How to Define Risk Tolerance: 3 Mini Case Studies


/ July 1st, 2010/ Posted in Risk Tolerance / No Comments »

Following on the idea given in the previous post What is Risk Tolerance that performance measures will necessarily be of different types and qualities, we can conclude that a risk tolerance assessment for a given context will have various measures, too.

This assumes that the risk tolerance statement is not construed purely in financial terms, and that Enterprise Risk Management contemplates many forms of tolerance, risk in all domains, not just in capital management.

The tolerance for risk will have to be determined within the specific work context.  It will be defined in relation to the goals of the organization, and to its particular system of ethics, professional codes, business rules, and quality standards – in a word, its values.

It will not necessarily be something categorically measured, a discrete number. It might, on the other hand, have various obtainable measures associated with it, as indicators that require monitoring. I believe that in many organizations, risk tolerance must be the subject of a continual dialogue between management and staff, in order to ensure a reasonably consistent interpretation of and adherence to it.

What that means in practice is that the risk manager will not find a universal formula for risk tolerance, but may well have quality standards, statutory requirements, regulatory guidelines, or stakeholder interests that help shape it.

Example 1. If I am a mechanical engineer requiring a certain carbon content or grain structure in the steel that enters the plant to manufacture a critical part, I have to determine my degree of tolerance – risk will play out in different ways, and so will mitigation costs, depending on whether I rely on the supplier’s assurances, third party reports, or in-house 100% check.

Example 2. A social services organization, such as a child welfare agency, or a counselling or psychiatric care facility, will have “zero tolerance” for certain things involving patient safety. Yet, staff will have to make judgments as to whether the safeguards in any particular situation are sufficient to permit attention to be diverted elsewhere – to clients at risk who might otherwise go unattended.

Example 3. Imagine an IT firm that is doing well and sees potential in branching out into a new area of cyber security. Managers do not have clear agreement on the criteria for success, and guidelines for making incremental choices, as they build the new operation.  The firm’s tolerance for risk (or risk appetite) for this specific venture needs definition beyond a simple percentage.

Well, each of these examples shows that Enterprise Risk Management cannot rely solely on the notion of risk tolerance as a discrete number, a percentage of capital at risk. ERM allows for the design of risk tolerance for contexts of different scope and activity  in different disciplines.

This is just where the risk manager can offer to lead a thorough risk identification and assessment session. In each of the examples above, managers and staff will be glad to participate in a structured discussion of risk, and contribute to suggestions for risk mitigation, because the results will help them to make critical decisions in their daily work.

The final report, based on a fully developed risk profile and agreed mitigation, could serve as a guideline, offering measures where possible, as well as practical indicators and advice. The engineer might then use that risk report to justify the cost of doing 100% inspection – or instead discover that it’s not necessary. The field staff in social services will feel as though their concerns have been heard, they have had a chance to discuss the ambiguities and contradictions encountered in the field, and they now have better guidelines to help them in difficult situations. The managers in the IT firm will have documented consensus on the new venture risks, and an agreed blueprint for proceeding.

Risk ID and assessment can therefore help establish a common understanding of the organization’s tolerance for risk, its possible measures and indicators, and steps to ensure adherence to it in practice.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Tags: , , , ,

Leave a Reply

Name required

Mail (will not be published) required

Website