| Key Takeaways |
| A positive risk is an uncertain event or condition that, if it occurs, would have a beneficial effect on one or more objectives. ISO 31000:2018 defines risk as “the effect of uncertainty on objectives,” explicitly encompassing both downside threats and upside opportunities. COSO ERM 2017 Principle 13 includes “pursue” as a risk response option alongside accept, avoid, reduce, and share. |
| Most organizations manage only downside risk. Risk registers are filled with threats, and the response toolkit defaults to avoid, reduce, transfer, or accept. Upside opportunities are identified informally (if at all) and lack the same structured identification, analysis, evaluation, and treatment discipline applied to threats. This asymmetry leaves value on the table. |
| The four response strategies for positive risk are: Exploit (ensure the opportunity is realized), Enhance (increase the probability or impact of the opportunity), Share (allocate opportunity ownership to a party best positioned to capture it), and Accept (be ready to capitalize if the opportunity materializes, but take no proactive action). |
| Positive risks exist across all enterprise risk categories: strategic (new market entry), operational (process efficiency gains), financial (favorable interest rate movements), technological (disruptive innovation adoption), compliance (regulatory change opening new products), and reputational (brand-enhancing events). |
| The opportunity register is the counterpart to the risk register. Both use the same lifecycle: identify, analyze, evaluate, treat, monitor. Both use likelihood-impact scoring. The difference is that positive risk scoring measures the probability and magnitude of benefit rather than harm, and the response strategies aim to maximize capture rather than minimize loss. |
| Integrating positive risk into ERM creates a balanced risk profile that shows the board both the threats to strategy and the opportunities strategy could exploit. Organizations that present only downside risk to the board encourage risk-averse decision-making. Organizations that present both sides enable risk-informed decision-making. |
| A 90-day roadmap adds opportunity management to the existing ERM framework without building a separate system. |
ISO 31000:2018 defines risk as “the effect of uncertainty on objectives.” That definition is deliberately bilateral: uncertainty can push outcomes below objectives (threats) or above objectives (opportunities). Both directions qualify as risk.
Both deserve the same structured management discipline. Yet most enterprise risk management programs focus almost exclusively on the downside. Risk registers catalogue threats. Heat maps show red zones of potential loss. Board risk reports highlight what could go wrong.
This asymmetry has consequences. Organizations that manage only threats become risk-averse by default. Every strategic decision is filtered through “what could go wrong” without equal weight given to “what could go right.”
The COSO ERM framework (2017) addresses this directly: Principle 13 includes “pursue” as a legitimate risk response, recognizing that some risks should be actively sought because their upside potential exceeds the cost and downside exposure.
COSO’s shift from the 2004 “COSO Cube” to the 2017 “Integrating with Strategy and Performance” model explicitly positions risk management as a value-creation activity, not just a loss-prevention exercise.
This guide provides the framework for managing positive risk within ERM: how to identify upside opportunities across all risk categories, how to score them using the same likelihood-impact methodology applied to threats, how to select the right response strategy (exploit, enhance, share, or accept), and how to integrate opportunity management into the existing risk management life cycle without building a separate system.
Defining Positive Risk: Threats, Opportunities, and the Bilateral Nature of Risk
The concept of positive risk often creates confusion because the phrase sounds contradictory. “Risk” is colloquially associated with danger, loss, and harm. In enterprise risk management, however, risk has a precise technical definition. The table below clarifies the terminology.
| Term | Definition | Example |
| Risk (ISO 31000) | The effect of uncertainty on objectives. This includes both positive effects (opportunities) and negative effects (threats). | Uncertainty about customer adoption of a new product could result in higher-than-expected sales (positive) or lower-than-expected sales (negative). |
| Threat (Negative Risk) | An uncertain event or condition that, if it occurs, has a negative effect on one or more objectives. Threats reduce value, create losses, delay timelines, or damage reputation. | A key supplier goes bankrupt, causing production delays and $5M in lost revenue. |
| Opportunity (Positive Risk) | An uncertain event or condition that, if it occurs, has a positive effect on one or more objectives. Opportunities create value, generate savings, accelerate timelines, or enhance reputation. | A competitor exits the market, creating a $20M addressable market share opportunity. |
| Risk Event | The specific occurrence that triggers either a threat or an opportunity. The same event can create both simultaneously (e.g., regulatory change creates compliance risk and product opportunity). | New data privacy regulation increases compliance costs (threat) but creates demand for privacy consulting services the organization can sell (opportunity). |
| Risk Response (Threat) | Avoid, Reduce (likelihood or consequence), Share/Transfer, Accept. | Purchase insurance to transfer financial impact of a natural disaster. |
| Risk Response (Opportunity) | Exploit, Enhance, Share, Accept. | Acquire the competitor’s customer list to exploit the market share opportunity created by their exit. |
The bilateral definition of risk is not new. ISO 31000 has included it since the 2009 edition. COSO ERM 2017 explicitly addresses opportunities through the “pursue” response in Principle 13.
The PMI’s PMBOK Guide (7th Edition) dedicates equal treatment to threats and opportunities in the risk management knowledge area. The challenge is not definitional; the challenge is operational.
Most organizations have risk registers full of threats and empty of opportunities because their identification workshops, scoring tools, and reporting templates were designed for downside risk only.
Positive Risk Across Six Enterprise Risk Categories
Upside opportunities exist in every risk category. The table below provides examples of positive risks across the six standard enterprise risk categories, showing that opportunity management is not limited to strategic or financial risks.
| Category | Positive Risk Example | Potential Upside | Probability Factors | How to Detect It |
| Strategic | A major competitor exits a geographic market, creating an immediate customer acquisition opportunity. | $15-25M in accessible revenue from displaced customers. Market share increase of 8-12% within 18 months. | Competitor financial health indicators. Industry consolidation trends. Regulatory pressure on competitors. | Competitive intelligence monitoring. Industry analyst reports. Customer feedback indicating competitor dissatisfaction. |
| Operational | A process improvement initiative yields greater efficiency gains than the business case projected. | 30% reduction in processing time vs. 15% projected. $2M annual cost savings above the original $1M estimate. | Pilot results exceeding projections. Staff adoption rate higher than planned. Technology performing above specifications. | Process performance metrics. Pilot program KPIs. Continuous improvement team reports. |
| Financial | Interest rate movements create a refinancing opportunity that reduces debt servicing costs below budget. | $3M annual interest savings on a $200M debt portfolio. Improved debt-to-equity ratio strengthening credit rating. | Central bank policy signals. Yield curve movements. Credit spread compression in the organization’s sector. | Treasury monitoring of interest rate environment. Relationship with investment banks providing rate movement alerts. |
| Technological | An emerging technology (AI, automation, blockchain) matures faster than expected, enabling capabilities the organization planned for 2027 to be deployed in 2025. | Two-year acceleration of digital transformation roadmap. First-mover advantage in customer experience or operational efficiency. | Technology maturity assessments. Vendor roadmap updates. Peer adoption signals from industry conferences. | Technology horizon scanning. CTO/CIO participation in industry forums. Proof-of-concept results from R&D team. |
| Compliance / Regulatory | New regulation creates a product or service opportunity (e.g., mandatory ESG reporting creates demand for ESG advisory services the organization can offer). | New revenue stream: $5-10M in consulting or advisory services. Brand positioning as a compliance leader. | Legislative pipeline monitoring. Regulatory consultation papers. Industry lobbying group intelligence. | Regulatory affairs team tracking upcoming legislation. Product development team assessing market gaps created by new requirements. |
| Reputational | A high-profile corporate social responsibility initiative generates unexpectedly positive media coverage and customer sentiment. | Brand value increase measurable through NPS improvement, social sentiment, and media share of voice. Employee pride and retention improvement. | Quality and authenticity of the initiative. Media interest in the topic. Social media amplification potential. | Media monitoring. Social listening tools. Customer feedback channels. Employee engagement pulse surveys. |
Four Response Strategies for Positive Risk
Just as negative risks have four standard responses (avoid, reduce, transfer, accept), positive risks have four responses designed to maximize the probability and impact of upside outcomes.
The table below compares each positive risk response with its negative risk counterpart to show the mirror-image relationship.
| Positive Response | Negative Counterpart | What It Does | When to Use | Example |
| Exploit | Avoid | Takes deliberate action to ensure the opportunity is realized. Eliminates the uncertainty by making the positive outcome certain. | The opportunity is high-value and the organization has the capability to guarantee its capture. The cost of exploitation is justified by the expected return. | A competitor exits the market. Exploit: immediately launch a targeted marketing campaign to the competitor’s customer base, offering migration incentives. Make the customer acquisition certain. |
| Enhance | Reduce (Likelihood) | Increases the probability that the opportunity will occur, or increases the magnitude of benefit if it does occur. Does not guarantee the outcome but improves the odds. | The opportunity is attractive but uncertain. Actions can be taken to increase the likelihood or magnify the payoff at reasonable cost. | Process improvement pilot shows 30% efficiency gain vs. 15% projected. Enhance: expand the pilot to three additional business units, increasing the scope of benefit. Invest in additional training to maximize adoption. |
| Share | Transfer / Share | Allocates part or all of the opportunity to a third party better positioned to capture it, in exchange for a share of the benefit (revenue sharing, joint venture, strategic partnership). | The organization lacks the capability, resources, or market access to capture the opportunity alone. A partner can amplify the outcome. | New regulation creates demand for ESG advisory services. Share: form a joint venture with an ESG consulting firm, combining domain expertise with client access. Share revenue 60/40. |
| Accept | Accept | Acknowledges the opportunity and is ready to take advantage if it materializes, but takes no proactive action to increase its probability. The organization monitors the opportunity and responds when conditions are right. | The opportunity is low-probability, the cost of proactive action exceeds the expected benefit, or the organization is not ready to act. The opportunity is documented and monitored. | Interest rate environment may create a refinancing window. Accept: monitor rates monthly. If the window opens (rates drop 75 bps below current), trigger the refinancing process. No upfront cost. |
Every opportunity response should be documented with the same rigor as a threat response: opportunity ID, description, response strategy, owner, budget (if applicable), timeline, expected benefit, and KRI triggers that indicate whether the opportunity window is opening or closing. Without this documentation, opportunity management reverts to ad hoc decision-making.
Scoring Positive Risks: The Opportunity Heat Map
Positive risks are scored using the same likelihood-impact framework as negative risks, but with two modifications.
The impact scale measures magnitude of benefit (not loss), and the priority action is to maximize capture (not minimize damage). The tables below provide the 5×5 opportunity scoring matrix and the priority bands that map each score to a recommended response and reporting line.
| Likelihood / Benefit | 1 – Minimal | 2 – Minor | 3 – Moderate | 4 – Significant | 5 – Transformational |
| 5 – Almost Certain (>90%) | 5 | 10 | 15 | 20 | 25 |
| 4 – Likely (60-90%) | 4 | 8 | 12 | 16 | 20 |
| 3 – Possible (30-60%) | 3 | 6 | 9 | 12 | 15 |
| 2 – Unlikely (10-30%) | 2 | 4 | 6 | 8 | 10 |
| 1 – Rare (<10%) | 1 | 2 | 3 | 4 | 5 |

| Score Range | Priority | Recommended Response | Board Reporting |
| 20-25 | Priority 1: Exploit | Assign dedicated resources. Build a capture plan with owner, budget, and timeline. Exploit or Enhance response required. Report to the board as a strategic opportunity. | Include in the quarterly board risk report under “Strategic Opportunities.” Request board endorsement for resource allocation. |
| 12-19 | Priority 2: Enhance | Increase the probability or impact through targeted actions. Assign an owner. Monitor monthly. Consider Share response if partnership amplifies the outcome. | Include in the management risk report. Escalate to the board if resource requirements exceed management authority. |
| 6-11 | Priority 3: Share or Accept | Monitor the opportunity. Take action if conditions improve (likelihood increases or benefit becomes clearer). Consider sharing with a partner to reduce investment while maintaining upside. | Include in the opportunity register. Report to the board annually as part of the comprehensive risk assessment. |
| 1-5 | Priority 4: Accept | Document in the opportunity register. Monitor passively. No proactive investment justified at current probability and benefit levels. | No specific board reporting. Include in the aggregate opportunity register count. |
The opportunity heat map should be presented alongside the threat heat map in every board risk report.
A board that sees only red zones (high-severity threats) without corresponding green zones (high-value opportunities) will make risk-averse decisions that protect value but fail to create it.
The balanced presentation supports risk-informed decision-making that weighs both sides of uncertainty.
Worked Example: Managing a Positive Risk Through the Full Life Cycle
| Step | Activity | Output |
| 1. Identify | During the annual strategic risk assessment workshop, the competitive intelligence team reports that Competitor X has been losing market share for three consecutive quarters, their CEO resigned, and industry analysts predict a possible exit from the EMEA market within 12 months. The workshop captures this as a positive risk: “Competitor X exits the EMEA market, creating a $20M addressable revenue opportunity from displaced customers.” | Opportunity ID: OPP-2025-003 entered in the opportunity register. Category: Strategic. Owner: VP Sales, EMEA. Current probability: Possible (3). Potential benefit: Significant (4). Score: 12 (Priority 2: Enhance). |
| 2. Analyze | The sales team conducts a detailed analysis. Competitor X serves approximately 800 enterprise customers in EMEA. Average contract value: $25K. Estimated capture rate if the organization acts quickly: 30-40% (240-320 customers). Revenue opportunity: $6M-$8M in Year 1, growing to $15-20M by Year 3 as relationships deepen and cross-selling expands. | Quantitative analysis: P50 revenue impact: $7M Year 1. P95 (best case with aggressive pursuit): $12M Year 1. Investment required for capture campaign: $1.5M (marketing, sales team expansion, onboarding infrastructure). |
| 3. Evaluate | Compare the opportunity against the organization’s strategic risk appetite. The appetite statement says: “Moderate appetite for strategic growth risk in existing markets.” EMEA is an existing market. The $1.5M investment is within management’s authority. The opportunity score of 12 places it in Priority 2 (Enhance). However, if the competitor confirms its exit, the probability increases to Likely (4), raising the score to 16 (Priority 2, approaching Priority 1). | Decision: Enhance now. Prepare the capture campaign so it can launch within 2 weeks of confirmed competitor exit. If exit is confirmed, escalate to Exploit and request board endorsement for an expanded $3M investment. |
| 4. Respond | Enhance response: (a) Sales team develops a targeted value proposition for Competitor X’s customer segments. (b) Marketing creates campaign materials and digital assets. (c) Customer success team designs an accelerated onboarding program. (d) Finance models the revenue and margin impact for the board pack. Total preparation cost: $150K. The organization is ready to launch within 48 hours of confirmed competitor exit. | Enhance action plan documented: Owner (VP Sales EMEA), preparation budget ($150K), trigger condition (competitor exit announced), escalation to Exploit (board approval for $3M investment within 5 business days of trigger). |
| 5. Monitor | Monthly KRIs tracked: (a) Competitor X share price (leading indicator of exit likelihood). (b) Competitor X customer satisfaction reports from industry analysts. (c) Competitor X employee departures (LinkedIn tracking). (d) Industry analyst commentary on Competitor X’s strategic direction. Quarter 2: Competitor X announces restructuring and sale of EMEA business unit to a private equity firm. Probability updated to Likely (4). Score: 16. Response escalated from Enhance to Exploit. | Exploit activated: Board approves $3M capture investment. Campaign launches on Day 1 of competitor transition announcement. Sales team contacts 500 of Competitor X’s 800 EMEA customers within 30 days. Quarter 3 results: 180 customers acquired. $4.5M in contracted revenue. Full-year forecast revised to $8M. |
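The life cycle above reduced to a scoring and monitoring routine, as an added example that is not the article's own tooling or any ERM product's code: it scores an opportunity on the 5×5 matrix, assigns the priority band, and escalates the response only upward when a KRI trigger fires (the Enhance to Exploit step for OPP-2025-003). Field names, the trigger rules and the second register item (OPP-2025-007) are assumptions.

```python
"""Opportunity register scoring with KRI-driven escalation (added example,
not the article's or any ERM product's code; fields and triggers assumed)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Response strategies in escalation order. A trigger only moves a response
# up this list; stepping down is left to the quarterly human review.
RESPONSES = ("Accept", "Share", "Enhance", "Exploit")

# Score bands from the page's priority table: (low, high, label, default).
PRIORITY_BANDS = (
    (20, 25, "Priority 1", "Exploit"),
    (12, 19, "Priority 2", "Enhance"),
    (6, 11, "Priority 3", "Accept"),   # page says "Share or Accept"
    (1, 5, "Priority 4", "Accept"),
)

def matrix_score(likelihood: int, benefit: int) -> int:
    """Cell of the 5x5 matrix; both axes must be 1..5."""
    for name, v in (("likelihood", likelihood), ("benefit", benefit)):
        if not 1 <= v <= 5:
            raise ValueError(f"{name} must be 1..5, got {v}")
    return likelihood * benefit

def priority(score: int) -> Tuple[str, str]:
    """Map a score to (priority label, default response strategy)."""
    for low, high, label, default in PRIORITY_BANDS:
        if low <= score <= high:
            return label, default
    raise ValueError(f"score {score} is outside 1..25")

@dataclass
class KriTrigger:
    """KRI threshold that re-rates likelihood once crossed; escalate_to forces
    a response (the Enhance -> Exploit step), None lets the score band decide."""
    kri: str
    threshold: float
    new_likelihood: int
    escalate_to: Optional[str] = None

@dataclass
class Opportunity:
    opp_id: str
    description: str
    owner: str
    likelihood: int
    benefit: int
    triggers: List[KriTrigger] = field(default_factory=list)
    response: str = ""   # defaults to the band's response when left empty

    def __post_init__(self) -> None:
        if not self.response:
            self.response = priority(self.score)[1]

    @property
    def score(self) -> int:
        return matrix_score(self.likelihood, self.benefit)

    def observe(self, kri: str, value: float) -> bool:
        """Apply one monthly KRI reading; return True if a trigger fired."""
        fired = False
        for t in self.triggers:
            if t.kri != kri or value < t.threshold:
                continue
            self.likelihood = max(self.likelihood, t.new_likelihood)
            target = t.escalate_to or priority(self.score)[1]
            if RESPONSES.index(target) > RESPONSES.index(self.response):
                self.response = target
            fired = True
        return fired

def board_report(register: List[Opportunity]) -> list:
    """Priority 1 and 2 items, highest score first; Priority 3 and 4 stay in
    the register per the page's reporting rules."""
    rows = [(o.opp_id, o.score, priority(o.score)[0], o.response, o.owner)
            for o in register if o.score >= 12]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def build_sample_register() -> List[Opportunity]:
    """Constructed register: the page's OPP-2025-003 plus an assumed item."""
    competitor = Opportunity(
        "OPP-2025-003", "Competitor X exits EMEA; $20M displaced revenue",
        "VP Sales EMEA", likelihood=3, benefit=4,
        triggers=[KriTrigger("competitor_exit_announced", 1, 4, "Exploit")])
    refinance = Opportunity(
        "OPP-2025-007", "Rate drop of 75 bps opens a refinancing window",
        "Treasurer", likelihood=2, benefit=3,
        triggers=[KriTrigger("rate_drop_bps", 75, 4)])
    return [competitor, refinance]
```

Calling `observe("competitor_exit_announced", 1)` on the first item reproduces the Quarter 2 update in the table: likelihood 4, score 16, response escalated to Exploit.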
Integrating Positive Risk Into the Existing ERM Framework
Opportunity management does not require a separate framework. The existing risk management life cycle (identify, analyze, evaluate, treat, monitor) applies equally to threats and opportunities. The table below shows the integration points.
| ERM Component | How Threats Are Managed | How to Add Opportunities |
| Risk Register | Contains identified threats with descriptions, owners, scores, treatments, and monitoring status. | Add an “Opportunity Register” tab or section. Use the same fields: ID, description (cause-event-benefit structure), owner, likelihood, impact (benefit), score, response strategy, KRIs. |
| Risk Identification Workshops | Facilitator asks: “What could go wrong?” Participants identify threats to objectives. | Add a second prompt: “What could go better than planned? What external changes could create value?” Dedicate 20-30 minutes of each workshop to opportunity identification. |
| Risk Scoring Matrix | 5×5 matrix with likelihood and negative impact. Heat map shows red (high threat) to green (low threat). | Add a mirror 5×5 opportunity matrix with likelihood and positive impact (benefit). Opportunity heat map shows green (high opportunity) to grey (low opportunity). |
| Board Risk Report | One-page heat map showing top threats. Narrative explains risk movements. Decisions requested for threat treatment. | Add a second page: opportunity heat map showing top opportunities. Narrative explains opportunity movements. Decisions requested for opportunity exploitation (resource allocation, partnership approval, market entry). |
| Risk Appetite Statement | Defines how much downside risk the organization accepts across risk categories. | Add an “opportunity appetite” dimension: how much investment the organization is willing to make to pursue upside opportunities across categories (e.g., “up to $5M in strategic opportunity pursuit per year”). |
| KRI Dashboard | Monitors leading indicators of threats (declining metrics, increasing incidents, control failures). | Add opportunity KRIs: competitor performance metrics, technology maturity indicators, regulatory pipeline, market trend signals. Define triggers that escalate opportunities from Accept to Enhance or Exploit. |
Implementation Roadmap
| Phase | Actions | Deliverables | Success Metrics |
| Days 1-30: Design | Add the opportunity register template to the existing risk register (same structure with benefit-focused scoring). Design the 5×5 opportunity scoring matrix with benefit descriptors. Update the risk workshop agenda to include opportunity identification prompts. Define opportunity response strategies (exploit, enhance, share, accept) in the risk management procedures. | Opportunity register template. 5×5 opportunity scoring matrix. Updated workshop facilitation guide. Opportunity response strategy definitions in procedures document. | Templates approved by CRO. Scoring matrix reviewed by executive team. Workshop guide updated and facilitators briefed. |
| Days 31-60: Populate | Conduct the first opportunity identification sessions alongside the regular risk assessment cycle. Score identified opportunities using the 5×5 matrix. Assign owners to Priority 1 and 2 opportunities. Develop response plans for the top 5 opportunities. Define opportunity KRIs for the top 10 opportunities. | Populated opportunity register (target: minimum 15 opportunities identified across all risk categories). Scored and prioritized opportunity list. Response plans for top 5. KRI definitions for top 10. | 15+ opportunities identified. Top 5 have funded response plans with owners. Opportunity KRIs defined and data sources confirmed. |
| Days 61-90: Report and Monitor | Produce the first board risk report that includes both the threat heat map and the opportunity heat map. Launch monthly opportunity KRI monitoring. Establish the quarterly opportunity review cadence (integrated with the existing quarterly risk review). Present the balanced risk profile to the board. | First balanced board risk report (threats + opportunities). Opportunity KRI dashboard (integrated with existing KRI dashboard). Quarterly review schedule. Board presentation. | Board acknowledges the opportunity section. At least one Priority 1 opportunity has an active Exploit or Enhance response. Monthly KRI monitoring operational. |
Common Pitfalls and How to Avoid Them
| Pitfall | Root Cause | Remedy |
| Opportunities treated as “nice to have” rather than managed risks | The culture treats risk management as loss prevention. Opportunities are discussed informally but never enter the formal risk management process. | Require opportunity identification in every risk workshop. Include the opportunity register in the board risk report. Hold owners accountable for opportunity response plans with the same rigor as threat treatment plans. |
| Opportunity scoring uses the same impact scale as threats (measuring loss, not benefit) | The 5×5 matrix was designed for downside risk. Impact descriptors reference financial loss, operational disruption, and reputational damage. Positive impacts do not fit the scale. | Create a separate benefit impact scale with descriptors for revenue gain, cost savings, market share increase, capability acceleration, and brand enhancement. Mirror the threat scale structure. |
| All opportunities classified as Accept (passive) | Owners lack authority or budget to pursue opportunities. The default response is “we’ll wait and see” because no mechanism exists to fund opportunity pursuit. | Define an “opportunity investment budget” in the annual plan. Allocate 2-5% of the risk management budget to opportunity pursuit. Establish delegated authority for opportunity spending at the CRO or executive committee level. |
| Opportunity management becomes a separate, disconnected process | The organization builds a separate opportunity tracker managed by the strategy team, disconnected from the ERM framework. Risk and opportunity are managed in silos. | Integrate opportunities into the existing risk register, workshops, scoring, and reporting. One framework, two dimensions (threat + opportunity). One board report, two heat maps. One review cycle, one set of owners. |
| Confusing positive risk with personal risk-taking or “risk appetite for growth” | The concept is misunderstood as encouragement to take bigger bets or tolerate more losses. Positive risk is not about accepting more downside; it is about systematically capturing upside. | Train risk owners on the distinction: positive risk = uncertain events with beneficial outcomes. Response strategies aim to increase the probability and impact of good outcomes, not to increase tolerance for bad outcomes. |
| Opportunities are identified but never monitored for changes in probability | An opportunity scored as Unlikely (2) in January may become Likely (4) by June due to market changes. Without monitoring, the organization misses the escalation window. | Define opportunity KRIs with trigger thresholds. When a KRI indicates the opportunity is becoming more probable, automatically escalate the response from Accept to Enhance or Exploit. Monitor monthly. |
Looking Ahead: Opportunity Risk Management Trends 2025-2027
AI-driven opportunity detection is emerging as a complement to AI-driven threat detection. The same natural language processing and data analytics tools that scan for emerging threats can identify emerging opportunities: competitor weaknesses, regulatory tailwinds, technology breakthroughs, and market shifts.
Organizations deploying AI for risk identification are beginning to extend these capabilities to opportunity scanning, reducing the reliance on annual workshops as the sole opportunity identification mechanism.
ESG and sustainability are creating a new category of positive risks. Carbon credit markets, green bond premiums, sustainable product demand, and regulatory incentives for decarbonization all represent upside opportunities that organizations can exploit, enhance, or share.
KRIs for ESG and sustainability must track both the threat dimension (compliance risk, transition risk) and the opportunity dimension (green revenue, brand premium, talent attraction). Organizations that monitor only ESG threats miss the value-creation potential that ESG performance unlocks.
The COSO ERM framework’s emphasis on integrating risk with strategy and performance will continue to drive balanced risk management. Boards that receive only downside risk reports are making decisions with half the information.
Organizations that present both threat and opportunity profiles enable strategic conversations about where to invest, where to partner, and where to move faster.
The risk function that delivers this balanced view becomes a strategic advisor, not just a compliance mechanism. That is the promise of managing both sides of uncertainty: not just protecting value, but creating it.
References
1. ISO 31000:2018 Risk Management Guidelines — International Organization for Standardization
2. COSO ERM: Integrating with Strategy and Performance (2017) — Committee of Sponsoring Organizations
3. Risk Management Principles: ISO 31000 and COSO ERM — Wolters Kluwer
4. ISO 31000 vs COSO ERM: Frameworks Compared — TrustCloud
5. ISO 31000 vs. COSO: Comparing Risk Management Standards — TechTarget
6. ISO 31000 and Risk Management — Nobel Cert Universal / IRM
7. ISO 31000 Explained: Risk Management for Modern Organizations — Pacific Certifications
8. COSO vs ISO 31000 for ERM — Empowered Systems
9. ISO 31000 vs COSO ERM Risk Management Frameworks — Rcademy
10. The State of Enterprise Risk Management, 2025 — Forrester Research
11. 2025 KPMG Risk and Resilience Survey — KPMG International
12. PMBOK Guide, 7th Edition — Project Management Institute
13. Aon 2025 Global Risk Management Survey — Aon plc
14. IEC 31010: Risk Assessment Techniques — International Electrotechnical Commission / ISO

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
