Director, Paladin Risk Management Services
There is considerable confusion in the risk world in relation to terms such as risk appetite, risk tolerance, risk acceptance, risk threshold and risk attitude (just to name a few). These are defined differently by organisations and there is no guidance in ISO 31000 that clarifies this, so the confusion becomes a distraction.
No matter what it is called, every organisation needs to specify the parameters within which it is going to manage its risks. In order to do this there are a number of fundamental questions that you need answered.
1. What is the level of risk that I am willing to accept for each of my risk categories?
It is important to look at each category individually, because the acceptable level may differ between them. You may have a very low tolerance for safety and reputation risks but slightly more for performance or financial-management risks. Identify the level of risk you are willing to accept for each category; this becomes your target level of risk for that category. Then, when you identify and analyse a risk, if it sits above that target you know straight away that you have to take steps to reduce it down to the target.
One way of capturing this information is in a matrix as shown below:
2. What am I going to measure my consequences against? What are my critical success factors?
Ask yourself which categories, impact areas or critical success factors you are going to measure your consequences against. By determining what success looks like for your organisation, you can derive the critical success factors that form the columns of your consequence matrix.
Some common critical success factors include (but are not limited to):
- Schedule (Projects)
3. What does a severe consequence look like against each of those categories?
Analyse each category and ask "what does a severe consequence look like to us as an organisation against each of these categories?" This expresses your threshold for pain in terms of the incidents that may occur, and it is what gives the consequence ratings in your matrix a concrete meaning.
4. What does "almost certain" look like from a likelihood perspective?
Is it more than once a year, is it a hundred in a thousand, or is it once in three months? This is an important question to ask, because if you get it wrong, or if your likelihood matrix is inappropriate for your organisation, every risk assessment that uses it will be distorted as well.
5. What does my matrix look like? What is its size (3x3, 5x5, etc.)? What level of risk does each square represent?
The way you structure your matrix determines how conservative your organisation is. If you choose the wrong type of matrix, or the squares are rated incorrectly, the matrix will not reflect the nature of your business. For example, if you are a highly conservative organisation but many of your squares sit at the medium or low level rather than at the high or extreme level, the matrix will systematically understate the risks you actually care about.
Too many people and too many organisations are scrambling around asking "what's my risk appetite?" or "what's my risk tolerance?" There is a void of knowledge around appetite and tolerance that people are filling with their own opinions. There is one fundamental outcome that you want: to set your risk context. If you answer the five questions above, you will be able to do this effectively.
Have you formally set your risk parameters? How do you measure your success factors?
Rod Farrar is the Director of Paladin Risk Management Services, an Australian-based risk management business that provides risk management training and consultancy services to government and industry. Paladin's flagship courses, the Diploma of Risk Management and Business Continuity and the Advanced Diploma of Governance, Risk and Compliance, have been attended by over 300 participants from all locations across Australia as well as Indonesia, New Zealand, PNG and the Solomon Islands.