At times it seems risk tolerance relates to the famous quote on congressional accomplishments, “When all is said and done, there is a lot more said than done.” This is likely because the term is often used qualitatively. That is, we describe one organization as more or less risk tolerant than another without addressing how much more or less.
What if you could describe risk tolerance quantitatively? Better yet, what if you could extract if from your existing risk data?
Organizations are often asked by leadership to become more risk tolerant. Like other elements of risk management, tolerance has two facets: threat tolerance and opportunity tolerance. Becoming more threat tolerant means reducing the effort spent treating threats (i.e., accepting more residual threat exposure). Becoming more opportunity tolerant means increasing the effort spent treating opportunities (i.e., accepting as much residual opportunity exposure as you can afford).
The question becomes, how do you get numbers? We determined that they can come from impact assessments.
Most mature risk management organizations already understand the importance of preparing two impact assessments when initially considering whether to address an uncertainty. In our organization, they are called the initial and target assessments, but they may have other names. The initial assessment describes the impact the uncertainty may cause if the organization does nothing. This assessment also establishes the inherent risk. That initial assessment gets updated to represent the current assessment as the treatment plan unfolds. The target assessment tells the organization when they should stop, essentially setting the residual risk the organization is willing to accept. When the current assessment reaches the target assessment, we stop and keep our fingers crossed. More formally, we accept the residual risk and engage fallback (contingent) actions only if the uncertainty unfolds despite our treatment efforts.
We have found that for threats, large differences between the inherent and target assessments represented less organizational threat tolerance than small differences. On the other hand, for opportunities, large differences between inherent and target assessments represented more organizational opportunity tolerance than small differences.
Our organization’s risk assessment technique assigns a number from 1 to 25 for inherent and target threat impact assessments. Not surprisingly, the inherent threat assessment is larger than the target threat assessment as the purpose of threat treatment is to reduce the residual impact. For opportunities, we assign a number from -1 to -25 for inherent and target opportunity impact assessments, where the inherent assessment is greater numerically (-1 is greater than -25) than the target assessment. In both cases, subtracting the target assessment number from the inherent assessment number yields a positive number. The result can be compared across the various risk in a portfolio and tracked over time as risk appears, is treated and is closed.
This can be confusing. For increased threat tolerance we want inherent minus target to decrease, but for opportunity tolerance we want inherent minus target to increase. We needed a way to report changes in both threat and opportunity tolerance on the same scale with improvement measured in the same direction. We settled on a simple mechanism mapping ranges of inherent–target values to tolerance values from 1 to 5, where 5 is better than 1. Figure 1 illustrates the mapping.
Figure 1—A (Kind of) Quantitative Approach to Organizational Risk Tolerance
|
Threat Tolerance Level |
Threat Rating Delta (I–T) |
Opportunity Tolerance Level |
Opportunity Rating Delta (I–T) |
|
5—Bold |
0–5 |
5—Exceptional |
21–24 |
|
4—Forward leaning |
6–10 |
4—Significant |
16–20 |
|
3—Moderate |
11–15 |
3—Moderate |
11–15 |
|
2—Cautious |
16–20 |
2—Minor |
6–10 |
|
1—Averse |
21–24 |
1—Negligible |
0–5 |
We went one step further to integrate this method into a continuous, agile risk management process with short cycle times and frequent management involvement, including setting organizational desired tolerance levels.
An Excel workbook is all that is needed for the math and mapping, but it does require discipline to address and record both inherent and target risk assessments. Considering how important such assessments are to management decisions necessary for effective risk management, it really is not too much to ask of an organization’s risk management communities.
Editor’s note: For further insights on this topic, read the authors’ recent Journal article, “A Novel Approach for Government Acquisition and Procurement: Agile Risk Tolerance,” ISACA Journal, volume 3, 2021.
Don't forget—Members can earn free CPE from ISACA Journal quizzes!