4 November 2016

The final draft version of the King IV Report on Corporate Governance in South Africa 2016 (King IV) places a different focus on the Governance and Management of Risk compared to the situation that existed before. It now states that:

“The governing body should assume responsibility for the governance of risk by setting the direction for how risk should be approached and addressed in the organisation. Risk governance should encompass both:

  1. the opportunities and associated risks to be considered when developing strategy; and
  2. the potential positive and negative effects of the same risk on the achievement of organisational objectives.”

The focus is now firstly on “opportunities” and the “potential positive effects” and only thereafter on “negative effects.” The major change in focus, however, is the requirement in paragraph a., where it is stated that opportunities (firstly) and risks should be considered when developing strategy. It is implied that the opportunities referred to are the opportunities brought about by the development of the organisation’s strategy. These opportunities can be viewed as “stand-alone” opportunities, or opportunities that were identified without firstly identifying the risk. This requirement is different from the requirement in the next paragraph, where the positive and negative effects of the same risk should be dealt with.

The difference in accent is more apparent when the definition of Risk contained in King IV is examined. It states that “Risk is about the uncertainty of events; including their likelihood of occurring and their effect, both positive and negative, on the achievement of the organisation’s objectives. Risk includes uncertainties with a potential positive effect on the organisation (i.e. opportunities) not being captured or not materialising”. This definition of Risk clearly highlights “uncertainties with a potential positive effect”.

Although all commonly-used risk definitions, from COSO 2004 to ISO 31000/2009, as well as King III, referred to opportunity or the upside of risk, the concept of risk was generally viewed as something negative, or as the potential downside of a future occurrence. What has exacerbated this misconception was the view that risk and opportunity were opposites. Many documents, including King II, stated that “enterprise is the undertaking of risk for reward” implying that the greater the risk, the greater the reward. In other words, if everything went well, you had great reward, but if things went badly, you had great risk. This led to the mistaken belief that opportunity is merely the “upside of a downside risk”. This belief assumed that risk and opportunity are inextricably linked. It is now apparent that this notion is not true. It is entirely possible to reduce risk whilst improving returns. In fact, to survive in today’s world, it is not only possible but essential.

Traditionally, risks were classified and managed in three broad categories, namely hazard risks (so-called pure risks like fires, natural catastrophes, violent attacks, etc.); financial risks (bad debt, currency, interest rates, etc.); and operating risks (IT system failures, supplier interruptions, etc.). The opportunities attached to these risks can be described as reducing the impacts of the downsides, also known as the “silver-lining” opportunities. In other words, every dark cloud (risk) has a silver lining (opportunity) attached to it. Often the opportunities are the exact opposite of the downside risk, viewed as the two sides of the same coin. A good example may be a rise in interest rates, which may be a risk to some people, whilst being an opportunity to others.

However, when one looks at the King IV definition of “Risk” it is apparent that the achievement of the organisation’s objectives is the key element. The key objective of any organisation can never only be the avoidance of loss or harm, but must be the optimisation of its strategic objectives. This is confirmed by the old adage that “a risk is not only a bad thing happening, it is also a good thing not happening.”

Any future uncertainty, which can be opportunity, risk, or both, can be classified into four broad categories, namely:

  • Future possible event (Stochastic Uncertainty).
    • This refers to an event that has not happened and it may not happen at all. However, if it does, it will have an impact on the organisation. Most identified risks are like this and include events like new developments, a supplier going out of business, law changes, disasters, and the like.
  • Variability (Aleatoric Uncertainty).
    • Some aspect of a task or project is uncertain and may include timing uncertainties, budget variability and the like.
  • Ambiguity (Epistemic Uncertainty)
    • This uncertainty stems from lack of knowledge or understanding of a situation, condition or event. This may include matters like market conditions, competitor capability and the like.
  • Blind Spots (Ontological Uncertainty).
    • This uncertainty exists outside of normal knowledge and experience frameworks and are therefore not seen or expected – the so-called “black swans”, emergent or emerging risks and blind spots.

