Managing Both Sides of Risk: Threat and Opportunity

Opportunities and threats are both uncertainties that matter

September 26, 2018 | Dr. David Hillson

opportunity and riskThe ability to manage risk effectively is recognized as an important contributor to business success, which is why it has become an essential part of the manager’s toolkit. Risk-based thinking is permeating the boardroom and discussions within executive committees as businesspeople grapple with how much risk to take in a given situation, how much risk is too much risk, and how to manage the risks they know about, as well as preparing for the ones they haven’t thought about yet. Management teams seek to set business strategy in ways that achieve their strategic goals while remaining flexible and resilient in the face of inevitable change.

In recent years, risk management has developed into an accepted discipline, applied broadly across a range of industry types and countries, with its own language, techniques and tools, and a growing body of literature devoted to the subject. The value of a proactive structured approach to managing uncertainty has been widely recognized, and many organizations are seeking to introduce risk processes in order to gain the promised benefits.

Although risk management is now a mature discipline, it continuously develops to meet the challenge of uncertainty in business. There is an accepted core understanding of risk management, but new directions are constantly being explored and a number of initiatives are underway to extend the boundaries of the subject. One key area of recent development is the inclusion of opportunity in the definition of risk, with a resulting broadening of the scope of the risk process to manage both upside and downside proactively.

Of course, common usage of the word “risk” sees only the downside. If you ask the proverbial “person in the street” if they would like to have a risk happen, they will nearly always say “no” because everyone knows that “risk is bad for you.” But professional bodies take a different view. The “ISO 31000:2018 Risk Management – Guidelines” standard defines risk as “effect of uncertainty on objectives,” with a note that clarifies “An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.” This double-sided concept of risk is reflected in a range of other professional risk standards and guidelines, stating clearly that risk includes both threats and opportunities, and risk management should address both in an integrated common approach. The goal of risk management is to optimize achievement of objectives by minimizing threats and maximizing opportunities.

There is no doubt that businesses, like everything else in life, are subject to uncertainty. It is also clear that some of that uncertainty might be harmful if it came to pass, whereas other uncertainties might assist in achieving our objectives. The issue is whether we could or should include both types of uncertainty in our definition of risk, and whether both could or should be handled by a common risk management process. Despite some continuing debate,the risk management community has moved decisively towards the inclusive position.

But does this matter? As Shakespeare wrote, “That which we call a rose, by any other name would smell as sweet.” It does matter, because encompassing both opportunities and threats within a single definition of risk is a clear statement of intent, recognizing that both are equally important influences over business success, and both need to be managed proactively. Opportunities and threats both involve uncertainty that has the potential to affect objectives, and both can be handled by the same process, although some modifications may be required to the standard risk management approach in order to deal effectively with opportunities. Typical process modifications might include the following:

  • Risk identification: Routine identification techniques such as brainstorming or checklists could be used for opportunity identification, but the habit of management teams to think negatively in such settings is hard to overcome. Techniques specifically focused on exposing opportunities can therefore be used, such as SWOT Analysis, Assumptions Analysis and Constraints Analysis.
  • Risk assessment: The standard Probability-Impact Matrix or risk heatmap could be used for both threats and opportunities, but this might lead to confusion. Use of a double-format “mirror” P-I Matrix is recommended, to rank threats and opportunities and separate them into priority zones for further attention.
  • Response strategies: The typical threat-focused strategies of avoidtransfer, or reduce/mitigate cannot be applied to opportunities, but positive equivalents can be developed, such as to exploit (aggressively capture the opportunity), share (involve another party in managing the opportunity in return for a gain-share), or enhance (increasing probability and/or impact to improve the opportunity).

There are definite advantages to handling both opportunities and threats using a common risk management process. There is no need to introduce a new process since the traditional threat-based approach can simply be adapted. There is clear synergy in extending the same process to cover both types of uncertainty – if the management team is already setting aside time and effort to deal with threats, they can use the same time to identify and proactively manage opportunities as well, and gain twice the benefit. Both efficiency and effectiveness will be enhanced, and the chances of success will be significantly improved when opportunities are identified and captured. The alternative is a failure to deal with opportunities proactively, which will guarantee that only half of the benefits of risk management can be achieved.

Risk management that focuses on proactively addressing both threats and opportunities will help businesses avoid problems and enhance benefits, and ensure that objectives are achieved in the best way possible. In this way, the position of risk management as a key contributor to business success will not only be maintained, but its importance will increase further, offering both value protection and value creation. The future will always be risky, and we need to explore and exploit opportunity wherever we can find it. Risk management can help!

  • facebook
  • twitter
  • linkedin
  • mix
  • reddit
  • email
  • print
  • About The Author
  • Website
  • Dr David Hillson HonFAPM PMI-Fellow FIRM CMgr FCMI

    Known globally as The Risk Doctor, David Hillson leads The Risk Doctor Partnership (, a global consultancy offering specialist risk services across the world.

    David has a reputation as an excellent speaker and presenter on risk. His talks blend thought-leadership with practical application, presented in an accessible style that combines clarity with humor, guided by the Risk Doctor motto: “Understand profoundly so you can explain simply”.

    He also writes widely on risk, with twelve major books, and over 100 professional papers. He publishes a regular Risk Doctor Briefing blog in seven languages to 10,000 followers, and has over 7,000 subscribers to the RiskDoctorVideo YouTube channel (

    David has advised leaders and organizations in over fifty countries around the world on how to create value from risk based on a mature approach to risk management, and his wisdom and insights are in high demand. He has also received many awards for his ground-breaking work in risk management over several decades.