectives and scanning your environment, don't just look at what can go wrong. Also look at the opportunities, then articulate and lean into them.

If you are striving to introduce upside risk in your organisation, and would like to validate your approach with peers, we can facilitate collaboration with risk leaders who have gone through a similar journey.

Find out more about membership:

• Take a look at how membership works
• Get a snapshot of our members
• See how we've supported our members in our case studies
• Watch a 2-minute video about the most valuable part of our service - bespoke assistance. 

If you would like to find out how we can support you with a specific challenge or priority you're facing, please book an introductory call.