Fundamentals of Risk Management


Risk assessment considerations


Date: 02.06.2024

different ‘universe of risk’ and the risk manager is likely to have a ‘universe of risk’ 
that includes all of the risks that have already been identified, plus any emerging 
risks that are starting to appear.
Figure 10.1 illustrates that there will be a level of risk that the organization feels 
comfortable taking and embedding into core processes. This is because, regardless 
of the likelihood of the risk materializing, the impact is so small that it would not be 
significant if it did materialize. Likewise, there will be a likelihood of a risk materializing
that is considered so remote that it is assumed that it will not occur, even though
it would be very serious if it did. For example, most organizations do not consider 
the consequences of a jumbo jet crash-landing on their site.
The global financial crisis is an example of circumstances where certain risks were
considered so unlikely that they could be ignored. Some banks were reliant on the
wholesale money markets, but the possibility of these markets failing was considered
to be too remote to require further analysis or to call for the development of
contingency plans to respond to that situation.

[Figure 10.1 Risk attitude matrix. Axes: Impact and Likelihood. Zones: Comfort zone, Cautious zone, Concerned zone, Critical zone. The dark area can be considered to be the ‘universe of risk’ for the board.]

Above these minimum levels of tolerable likelihood and impact, a range of risks 
can arise. Generally speaking, low-likelihood/low-impact risks will be tolerable, 
medium-likelihood/medium-impact risks will require some judgement before acceptance,
and high-likelihood/high-impact risks will be intolerable. The overall attitude
of an organization to risk can be described by a set of ‘risk criteria’ and this is the
approach taken by ISO 31000. It is worth noting that ISO 31000 makes no specific mention
of risk appetite and discusses risk criteria instead. The difference
between risk attitude and risk appetite can be difficult to describe, but there is a 
similarity with attitude to food and the appetite for food at a particular time. Attitude 
to food is an established or medium-term to long-term set of criteria, but appetite 
for food represents an immediate need to eat. The same analysis can be applied to 
risk, so that the risk attitude is the established risk criteria and risk appetite is the 
more immediate need to take risk in order to achieve objectives.
Organizations will need to take a risk-by-risk approach when deciding whether
a risk is acceptable. Different organizations will set tolerance levels differently and 
this will be an indication of risk attitude. Many organizations will take a cumulative 
review of risk where all risk exposures are added together, and this is a feature of the 
enterprise risk management approach. The organization will then be able to decide 
whether the overall exposure to risk is acceptable and consistent with the risk attitude
of the organization.
When considering risk attitude, perception and appetite, it is worth reflecting 
on the fact that certain individuals may be more concerned about a low-impact risk 
with a high probability of occurrence (such as a car crash) than they will about a 
high-impact risk that is unlikely to happen (such as an earthquake). This difference 
in approach is often reflected in the risk assessment process and can affect the way 
in which significant risks are prioritized.
When all the potentially significant risks have been identified, one approach is to 
ask how likely it is that each of those risks will materialize above the threshold test 
for significance. The risks can then be prioritized as high likelihood, medium likelihood
and low likelihood. The alternative approach is to prioritize the potentially
significant risks in order of the impact at the same likelihood. The risks will then be 
presented as high impact, medium impact and low impact.
There is a difference in attitude and perception in these approaches. The first
approach is based on how likely it is that the risk will be significant while the second 
is based on how much the risk will impact when it happens. Neither of these approaches
is better than the other, and which approach an individual board member
(or the collective board itself) may prefer is related to attitude to risk, as stated in the 
risk criteria for the organization. The impact associated with a risk is usually measured 
in terms of the effect on finances, infrastructure, reputation and/or marketplace (FIRM). 
One of the main requirements of risk management is that the consequences of
high-impact events for the strategy, tactics, operations and compliance (STOC) of the
organization are successfully managed.


