Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)
New website, new perspective: - Related articles - All articles - The author - Services

Positive Graphic

How to be positive about risk

by Matthew Leitch 4th August 2010

  • Identifies pitfalls when writing about risk and trying to present risk management in a more positive light.

  • Offers tactics for talking and writing about risk and risk taking.

  • Useful when writing policies about risk taking, including 'risk appetite'.

Please note

The author is available to help with work to evaluate existing arrangements for governing risk taking, design new tools and processes, write guidance on their use, review work done using them for lessons to learn, and to provide relevant individual technical tutoring and teletutoring.

The trend towards positive

Most published guides and policies on risk management portray risks as undesirable or redefine risk as including nice surprises as well as nasty ones and portray risks as being both. Very occasionally people have made the mistake of talking as if risk generally is a good thing in itself.

However, I have noticed that recently there has been an increased tendency to, occasionally, portray risk as inherently desirable or to say that particular risks that are clearly downside ones are desirable. This is still rare in published documents, but more common in internal documents such as policies on risk taking, and much more common in conversation. I think this is thanks to the blaze of interest in the treacherous but intriguing phrase 'risk appetite'.

Saying risk is good is odd because, for most people, 'risk' is obviously a bad thing, so why say it, and is there a better approach?

Why say it?

There are some sensible drivers behind the desire to say that risk is good:

While these motives may be understandable, it is rarely the best strategy to say something that obviously is not true. Surely there is a better way? But first, let's just confirm that risk really is bad and look at the problems that can result from saying it is good.

But isn't risk good?

No, it isn't. If you do not like an outcome, such as falling off a cliff, then you will not like the possibility of that outcome. Making something just a possibility rather than a certainty does not flip it from undesirable to desirable.

Risk is often something that goes along with rewards we want, but that does not make the risk itself good and we would still be interested in reducing it.

The best that can be said for risk is that, if you define it in particular, rather unusual ways, it can be positive in some situations. Here are the two definitions that I am aware of that have this property:

What is the problem with saying risk is good?

Saying something that people immediately know to be untrue can undermine your credibility, but the greatest worry about saying risk is good is that some people may actually believe you and act on it.

For example, imagine that a company's business is making loans to people to buy cars. In the past it has been able to charge higher interest rates on loans to people without jobs so it decides to do more of that kind of business in the next year. It tells its employees that it wants 5% of its loans to be to people without jobs. Taking the higher risk of lending to unemployed people has just become a target, in itself, not a limit on risky lending. What might happen if the company is struggling to make loans to unemployed people is that employees might start to think that making the loans cheaper for unemployed people is a way to solve the problem.

A better approach would have been for the company to set higher interest rates as a target and explain clearly that keeping bad debts low is important and '5% of total loans' is a maximum limit on loans to unemployed people. This is not perfect but at least it reduces the risk of people seeing risk taking as desirable in itself.

How to be positive without saying that risk is good

Here are some tactics to use, illustrated by examples of statements mistakenly positioning risk as 'good', with some explanation of the problems they could cause, and alternative wordings.

Tactic 1: Say what you really want people to do

Instead of saying people should take more risk, say what they should be doing that really is desirable, even though it involves taking risk, such as launching new products, tackling new markets, and trying new methods - in short, exploring.

Exhibit A: from Risk appetite - How hungry are you? by Richard Barfield of PricewaterhouseCoopers

"One of the more interesting internal challenges in financial services organisations, which often tend to be risk averse and conservative, is to ensure that business unit management is assuming sufficient risk!"

The implication is that these organizations should not be risk averse and that some business unit management teams need to take more risk. Presumably they should be doing their jobs in more risky ways. In truth they should remain risk averse, but perhaps not as averse as they have been, and those business unit management teams should do more to develop new products, trial new ways of working, and make investments that pay better than cash, among other things.

Exhibit A would have been better written as follows:

"One of the more interesting internal challenges in financial services organisations, which are often too strongly risk averse, is to ensure that business unit management does enough to develop new products, trial new ways of working, and find attractive new investments."

This version is more informative and does not give the reader that vague sense of unease that comes from reading something that does not make sense.

Tactic 2: Avoid 'risk appetite' and beware of 'risk attitude'

The phrase 'risk appetite' makes most people think of other appetites, which are for things we consider desirable such as food, drink, and sex. Use plainer, more self explanatory language instead and avoid this misleading metaphor.

Exhibit B: from the Walker review

(Source: A review of corporate governance in UK banks and other financial industry entities, Final recommendations, 26 November 2009. These sentences come from the section on 'risk appetite and tolerance', which is what the writer is trying to explain.)

"6.20 While the specific approach will plainly need to be adapted to the business scope and particular risk profile of the entity, differentiation will be needed between a level of risk that is actively sought and willingly borne such as credit risk (for a bank), market risk (in a trading book), and risks arising as a consequence of doing business and which the firm may wish to tolerate, limit or reduce through mitigating action (such as some types of counterparty risk, reputational risk that might be linked to miss-selling to retail clients), operational, legal and compliance risks."

The distinction between risks 'actively sought and willingly borne' and others the firm 'may wish to tolerate' gives the definite impression that the former type are good risks, and the latter bad. The unwary banker could be forgiven for thinking this means that risks taken through lending or buying securities are a good thing, so the more they take the better and efforts to cut those risks are wasted.

However, there is nothing positive about credit risk itself. If people don't pay back their loans or fail to pay the interest they owe then that is bad for the bank. Likewise, market risk is something banks should be averse to. There is nothing inherently good about these risks, even though the commercial activities give rise to them directly.

A better way to write that sentence would have been:

"6.20 While the specific approach needs to be adapted to the business scope and risk profile of the entity, differentiation will be needed between risks arising as a direct result of commercial activities, such as credit risk (for a bank) and market risk (in a trading book), and risks arising from being in business, such as operational, legal and compliance risks."

In this version the implication that some risks are good ones to be happily taken is removed along with the grammatical mistakes. It does not solve the problem of finding examples that make sense. Surely some operational risks are generated by processing each loan or market trade?

Exhibit C: From Thinking about your risk - Setting and communicating your risk appetite, by unnamed authors at HM Treasury

"1.2 The board will have an appetite for some types of risk and an aversion for others."

Again the phrase 'risk appetite' has led to a statement that makes risk into something desirable. (Strictly speaking, the approach to risk management promoted by HM Treasury says that risks are nice surprises as well as nasty ones, so the statement about having an appetite for some risks could reasonably apply to those nice surprises. However, the examples given in the same document are entirely in terms of nasty surprises. Indeed, using the methods of the examples shown there is no way to assess a nice surprise.)

Exhibit C would have been better as:

"1.2 The board should have a view as to the level to which each risk should be managed, taking into account factors such as the size of the risk and the scope for, and cost of, risk responses."

The problem with 'risk attitude' is that it drags in three terms: 'risk averse', 'risk neutral', and 'risk seeking'. These come from some theorising about why people see losses of a given amount of money as more important than gains of the same amount. They rely on a particular definition of risk as the spread of possible returns. In this theory it is taken as obvious that people do not like risk in the usual sense of 'bad things that might happen'.

Unfortunately, having said 'risk attitude' we feel almost compelled to explain that it can be risk averse, risk neutral, or risk seeking, even though the usual interpretation of risk means that every sane person is risk averse.

Tactic 3: Say risk management is good, not risk

Instead of saying that risk is good, say that managing risk skillfully is good. For example, you could say that risk management is the skill of doing dangerous things safely.

Exhibit D: from Risk appetite - The strategic balancing act, by unnamed authors at Ernst & Young

"After all, risks are the source of profit. The board should therefore ask itself: 'What are our three most profitable risks?'"

In this version of reality the things people do to make money have been confused with the risks run as a result. Does taking risk produce profits? Would you make more money by doing things in a more risky way? Surely it has more to do with providing goods and services that people value and doing it better than your competition. What has happened here is that what we should require has become confused with what we can expect. Specifically, the fact that we should require profit to compensate for bearing risk has become an assertion that bearing risk will bring profit. Given the context of exhibit D, a better version would have been.

"After all, better management of risk is a source of profit. The board should therefore ask itself: 'What are the three activities where our superior management of risk provides the greatest profit?'"

Tactic 4: Focus on the uncertainty

If you want to position 'risk management' as being less of a pessimistic exercise then avoid the word 'risk' and use uncertainty instead. For example, you can say:

"The methods that, today, are still referred to as 'risk' management are in fact focused on managing uncertainty. They involve opening our minds to more possible futures and asking, 'What would we do if...' Some of those futures would be welcome, some unwelcome, and many are a mixture or just different."

Exhibit E: The risk approach to strategic management in development NGOs, by Ricardo Wilson-Grau

"Risk is inherent to life. The future is always uncertain and the outcomes of events unpredictable. Furthermore, for development NGOs, risks cannot be avoided and indeed must be embraced. Innovation for human development requires risk-taking. Commonly, risk is thought of as something negative, as the danger of something undesirable occurring. That is too limited. Risk is also positive; there is an upside and a downside. A development organisation must dare to succeed and dare to fail."

This typical attempt to redefine 'risk' for the reader has all the cliches. Risk is positive too. Risks must be embraced. Innovation requires risk taking. The problem is just that most readers already have an idea of what 'risk' means and it's bad. This re-write shows the improvement that is possible by switching to 'uncertainty'.

"Uncertainty is inherent to life. The future is always uncertain and the outcomes of events unpredictable. Furthermore, for development NGOs, uncertainty cannot be avoided and indeed we can rarely afford to delay action until certainty is achieved. Innovation for human development involves doing things whose outcome is uncertain and ranges from dismal failure to astounding success, with most innovations providing some useful learning whatever the outcome. A development organisation must be willing and able to experience failures in its search for successes."


Risk management is good, especially if it includes potential nice surprises as well as nasty ones, but we need to be very careful when talking about 'risk' and remember that for most people it isn't good, by definition. There are also some logical mistakes it is easy to make, particularly if the phrases 'risk appetite' and 'risk attitude' are used.

Take care, and use the tactics suggested in this article.

© 2010 Matthew Leitch
New website, new perspective: - Related articles - All articles - The author - Services

If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days. Contact details

Matthew Leitch - Author

About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website,, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher). more

Please share:            Share on Tumblr