Business Plan Risk Analysis The Ultimate Guide

Business Plan Risk Analysis - What You Need to Know

The business plan risk analysis is a crucial and often overlooked part of a robust business plan. In the ever-changing world of business, knowing the potential pitfalls and how to mitigate them could be the difference between success and failure. A well-crafted business plan acts as a guiding star for every venture, be it a startup finding its footing or a multinational corporation planning an expansion. However, amidst financial forecasts, marketing strategies, and operational logistics, the element of risk analysis frequently gets relegated to the back burner. In this blog, we will dissect the anatomy of the risk analysis section, show you exactly why it is important and provide you with guidelines and tips. We will also delve into real-life case studies to bring your learning to life.

Table of Contents

  • Risk Analysis - What is it?
  • Types of Risks
  • Components of Risk Analysis
  • Real-Life Case Studies
  • Tips & Best Practices
  • Final Thoughts

Business Plan Risk Analysis - What Exactly Is It?

Risk analysis is like the radar system of a ship, scanning the unseen waters ahead for potential obstacles. It can forecast possible challenges that may occur in the business landscape and plan for their eventuality. Ignoring this can be equivalent to sailing blind into a storm. The business plan risk analysis section is a strategic tool used in business planning to identify and assess potential threats that could negatively impact the organisation's operations or assets. Taking the time to properly think about the risks your business faces or may face in the future will enable you to identify strategies to mitigate these issues.

Business Plan Risk Analysis Ignore At Your Peril

Types of Business Risks

There are various types of risks that a business may face, which can be categorised into some broader groups:

  • Operational Risks: These risks involve loss due to inadequate or failed internal processes, people, or systems. Examples could include equipment failure, theft, or employee misconduct.
  • Financial Risks: These risks are associated with the financial structure of the company, the transactions the company makes, and the company's ability to meet its financial obligations. Examples include currency fluctuations, rising costs, or a decline in cash flow.
  • Market Risks: These risks are external to the company and involve changes in the market, for example new competitors entering the market, changes in customer preferences, or regulatory changes.
  • Strategic Risks: These risks relate to the strategic decisions made by the management team. Examples include the entry into a new market, the launch of a new product, or mergers and acquisitions.
  • Compliance Risks: These risks arise from the laws and regulations a company must comply with to stay in operation. They could involve changes in laws and regulations or non-compliance with existing ones.

The business risk analysis section is not a crystal ball predicting the future with absolute certainty, but it provides a foresighted approach that enables businesses to navigate a world full of uncertainties with informed confidence. In the next section, we will dissect the integral components of risk analysis in a business plan.

Business Plan Risk Analysis Keep Your KPIs in Mind

Components of a Risk Analysis Section

Risk analysis, while a critical component of a business plan, is not a one-size-fits-all approach. Each business has unique risks tied to its operations, industry, market, and even geographical location. A thorough risk analysis process, however, typically involves four main steps:

  • Identification of Potential Risks: The first step in risk analysis is to identify potential risks that your business may face. This process should be exhaustive, including risks from various categories mentioned in the section above. You might use brainstorming sessions, expert consultations, industry research, or tools like a SWOT analysis to help identify these risks.
  • Risk Assessment: Once you've identified potential risks, the next step is to assess them. This involves evaluating the likelihood of each risk occurring and the potential impact it could have on your business. Some risks might be unlikely but would have a significant impact if they did occur, while others might be likely but with a minor impact. Tools like a risk matrix can be helpful here to visualise and prioritise your risks.
  • Risk Mitigation Strategies: After assessing the risks, you need to develop strategies to manage them. This could involve preventing the risk, reducing the impact or likelihood of the risk, transferring the risk, or accepting the risk and developing a contingency plan. Your strategies will be highly dependent on the nature of the risk and your business's ability to absorb or mitigate it.
  • Monitoring and Review: Risk analysis is not a one-time task, but an ongoing process. The business landscape is dynamic, and new risks can emerge while old ones can change or even disappear. Regular monitoring and review of your risks, and of the effectiveness of your mitigation strategies, are crucial. This should be an integral part of your business planning process.

Through these four steps, you can create a risk analysis section in your business plan that not only identifies and assesses potential threats but also outlines clear strategies to manage and mitigate these risks. This will demonstrate to stakeholders that your business is prepared and resilient, able to handle whatever challenges come its way.

Business Plan Risk Analysis Look To Discuss With Many Sources

Business Plan Risk Analysis - Real-Life Examples

To fully grasp the importance of risk analysis, it can be beneficial to examine some real-life scenarios. The following are two contrasting case studies - one demonstrating a successful risk analysis and another highlighting the repercussions when risk analysis fails.

Case Study 1: Google's Strategic Risk Mitigation

Consider Google's entry into the mobile operating system market with Android. Google identified a strategic risk: the growth of mobile internet use might outpace traditional desktop use, and if they didn't have a presence in the mobile market, they risked losing out on search traffic. They also recognised the risk of being too dependent on another company's (Apple's) platform for mobile traffic. Google mitigated this risk by developing and distributing its own mobile operating system, Android. They offered it as an open-source platform, which encouraged adoption by various smartphone manufacturers and quickly expanded their mobile presence. This risk mitigation strategy helped Google maintain its dominance in the search market as internet usage shifted towards mobile.

Case Study 2: The Fallout of Lehman Brothers

On the flip side, Lehman Brothers, a global financial services firm, failed to adequately analyse and manage its risks, leading to its downfall during the 2008 financial crisis. The company had significant exposure to subprime mortgages and had failed to recognise the potential risk these risky loans posed. When the housing market collapsed, the value of these subprime mortgages plummeted, leading to significant financial losses. The company's failure to conduct a robust risk analysis and develop appropriate risk mitigation strategies eventually led to its bankruptcy.

The takeaway from these case studies is clear - effective risk analysis can serve as an essential tool to navigate through uncertainty and secure a competitive advantage, while failure to analyse and mitigate potential risks can have dire consequences. As we move forward, we'll share some valuable tips and best practices to ensure your risk analysis is comprehensive and effective.

Business Plan Risk Analysis Tips and Best Practices

While the concept of risk analysis can seem overwhelming, following these tips and best practices can streamline the process and ensure that your risk management plan is both comprehensive and effective.

  • Be Thorough: When identifying potential risks, aim to be as thorough as possible. It’s crucial not to ignore a risk because it seems minor or unlikely; even small risks can have significant impacts if not managed properly.
  • Involve the Right People: Diverse perspectives can help identify potential risks that might otherwise be overlooked. Include people from different departments or areas of expertise in your risk identification and assessment process. They will bring different perspectives and insights, leading to a more comprehensive risk analysis.
  • Keep it Dynamic: The business environment is continually changing, and so are the risks. Hence, risk analysis should be an ongoing process, not a one-time event. Regularly review and update your risk analysis to account for new risks and changes in previously identified risks.
  • Be Proactive, Not Reactive: Use your risk analysis to develop mitigation strategies in advance, rather than reacting to crises as they occur. Proactive risk management can help prevent crises, reduce their impact, and ensure that you're prepared when they do occur.
  • Quantify When Possible: Wherever possible, use statistical analysis and financial projections to evaluate the potential impact of a risk. While not all risks can be quantified, putting numbers to the potential costs can provide a clearer picture of the risk and help prioritise your mitigation efforts.

Implementing these tips and best practices will strengthen your risk analysis, providing a more accurate picture of the potential risks and more effective strategies to manage them. Remember, the goal of risk analysis isn't to eliminate all risks—that's impossible—but to understand them better so you can manage them effectively and build a more resilient business.

In the ever-changing landscape of business, where uncertainty is a constant companion, the risk analysis section of a business plan serves as a guiding compass, illuminating potential threats and charting a course toward success. Throughout this blog, we have explored the critical role of risk analysis and the key components involved in its implementation. We learned that risk analysis is not just about identifying risks but also about assessing their potential impact and likelihood. It involves developing proactive strategies to manage and mitigate those risks, thereby safeguarding the business against potential pitfalls.

In conclusion, a well-crafted business plan risk analysis section is not just a formality but a strategic asset that empowers your business to thrive in an unpredictable world. As you finalise your business plan, keep in mind that risk analysis is not a one-time task but an ongoing practice. Revisit and update your risk analysis regularly to stay ahead of changing business conditions. By embracing risk with a thoughtful and proactive approach, you will position your business for growth, resilience, and success in an increasingly dynamic and competitive landscape.

Want more help with your business plan? Check out our Learning Zone for more in-depth guides on each specific section of your plan.

How to Highlight Risks in Your Business Plan

Male entrepreneur working in a machine shop on cutting through a piece of metal with sparks flying out. This is just one of the physical risks to address in his business.

Tallat Mahmood

5 min. read

Updated October 25, 2023

One of the areas constantly dismissed by business owners in their business plan is an articulation of the risks in the business.

This either suggests that you don’t believe there are any risks in your business (not true), or that you are intentionally avoiding disclosing them.

Either way, it is not the best start to have with a potential funding partner. In fact, by dismissing the risks in your business, you actually make the job of a lender or investor that much more difficult.

Why a funder needs to understand your business’s risks:

Funding businesses is all about risk and reward.

Whether it’s a lender or an investor, their key concern will be trying to balance the risks inherent in your business, versus the likelihood of a reward, typically increasing business value. An imbalance occurs when entrepreneurs talk extensively about the opportunities inherent in their business, but ignore the risks.

The fact is, all funders understand that risks exist in every business. This is just a fact of running a business. There are risks that exist with your products, customers, suppliers, and your team. From a funder’s perspective, it is important to understand the nature and size of risks that exist.

There are two main reasons why funders want to understand business risks:

Firstly, they want to understand whether or not the key risks in your business are so fundamental to the investment proposition that it would prevent them from funding you.

Some businesses are not at the right stage to receive external funding and placate funder concerns. These businesses are best off dealing with key risk factors prior to seeking funding.

The second reason why lenders and investors want to understand the risk in your business is so that they can structure a funding package that works best overall, despite the risk.

In my experience, this is an opportunity that many business owners are wasting, as they are not giving funders an opportunity to structure deals suitable for them.

Here’s an example:

Assume your business is seeking equity funding, but has a key management role that needs to be filled. This could be a key business risk for a funder.

Highlighting this risk shows that you are aware of the appointment need, and are putting plans in place to help with this key recruit. An investor may reasonably decide to proceed with funding, but the funding will be released in stages. Some will be released immediately and the remainder will be after the key position has been filled.

The benefit of highlighting your risks is that it demonstrates to investors that you understand the danger the risks pose to your company, and are aware that it needs to be dealt with. This allows for a frank discussion to take place, which is more difficult to do if you don’t acknowledge this as a problem in the first place.

Ultimately, the starting point for most funders is that they want to invest in you, and want to validate their initial interest in you.

Highlighting your business risks will allow the funder to get to the nub of the problem, and give them a better idea of how they may structure their investment in order to make it work for both parties. If they are unsure of the risks or cannot get clear explanations from the team, it is unlikely they will be forthcoming when it comes to finding ways to make a potential deal work.


The right way to address business risks:

The main reason many business owners don’t talk about business risks with potential funders is because they don’t want to highlight the weaknesses in their business.

This is a fair concern to have. However, there is a right way to address business risk with funders, without turning lenders and investors off.

The solution is to focus on how you mitigate the risks.

In other words, what are the steps you are taking in your business as a direct reaction to the risks that you have identified? This is very powerful in easing funder fears, and in positioning you as someone who has a handle on their business.

For example, if a business risk you had identified was a high level of customer concentration, then a suitable mitigation plan would be to market your products or services targeting new clients, as opposed to focusing all efforts on one client.

Having net profit margins that are lower than average for your market would raise eyebrows and be considered a risk. In this instance, you could demonstrate to funders the steps you are putting in place over a period of time to help increase those margins to at least market norms for your niche.

The process of highlighting risks—and, more importantly, outlining key mitigating actions—not only demonstrates honesty, but also a leadership quality in solving the problems in your business. Lenders and investors want to see both traits.

The impact on your credibility:

Any lender or investor backs the leadership team of a business first, and the business itself second.

This is because they realize that it is you, the management team, who will ultimately deliver value and grow the business for the benefit of all. As such, it is imperative that they have the right impression of you.

The consequence of highlighting business risks in your business plan with mitigations is that it provides funders a real insight into you as a business leader. It demonstrates that not only do you have an understanding of their need to understand risk in your business, but you also appreciate that minimizing that risk is your job.

This will have a massive impact on your credibility as a business owner and management team. This impact is more acute when compared to the hundreds of businesses they will meet that omit discussing the risks in their business.

The fact is, funders have seen enough businesses and business plans in all sectors to instinctively know what risks to expect. It’s just more telling if they hear it from you first.

What does this mean for you going forward?

Funders rely on you to deliver on your inherent promise to add value to your business for all stakeholders. The weight of this promise becomes much stronger if they can believe in the character of the team, and that comes from your credibility.

A business plan that discusses business risks and mitigations is a much more complete plan, and will increase your chances of securing funding.

Not only that, but highlighting the risks your business faces also has a long-term impact on your character and credibility as a business leader.

Content Author: Tallat Mahmood

Tallat Mahmood is founder of The Smart Business Plan Academy, his flagship online course on building powerful business plans for small and medium-sized businesses to help them grow and raise capital. Tallat has worked for over 10 years as a small and medium-sized business advisor and investor, and in this period has helped dozens of businesses raise hundreds of millions of dollars for growth. He has also worked as an investor and sat on boards of companies.


What Is Risk Management & Why Is It Important?

Hand holding a stack of blocks that spell risk, which are preventing a stack of dominos from toppling into human figurines

24 Oct 2023

Businesses can’t operate without risk. Economic, technological, environmental, and competitive factors introduce obstacles that companies must not only manage but overcome.

According to PwC’s Global Risk Survey, organizations that embrace strategic risk management are five times more likely to deliver stakeholder confidence and better business outcomes and two times more likely to expect faster revenue growth.

If you want to enhance your job performance and identify and mitigate risk more effectively, here’s a breakdown of what risk management is and why it’s important.


What Is Risk Management?

Risk management is the systematic process of identifying, assessing, and mitigating threats or uncertainties that can affect your organization. It involves analyzing risks’ likelihood and impact, developing strategies to minimize harm, and monitoring measures’ effectiveness.

“Competing successfully in any industry involves some level of risk,” says Harvard Business School Professor Robert Simons, who teaches the online course Strategy Execution. “But high-performing businesses with high-pressure cultures are especially vulnerable. As a manager, you need to know how and why these risks arise and how to avoid them.”

According to Strategy Execution, strategic risk has three main causes:

  • Pressures due to growth: This is often caused by an accelerated rate of expansion that makes staffing or industry knowledge gaps more harmful to your business.
  • Pressures due to culture: While entrepreneurial risk-taking can come with rewards, executive resistance and internal competition can cause problems.
  • Pressures due to information management: Since information is key to effective leadership, gaps in performance measures can result in decentralized decision-making.

These pressures can lead to several types of risk that you must manage or mitigate to avoid reputational, financial, or strategic failures. However, risks aren’t always obvious.

“I think one of the challenges firms face is the ability to properly identify their risks,” says HBS Professor Eugene Soltes in Strategy Execution.

Therefore, it’s crucial to pinpoint unexpected events or conditions that could significantly impede your organization’s business strategy.


According to Strategy Execution, strategic risk comprises:

  • Operations risk: This occurs when internal operational errors interrupt your products or services’ flow. For example, shipping tainted products can negatively affect food distribution companies.
  • Asset impairment risk: When your company’s assets lose a significant portion of their current value because of a decreased likelihood of receiving future cash flows. For instance, losing property assets, like a manufacturing plant, due to a natural disaster.
  • Competitive risk: Changes in the competitive environment can interrupt your organization’s ability to create value and differentiate its offerings—eventually leading to a significant loss in revenue.
  • Franchise risk: When your organization’s value erodes because stakeholders lose confidence in its objectives. This primarily results from failing to control any of the strategic risk sources listed above.

Understanding these risks is essential to ensuring your organization’s long-term success. Here’s a deeper dive into why risk management is important.

4 Reasons Why Risk Management Is Important

1. Protects Your Organization’s Reputation

In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation.

“Franchise risk is a concern for all businesses,” Simons says in Strategy Execution. “However, it's especially pressing for businesses whose reputations depend on the trust of key constituents.”

For example, airlines are particularly susceptible to franchise risk because of unforeseen events, such as flight delays and cancellations caused by weather or mechanical failure. While such incidents are considered operational risks, they can be incredibly damaging.

In 2016, Delta Airlines experienced a national computer outage, resulting in over 2,000 flight cancellations. Delta not only lost an estimated $150 million but took a hit to its reputation as a reliable airline that prided itself on “canceling cancellations.”

While Delta bounced back, the incident illustrates how mitigating operational errors can make or break your organization.

2. Minimizes Losses

Most businesses create risk management teams to avoid major financial losses. Yet, various risks can still impact their bottom lines.

A Vault Platform study found that dealing with workplace misconduct cost U.S. businesses over $20 billion in 2021. In addition, Soltes says in Strategy Execution that corporate fines for misconduct have risen 40-fold in the U.S. over the last 20 years.

One way to mitigate financial losses related to employee misconduct is by implementing internal controls. According to Strategy Execution, internal controls are the policies and procedures designed to ensure reliable accounting information and safeguard company assets.

“Managers use internal controls to limit the opportunities employees have to expose the business to risk,” Simons says in the course.

One company that could have benefited from implementing internal controls is Volkswagen (VW). In 2015, VW whistle-blowers revealed that the company’s engineers deliberately manipulated diesel vehicles’ emissions data to make them appear more environmentally friendly.

This led to severe consequences, including regulatory penalties, expensive vehicle recalls, and legal settlements—all of which resulted in significant financial losses. By 2018, U.S. authorities had extracted $25 billion in fines, penalties, civil damages, and restitution from the company.

Had VW maintained more rigorous internal controls to ensure transparency, compliance, and proper oversight of its engineering practices, perhaps it could have detected—or even averted—the situation.


3. Encourages Innovation and Growth

Risk management isn’t just about avoiding negative outcomes. It can also be the catalyst that drives your organization’s innovation and growth.

“Risks may not be pleasant to think about, but they’re inevitable if you want to push your business to innovate and remain competitive,” Simons says in Strategy Execution.

According to PwC, 83 percent of companies’ business strategies focus on growth, despite risks and mixed economic signals. In Strategy Execution, Simons notes that competitive risk is a challenge you must constantly monitor and address.

“Any firm operating in a competitive market must focus its attention on changes in the external environment that could impair its ability to create value for its customers,” Simons says.

This requires incorporating boundary systems—explicit statements that define and communicate risks to avoid—to ensure internal controls don’t extinguish innovation.

“Boundary systems are essential levers in businesses to give people freedom,” Simons says. “In such circumstances, you don’t want to stifle innovation or entrepreneurial behavior by telling people how to do their jobs. And if you want to remain competitive, you’ll need to innovate and adapt.”


Netflix is an example of how risk management can inspire innovation. In the early 2000s, the company was primarily known for its DVD-by-mail rental service. With growing competition from video rental stores, Netflix went against the grain and introduced its streaming service. This changed the market, resulting in a booming industry nearly a decade later.

Netflix’s innovation didn’t stop there. Once the streaming services market became highly competitive, the company shifted once again to gain a competitive edge. It ventured into producing original content, which ultimately helped differentiate its platform and attract additional subscribers.

By offering more freedom within internal controls, you can encourage innovation and constant growth.

4. Enhances Decision-Making

Risk management also provides a structured framework for decision-making. This can be beneficial if your business is inclined toward risks that are difficult to manage.

By pulling data from existing control systems to develop hypothetical scenarios, you can discuss and debate strategies’ efficacy before executing them.

“Interactive control systems are the formal information systems managers use to personally involve themselves in the decision activities of subordinates,” Simons says in Strategy Execution. “Decision activities that relate to and impact strategic uncertainties.”

JPMorgan Chase, one of the most prominent financial institutions in the world, is particularly susceptible to cyber risks because it compiles vast amounts of sensitive customer data. According to PwC, cybersecurity is the number one business risk on managers’ minds, with 78 percent worried about more frequent or broader cyber attacks.

Using data science techniques like machine learning algorithms enables JPMorgan Chase’s leadership not only to detect and prevent cyber attacks but also to address and mitigate risk.


Start Managing Your Organization's Risk

Risk management is essential to business. While some risk is inevitable, your ability to identify and mitigate it can benefit your organization.

But you can’t plan for everything. According to the Harvard Business Review, some risks are so remote that no one could have imagined them. Some result from a perfect storm of incidents, while others materialize rapidly and on enormous scales.

By taking an online strategy course, you can build the knowledge and skills to identify strategic risks and ensure they don’t undermine your business. For example, through an interactive learning experience, Strategy Execution enables you to draw insights from real-world business examples and better understand how to approach risk management.

Do you want to mitigate your organization’s risks? Explore Strategy Execution—one of our online strategy courses—and download our free strategy e-book to gain the insights to build a successful strategy.


How to Write a Great Business Plan

  • William A. Sahlman

Every seasoned investor knows that detailed financial projections for a new company are an act of imagination. Nevertheless, most business plans pour far too much ink on the numbers–and far too little on the information that really matters. Why? William Sahlman suggests that a great business plan is one that focuses on a series of questions. These questions relate to the four factors critical to the success of every new venture: the people, the opportunity, the context, and the possibilities for both risk and reward. The questions about people revolve around three issues: What do they know? Whom do they know? and How well are they known? As for opportunity, the plan should focus on two questions: Is the market for the venture’s product or service large or rapidly growing (or preferably both)? and Is the industry structurally attractive? Then, in addition to demonstrating an understanding of the context in which their venture will operate, entrepreneurs should make clear how they will respond when that context inevitably changes. Finally, the plan should look unflinchingly at the risks the new venture faces, giving would-be backers a realistic idea of what magnitude of reward they can expect and when they can expect it. A great business plan is not easy to compose, Sahlman acknowledges, largely because most entrepreneurs are wild-eyed optimists. But one that asks the right questions is a powerful tool. A better deal, not to mention a better shot at success, awaits entrepreneurs who use it.

Which information belongs—and which doesn’t—may surprise you.

Few areas of business attract as much attention as new ventures, and few aspects of new-venture creation attract as much attention as the business plan. Countless books and articles in the popular press dissect the topic. A growing number of annual business-plan contests are springing up across the United States and, increasingly, in other countries. Both graduate and undergraduate schools devote entire courses to the subject. Indeed, judging by all the hoopla surrounding business plans, you would think that the only things standing between a would-be entrepreneur and spectacular success are glossy five-color charts, a bundle of meticulous-looking spreadsheets, and a decade of month-by-month financial projections.

  • William A. Sahlman is the Dimitri V. D’Arbeloff-MBA Class of 1955 Professor of Business Administration at the Harvard Business School.

Balancing risk and reward

Hayley-Beth Peters Director - Enterprise Risk Management Lead, Non-Financial Services, PwC United Kingdom

The Covid-19 pandemic has prompted many organisations to reassess their appetite for risk, but this is work that needs to be carried out in the context of the business’s strategic objectives.

Almost nine in 10 organisations are reassessing their tolerance for risk because of the COVID-19 pandemic, new research reveals. PwC’s Annual UK CEO Survey suggests business leaders are focusing on new methods for measuring enterprise risk and making decisions in the wake of the crisis, with 89 per cent thinking again about their risk appetite [1].

“The pandemic has made people stop and think,” says Hayley-Beth Peters, UK Lead of Enterprise Risk Management at PwC, pointing out that not a single executive in PwC’s 2019 Global Crisis Survey expected to face a global health pandemic. “We may have felt that we instinctively knew what risks we faced, but many organisations now recognise the need to think more broadly about what may face them in the future; then they can begin to think about how to deal with those risks [2]”.

There are plenty of them. The World Economic Forum’s Global Risk Report 2021 highlights the ‘highest likelihood risks of the next 10 years’ as extreme weather, climate action failure and human-led environmental damage, digital power concentration, digital inequality and cyber security failure [3].

Add to those threats the disruptive forces of technological advance and new competition. And then there is the more general sense of unease about what lies ahead: PwC’s CEO Survey shows 86 per cent of UK CEOs are worried about uncertain economic growth [4].

Inevitably, there are difficult judgments to make. Managing enterprise risk does not mean eliminating it altogether. Nor should it: after all, risk goes hand in hand with opportunity. A business focused on the potential benefits of digital transformation, for example, will be conscious of the increased cyber security risks from an increased digital footprint, but will still want to proceed while managing that risk. A business determined to get rid of all health and safety risks would have to cease operating completely.

The key is to think about enterprise risk in the context of the organisation’s objectives, argues Iain Wright, Chair of the Institute of Risk Management. “Risk has got to link to strategy,” he says. “What are the risks that the organisation faces as it pursues its strategic objectives and builds its business? What are the red lines it is not prepared to cross?”

Since the responsibility for setting the organisation’s strategic direction sits at board level, so too does the ultimate responsibility for deciding your risk appetite, argues PwC’s Hayley-Beth Peters. “The conversation the board needs to have is about where and how much risk the organisation is prepared to take given the rewards available,” she says. “This is how you set your parameters; then you move on to the controls that you need, as well as how to track risk.”

This is exactly the approach taken by Yorkshire Water, explains the utility company’s Head of Risk and Audit Rachel Lindley. “Our conversation begins with the organisation’s objectives and what could go wrong as we pursue those objectives,” she says. “We think about both bottom-up factors, issues to do with our people, our assets and our technology, and external risks, such as political, regulatory or societal risk.”

Each of those risks is assessed both for its likelihood and its potential impact, with speed of onset also an important factor. Some risks will be non-negotiable – Lindley gives the example of any threat to public safety – while in other cases, risk tolerance may be higher. “The board is very clear about its appetite for risk in the context of its objectives,” she says. “We have a mechanism that ensures the board understands the nature of the risk and its extent – and that it is able to respond in a way that is proportionate.”

Still, many organisations feel their boards are better equipped to deal with some types of risk than others. In one recent report from the management school INSEAD, 91 per cent and 88 per cent of boards, respectively, believed they had good knowledge of risks related to finance and regulation, but only 28 per cent and 34 per cent said the same of cyber security and climate change [5].

Once an organisation's board has set out its risk appetite, the role of the CEO and the broader management is to set a course that reflects this judgement. This means building structures that enable reporting - and thus risk monitoring. Every function of the organisation is generating data constantly, so the task is to harness the relevant insights from this data to track areas identified as of concern.

New technologies have an important role to play here, with many risk functions now investing in data analytics and tools such as dashboards that provide a real-time view of a broad range of risk metrics. It is also possible to use such tools to assess potential exposures, through exercises such as stress-testing and war-gaming that give the organisation a view of its exposure to scenarios.

The aim, argues the Institute of Risk Management's Iain Wright, is to build an organisation where enterprise risk management is embedded in decision making. "Beware box ticking, where you seek risk only as a compliance exercise," he says. "The goal is a culture where you have flexibility, trust and a willingness to question yourself."

Organisations that get that right will improve the quality of decision making and enhance speed to market, rather than risk acting as a brake. For example, embedding security into digital projects at the design stage, rather than retrofitting protections, will ensure transformation proceeds more quickly and exposes the organisation to fewer vulnerabilities.

The imperative is for risk professionals to become business partners, argues PwC's Hayley-Beth Peters. "How is the risk function perceived in the wider organisation?" she asks. "Is it an afterthought that people turn to at the last minute, or do colleagues recognise its potential to help them understand and manage risk as they pursue opportunity?"

This content was paid for by PwC and produced in partnership with the Financial Times Commercial department.

[1] https://www.pwc.co.uk/ceo-survey.html
[2] https://www.pwc.com/ee/et/publications/pub/pwc-global-crisis-survey-2019.pdf
[3] https://www.weforum.org/reports/the-global-risks-report-2021
[4] https://www.pwc.co.uk/ceo-survey.html
[5] https://www.insead.edu/sites/default/files/assets/dept/centres/icgc/docs/leadership-in-risk-management-european-report-2020.pdf

By Denis G.

Risk and Reward Analysis

A risk-reward analysis is a very simple tool which can help you assess the risk and reward profile of completely different options. It works in the same way as a risk-return analysis which you may already be familiar with.

It can be applied at any level, for example:

  • by a CEO comparing different strategic directions for the company;
  • by a program manager deciding which projects to keep within the program and which to discard;
  • by a project manager deciding how to sequence tasks;
  • or simply by an individual team member deciding how best to spend their day.

The template works by having risk plotted along one axis and reward along the other. In the diagram below I’ve divided the template into four sections to show you how to interpret the information.

Risk-Reward Analysis Graphic

The four categories from the diagram above are as follows:

  • Equal Low : where risk and reward are both proportional and low.
  • Equal High : where risk and reward are both proportional and high.
  • Positive : represents a positive risk-reward balance, where a higher return can be achieved with limited risk.
  • Negative : represents a negative risk-reward balance, where a low return is the reward for taking on a relatively high risk.

How to Use it

First, you need to create a list of all the different options and their possible rewards. This can be done quickly and roughly, or can involve serious effort (market research, scenario development, etc.); the effort you put in will depend on the size of the decision you are making. Examples of options might include outsourcing non-core activities, ceasing investment in poorly performing product lines, investing in new products, or investing to move into new markets. Once you have all the options and their potential reward, they should be plotted on the risk-reward chart:

Risk-Reward Analysis Example

At this stage some options will appear to have a more favourable risk-reward profile than others, such as outsourcing in the above example, but it is worth taking the time to investigate whether any options can have their risks mitigated, or whether any can have their rewards boosted, before making a final decision on which option to go with. In the above example, if the risk of developing new products could be mitigated somehow, then that option would become more favourable than outsourcing.

Finally, for an even more complete picture to further aid our decision making, we can add resources to the risk-reward template. In the diagram below, the bigger the bubble the more resources are required to execute that option.

Risk-Reward-Resource Analysis Example

With risk, reward, and resources all plotted, we are able to trade them against one another to find the best option for us. From the diagram above you can see that outsourcing is probably the most favourable option, providing plenty of upside reward but requiring minimal resource and having little risk. Additionally, with so few resources engaged in making the outsourcing happen, perhaps some investigative work can start on the new product development option with some of the spare resource.

Cite this article

Minute Tools Content Team, Risk and Reward Analysis, Minute Tools, Jul, 2011 https://expertprogrammanagement.com/2011/07/risk-and-reward-analysis/

Originally hailing from Dublin, Denis has always been interested in all things business and started EPM in 2009. Before EPM, Denis held a leadership position at Nokia, owned a sports statistics business, and was a member of the PMI's (Project Management Institute’s) Global Executive Council for two years. Denis now spends his days helping others understand complex business topics.

Employee Benefits in Mergers & Acquisitions: Key Considerations When Acquiring a Defined Benefit Pension Plan

Although pension plans are increasingly rare, if your business is considering acquiring a company that sponsors a pension plan, then several new diligence and deal considerations come into play for the transaction. This can be incredibly daunting if your business does not already sponsor a pension plan, because pension plans are fundamentally different than defined contribution plans, such as 401(k) plans, in many respects. This article highlights some of the material diligence, transaction, and post-closing issues that you should consider if the target entity sponsors a pension plan.

1. Do You Understand the Funding Status of the Pension Plan?

  • Pension plans are not required to be fully funded, i.e., it is not a legal requirement that the plan’s assets equal the plan’s liabilities. The “funded status” of a defined benefit pension plan can be viewed in different ways depending on the purpose for which the funding status is determined. For example, a pension plan that is considered “fully funded” (at 100% or more) for the plan’s most recently reported adjusted funding target attainment percentage (or, AFTAP) may not be considered “fully funded” if the plan was terminated and liquidated. This is because most ongoing actuarial funding certifications (like the annual AFTAP determination) are calculated by making certain actuarial assumptions related to the plan remaining in effect.
  • Pension plans are only required to complete formal actuarial funding determinations on a periodic basis and then, those determinations are reported on a delayed basis. For example, for a calendar year pension plan, as of May 2024 the most recent Form 5500 available is for the 2022 plan year, which will report assets and liabilities as of the last day of the 2022 plan year. For a calendar year, that information is now almost one and a half years out of date. Unless an updated actuarial valuation is completed in connection with a transaction, the buyer will inevitably review “stale” funding data for the pension plan and must either demand an updated valuation (which may take time) or at a minimum, obtain an updated plan asset valuation so the buyer can at least assess more recent asset values.
  • The funding status of the pension plan is important because if a plan is underfunded, then it’s likely the buyer will have to make periodic contributions to the plan’s trust to fund the plan, or a potentially large contribution if the intention is to terminate the plan. Further, an underfunded pension plan will pay more in annual PBGC premiums than a fully funded plan. These liabilities should be considered in the context of the overall financial aspects of the transaction.

2. Have You Reviewed Historical Compliance and Plan Governance?

  • While the funding issue described above will likely be the most important issue to address in the transaction, the buyer should also review historical pension plan documents and governance to confirm that there are no significant outstanding compliance issues or liabilities sitting with the pension plan.
  • At a minimum, the buyer should carefully review current plan documents, trust agreements, summary plan descriptions, participant notices (including distribution election materials), evidence of PBGC premium payments, Form 5500s, and any correspondence with the IRS, Department of Labor, or PBGC about the plan.
  • To the extent there are outstanding compliance issues discovered in the diligence process, the buyer can address them in various ways. For example, the purchase agreement can require that necessary corrective actions to bring the plan into compliance be completed prior to the closing of the transaction, if feasible. Or, the parties may address material issues through purchase price adjustments or specific indemnity obligations, as needed.
  • A buyer also needs to understand the current third-party administration arrangements and governance structure to determine if or when changes are needed following the closing of the transaction. For example, if the target company has established a benefits committee to serve as the plan’s administrator, then a buyer will need to consider if that committee should remain in place following closing (or, if members of the committee may no longer be around after the closing) or if the buyer has its own plan fiduciaries that it intends to appoint as the plan administrator going forward.

3. Do We Need to Address the Pension Plan in the Purchase Agreement?

  • The purchase agreement will need to address the pension plan; however, how the plan gets addressed will vary depending on the overall business deal.
  • The purchase agreement should contain certain representations from the seller about the overall compliance of the pension plan. If there are outstanding compliance issues, then the buyer may want to consider specific indemnification protections to address those risks.
  • Depending on how a buyer views the pension plan’s overall funding and any minimum required contributions that are due prior to closing (or that relate to the pre-closing period, to the extent not due by closing), certain purchase price adjustments may need to be included within the purchase agreement. A buyer may also require a target company to make additional contributions to the pension plan’s trust prior to closing a transaction, which would also need to be documented under the purchase agreement.
  • If the buyer expects the target company to take any corrective actions discovered during diligence or make any changes to the plan in connection with the closing, then pre-closing covenants and/or closing deliverables covering these items should be included under the purchase agreement.

4. Can We Freeze or Terminate the Pension Plan?

  • If the target’s pension plan is still actively adding new participants and accruing new benefits (or, the plan may be frozen to new participants, but current participants are still accruing benefits), a buyer will want to consider fully freezing the plan to limit future benefit obligations. Decisions about freezing a pension plan will need to consider the buyer’s philosophy for retirement benefits going forward, any obligations under the purchase agreement to maintain defined benefit plan accruals for some post-closing period, and, in the event any plan participants are governed by a collectively bargained arrangement, those decisions will be subject to bargaining requirements. In addition, there are advance notice requirements to freeze a pension plan that may make it impractical to implement a freeze at or shortly after the closing of the transaction. However, a pension plan can be frozen at any time on a prospective basis.
  • Unlike a 401(k) plan, a buyer could terminate and liquidate a pension plan after the closing of a transaction. Even if a buyer does not plan to continue operating the pension plan after closing, the buyer does not necessarily need to require a seller to terminate a pension plan before closing (and, depending on the timing of a transaction, that may not even be feasible). A buyer could elect to terminate the pension plan at some later point after closing. Terminating a pension plan is a detailed and lengthy process that includes plan amendments, participant notices, potential funding obligations, ongoing Form 5500 reporting obligations, and PBGC and IRS reporting and determination processes, and can take around a year to complete.
  • If the buyer intends to terminate the pension plan at or shortly following closing, then determining the appropriate funding status of the plan and whether additional contributions are needed (and who will pay for such contributions within the purchase agreement) becomes a critical point to address during the transaction.

5. What Do We Do with the Pension Plan After the Transaction Closes?

  • Determine whether any plan amendments or updated participant communications or notices are necessary.
  • Determine who are the pension plan’s current fiduciaries and plan administrators and if those delegations need to be updated to transition to the buyer’s other previously established fiduciary committees or to change authorized signatories for the plan.
  • Ensure there are sufficient procedures and policies in place to adequately administer the pension plan and to implement the plan’s governance, investment, and other fiduciary decisions. Establish a regular cadence for review of the plan’s administration and investment performance. Establish contact and ongoing correspondence with third-party service providers for the plan.
  • If the buyer already maintains other pension plans within its controlled group and will maintain the newly acquired plan after closing, then consider whether there are cost or administrative efficiencies in consolidating pension plan third-party vendors (e.g., plan recordkeeping, investment fiduciaries, etc.) and the appropriate timing for making those changes.
  • If the buyer already maintains other pension plans within its controlled group and will maintain the newly acquired plan, then consider whether it makes sense at some point to merge the pension plans into a single plan. There are various considerations when deciding whether and when to merge pension plans, including those related to the funding status of each plan and PBGC premium costs. The plan sponsor should consult its various advisors before consolidating pension plans.

Kathleen Dreyfus Bardunias

Leigh C. Riley

Categorically Unsafe Software

By: Senior Technical Advisors Bob Lord and Jack Cable, Senior Advisor Lauren Zabierek

In many of our writings about the secure by design initiative, we use phrases like “classes of coding error”, “classes of vulnerability”, or “categories of defect”. You may wonder why we place so much emphasis on grouping defects together rather than focusing on individual ones. In fact, we’ve had many people ask us why we urge software manufacturers to eliminate entire classes of defect like cross-site scripting (XSS), SQL injection (SQLi), directory traversal, and memory unsafety, as called for in our Secure by Design Pledge. To illustrate how focusing on quality and eliminating groups of errors improves security, we offer our current thinking.

From patterns to progress

Copying successful industries . While it might seem like a novel concept to making software more secure, root cause analysis and mitigation of repeated classes of defect is the norm in industries that have significantly higher levels of quality and safety. In the aviation industry, experts analyze safety-related incidents to understand not just the proximate causes of the problem, but the multiple contributing factors, thereby allowing them to make recommendations to change pilot, crew, and air traffic controller training, plane maintenance, and cockpit and aircraft design, among others. 

Recognizing patterns . To improve product quality and security at scale, we need to spot patterns of recurring defect so that we can move from addressing each defect one at a time to eliminating them from the start. What kinds of coding errors do developers repeatedly make at any given software manufacturer, or across the industry? When we group negative outcomes into classes, we can start to engage in systems thinking to understand the real root causes and potential remedies. Moreover, this helps us to better predict how these product defects will be exploited by malicious actors, thereby giving defenders a leg up when leveraging limited resources.

Analyzing trends over time . Pattern detection is just the first step. We also need to understand how those patterns change over time. Are classes of defect increasing or decreasing over time for any given software product, or across the entire industry? By looking at trends, we can start to see which software companies are making progress and which need to initiate a quality improvement program. 

Generalizing remedies . By thinking about classes of defect, we can think beyond the symptom of the problem, and start to reason more about ways to generalize remedies. This line of thinking also serves to shift the responsibility of security from the least capable to the most equipped. Instead of software developers asking, “How can I fix this one defect?” they can ask “How can I prevent all similar defects?” Rather than fixing one SQL injection (SQLi) defect, why not eliminate them entirely, as some companies appear to have done? 

Remediation scale . Some classes of coding error can be eliminated with relatively low effort, while some may require significant effort. Until we learn how widespread various classes of defect are, we won’t be able to distinguish between classes of defect that companies should eliminate on their own, and those that require a coordinated effort by the larger software ecosystem.

Shift left . In the context of software development, people use the phrase “shift left” to mean conducting certain activities earlier in the software development lifecycle (SDLC). Part of the idea is that preventing coding mistakes is cheaper than catching and fixing them later in the timeline. The phrases “shift left” and “eliminating classes of vulnerability” are different sides of the same coin. If you truly align your product security program to prevent defects as early in the development cycle as possible, meaning that you are shifting security left on a timeline, you must contemplate ways to eliminate entire classes of coding error.

Developer ecosystems. Google’s March 2024 whitepaper titled “Secure by Design at Google” includes this important observation: “The security posture of software products and services is an emergent property of the developer ecosystem in which they are designed, implemented and deployed”. They further write that “careful design of developer ecosystems can drastically lower the incidence of certain kinds of defects, and in some cases practically eliminate them”. The idea is that repeated types of software defects are not the fault of the individual software developer. That means that “developer training” might not be the best remedy. Instead, they argue, those repeat offender defects are an emergent property of the tools and practices that the company has given their coders. Some tools make it nearly impossible for the developer to avoid coding errors. As one example, see the prevalence of memory safety defects in languages like C/C++ compared to others like Swift, C#, Java, Rust, Python, JavaScript, Go, and Ruby.
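The two ideas above, generalizing the remedy for SQL injection and making the developer ecosystem catch the whole class rather than one instance, can be put into a tooling check. The following is an added example, not CISA's or Google's code: a small AST-based scanner that flags any cursor.execute*() call whose SQL text is assembled at runtime, run over a constructed source module that contains three variants of the defect and the parameterized remedy, plus a demo showing that the remedy treats a quote in user input as data.

```python
"""Detect the SQL-concatenation defect class at the tooling level instead of
fixing individual SQLi defects.  Added example; the check, the sample source
and the demo database are constructed for illustration."""
import ast
import sqlite3
from typing import Optional

# Constructed sample module: the defect class in three forms, then the remedy.
SAMPLE_SOURCE = '''
import sqlite3

def find_user_concat(conn, username):
    # Defect class: untrusted data spliced into SQL text.
    return conn.execute("SELECT * FROM users WHERE name = '" + username + "'").fetchall()

def find_user_fstring(conn, username):
    return conn.execute(f"SELECT * FROM users WHERE name = '{username}'").fetchall()

def find_user_percent(conn, username):
    return conn.execute("SELECT * FROM users WHERE name = '%s'" % username).fetchall()

def find_user(conn, username):
    # Remedy: the driver keeps SQL text and data separate.
    return conn.execute("SELECT * FROM users WHERE name = ?", (username,)).fetchall()
'''

EXEC_METHODS = {"execute", "executemany", "executescript"}


def _dynamic_sql_reason(node: ast.expr) -> Optional[str]:
    """Return a reason if the SQL argument is built at runtime, else None."""
    if isinstance(node, ast.JoinedStr):
        return "f-string used as SQL text"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "SQL text built with + or % operator"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format() used to build SQL text"
    return None


def find_dynamic_sql(source: str) -> list:
    """Walk the AST and report every execute*() call whose first argument is
    assembled at runtime.  A constant string with placeholders passes."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in EXEC_METHODS or not node.args:
            continue
        reason = _dynamic_sql_reason(node.args[0])
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)


def demo_safe_query(username: str) -> int:
    """Run the parameterized form against an in-memory table; a quote in the
    input (o'brien) is data, not SQL, so only exact matches are returned."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",), ("o'brien",)])
    rows = conn.execute("SELECT name FROM users WHERE name = ?",
                        (username,)).fetchall()
    return len(rows)


if __name__ == "__main__":
    for line, reason in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
    print("rows for o'brien:", demo_safe_query("o'brien"))
```

Wiring a check like this into CI turns "fix this SQLi" into "this pattern cannot be merged", which is the ecosystem-level remedy the text describes.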

Reducing costs to software manufacturers. Software defects can be reported at random times. Pulling software developers off other tasks to address software defects can be expensive and disruptive to project schedules. As any business looks to save where it can, it is useful to examine the costs of insecurity to the company. To instead achieve economies of scale, companies should invest in the tools and resources needed to prevent the introduction of entire classes of defect and achieve secure outcomes like secure developer ecosystems.

Reducing costs to the customers. Applying software updates is not a trivial matter in businesses, small or large – not to mention the costs of an intrusion. We now know that security will not be achieved by simply “patching harder.” Therefore, reducing the number of critical security fixes can reduce the load on IT professionals, and improve customer security.

Increasing costs to the threat actors. When we eliminate entire classes of defect, we make it harder for threat actors to exploit simple vulnerabilities. That raises their cost to conduct malicious cyber activity. If product teams eliminate enough of the classic defects, they may price some threat actors out of the market.

Aren’t we doing that already?

Some software companies are already working to eliminate classes of coding error. Some have even accomplished that goal for the most common classes. But there is evidence that the industry as a whole is not making sufficient progress. In fact, many top software products fail to protect their customers from exploitation of the most common classes of defect. We read in the news about these common defects causing significant damage to companies and government agencies.

Let’s compare two documents, MITRE’s 2007 paper titled “Unforgivable Vulnerabilities”, and their 2023 analysis of “Stubborn Weaknesses”. It would be a reasonable hope that the classes of defect from 2007 would have been eliminated and that the 2023 report would have all new classes of defect that are more expensive to exploit. We would hope that the software industry would eliminate top classes of defect every few years because doing so would increase the cost to threat actors.

Sadly, the truth is that the software industry has made inadequate progress since 2007, the year the iPhone was introduced. Of the 13 “unforgivable vulnerabilities”, most are still present in the 2023 report in one form or another. We are still plagued by classes of defect like memory unsafety, XSS, SQL injection, directory traversal, and improper input sanitization. What’s especially noteworthy is that for most of these classes of defect, we have known of ways to prevent them at scale for years, and even decades. Some damaging and costly cyber intrusions were likely preventable.

Over the past 17+ years, many software companies have prioritized fixing software defects found in customer deployments over fixing them in their product designs, thereby putting customers at risk and leading to significant real-world harms.

The CWE/CPE challenge

The above two reports rely on the Common Vulnerabilities and Exposures (CVE) program, and in particular, CVE Numbering Authorities’ (CNA) commitment to provide timely, complete, and correct CVE records. Especially important to root cause analysis are the Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields. The CWE explains the type of coding error that created the defect. The CPE provides information about product and platform naming.

Today, some CNAs ensure CWE and CPE fields are included with all CVE records they create, but many are not as diligent. Until all CNAs and software manufacturers fully commit themselves to ensuring that their CVE records (and CWE/CPE fields) are timely, complete, and correct, we will struggle to become a data-driven industry. Incomplete or inaccurate data will keep us in the dark about the root causes of cyber intrusions and inhibit our ability to prevent them at scale. 
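Recognizing patterns and analyzing trends (the first two points above) only work when CVE records carry their CWE and CPE fields, which is why completeness matters. The following is an added example, not CISA's or MITRE's code: it takes a small set of constructed CVE-style records with a flattened field layout (real CVE JSON records nest these fields differently), flags the records a CNA left without a CWE or CPE, counts how often each class of defect recurs, follows one class year over year, and attributes classes to vendors by parsing the CPE 2.3 vendor field.

```python
"""Class-of-defect analysis over CVE-style records.  Added example; the
records, their placeholder IDs and the flat field names are constructed."""
from collections import Counter

# Constructed records.  A record is usable for root cause analysis only when
# it carries both a CWE id and at least one CPE.
RECORDS = [
    {"id": "CVE-0000-0001", "year": 2022, "cwe": "CWE-89",  "cpes": ["cpe:2.3:a:acme:app:1.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0002", "year": 2022, "cwe": "CWE-89",  "cpes": ["cpe:2.3:a:acme:app:1.1:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0003", "year": 2022, "cwe": "CWE-79",  "cpes": ["cpe:2.3:a:acme:app:1.1:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0004", "year": 2023, "cwe": "CWE-89",  "cpes": ["cpe:2.3:a:acme:app:2.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0005", "year": 2023, "cwe": "CWE-787", "cpes": ["cpe:2.3:o:globex:device_fw:3.2:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0006", "year": 2023, "cwe": None,      "cpes": ["cpe:2.3:o:globex:device_fw:3.2:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0007", "year": 2024, "cwe": "CWE-79",  "cpes": []},
    {"id": "CVE-0000-0008", "year": 2024, "cwe": "CWE-787", "cpes": ["cpe:2.3:o:globex:device_fw:3.3:*:*:*:*:*:*:*"]},
]


def cpe_vendor_product(cpe: str) -> tuple:
    """Extract (vendor, product) from a CPE 2.3 formatted string:
    cpe:2.3:part:vendor:product:version:... with 13 colon-separated fields."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts[3], parts[4]


def incomplete_records(records) -> list:
    """Records that cannot feed root cause analysis: CWE or CPE missing."""
    out = []
    for r in records:
        missing = [field for field in ("cwe", "cpes") if not r.get(field)]
        if missing:
            out.append((r["id"], missing))
    return out


def defect_classes(records) -> Counter:
    """Recognizing patterns: how often each class of defect recurs."""
    return Counter(r["cwe"] for r in records if r.get("cwe"))


def class_trend(records, cwe: str) -> list:
    """Analyzing trends: yearly count for one class, zero-filled so a class
    that disappears shows as a drop rather than a gap in the series."""
    years = sorted({r["year"] for r in records})
    per_year = Counter(r["year"] for r in records if r.get("cwe") == cwe)
    return [(y, per_year.get(y, 0)) for y in years]


def defects_by_vendor(records) -> dict:
    """Which manufacturers keep shipping which classes.  Needs both fields,
    so incomplete records silently drop out of this view."""
    by_vendor = {}
    for r in records:
        if not (r.get("cwe") and r.get("cpes")):
            continue
        for vendor in {cpe_vendor_product(c)[0] for c in r["cpes"]}:
            by_vendor.setdefault(vendor, Counter())[r["cwe"]] += 1
    return by_vendor


if __name__ == "__main__":
    print("incomplete:", incomplete_records(RECORDS))
    print("classes:", defect_classes(RECORDS))
    print("CWE-89 by year:", class_trend(RECORDS, "CWE-89"))
    print("by vendor:", defects_by_vendor(RECORDS))
```

Note how the two incomplete records vanish from the per-vendor view: that is the data-driven blind spot the text warns about.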

But we’re seeing signs of progress. Recently Microsoft announced that they would “now publish root cause data for Microsoft CVEs using the Common Weakness Enumeration (CWE™) industry standard”. Their blog post is worth reading to understand their perspective. This development — and the commitment of 68 software manufacturers as part of our pledge to do the same — is exciting, and we hope all CNAs and software manufacturers follow suit. 

The next time you see a security-sensitive update for a software product, don’t focus on how the threat actors are abusing that specific coding error. Ask yourself what class of coding error it belongs to. If it belongs to one of the “unforgivable vulnerabilities” from the 2007 paper, or one of the recurring “stubborn weaknesses”, ask yourself why the software manufacturer shipped the product with that defect when systemic preventions are well-known. More importantly, ask those software companies what they are doing to eliminate that entire class of defect. As customers, we should demand that companies stop the practice of shipping defective software, and then only fixing the problems that are found in the field, often after a customer has been injured. 

The bottom line is that a secure by design software development program necessitates formal efforts to eliminate entire classes of defect before the product ships rather than playing whack-a-mole with defects that appear on customer systems in production. For the software manufacturer, a secure by design program that works to eliminate entire classes of defect is likely to be cheaper in the long run and will create a higher quality product that requires fewer emergency fixes. Such a program should be part of the company’s business strategy. For the customers, it will reduce the burden of having to apply as many urgent software updates. For our country, it will result in greater security and safety. It is the norm in other industries to perform root cause analysis and to work towards eliminating classes of defect and it is long past time for it to be the norm in the software industry.

For more information on developing software that is secure by design, please see CISA’s Secure by Design whitepaper. We encourage all software manufacturers to demonstrate their commitment by taking CISA’s Secure by Design Pledge.


Sony and Apollo Move Ahead With Paramount Bid Process but Reticent About Earlier Plan, NYT Reports

Reuters

FILE PHOTO: The logo of Paramount Pictures studios is pictured after the Writers Guild of America (WGA) said it reached a preliminary labor agreement with major studios in Los Angeles, California, U.S., September 24, 2023. REUTERS/David Swanson/File Photo

(Reuters) - Sony Pictures Entertainment and Apollo Global Management have signed nondisclosure agreements that will allow them to look at Paramount's books ahead of a potential bid for the movie studio's assets, the New York Times reported on Friday, citing people familiar with the matter.

The companies are, however, backing away from an initial plan to make an all-cash $26 billion offer for Paramount, the newspaper said.

Reuters reported this month that Paramount was in talks to open its books to a consortium of the Sony movie unit and the U.S. buyout firm. CNBC later reported that Sony was rethinking its bid, sending Paramount's shares tumbling and helping the Japanese firm's shares surge after upbeat earnings.

Sony and Apollo are now contemplating a variety of approaches to acquire Paramount's assets, the New York Times said.

Paramount declined to comment on the report, while Sony and Apollo did not immediately respond to a request for comment late Friday.

Like other studios, Paramount has been struggling to recover from last year's months-long strikes by Hollywood writers and actors, a soft advertising market and falling cable subscriptions in the United States which have eroded profits for its TV business.

Paramount has also been talking with Skydance Media but earlier this month ended a period of exclusivity in the negotiations.

(Reporting by Mrinmay Dey in Bengaluru; Editing by Edwina Gibbs)

Copyright 2024 Thomson Reuters.
