Michael D. Moberly July 28, 2010
It’s common to hear experienced risk managers express the view that its impossible to eliminate all risk. To that I say, perhaps it is possible, however the actions one would have to take – undergo to eliminate all risk would, for most, be far too draconian and require virtually no interaction which essentially renders the statement moot insofar as businesses are concerned.
First, it’s important to define ‘risk tolerance’ and the various ways in which it can be determined – assessed, i.e., by an organization’s:
1. Experience – the level of a company’s current knowledge pertinent to – necessary for the successful management of a particular risk.
2. Resiliency – the level of residual strength and/or asset fragility within a company’s base of financial, physical, or intellectual resources should a particular risk materialize or cascade.
3. Flexibility – the ability of an organization to positively respond (apply mitigation measures) to an array of (identified) risks in a timely manner to elevate the probability that a previously agreed upon (accepted) level of business operational continuity is sustainable should a particular risk actually materialize.
So perhaps the next logical question to ask is why should management teams, boards, and companies in general, tolerate risk? The answer, in my view, is not so much that risk is an inherent aspect of doing business, rather, it’s that organizations tend to tolerate risk because:
1. The level of risk is deemed (assessed to be) so low in terms of probability, vulnerability, and criticality that specific treatment (risk mitigation initiatives) are neither appropriate or necessary given a company’s available resources.
2. The nature of the risk itself is such that there are no available treatments or perhaps the risk, should it materialize, falls outside the capabilities of an organization/company to actually mitigate.
3. The cost of risk mitigation (the treatment), including insurance costs, is excessive, relative to the benefits, making ‘risk toleration’ the only, or perhaps the most viable option. Such circumstances often arise with risks that are assessed as being a low priority in terms of probability, vulnerability, and criticality.
4. The (business) opportunities presented (become available) outweigh the threat, i.e., the vulnerability, probability, and criticality should a risk actually materialize) to the point that a management team and board can justify (rationalize) assumption of the risk on behalf of the company.
(This post was inspired by the work of Dr. Marc Siegel related to organizational resilience.)
The ‘Business IP and Intangible Asset Blog’ is researched, written, and produced by Mr. Moberly to provide insights and additional and sometimes alternative views for company management teams, boards, and employees to aid in identifying, assessing, valuing, protecting, and profiting from their intangible assets. I welcome and respect your comments and perspectives at firstname.lastname@example.org.