You will hear some in the profession refer to “upside risk” and “downside risk”, or “positive risk” and “negative risk.” This can be confusing for the vast majority of people who think of risk solely in terms of loss from adverse events; it's a particular set of blinders in the cybersecurity field. A logically consistent way to think about risk is to understand that exposure to loss from adverse events comes about through two mechanisms:
- In the course of pursuing objectives (e.g., revenue growth through innovation) we introduce or increase the potential for adverse events. This exposure to loss due to the pursuit of gain can be thought of as “upside risk”. Depending on the balance between the potential for gain versus loss, taking on this type of risk is typically considered an unavoidable and responsible aspect of doing business.
- Exposure to loss that occurs existentially or outside of our control (i.e., not explicitly in the pursuit of an upside) can be thought of as “downside risk”. For example, changes in climate, privacy regulations, or cyber criminal activities may introduce or increase exposure to loss.
There are, however, those in the industry who subscribe to risk definitions that describe risk as being positive or negative. In other words, the potential for gain is “positive risk” and the potential for loss is “negative risk”. For example, the potential revenue gains from entering a new third-world market would represent “positive risk,” while the potential losses associated with security concerns in the third-world would represent “negative risk.” In theory, combining the “positive risk” with the “negative risk” would help an executive decide whether to enter the new market or not.
On the surface, this seems useful. After all, better-informed decisions are never a bad thing. The distinction between this and what I described above as “upside” and “downside” risk is also subtle. The distinction is critical, however, when it comes to measurement: in both “upside risk” and “downside risk” you’re measuring the potential for loss, while in “positive risk” and “negative risk” you’re measuring the potential for gains and losses. Furthermore, there are significant pragmatic difficulties associated with this notion of “positive” risk, including:
- The vast majority of people — including business executives — think of risk purely as exposure to loss. Adding “positive risk” to the conversation can create a lot of friction and confusion in terms of dialog and reporting.
- The vast majority of risk management professionals, policies, processes, and technologies focus on managing adverse events — i.e., loss. Re-engineering an entire professional discipline to include "positive risk" would be daunting, to say the least.
- It complicates the analysis process by forcing risk management professionals to measure the potential for gain as well as loss. Those of us who take risk measurement seriously would tell you that effectively measuring loss exposure is challenging enough as it is.
Enduring these difficulties would make perfect sense if including potential gains in the risk equation (i.e. “positive risk”) offered substantial improvements over the current state. A closer look suggests no meaningful improvements would result.
The intent that underlies the “positive/negative risk” paradigm is excellent: decision-makers need to understand the balance between the gains they’re pursuing and the losses they’re exposed to. Fortunately, the decision-making process in most organizations today already pays significant attention to the potential for gain (e.g., revenue projections). What has tended to be missing from decision-making is an expression of loss exposure in economic terms (thus the opportunity for FAIR to lend a hand). This being the case, providing a balanced perspective to decision-makers simply requires combining projected gains with economically expressed loss exposure through a well-established formula like Risk-Adjusted Return On Capital (RAROC), where Expected Returns are divided by Value at Risk (VaR). Trying to change the equation for risk itself to include the notion of "positive risk" is therefore unnecessary.
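To show how projected gains and an economically expressed loss exposure combine without redefining risk, here is an added example (not the author's code or a FAIR Institute tool) that simulates annual loss exposure from a loss event frequency and a loss magnitude, takes VaR from the resulting distribution, and divides the projected return by it. The input ranges, the triangular distributions, and the 95% confidence level are constructed assumptions for illustration.

```python
import random
import statistics


def simulate_annual_losses(lef, lm, trials=10_000, seed=1):
    """Monte Carlo annual loss exposure.

    lef: (min, most_likely, max) loss events per year (constructed assumption)
    lm:  (min, most_likely, max) loss per event in currency units (constructed)
    Returns one simulated total annual loss per trial.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        # draw how many loss events occur this year, then sum their magnitudes
        events = round(rng.triangular(lef[0], lef[2], lef[1]))
        total = sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(events))
        losses.append(total)
    return losses


def value_at_risk(losses, confidence=0.95):
    """Loss not exceeded in `confidence` of simulated years (empirical quantile)."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(confidence * len(ordered)))
    return ordered[idx]


def raroc(expected_return, var):
    """Risk-Adjusted Return On Capital: expected return divided by VaR."""
    if var <= 0:
        raise ValueError("VaR must be positive to compute RAROC")
    return expected_return / var


def market_entry_view(projected_return, lef, lm, confidence=0.95):
    """Balanced view for a decision-maker: gain, loss exposure, and their ratio."""
    losses = simulate_annual_losses(lef, lm)
    var = value_at_risk(losses, confidence)
    return {
        "projected_return": projected_return,
        "expected_annual_loss": statistics.mean(losses),
        "var": var,
        "raroc": raroc(projected_return, var),
    }


if __name__ == "__main__":
    # constructed scenario: 2 to 10 security loss events/year, 20k to 800k each
    view = market_entry_view(5_000_000, lef=(2, 4, 10), lm=(20_000, 80_000, 800_000))
    for key, value in view.items():
        print(f"{key}: {value:,.2f}")
```

The same loss-exposure model serves both sides of the comparison, so the decision hinges on the ratio rather than on a redefined risk term.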
At the end of the day...
...the difference between "upside risk" and "positive risk" is this:
- "Upside risk" (and "Downside risk") simply describe how loss exposure is introduced to an organization's risk landscape
- "Positive risk" tries to fundamentally redefine risk by adding the potential for gains to the risk equation
The objective of making certain that executives have a balanced view of potential gains versus potential losses can be achieved by simply evolving and improving loss exposure analysis and reporting. The disruption associated with adding potential gains to the risk equation as is suggested with the “positive/negative risk” paradigm complicates an already challenging landscape and is unnecessary.