Part 2: Defining Risk and Opportunity

(For Part 1, click here.)

From the information you have derived from the COTO exercise, you now have a better understanding of the company, its stakeholders, internal and external issues of concern, and other factors which will build the framework for your thinking about risk.

You will also realize that because the information derived from the COTO exercise will be different for every company, the risks will also be different for every company. This means no auditor can tell you what your risks are. (Of course they are going to anyway, but you have to push back.) You decide which risks are going to be managed… no one else. This is explicitly hard-coded into the standard, which says:

6.1.1 When planning for the quality management system, the organization shall … determine the risks and opportunities that need to be addressed.

In the AS9100 scheme, which has had requirements for risk management since 2009, we have seen auditors come on site and try to dream up risks during the audit, and then play “gotcha” with the client. Despite being presented with formal risk registers, they will stroke their chin and muse on things you’ve missed: “well, did you think of whether or not a meteor will strike your HR manager on her way to work?” or “did you assess the risk of a zombie apocalypse?” Now, under 9001:2015, you get to tell them to STFU and look at the risks you’ve addressed, to stop auditing by fantasy, and for God’s sake, stop stroking their chin.

Re-Defining Risk and Opportunity

So the next step is to “determine” your risks. Unfortunately, we have another slight speedbump: ISO has completely mucked up traditional concepts of risk. The reasons for this are complicated and political, and not at all universally agreed upon. There are two camps: one that thinks “risk” is neutral, and thus can be either negative or positive (thus defying the dictionary), and the other that believes risk is solely negative. The “positive risk” crowd has won over the ISO Technical Management Board and the authors of ISO 31000 on risk management, but did not win over TC 176. In fact, the “positive risk” debate is one of the main sticking points for ISO 9001 ratification across the world.

Why does this matter? Wouldn’t it be nice to let ISO have their fight and watch from the sidelines? Well, this has a real-world impact on you right now. You see, normally you work to mitigate risk — meaning minimize it — because it’s bad. If you suddenly treat risk as “positive,” then you would want to maximize the possibility of the risk, right? But you can’t use the same tools to both minimize and maximize something at the same time. SWOT comes close, but other traditional tools like FMEA focus only on reducing risk, understanding that risk is inherently bad. Other tools might work to maximize opportunities (such as expanding business development leads), but these wouldn’t work for reducing negative risk.

The Silver Lining Theory

The “positive risk” camp tends to defend its view using what I have dubbed the “Silver Lining Theory” — this is where they paint risk as being positive only because there may be an accidental benefit of an otherwise disastrous thing. The example I often hear is the “hurricane” scenario: a hurricane is a bad thing because it causes damage. The “Silver Lining” crowd says that a hurricane is also positive, since the destruction it leaves behind becomes an opportunity for those in the construction industry.

The Silver Lining Theory fails when you try to apply it in a practical way. Remember, for negative risk we work to minimize the likelihood and severity; so companies must reduce the risks associated with hurricane damage by having business continuity plans in place, escape routes, shelters, data backups, etc.

Remember too that positive opportunities must be managed to increase their likelihood and maximize the benefits. However, those in the construction industry cannot increase the likelihood of a hurricane, and cannot maximize the damage (which to them is a benefit) unless they hire hordes of looters to tear the city apart, which they can rebuild later. Not a great business plan.

The best a construction company can do is plan to have additional resources ready (reconstruction teams, hardware, etc.) in the event there is damage they can repair. But that’s not the same as risk management, since mere planning does not increase either likelihood or severity. And, in fact, they may expend money to have those resources ready and have it all be for naught if the hurricane doesn’t make landfall at all. In which case, they’ve created a problem (now they’re broke) and not achieved any opportunity. Not to mention they need to do all of this while mitigating their own exposure to the damage of the hurricane, like making sure the people they have on standby don’t get killed themselves. None of this magically turns a hurricane into a good thing; it just tries to examine the “silver lining” behind an overwhelmingly bad thing.

(The most ghoulish explanation I’ve heard is related to cancer. A few “positive risk” advocates claim that cancer is good because it creates jobs. They ignore the fact that those jobs are seeking to eradicate cancer, an admission that cancer researchers never view cancer as an “opportunity” but as a risk that must be eliminated.)

A “pure” positive opportunity exists, first and foremost, as an opportunity; it is not an accidental positive side effect of a bad thing, it is inherently good to start with. For example, a positive opportunity might be that the government puts a $5 billion contract out for bid, and it’s something your company is qualified in. Another opportunity might be that you find $100 on the street, or prices drop on a critical raw material, or that nerdy engineer who works in the lab and smells like tuna fish accidentally invented antigravity. All these things are positive first; they may have hidden negatives (a “tarnished silver lining,” if you will) but they are primarily opportunities. You work to exploit them, not run from them.

The Uncertainty Battery

So what you have is the reality that uncertainty is neutral, while “risk” and “opportunity” are the negative and positive aspects of uncertainty. If you imagine a battery is, itself, neutral and only the poles have a charge, then you begin to understand the true nature of uncertainty:


So the Oxebridge view is that uncertainty is neutral; risk is the negative effect of uncertainty, and opportunity is the positive effect of uncertainty. This interpretation has the benefit of (a) complying with English dictionaries and (b) actually making sense. I strongly suggest you adopt this view to proceed, but if you do, you may need to indicate this in your QMS documentation somewhere. Auditors may come in and disagree, depending on which ISO school of thought they were trained in, but you get to define concepts for your QMS, not them.

The ISO 9000 Problem

An aside: some will say that ISO 9001 calls out the definitions in ISO 9000 as a “normative reference” which thus makes the definition of “risk” from ISO 9000 a mandatory requirement. This is not true, and you must be ready to defend yourself against this argument as well. Here are the talking points for your defense:

  • ISO 9000’s definition is not universally adopted within ISO itself, which has 40 different and often contradictory definitions of the term “risk”.
  • ISO 9000’s definition of “risk” has been viewed as controversial and may be changed or revoked, and you don’t want to hold your QMS hostage to something that could change easily.
  • ISO 9000’s definition of risk is impossible to implement in a practical way, since negative risks must be managed differently than positive opportunities, so the definition needed “tailoring”.
  • The tailored definition doesn’t inherently contradict ISO 9000’s definition anyway; it merely provides greater context.

As we will see, having this definition in place will become necessary to continue.

Continued in Part 3: RBT in Practice

Like this topic? Book Christopher Paris for a speaking event at your organization on Practical Implementation of Risk-Based Thinking. Click here for more details.