In a previous article, I showed that the term “risk tolerance”, borrowed from the world of finance, actually takes on different types and qualities depending on the domain. If Enterprise Risk Management must contemplate risk tolerance in domains other than the financial, then it will have to be determined within the specific work context. It will be defined in relation to the goals of the organization, and to its particular system of ethics, professional codes, business rules, and quality standards – in a word, its values.
What that means in practice is that the risk manager will not find a universal formula for risk tolerance, but may well have quality standards, statutory requirements, regulatory guidelines, or stakeholder interests that help shape it. It may have to be determined at the granular level; i.e., for each item in the risk register, or for each administrative decision.
Example 1. If I am a mechanical engineer requiring a certain carbon content or grain structure in the steel that enters the plant to manufacture a part, then, in a sense, I have to determine my “degree of tolerance” for the risk that the steel received is sub-standard. Risk will play out in different ways, and so will mitigation costs, depending on whether I rely on the supplier’s assurances or on third-party reports, or instead opt for an in-house 100% inspection operation.
Example 2. A social services organization, such as a child welfare agency, or a counselling or psychiatric care facility, will have “zero tolerance” for certain things involving patient safety. Yet, staff will have to make judgments on a daily basis in unique, complex, multi-variable situations as to whether the safeguards are sufficient — or perhaps even excessive, causing deficient allocation of resources elsewhere.
Example 3. Imagine an IT firm that sees potential in branching out into a new area of cyber security. Even if the burn rate is defined, managers may not have clear agreement on the criteria for incremental success. In a sense, risk tolerance is undefined.
Each of these examples shows that Enterprise Risk Management cannot rely on the notion of risk tolerance solely as a discrete number; i.e., a percentage of capital at risk. ERM must allow for the design of risk tolerance for activities of varying scope and in different disciplines.
High-quality risk assessment allows managers and staff to cooperate in a structured discussion of risk. They can define risk mitigation measures, and arrive at a finely tuned common interpretation of tolerance in real situations. Risk tolerance will not necessarily be something physically measured as a discrete number. It may instead have various obtainable measures associated with it, serving as indicators that require monitoring.
Conclusion: I believe that in many organizations, risk tolerance must be the subject of a continual dialogue between management and staff, in order to ensure a reasonably consistent interpretation of and adherence to it.