Gartner Blog Network

Manage risk up!

by Mark P. McDonald  |  September 10, 2010  |  2 Comments

Risk is a persistent issue in IT and it is based on the premise that you need to manage risk down, reducing it via various decisions, polices and investments.  CIOs and IT executives see lower risk as a good thing, particular as it comes to operational systems and investments.  That view defines risk as the potential for bad things to happen.  It establishes a mind set of inspect and protect that keeps IT in an operationally safe risk managed box.  The goal operationally is to manage risk down.

What if we were to turn it on its head and thing about managing up risk?

What is possible if we were willing to take on more risk in exchange for greater innovation and results?

How might that work

Here are some thoughts and a note.  This post is speculating about turning risk management on its head and therefore it provides numerous links to other thoughts, observations and resources that may be helpful in crafting a different approach to risk management

In financial terms risk is assessed based on the variance of potential returns. Using this view, risk is an exchange between unpredictability and results.  The more unpredictable, the greater the result I need to jump in.  The figure below provides a conceptual illustration of two choices.  One in gray has less variance and therefore is less risky and with a similar smaller rate of return.  The gray option can be thought of as a blue chip corporate bond – little fear of default.  The yellow option has more risk and a commensurate greater level of return – a high-risk bond or stock.


Now before you say, duh I took finance in school so I understand the investment trade off between risk and reward, please indulge me for another paragraph or two.

Operationally, we invest in eliminating the downside risks in order to protect ourselves and out companies.  That is shown conceptually in the figure below.  In doing so, we eliminate the downside and reduce the upside potential of our strategy and decision.  This is the world of last year + or – 10% planning – which is a sign of weak management.  We accept that approach because it is what we believe we can do.  It reflects the commitments we are comfortable making to each other and stakeholders.


Such an approach made sense when risk was essentially fear of the unknown.  We cannot know what is there or even if we are headed in that direction so we will invest in keeping loss at bay.  This is the domain of insuring and insulating yourself against loss at the cost of limiting your potential upside.

I wonder if it has to be that way in the future, particularly in an environment of increasing information, competition and change.  These and other factors create more uncertainty and volatility and therefore more risk.

Every enterprise will face greater risks whether they like it or not.  Those that do little to change their capacity for risk, will see less market opportunity in the future compared to those that recognize the need to match their capability and capacity in the face of a changing market – that mean managing risk up.

Managing up risk, entails having better information, assessing reality, preparing for all contingencies and investing in the ones at the extremes while actively managing my way through the middle part of the distribution.  This brings in Nicholas Taleb’s Black Swan into the strategy and risk equation at both extremes of the distribution.

Managing up risk would not entail throwing caution to the wind and taking the payroll money to Las Vegas.  Rather it leverages several realities that are just beginning to creep into management thinking about strategy and risk:

  • Outside information is flooding the marketplace and your company enabling it to know more about what is going on outside the company than every before.  Traditionally information was limited to what happened inside the company’s four walls and with less information you cannot see far, so you unnecessarily limit risk.  Increased business intelligence, informatics, social media and other information generating technologies mean that there will be more information always coming.
  • Analytics are getting more powerful and provide a way to see patterns in customer, market and operational behavior that shed light on the real risk profile and the commensurate opportunities and threats.  Analytics and modeling help transform the flood of information into a usable stream of intelligence that helps people make decisions.  This is one way that companies can compete on analytics.
  • Value chains and sourcing are extending beyond the company, enabling it to share operational risk with others and tap into world class capabilities in areas where the company knows less and therefore takes on more risk.  Managing up risk can leverage the knowledge, operational capability and flexibility created through extending the value chain into value networks.
  • Markets are fraking, requiring bolder value propositions and better ones better tuned to local markets.  Rather than facing a smooth demand curve, most companies are starting to realize that demand is fragmented, local, and frustratingly less predicable when you treat the market as a single homogenous set of customers.  This is why it is important to manage up risk because there are fewer and fewer ‘normal’ markets that can be addressed in traditional ways.

The capabilities exist for a new approach to risk management.  One that recognizes that you can take more risk when you have better information, insight and management capability, particularly relative to your competitors.  Those capabilities are coming online right now, requiring a new look at our mental models and approaches to risk management.

Companies like Best Buy, Capital One and even the Wall Street types who saw the global financial crisis coming all offer examples of managing up risk to one extent or another.  We will talk more about them in a latter post, as this one is getting long.

The difference between managing down risk and managing risk up is part of the difference between the front and back office view of the world.  Let me use an analogy to illustrate.

Think of a trapeze performance at a circus, which can involve using no net.  Trapeze athlete/performers working without a net do so because they have trained and prepared in order to reduce the risk of catastrophe.  They take away the net because they have the skill, practice and capability to take on a different risk profile.

Now think about how they use that profile – to attract attention and create tension in the audience.  By managing risk up, they increase the value of their performance.  That is the front office potential.  The back office reality is that both before and during the performance, the athlete/performer is constantly taking in information and making judgments to actively manage the best return for the situation that exists rather than just protecting themselves against potential loss

I am interested in your thoughts.  Is this a dumb idea, or is it something you are already doing?  If so how is it working and what can you share?

Category: innovation  leadership  strategic-planning  strategy  

Tags: 2011-planning  business-leadership  business-management  business-strategy  strategy-and-planning  

Mark P. McDonald
8 years at Gartner
24 years IT industry

Mark McDonald, Ph.D., is a former group vice president and head of research in Gartner Executive Programs. He is the co-author of The Social Organization with Anthony Bradley. Read Full Bio

Thoughts on Manage risk up!

  1. […] For further reading on managing risk, take a look at Gartner Analyst Mark McDonald’s thoughts on ‘Managing Risk Up’. […]

  2. […] managing risk, take a look at Gartner Analyst Mark McDonald’s thoughts on ‘Managing Risk Up’. Share this:TwitterFacebookLike this:LikeBe the first to like […]

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.