Food, wine and debates about controls: just another Friday night for Protecht. But let’s back up a bit and look behind the curtains. Recently we released our Controls design and assurance course on Protecht Academy. A statement in the course resulted in a dinner debate: “Controls are only applied to downside”. But could they also be applied to upside?
In our collective experience, I’m not sure we have seen controls applied in this way. However, it seems perfectly plausible to think about controls for upside. At Protecht we already refer to controls as enablers, and for upside it certainly helps to think about them in this way, designed to exploit an opportunity.
If risks can be positive, why can’t controls?
The definition of control in ISO 31000 is “a measure that maintains or modifies risk”. Expanding the risk definition, it becomes “a measure that maintains or modifies the effect of uncertainty on objectives”. ISO 31000 also states that the uncertainty can have a positive or negative effect on objectives.
If controls over opportunities (that we couldn’t exploit if we weren’t prepared) improve the likelihood of achieving objectives, might management not also require assurance that those controls or enablers remain effective, not just the controls over downsides?
Consider a scenario where you operate in a saturated but highly competitive market, and your objective is to grow your market share. It is not uncommon for competitors in your market to fail or pivot out of the market quickly, sometimes engaging with their previous competitors to transition customer bases (the opportunity to grow your market share). Based on market conditions, you anticipate there is a 30% chance that one or more competitors will exit the market.
Let’s consider the common control types, and how they might be adapted for this scenario:
Reactive controls
Reactive controls in a negative context respond to risks to minimize the impact. For opportunity, this means maximizing the positive impact. You might consider:
- Having sufficient financial capital, human resources and internal capability in order to meet the transitional requirements if a competitor seeks to engage with you
- Having preferred arrangements in place with technology providers to expand existing technology capacity at speed
- Investing resources with technology providers in the industry that competitors use, to understand how to quickly adopt their technology and thereby enabling competitive positioning
These all allow you to respond faster (or at all) and maximize the impact if a competitor comes knocking.
Detective controls
Detective controls analyze information to detect risks through their life, triggering action if certain thresholds or criteria are met. This seems directly applicable to upside. For our scenario, if the first time you find out a competitor has left the market is from a media release where they have sold off their customer base to someone else, it’s too late and the opportunity no longer exists for you.
Following market trends, close associations with industry bodies or even maintaining relationships with some of those competitors (perhaps reciprocal business continuity arrangements) might put you in a position to detect some of these changes or be a preferred candidate.
Preventive controls
Preventive controls in a negative context prevent a risk from occurring closer to its root causes to reduce the likelihood of occurrence. So in a positive context, it should be to increase the likelihood of occurrence (separate from our ability to maximise impact of the opportunity). This becomes a bit stretched for our analogy – actively sabotaging your competitor isn’t something to endorse!
An alternative might be lobbying for regulatory change to open up a market that currently does not exist for you.
Assurance over opportunity
You could certainly argue that these controls meet the ISO definition of control, as they modify the uncertainty around objectives. In some circles, they might be considered options; the ability to participate in the opportunity if the conditions were right, with some opportunity cost involved (other benefits foregone).
One of the risk management processes generally related to controls is controls testing and assurance. Executive, board or other stakeholders require assurance that those controls – particularly key controls – remain effective. When I try and think about assurance for upside controls, there is immediate cognitive dissonance – but that might simply be because we are so entrenched that controls only manage downside.
What if investment in these upside controls is the most likely way management can achieve chosen objectives (assuming the cost of the controls do not significantly reduce the likelihood, of course)? In that context, they could be considered ‘key enablers’, and therefore subject to assurance.
This is likely to be more of a thought exercise than revolutionising upside controls – most of this strategic positioning is likely happening in organisations outside of risk frameworks, and there is criticism in some circles over whether definitions of risk should include upside at all. But it does highlight the risk/reward decision making that Protecht promotes. You can invest in these controls, but you need to consider the opportunity cost to do so.
Whether you call them upside controls, or perhaps consider it as part of related disciplines like decisions analysis or real options, the aim is to maximise the likelihood of achieving objectives while minimising unacceptable outcomes.
Next steps for your organization
Your internal control framework and individual controls are the front line in managing your risks, yet they are often misunderstood, neglected and operating inefficiently and ineffectively.
Our Controls design and assurance course is focused on providing a deep understanding of controls to enable optimally designed controls to be implemented to achieve maximum effect for minimum cost.
The class is delivered online on-demand using our Protecht Academy platform. Find out more and sign up now:
