What is it?
When considering the term “risk,” most people associate it with “What could go wrong?” While generally true and rooted in evolutionary cognitive bias, this is only part of the definition. According to ISO 31000, risk is the “effect of uncertainty on objectives”. Therefore, when we talk about risk, we should consider it as uncertainty that carries both hazard and opportunity.
So why are we concerned with risk? Isn’t that some corporate/bureaucratic exercise? To answer this, we need to appreciate the other side of the coin - trust - which is the opposite of risk. Therefore, the focus of Risk Management programs is ultimately to increase trust, including:
- The trust that customers have in our products, services, corporate behavior, etc. - which leads to higher revenue;
- The trust that the regulators have that we follow the rules - which reduces regulatory and market cost; and
- The trust our employees have in Atlassian - which leads to high morale and lower churn.
In a 2013 study conducted by the Boston Consulting Group, customers identified trustworthiness as one of the top qualities that would attract them to a brand.
Taking risks is part of life and we continuously assess risks against the benefits we enjoy by taking those risks. The risk profile of a company includes many different types of risks - financial, marketing, legal/regulatory, fraud, security, operational, etc. - that need to be balanced. The goal of the Enterprise Risk Management (ERM) program is to:
- Identify and analyze risks;
- Decide what actions should be taken;
- Operationalize the actions; and
- Report on the effectiveness of those actions.