450 words. Updated 09 May 2024.
No universal formula for risk tolerance in non-financial contexts
In another article [1] on this topic, I claim that, with the advent of Enterprise Risk Management, terms borrowed from the world of finance have been inappropriately introduced into non-financial contexts.
The utility of the idea of risk appetite outside of an investment operation seems remote, while it will take some work to specify and make useful the notion of risk tolerance.
What that means in practice is that the risk manager will not find a universal formula. Corporate goals, values, quality standards, statutory requirements, regulatory guidelines, or stakeholder interests can all play a role. It may have to be determined at the granular level; i.e., for each item in the risk register, or for each administrative decision.
Risk tolerance example 1
If I am a mechanical engineer requiring a certain carbon content or grain structure in the steel that enters the plant to manufacture a part, then, in a sense, I have to determine my “degree of tolerance” for the risk that the steel received is sub-standard. This will play out in different ways, and so will mitigation costs, depending on whether I rely on the supplier’s assurances, on third-party reports, or on an in-house 100% check operation.
Example 2
A social services organization, such as a child welfare agency, or a counselling or psychiatric care facility, will have, at least in policy, “zero tolerance” for certain things involving client or patient safety. Even if staff members interpret this in a literal or fanatical manner, they will still have to make judgments on a daily basis in unique, complex, multivariate situations as to whether safeguards are sufficient — or perhaps even excessive, causing deficient allocation of resources elsewhere, leading to untold harms.
Example 3
Imagine an IT firm that invests in a subsidiary operation to address a new area of cyber security. Managers may not have clear agreement on the timeline, nor on success criteria for the new venture. The way managers tolerate risk is not consistent from one to the next.
Conclusion
Well, each of these examples shows that Enterprise Risk Management cannot rely just on the notion of willingness to risk financial capital. ERM must allow for the design of risk tolerance in activities of varying scope, in different disciplines.
High-quality risk assessment allows participants in a round-table discussion to have a nuanced discussion of risk. They arrive at a finely tuned common interpretation of real situations. Risk tolerance can then be the subject of dialogue in order to ensure a reasonably consistent understanding of it and adherence to it.