As part of your daily life, you drive a car, walk down the street, ride in elevators, go swimming, have children. Correct? You live your life. Well, you are accepting risk in all of those things. In fact, having a home or renting an apartment also entails risk…fire, wind damage, snow or ice, tornado, earthquake, plumbing problems.
The reality is that if you did not accept risk, you would not be able to live.
So how does this apply to an organization?
It comes down to whether risks are knowingly accepted (active risk acceptance) or being accepted through inaction (passive risk acceptance).
Risk Appetite and Risk Tolerance
In response to a previous article on the possible risk response strategies, there was some hub-bub over whether there were 4, or 5, or even the order of the actions…
My reaction was this: does it really matter what they are called or how many there are? Yes, my personal preference is to call them avoid, reduce, transfer, and accept, but it is okay for other people and organizations to use different terms.
In order to know which type of response is appropriate for each specific risk, your organization should use risk appetite and risk tolerance.
As a side note: some people think risk appetite and risk tolerance is just for the banking industry, which is where it originated. But it can be done for other industries – you just have to make it work for your organization!
Okay, back to the topic at hand…
I love the use of risk tolerance for setting an informal boundary for decision-making. What I want to focus on is risk acceptance. After all, risk tolerance provides the tool for people to know what impact is acceptable to the organization.
If the risk is above the risk tolerance level, then additional action or discussion is needed.
- Is the risk so horrible and unmanageable that it should be avoided?
- Are there actions the organization could take to reduce the impact of the risk? Reduce the probability of the risk? Slow the timing of the risk so the organization has more time to prepare and/or respond?
- Are there options to contractually transfer the risk to another party?
- On the positive side, are the opportunities worth the additional risk?
If the current risk level is at or below the risk tolerance level, no further action is needed. Management has decided to actively accept the risk.
Passive Risk Acceptance
One of my most frustrating experiences in the ERM field has been identifying major risks to the organization, telling my management about my concerns, and watching them do nothing about it. Then when it actually happens, they wonder what happened and why are things going badly.
By not doing anything about an identified risk, they passively accepted the risk.
Has your organization’s management passively accepted risk and then regretted it? What was their response when the risk became reality?
Your instinct may say that there are plenty of risks that are okay to be passively accepted. Right?
No.
The reality is that you do not know if the risks are okay unless they have been assessed and compared to the tolerance. The assessment does not have to be a formal ERM exercise. It can be informal, off-the-cuff discussion, or even a mental pause to do in your head when making a decision.
But by having the conversation, doing the mental pause, you are taking action. Which means you are not passively accepting risk.
Informed Risk Decisions
So to summarize:
- There are two types of risk acceptance: active and passive.
- Risk tolerance is a great tool to use for knowing which risks should be actively accepted.
- Passive risk acceptance is due to inaction toward an identified risk and can be damaging to an organization.
Ensure that your organization’s management is aware of the risks that are being accepted. Focus on developing risk appetite and risk tolerance for your organization, with the end result being very shareable and easily usable by people throughout the organization for making decisions.
Encourage the mental pause, the informal discussions. (Sometimes very big decisions are made without much fanfare, so informal usage is critical…)
What are your next steps to ensuring your management has the tools needed for active risk acceptance?
I’m interested to hear your thoughts on this important topic. Please feel free to leave a comment below or join the conversation on LinkedIn.
And if risk tolerance is a challenge for your organization, please don’t hesitate to contact me to discuss your specific situation today.