
In a previous article, I showed that “risk tolerance”, a term borrowed from the world of finance, is actually of different types and qualities. If Enterprise Risk Management must contemplate risk tolerance in domains other than financial, then it will have to be determined within the specific work context.

What that means in practice is that the risk manager will not find a universal formula for risk tolerance. Corporate goals, values, quality standards, statutory requirements, regulatory guidelines, or stakeholder interests can all help shape tolerance. It may have to be determined at the granular level; i.e., for each item in the risk register, or for each administrative decision.

Example 1. If I am a mechanical engineer requiring a certain carbon content or grain structure in the steel that enters the plant to manufacture a part, then, in a sense, I have to determine my “degree of tolerance” for the risk that the steel received is sub-standard. Risk tolerance will play out in different ways, and so will mitigation costs, depending on whether I rely on the supplier’s assurances or on third-party reports, or instead opt for an in-house 100% check operation.

Example 2. A social services organization, such as a child welfare agency, or a counselling or psychiatric care facility, will have “zero tolerance” for certain things involving patient safety. Yet, staff will have to make judgments on a daily basis in unique, complex, multivariate situations as to whether the safeguards are sufficient — or perhaps even excessive, causing deficient allocation of resources elsewhere.

Example 3. Imagine an IT firm that sees potential in branching out into a new area of cyber security. Managers may not have clear agreement on criteria for the new venture's success. In a sense, risk tolerance is undefined.

Well, each of these examples shows that Enterprise Risk Management cannot rely on the notion of risk tolerance solely as a discrete number; i.e., a percentage of capital at risk. ERM must allow for the design of risk tolerance in activities of varying scope, in different disciplines.

High quality risk assessment allows managers and staff to have a nuanced discussion of risk. They can define risk mitigation measures, and arrive at a finely tuned common interpretation of tolerance in real situations. Risk tolerance might have various measures associated with it, as indicators that require monitoring.

Conclusion 
I believe that in many organizations, risk tolerance might be considered an inappropriate and dysfunctional notion. But if it is deemed indispensable, then it must be the subject of a continual dialogue between management and staff, in order to ensure a reasonably consistent interpretation and adherence to it.