The traditional method of identification of opportunities as part of the risk assessment process, where the upside of a downside risk is identified, can be viewed as “passive opportunity identification”. These identified opportunities are mostly the direct opposites of the identified risks and fit in well with the view that higher reward requires higher risk – the “two different sides of the same coin” principle. It must be stressed, however, that this method of opportunity identification remains a key component of risk and opportunity management and that it remains important to have it done. Examples of these kinds of opportunities are items such as interest rate movements, exchange rate fluctuations, margin squeeze, and the like. In short, it can be described as “Risk including Opportunity”.

King IV, on the other hand, now requires the governing bodies of organisations to ensure that “active opportunity identification” is conducted. These are the stand-alone opportunities that are not necessarily aligned with any downside risk. These would be the opportunities that the organisation needs to pursue to enable it to achieve its strategic objectives. Custodians of this process would normally be the office of the CEO, the strategy director or the research and development department. The opportunity identification and assessment process would be distinctly different, and separate, from the risk assessment process that organisations are currently conducting in terms of King III.

Reporting of the opportunities that are the result of the identification process, would be different as well. These reports would not fit the mould of the typical risk report, with likelihood and impact indications, as these metrics are mostly irrelevant to opportunities. The target audience of the report would be different, as the information surrounding potential opportunities are by their very nature confidential and not for wider consumption.

The key aspect in the risk assessment process that needs careful consideration when conducting opportunity management is that of “appetite and tolerance”. When downside risks are considered in isolation, determining and calculating risk appetite and risk tolerance levels are foundational in the process. These levels do not only refer to financial metrics (gearing, debt levels, cash, etc.) but also to non-financial metrics (level of injuries, negative press, etc.) and are mostly absolute downside risk limits beyond which the organisation is not willing or able to venture. These risk limits do not reference opportunity, and the only upside apparent in appetite and tolerance levels would be when those limits are not reached or breached. When dealing with stand-alone opportunities, the organisation would determine or calculate what downside limit it is prepared or able to endure to achieve a particular opportunity.

Although the identification and management of opportunities may not be the responsibility of an organisation’s risk department, the latter has a role to play and can add significant value to the process. As a result of the methodologies and techniques at its disposal, and as a result of the knowledge and experience o its personnel, the risk department may be able to assist in the process to identify opportunities, may be able to assist in the documenting and evidencing of the results of this process as well as assist in the monitoring of the results.


Adrian J. Slywotsky The Upside (2009) Oliver Wyman

British Standards Institution Specification of common management system requirements as a framework for risk integration (2012) BSI London, UK

Committee of Sponsoring Organisations of the Treadway Commission Enterprise Risk Management – Integrated Framework: Executive Summary (2004) COSO, USA

Federation of European Risk Management Associations A Risk Management Standard (2002) FERMA, Brussels, Belgium

Gert Cruywagen Integrating Risk and Opportunity (2016) Presentation to Annual IRMSA Conference, Johannesburg, South Africa

International Standards Organisation ISO 31000 Risk Management – Principles and Guidelines (2009) ISO Genève, Switzerland

King Committee on Corporate Governance King Report on Governance for South Africa (2009) Institute of Directors, Johannesburg, South Africa

King Committee on Corporate Governance DRAFT King Report on Governance for South Africa (2016) Institute of Directors, Johannesburg, South Africa

The Institute of Risk Management South Africa The IRMSA Guidleline to Risk Management (2014) IRMSA, Johannesburg, South Africa

The Risk Management Society RIMS, SRM Definition (2011), RIMS, USA

I hereby certify that this article is my own work, and has not, in full or in part, been published elsewhere.

Submitted by:

Gert Christiaan Cruywagen

Villa Brouette

1343 Prairie Dunes

Copperleaf Country Estate



011 510 7871 (Work)

083 636 1407(Cell)



G.C. Cruywagen


© 2017 IDI Technology (Pty) Ltd | PAIA | BBEE Certificate | Tax Clearance Certificate