The final phase of the three-step risk assessment stage of the risk management process is about making choices about the threats and opportunities, collectively the risks, facing the organisation.
In the last post detailing risk analysis, we developed a prioritised list of risks for the organisation. This enabled us to set aside the low-rated risks from further analysis (subject only to periodic monitoring) and left the higher-rated threats and opportunities for further consideration.
Given that most organisations are limited as to how many resources can be directed to risk management, risk evaluation is about getting the most 'bang' for your risk management 'buck'.
In most cases, what's an acceptable risk and what is not will be determined by some sort of financial measurement - think commodity price movements, labour costs, theft or fraud and the like.
In other cases, acceptability will be determined by societal expectations - safety of people, environmental performance, not tolerating child labour in the supply chain - all potentially damaging to an organisation's reputation if not directly to the bottom line.
Many organisations find that the number of individual risks can become overwhelming so they group them into categories and will set a risk appetite for the category. The risk consequence table that we saw in the last blog is one way of capturing the 'appetite' per category set by the Board or Senior Management.
For those risks selected for the evaluation phase, consideration is given to additional controls that can be introduced to minimise the threat (or maximise the opportunity).
So how do we know what's tolerable and what's not?
This is the topic for another blog but suffice it to say, the risk appetite is generally described as the level and type of risks that the Board and Senior Management are willing to take in order to achieve the objectives and mission of the business.
The risk tolerance, on the other hand, is the level of risk the organisation can bear, beyond which the risk becomes unacceptable.
A brief example might be that the Board has an 'appetite' for staff turnover of 10% per annum but the 'tolerance' for this risk is a maximum turnover of 15% and a minimum of 5%.
In our risk register above, the evaluation of the 'Attract Key People' risk shows that it is not within tolerance. This means that this risk will require further decision making in the next phase of the risk management process - Treat Risks.
The evaluation phase of risk assessment is very important in determining where the organisation should focus its (usually) limited risk resources.
Some people combine the risk analysis and risk evaluation steps - there's no problem with this as long as the key objective is achieved: an understanding of the major risks to the organisation and whether enough is presently being done to manage them.
Next blog we'll look at treating risks - where organisations learn to live with the threats and opportunities they face.