What is an acceptable risk?
Updated: Feb 26, 2019
Organisations and the individuals within them make risk decisions every day, sometimes without even knowing. As someone with a career in managing risk, of one form or another, I am often asked by Clients to bring some pragmatism to what can often be a polarising discussion between different stakeholder groups.
The question of acceptability of a risk will usually come down to a few questions:
1) Is it actually a Risk, Issue or Incident that we are talking about?
2) Who will own (or be impacted by) the risk if it is realised?
3) How often or likely is the Risk (and how have we determined this)?
4) Is the cost (or impact) of addressing the risk (i.e. controls) justifiable against the expected, best-case or worst-case losses?
5) Should we or must we address the issue, to what degree, and when?
Other important considerations around risk include:
1) Is the risk linked to any specific conditions, e.g. phase of a project or timeframe?
2) Is the risk owned by a single stakeholder, or shared across many?
3) How long has the risk already been present (whether formalised or not)?
4) Is it likely to get better or worse and how would we know (Risk Indicators)?
5) Are our controls keeping up with the risk (Control Indicators)?
6) Do we understand (and can we map) our controls against each risk?
I like to recount an anecdote provided by a presenter a number of years back who was talking about a polar mission. The topic was on Team selection using role profiling and was a good talk (largely focussed on having the right type of makeup of a team for a given mission).
As part of the planning for the mission, the topic of security arose (specifically what would be done if the group was attacked by polar bears). One of the expedition team (with an animal rights background) apparently had very strong views regarding the use of firearms to defend the group.
As a valued member of the expedition, his unwillingness to change his perspective on the matter of the use of firearms had the potential to delay or derail the endeavour.
Some thinking ensued, which resulted in a contract being drafted which said something along the lines of:
I the undersigned hereby understand the risks posed by native polar wildlife including polar bears and as a result of my personal beliefs and wishes to protect this wildlife, despite these risks, hereby volunteer to sacrifice my own life to ensure the safe escape from any such attacking wildlife. Furthermore, If I am unable or unwilling to execute my responsibilities herein, I hereby grant irrevocable and binding consent for another member of the expedition to incapacitate, inhibit or maim me to enable me to fulfil these responsibilities.
Apparently the response was "ok - you can take a gun".
I think this scenario highlights the concept of shared risk management as well as an interesting solution to ownership of the outcomes of risk acceptance.
Author: Clinton Smith