The Tricks to Tolerance

March 2008 Issue

By Diana Del Bel Belluz, M.A.Sc., P.Eng.

Executives don't end up in the news or in jail merely because they took a risk. Rather, they end up there for not managing their business risks properly. We actually expect our leaders to take risks. And we expect them to appropriately balance the risk/reward ratio, i.e., to pursue risks that are in line with the organization's risk appetite. We also expect executives to properly manage the risks they decide to take, i.e., to stay within the bounds of the organization's risk tolerance.

I define Risk Appetite as the size of 'bet' the organization is willing to take to achieve its objectives. A clear understanding of Risk Appetite is necessary to determine appropriate goals and strategic direction. I define Risk Tolerance as the margin by which the organization is willing to accept either over- or under-shooting its objectives. A clear articulation of Risk Tolerance is critical for resource allocation decisions.

For example, a firm may have a strategic goal to have an average customer satisfaction rating of 75% (its Risk Appetite). Operationally, it is prepared to accept ratings in the range of 70% to 80% (its limits of Risk Tolerance).

Recently I've had several conversations with risk managers on the topic of risk tolerance. The common thread to these discussions was the question “How can I get my senior leadership team to articulate the organization's risk appetite and set risk tolerance levels?” These risk professionals were seeking deterministic formulas and techniques that would neatly produce objective and irrefutable risk tolerance values. You know, the kind of wisdom that is chiseled into stone and can be easily understood and consistently applied by everyone in the organization. Not surprisingly, my colleagues' pleas for clear statements on risk management went unanswered by their senior leadership teams. Why are some senior managers reluctant to articulate their risk tolerance?

One common reason is that they mistakenly believe that if they don't formally commit to a tolerable level of risk then they can't be held accountable for setting it incorrectly. Furthermore, they will tell you that they've gotten along just fine up to now without explicitly defining risk tolerance so why fix something that’s not broken?

By not providing clear targets for risk tolerance (similar to the customer satisfaction example) to others in the organization, these executives mistakenly believe they are protecting themselves. Instead, like the ostrich that buries its head in the sand, they are actually exposing their most tender parts to danger. And many have the bruises to show for it.

For instance, a recent global survey of chief financial officers (see Bonus Resource for details of the study) found that “two out of three (62 percent) enterprises with revenues over US$5 billion have encountered material risk events in the last three years.” According to the survey, the situation at small enterprises wasn’t much better. History proves yet again that ignoring risk is a poor protection strategy.

The cold hard truth is this. Whether or not senior executives express their risk tolerances explicitly, they implicitly dictate the organization's risk tolerance and risk culture through the decisions they take and through the business practices they enable and over which they preside. If they leave it to employees to figure out for themselves what is expected of them, senior managers leave themselves wide open to risk exposure from poor decisions and inadequate business practices, leading ultimately to failed strategies, poor performance, and a complete lack of accountability.

Another common reason that executives are reluctant to set risk tolerance levels is that they don't know how to go about it. This is because, in many organizations, risk management has traditionally been done on an ad hoc basis, relying on everyone in the organization to intuitively know what is or is not acceptable.

The Global CFO survey (see this month's Bonus Resource) revealed that only about half of all enterprises acknowledge having any sort of formalized risk management program. Without exposure to formal risk management techniques, executives do not get an opportunity to develop the skills and tools they need to explicitly and confidently articulate the organization's risk tolerance.

Here are some tricks for engaging executives in the risk tolerance discussion. First, help them understand that they cannot dodge their responsibility to define the organization's risk tolerance. That is the first step to convincing them that they are far better off taking a leadership role than passively leaving it up to individuals across the organization to decide for themselves. Secondly, give them the tools and information they need to see and understand the organization's de facto risk tolerance as it is expressed in the organization's recent decisions and current practices.

Here are three steps to uncover your organization's de facto risk tolerance.

STEP 1: Assess The Effectiveness of Your Existing Risk Management Practices

How do you know if you are managing your risks effectively? You need to look at your risk controls and mitigation programs (i.e., the plans the organization has put in place to deal with each risk should it occur), risk management capabilities (i.e., your people's readiness and ability to execute your risk management plans) and risk management practices (i.e., your people's actual behaviour in managing risks).

I've developed a simple assessment tool to determine the effectiveness of management strategies and practices. It is a Risk Management Effectiveness Map and it rates management effectiveness according to these three key criteria:

  • Resources. How well have you defined the strategies and programs to manage each risk?

  • Roles and Responsibilities. How well do executives, managers, and employees know who is responsible for which component of the risk management process for each risk and what is expected of them in particular?

  • Communication. How well does your communication function work and does information about risk get to the right people at the right time?

I find that, when applied to a company's most significant risks, these three criteria provide a reasonable assessment of an organization's risk management effectiveness.

STEP 2: Plot a Risk Management Effectiveness Map

As illustrated in Figure 1, the Risk Management Effectiveness Map graphically compares the magnitude of each risk (based on a traditional combination of likelihood and impact on objectives) with the measure of how effectively it is managed (based on an assessment of the organization's current strategies and actual practices for that particular risk).

[Figure 1: Risk Management Effectiveness Map]

The Risk Management Effectiveness Map takes the traditional risk matrix to the next level. It enables you to distinguish between those risks that are taken deliberately and managed for success and those risks that are taken unwittingly. This is critical information for resource allocation that cannot be gleaned from a traditional risk matrix.

The Risk Management Effectiveness Map provides critical information to support a rational and evidence-based discussion about risk tolerance.

STEP 3: Engage Your Leadership Team in a Discussion of Your De Facto Risk Tolerance

Since introducing the Risk Management Effectiveness Map tool in 1999, I have found that executives like it because they can quickly see which risks are properly managed versus those that are under-managed or over-managed.

Under-managed risks typically appear in the top-right corner of the graph, i.e., those items with large risk magnitudes and low management effectiveness. Items that fall into this category can indicate a large exposure to risk. With information on both the magnitude and current management effectiveness of a risk, executives can decide if they are comfortable with that exposure, or if they want to allocate resources to reduce the risk (if it’s within their control) or improve the effectiveness of their risk management activities. If they are willing to live with the existing risk exposure, this indicates a higher level of risk tolerance. Returning to the earlier example, if the company discovers that ineffective complaint resolution processes are driving overall customer satisfaction ratings below the lower tolerance limit of 70%, the company might consider allocating resources to improve its complaint resolution processes.

Over-managed risks typically appear in the bottom-left corner of the graph, i.e., those risks with a small magnitude and with high management effectiveness. Risks that fall into this category may represent a certain amount of wasted resources. Are you comfortable with that allocation of resources? If yes, that indicates a lower level of risk tolerance, perhaps even a case of risk aversion. In the customer satisfaction example, if the company discovers that high staffing levels are driving overall customer satisfaction ratings above the higher tolerance limit of 80%, the company might consider moving some of its people to other areas of the business that are understaffed.
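To make Steps 1 to 3 concrete, here is an added Python example (not from the article or from Risk Wise) that scores a constructed risk register and places each risk in the map regions described above. The 1-5 rating scales, the region thresholds and the sample risks are assumptions chosen for illustration.

```python
# Added example, not the article's own tool. Magnitude = likelihood x impact on an
# assumed 1-5 scale; effectiveness = mean of the three STEP 1 criteria (resources,
# roles and responsibilities, communication), each rated 1-5. Thresholds are assumed.
from dataclasses import dataclass
from statistics import mean


@dataclass
class Risk:
    name: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe) effect on objectives
    resources: int       # how well strategies/programs for this risk are defined
    roles: int           # how well people know who is responsible for what
    communication: int   # does risk information reach the right people in time

    def magnitude(self) -> int:
        return self.likelihood * self.impact           # 1..25

    def effectiveness(self) -> float:
        return mean([self.resources, self.roles, self.communication])  # 1.0..5.0


def classify(risk, big_magnitude=12, low_eff=2.5, small_magnitude=6, high_eff=4.0):
    """Map region for one risk: under-managed (top-right), over-managed (bottom-left)
    or proportionate (everything else). Threshold defaults are assumptions."""
    m, e = risk.magnitude(), risk.effectiveness()
    if m >= big_magnitude and e <= low_eff:
        return "under-managed"    # large exposure, little effective management
    if m <= small_magnitude and e >= high_eff:
        return "over-managed"     # small risk, resources possibly wasted
    return "proportionate"


def within_tolerance(value, lower=70.0, upper=80.0):
    """Tolerance band check, e.g. the article's 70%-80% customer satisfaction range."""
    return lower <= value <= upper


REGISTER = [  # constructed sample register
    Risk("Unpatched internet-facing servers", 4, 5, 2, 2, 1),
    Risk("Customer complaint backlog", 3, 3, 3, 4, 3),
    Risk("Visitor badge printer outage", 2, 1, 5, 5, 4),
]


def effectiveness_map(register):
    """Return {name: (magnitude, effectiveness, region)} for plotting or review."""
    return {r.name: (r.magnitude(), round(r.effectiveness(), 2), classify(r)) for r in register}


if __name__ == "__main__":
    for name, (m, e, region) in effectiveness_map(REGISTER).items():
        print(f"{name:36s} magnitude={m:2d} effectiveness={e:.2f} -> {region}")
```

Feeding the output into a scatter plot (magnitude on one axis, effectiveness on the other) reproduces the map; the region labels are what the leadership discussion in Step 3 starts from.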

In conducting assessments of risk management effectiveness, I have found that executives are often quite surprised to learn of the risks their employees are taking on their behalf. This can be a great wake-up call to senior leadership teams that prompts them to explicitly define and communicate their risk tolerance and appetite.

Once you provide your executive team with an understanding of your organization's current de facto levels of risk tolerance, they will have a strong desire to align these de facto tolerances with their desired levels of risk tolerance.

Executives often have a visceral response to the current level of risk tolerance. This strong engagement occurs because it is not a hypothetical situation they are pondering, but rather the actual results of decisions and actions taken across the organization.

When you give executives a tool that enables them to see clearly where risks are under- or over-managed, they feel compelled to do something about it. They usually start with stating their target levels of risk management, i.e., the boundaries for appropriately managing risk.


The Risk Wise bottom line…

Give yourself and your executive team the tools and information to understand and set your organization’s risk tolerance. The Risk Management Effectiveness Map is a simple technique to differentiate between the risks your executive team chooses to take and manage for success versus those risks that unwittingly expose your organization to liability, losses, and waste. The bottom line is that you can’t escape accountability by ignoring risk tolerance. But you can account for how effectively you are managing your risk exposures and at the same time get the critical information you need to avert failed strategies, business losses, and wasted resources. That adds up to true accountability.


Tell me how you’ve tackled the risk tolerance issue.

  • What criteria do you use to measure your risk management effectiveness?

  • How do you decide how much risk management is enough?

I appreciate receiving emails with your tips and success stories.
