
When an acceptable level of risk is not acceptable

February 4, 2017

We are used to identifying a risk, analyzing the potential consequences and their likelihood, and then establishing a ‘risk level’. We evaluate whether the level of risk is acceptable or not, based on risk appetite, risk criteria, or the like.

But is that sufficient?

Let’s imagine we are planning a trip from our home in Paris to Lyon. The plan is to take a taxi to the train station and then a fast train to Lyon. An uncle will meet the train and bring us to his home, where we will spend a few days.

You and your spouse assess the risks.

There’s a possibility that either of you or the kids will get sick. You assess that risk as low but will monitor it as the date gets closer.

Strikes in Paris are always a possibility, and you are vulnerable to either a taxi or a train strike. In addition, if the Metro workers go on strike, finding a taxi will be hard. Again, you accept the risk but agree to monitor it.

Other risks include the possibility that your uncle or members of his family will be sick, or that either you or your spouse will be called into work to handle an emergency.

Overall, though, the risks are each assessed as low but need to be watched.

The week before the trip, two of your children start to show the symptoms of a bad cold. You are at home looking after them and have to make a decision. Will there be time to treat them so that it’s ok to travel rather than stay home? You decide that more likely than not they will recover in time and the risk is acceptable.

But meantime, your spouse is hearing from a manager that there’s a decent chance (maybe 30%) that a potential major deal will close in a couple of days. If that happens, you will need to cancel the vacation. Your spouse decides that the risk is acceptable.

That evening, you get together and share your assessments of the individual risks.

While each may be acceptable individually, the combination troubles you. You decide to check the weather and see that there’s a 30% chance of rain in Lyon for each of the days you will be there.

Overall, you decide it is better to cancel. The overall situation is not to your liking. You are not going to take the risk.

The same thing can happen with a business situation.

If your company is considering opening an office in Japan, you might identify a number of risks such as:

  • Inability to hire Japanese-speaking employees with the experience and contacts necessary to make the new office a success
  • The ‘stickiness’ of Japanese companies: their reluctance to buy products from you rather than from their traditional Japanese vendors
  • The ability to deliver products to the Japanese market, given the long supply chain from your factories in Europe
  • The level of competition from your competitors, including the possibility of their lowering prices to keep you out
  • Your unfamiliarity with Japanese customs and regulations, leading to potential compliance risk
  • The increase in cyber risk from extending the network into Japan, especially as you expect the staff there to need Japanese-language cloud-based systems
  • The additional cost of providing materials in the Japanese language
  • The ability to find warehouses with the necessary conditions to support sales in Japan

Each of these might be assessed separately, perhaps by different teams.

While each may seem to be individually acceptable, it is possible that the aggregate effect is such that there’s an unacceptable level of risk of failure.

Why is this important?

A risk register or heat map that focuses on individual risks does not easily support business decisions like this.

Your thoughts? How do you address this?

Are you helping decision-makers understand the

  1. Glenn Daly
    February 4, 2017 at 5:05 PM

    1. Typically in practice companies view the risks as simply one part of an overall business proposal which looks at the individual risks in the context of the strategic rationale along with the rewards coming from the proposal. In this way key approvers can then decide what to do, weighing up the overall risks and rewards. To imply risks are prepared in isolation from the strategic rationale and the benefits etc….well at least in my company it simply does not happen that way (and I suspect the same is true in most others).

    2. What you are highlighting is the fact that a list of individual risks with mitigation lowering the risks to low or whatever does not necessarily mean overall the proposal should go ahead. No one would disagree. Also agree that sometimes insufficient attention is paid to the overall risk level, and that there is no attempt to formally assess it overall to help decision makers. How the formally identified risks relate to the required rate of return on the investment (which should reflect the overall risk level) may not always be clear or understood. In my company we do try and provide an assessment of risk overall and ensure some linkage back to the required rate of return, albeit it may not always be done perfectly.

    3. Looking for those risks that may interrelate with each other and together may pose a significant risk impact on a proposal is not always easy…whether done formally via registers or informally. The overall assessment may end up not being accurate… with people coming in afterwards telling you that (always easier in hindsight).

    4. Agreed, risk registers on their own are not the answer; however, if risks are linked to objectives in the register and you robustly assess the objectives (as distinct from the individual risks)…. If the process to derive the data in the registers is robust…..If the results from this are incorporated into an overall business proposal spelling out the benefits etc….it may help a bit. If all this can be done in people’s heads effectively, registers probably add no value….and that is where the real issue with registers rests. Management often cannot always see the value in having the risk or objective assessment formally documented. However, typically you get more support for it on ad hoc business investment proposals than the ritualistic periodic update.

    • Norman Marks
      February 4, 2017 at 5:17 PM

      Well said, as usual

  2. February 5, 2017 at 1:47 PM

    Norman, I would certainly agree that risks add up and they must all be considered together when coming to a decision about pursuing an objective. Glenn’s point 4 about ‘robustly assessing the objective’ is particularly important and I would argue that you need to be more specific in the above examples. Why do you want to go to Lyon? To use up annual leave or visit a very sick relative? How much profit will the Japanese office generate? Until these questions are answered the consequences of each risk cannot be balanced against the benefits and against the cost of managing those risks.
    I personally don’t see the harm in ‘heat maps’ provided they relate to one objective. They do enable a visual presentation of those risks which must be managed to bring the profile of all the risks down to an acceptable level, if that can be achieved.

    • Norman Marks
      February 5, 2017 at 2:28 PM

      Good points, David.

  3. February 7, 2017 at 2:11 AM

    Thanks, good article.

  4. Hans Læssøe
    February 7, 2017 at 2:27 AM

    Norman, I fully agree that addressing individual risks and accepting each of these may still – in combination – put the organization at an unacceptable risk exposure.
    I was, several years ago, pushed hard by our executive team to be able to calculate/state whether or not we were taking on too much risk overall – or not taking enough risk. It took some pondering to figure out how to do that, but eventually, I used the approach of insurance companies, i.e. Monte Carlo simulation.
    Risk management is not about averages but about extremes, so I had to figure out what our (in our case) 3% worst case loss would be compared to planned earnings, and then ask our executives if that was acceptable.
    So – I simulate. For each risk, I have a (financial) impact – on top of which I add a triangular distribution to accommodate for the fact that people are “poor” at assessing numbers. I also have a likelihood. Based on this I Monte Carlo simulate the entire risk register some 10,000 times (thank you, computers) and find the 97th percentile (i.e. the 3% worst case loss).
    I then compare this loss with the planned earnings – and get the 3% worst case profit (or loss) for the period to come. This is discussed with the executives and the Board of Directors. Later, the Board of Directors defined a risk tolerance based on a requested minimum earning we should deliver with 97% certainty.
    Incidentally – and now the fun begins – the risks we are taking overall are much less than what the Board of Directors are prepared to accept, and hence we can allow ourselves to take bigger risks if needed to meet our targets, or even raise our targets/aspirations. During these past 6-7 years in which we have used this approach, I have actually contacted top management with the suggestion that we deliberately take on more risks, as meeting targets was “under pressure” in a year, whilst we were not utilizing our risk tolerance. Now risk management becomes a driving force, and not (just) a value protector.

  5. Fernando
    February 8, 2017 at 3:09 AM

    The ability to respond to the compounded effect of different risk sources on the objectives makes all the difference between “treating risks as a system” and just “having a risk management system”. Also, an assessment of the integrity of the barriers (risk controls) required to provide protection against unachieved objectives may support better informed decisions than just qualitative projections of likelihood and severity.

  6. February 8, 2017 at 9:47 AM

    Norman, I completely agree that both the individual risks and the compound effect of multiple risks need to be understood by the company. Otherwise, the company will make a decision based on an individual risk without understanding the full picture.

    Regarding how to address this – I would suggest always identifying a source or driver of the risk. Also identify any interdependencies or links between risks. Then once the individual risks are assessed, all of the risks associated with a specific source (like your Paris to Lyon trip) can be grouped and the risks reviewed in totality. In fact, with this grouping, I would also question if one risk was triggered, would the effect of another risk be amplified?

    • Norman Marks
      February 8, 2017 at 9:52 AM

      I agree that looking at all the effects of a single source of risk can be illuminating, but what about aggregating the operational, cyber, compliance, third party, and other risks relating to a single business strategy or objective?

  7. Marianne Hendrikse
    February 9, 2017 at 8:06 AM

    Good article and comments thanks

  8. venkatasubramanian
  9. Paul S Attrell
    February 10, 2017 at 2:33 PM

    Most interesting, and something I had not considered in this way before. Thanks for Sharing.

  10. Greg Chesterton
    March 10, 2017 at 3:26 PM

    What Hans said. Model the decision. Explicitly model the dependencies between events. Simulate. Address the probability of some unwanted outcomes. Use loss exceedance curves and risk tolerance curves to address the trade space between benefit and loss. Dump the risk register.
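The following is an added example, not code from the post or from any of the commenters. It puts into working form the three things the thread converges on: the article's point that a register of individually acceptable risks can still add up to an unacceptable whole, Hans Læssøe's method (a likelihood per risk, a triangular distribution around each impact estimate, a Monte Carlo run over the whole register, and the 97th percentile of total loss compared with planned earnings), and Greg Chesterton's loss exceedance curve. The register for a hypothetical market-entry decision, every figure in it, the 40,000 per-risk acceptance bar, the planned earnings and the function names are all constructed for illustration.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One register entry. The impact is a triangular distribution around the
    estimate (low / most likely / high), the device Hans describes for
    absorbing people's poor point estimates."""
    name: str
    likelihood: float   # probability the risk materialises in the period
    impact_low: float   # optimistic loss if it does (currency units)
    impact_mode: float  # most likely loss
    impact_high: float  # pessimistic loss


def each_risk_acceptable(register, max_expected_loss):
    """The per-risk view the post warns about: every entry judged on its own
    expected loss (likelihood x most likely impact) against a per-risk bar."""
    return all(r.likelihood * r.impact_mode <= max_expected_loss for r in register)


def simulate_total_loss(register, iterations=10_000, seed=1):
    """Monte Carlo: in each trial every risk materialises with its likelihood
    and, if it does, adds a triangular draw; returns the list of trial totals."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    totals = []
    for _ in range(iterations):
        total = 0.0
        for r in register:
            if rng.random() < r.likelihood:
                total += rng.triangular(r.impact_low, r.impact_high, r.impact_mode)
        totals.append(total)
    return totals


def percentile(values, pct):
    """Nearest-rank percentile (pct in 0..100) of a list of numbers."""
    ordered = sorted(values)
    rank = math.ceil(pct / 100 * len(ordered))
    return ordered[max(0, min(len(ordered) - 1, rank - 1))]


def worst_case_profit(losses, planned_earnings, certainty=0.97):
    """Planned earnings minus the loss at the given certainty level: the 97th
    percentile of simulated loss gives Hans's '3% worst case' profit."""
    return planned_earnings - percentile(losses, certainty * 100)


def loss_exceedance(losses, thresholds):
    """Points on a loss exceedance curve: P(total loss > t) for each t."""
    n = len(losses)
    return {t: sum(1 for loss in losses if loss > t) / n for t in thresholds}


# Constructed register for a hypothetical market-entry decision (figures are
# illustrative). Each entry's expected loss is about 30,000, so every one of
# them passes a 40,000 per-risk bar on its own.
REGISTER = [
    Risk("hiring: cannot staff the office in time", 0.30, 60_000, 100_000, 160_000),
    Risk("customer stickiness: slow first sales", 0.40, 40_000, 80_000, 140_000),
    Risk("supply chain: delivery delays", 0.25, 60_000, 120_000, 200_000),
    Risk("competitor price response", 0.30, 50_000, 100_000, 150_000),
    Risk("compliance: local regulatory gap", 0.20, 80_000, 150_000, 250_000),
    Risk("cyber: extended network and cloud exposure", 0.20, 50_000, 150_000, 400_000),
    Risk("localisation cost overrun", 0.50, 30_000, 60_000, 100_000),
    Risk("warehousing not available", 0.30, 50_000, 100_000, 150_000),
]
PLANNED_EARNINGS = 400_000  # constructed
PER_RISK_BAR = 40_000       # constructed: a risk is 'acceptable' alone below this


def run_assessment(register=REGISTER, planned_earnings=PLANNED_EARNINGS):
    """Per-risk verdict and aggregate verdict side by side."""
    losses = simulate_total_loss(register)
    return {
        "each_risk_acceptable": each_risk_acceptable(register, PER_RISK_BAR),
        "median_loss": percentile(losses, 50),
        "loss_97": percentile(losses, 97),
        "worst_case_profit": worst_case_profit(losses, planned_earnings),
        "exceedance": loss_exceedance(losses, [0, 200_000, 400_000, 600_000]),
    }


if __name__ == "__main__":
    for key, value in run_assessment().items():
        print(f"{key}: {value}")
```

Run as written, every risk clears the per-risk bar and the median outcome is comfortably profitable, yet the 97th-percentile loss exceeds planned earnings, so the 3% worst-case profit is negative. That is the gap the article describes: the per-risk table and the aggregate view give different answers, and only the aggregate one supports the go/no-go decision. The exceedance dictionary is the curve Greg refers to, read off at a few thresholds; a risk tolerance expressed as "minimum earnings with 97% certainty" is a single point on that curve.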
