Fundamentals of Risk Management
Risk response
Table 15.2 Key dependencies and significant risks

| FIRM risk scorecard | Example dependencies | Example of a significant risk |
|---|---|---|
| Financial | Availability of funds | Insufficient funds available from parent company |
| Financial | Correct allocation of funds | Inadequate profit because of incorrect capital expenditure decisions |
| Financial | Internal control | Fraud occurs because of inadequate internal controls |
| Financial | Liabilities under control | Higher than expected liabilities arise in the pension fund |
| Infrastructure | People | Failure to achieve/maintain health and safety standards |
| Infrastructure | Premises | Damage to key location caused by insured peril |
| Infrastructure | Processes | IT control systems not available because of virus or hacker activity |
| Infrastructure | Products | Disruption because of failure of supplier |
| Reputational | Brand | Product recall causes damage to product image and brand |
| Reputational | Public opinion | Lost sales or revenue because of change in public tastes |
| Reputational | Regulators | Regulator enforcement action causes loss of public confidence |
| Reputational | CSR | Allegations of unethical product-sourcing cause loss of sales |
| Marketplace | Regulatory environment | Change in tax regime results in unbudgeted tax demands |
| Marketplace | Economic health | Decline in world or national economy reduces consumer spending |
| Marketplace | Product development | Changes in technology reduce product appeal and sales |
| Marketplace | Competitor behaviour | Competitor substantially reduces prices to win market share |

Tolerate, treat, transfer and terminate

adds that risk tolerance can be influenced by legal or regulatory (compliance) requirements. The comment about legal or regulatory requirements is very relevant, in that organizations will often have to tolerate a risk because of legal or regulatory requirements, even in circumstances where the organization would otherwise not wish to tolerate that risk. It should be noted that tolerance relates to a specific or individual risk, rather than the more general approach represented by risk appetite. Risk appetite refers to the amount and type of risk that an organization is willing to pursue or retain.
There is a confusion of terminology between when an organization is willing to tolerate a risk and the concept of risk tolerance. The concept of tolerate is normally concerned with the organization being willing to retain or tolerate a risk, even if it is higher than the organization would choose to accept. The other concept is that of risk tolerance. Many organizations use risk tolerance in the engineering sense to represent the range of risk that is broadly acceptable. In Figure 25.1, the central sections of concerned zone and cautious zone draw the boundary around the risk tolerance. As with the engineering use of the word tolerance, these zones define the boundaries within which the organization desires the level of risk to be confined.

An organization may have to tolerate risks that have a current level beyond its comfort zone and its risk appetite. On occasions, an organization may even have to tolerate risks that are beyond its actual risk capacity. However, this situation would not be sustainable and the organization would be vulnerable during this period.

When the hazard risk is considered to be within the risk appetite of the organization, the organization will tolerate that risk. Risk tolerance is shown as the approach that will be adopted in relation to low-likelihood risks with low impact. However, an organization may decide to tolerate risk levels that are high because they are associated with a potentially profitable activity or relate to a core process that is fundamental to the nature of the organization.

It is unusual for a hazard risk to be accepted or tolerated before any risk control measures have been applied. Generally speaking, a risk only becomes tolerable when all cost-effective control measures have been put in place, so that the organization is accepting or tolerating the risk at its current level. Certain control measures may have been applied because the inherent level of the risk may have been unacceptable.
Control effort seeks to move the risk to the low-likelihood/low-impact quadrant of the risk matrix, as illustrated in Figure 16.1.

Sometimes risks are only accepted as part of an arrangement whereby one risk is balanced against another. This is a simple description of neutralizing or hedging risks, but on a business level this may represent a fundamentally important strategic decision. For example, an electricity company operating independently in the northern states of the United States may have to accept the impact of variation in temperature on electricity sales. By merging (or setting up a joint venture) with an electricity company in the southern states, the north/south combined operation will be able to smooth the temperature-related variation in electricity sales. The combined operation will then sell more electricity in the northern states during cold weather, when demand in the southern states is low. Conversely, the combined operation will sell more electricity for air-conditioning units in the southern states in the summer, when demand for electricity in the northern states may be lower.