16/10/2017
Organisations choose to take on some risks, avoid others and mitigate the rest. More often than not, this is based on some implicit notion of what appears acceptable and what does not. In the volatile world we live in today, which is only going to become even more volatile in the future, this is not sufficiently effective, and efforts need to be systematic to stay competitive.
Using this implicit notion as the guideline, there is little doubt that, if and when analysed, the organisation takes risks it should not take and mitigates risks it need not mitigate.
ISO 31000 defines risk appetite as the level of exposure an organisation is WILLING to take, i.e. an exposure it will not, and should not, mitigate any further. It further defines risk tolerance as the level of exposure an organisation is PREPARED to take.
If systematic risk taking and risk management is to be deployed, both of these levels need to be explicitly defined, most likely in financial terms, but probably also in terms of reputational, environmental, safety and other relevant impact parameters. After all, a company may be rather "well off" and innovative and have a high tolerance for financial risk, yet be very cautious with respect to its reputation, whereas another may not be very focused on its reputation but extremely focused on liquidity.
Once these levels are defined (which is no easy task, and highly political), the ideal risk taking will be higher than the risk appetite, as treating smaller risks is "overdoing" risk management. It will also be lower than the risk tolerance, as risks exceeding that level have been decided to be unacceptable. When risk taking is between these two limits, risk treatment should be based on a sound cost/benefit perspective and seen as a business decision rather than a risk decision: the risk has been deemed acceptable.
In a world as highly competitive as this one, the ideal risk taking is close to, but of course below, the risk tolerance. If the company has an aggressive risk attitude, the risk tolerance will even be close to the risk capacity, meaning they are prepared to take risks which may almost "kill" them, with a mindset of "what does not kill you makes you stronger". Other companies may be less aggressive, but will also lose opportunities because of that.
All of this applies to single elements of risk taking, but the real value comes when a risk portfolio is consolidated, which can only be done effectively using Monte Carlo simulation. This enables the organisation to discuss overall risk taking against a risk tolerance which may be stated as "there must be a 95% certainty of a profit"; risk taking where the 95th percentile financial risk exposure is bigger than the planned profitability is then above the risk tolerance.
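As an added illustration of the consolidation step (this is example code written for this page, not the author's own model or tool), the script below runs a Monte Carlo simulation over a small risk register and tests the result against a tolerance stated as "95% certainty of a profit". The register, the probabilities, the loss figures and the planned profit are all constructed sample values; the choice to model each risk as "occurs with probability p, and if it occurs the loss is lognormal around a typical value" is an assumption of this example, not something the post prescribes.

```python
"""Added example: consolidating a risk register with Monte Carlo simulation
and checking the 95th percentile exposure against planned profit.

All numbers here are constructed sample data (hypothetical), not real figures.
Model assumption (ours, not the post's): each risk occurs independently with
probability `probability` in the planning period; if it occurs, the loss is
lognormally distributed with median `typical_loss` and sigma `spread`.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float   # chance the event occurs within the planning period
    typical_loss: float  # median loss if it occurs (currency units)
    spread: float        # lognormal sigma: 0.3 = fairly certain, 1.0 = very uncertain


# Constructed sample register; names and values are hypothetical.
SAMPLE_REGISTER = [
    Risk("ransomware outage", 0.15, 2_000_000, 0.8),
    Risk("supplier failure", 0.20, 500_000, 0.5),
    Risk("regulatory fine", 0.05, 3_000_000, 0.6),
    Risk("key-person loss", 0.30, 150_000, 0.4),
]


def simulate_total_loss(register, rng):
    """One trial: sum the losses of every risk that happens to occur."""
    total = 0.0
    for r in register:
        if rng.random() < r.probability:
            # lognormal with median typical_loss: median * exp(N(0, sigma))
            total += r.typical_loss * math.exp(rng.gauss(0.0, r.spread))
    return total


def simulate_portfolio(register, iterations=20_000, seed=42):
    """Run many trials and return the sorted list of total losses."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    return sorted(simulate_total_loss(register, rng) for _ in range(iterations))


def percentile(sorted_samples, q):
    """Nearest-rank percentile of an ascending list (q in 0..1)."""
    n = len(sorted_samples)
    idx = min(n - 1, max(0, math.ceil(q * n) - 1))
    return sorted_samples[idx]


def expected_loss(register):
    """Analytic expected annual loss: sum of p * mean(lognormal)."""
    return sum(r.probability * r.typical_loss * math.exp(r.spread ** 2 / 2)
               for r in register)


def within_tolerance(register, planned_profit, confidence=0.95,
                     iterations=20_000, seed=42):
    """Tolerance test from the post: at the chosen confidence level, the
    consolidated loss must not exceed planned profit. Returns (ok, exposure)."""
    samples = simulate_portfolio(register, iterations, seed)
    exposure = percentile(samples, confidence)
    return exposure <= planned_profit, exposure


if __name__ == "__main__":
    planned_profit = 3_000_000  # constructed sample value
    ok, exposure = within_tolerance(SAMPLE_REGISTER, planned_profit)
    print(f"expected loss (analytic): {expected_loss(SAMPLE_REGISTER):,.0f}")
    print(f"95th percentile exposure: {exposure:,.0f}")
    print("within risk tolerance" if ok else "ABOVE risk tolerance")
```

The point the simulation makes that a single-risk view cannot is the difference between expected loss (what budgeting tends to look at) and the 95th percentile of the consolidated distribution (what the stated tolerance actually constrains); the second is typically several times the first, and it is the number to compare with planned profit.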
Few organisations make the effort of consolidating their risk exposure, and for many of these, overall risk taking is below, sometimes significantly below, what the Board of Directors would be prepared to accept. This is like cruising at low speed looking for smaller, immediate risks, and being late for the party.
Let us "kill" the concept of risk management and replace it with Intelligent Risk Taking. After all, we are all taking risks all the time; even doing nothing implies a risk. Be mindful of that, and take risks, but do it wisely and manage the risks you are taking, just like you manage the money you are spending and the people you are hiring and the ...
The value of managing the risks and opportunities you have is that you essentially "prepare to dare", and dare to prosper.