Acceptable risk is fundamentally different from an unacceptable behaviour. ‘Zero tolerance’ isn’t about risk at all.
Your organisation probably has a code of conduct and a statement of values. The Board may have ‘zero tolerance’ for certain types of behaviour. Common examples are theft, fraud, or mistreatment of co-workers. Nothing in this guide is meant to suggest that you transgress the code or values in any way.
That kind of ‘tolerance’, especially ‘zero tolerance’, has nothing to do with risk management.
The behaviour is deemed unacceptable regardless of any specific risk to the organisation that might arise from the behaviour. It is not a defence of theft to say that the company’s bottom line was not in danger.
‘Zero tolerance’ for misbehaviour does not mean that management is expected to take costly measures to ensure that misbehaviour cannot occur. It only means that misbehaviour will be acted upon when it is detected, and without regard to scale or measurable impact.
When you come across the term ‘risk tolerance’ (and you will, shortly), it has nothing to do with tolerance for violations of the organisation’s values, or for any other questionable behaviour. Also drop any idea that a high tolerance for risk is some form of moral laxity. They are two entirely different things. High-risk behaviour is only immoral when you put someone else at risk without their informed consent.
When an organisation has zero tolerance for specific bad behaviours, it does not mean it has zero tolerance for the risk of that behaviour. In real life, it is usual for such organisations to leave some opportunities for individuals to do the wrong thing. They leave that opportunity open by declining to implement preventive controls, often because those controls would be very costly. The organisation thereby accepts that misbehaviour is very likely to occur sooner or later. In other words, the organisation accepts risk.
The ‘zero tolerance’ refers to what happens to the individual when the anticipated misbehaviour is detected. It has nothing to do with accepting the risk that misbehaviour will eventually occur.
Acceptable risk is different from an unacceptable number, and from an unacceptable outcome.
Sometimes the board or top management set acceptable ranges for certain metrics. The limits may be motivated by the perceived risk that would result from letting those metrics go out of the acceptable range. What the limits mean is that if the metric is out of range, the likelihood of some other (unstated) outcome becomes too high, in the estimation of the board or top management. This sort of thing is found in investment management organisations, and in high level corporate financial management. It’s a fragment of risk management, not risk management itself. In specialist risk language, the range limits are risk treatments or controls, not risk tolerances.
From your unit’s point of view, keeping one of those metrics in its acceptable range is a positive outcome. Allowing it to go outside the range is a negative outcome.
There are probably many other kinds of potential outcome from your unit’s activities that the organisation regards as either ‘mandatory’ or ‘unacceptable’.
Some of those outcomes might end up on the wrong side of ‘acceptable’ for reasons outside your direct control. The reasons might be outside the direct control of anyone in the organisation.
For example, you might not be a cybersecurity manager, but your unit’s system could get hacked, leading to ‘unacceptable’ losses and brand damage. You didn’t breach any behavioural expectations. No metric slipped out of an acceptable range. Nevertheless, your unit’s activities led to losses and brand damage for the whole organisation. Your unit used a system that allowed the losses to occur. The cybersecurity manager may have some responsibility, but like you, the cybersecurity manager did not choose to allow the hacker attack, and may well have been making best reasonable efforts to prevent it.
Upper management might say that the losses and brand damage are ‘unacceptable’. They may actually be ‘intolerable’, if the organisation folds as a result.
Yet there was always some possibility of a hacker attack leading to the losses and damage. Upper management never said that the likelihood of that scenario must be zero. They would not have agreed to absolutely precluding any such possibility, for instance by keeping your unit’s records on paper with no use of an electronic network. That would have cost a lot, and limited your business activity.
So, when they said that the losses and brand damage were ‘unacceptable’, what they wanted you and your colleagues to do was keep the likelihood of such losses down at an acceptable level. They probably never said what that level was. There may never be a specific number representing that likelihood level. Yet it was your job to keep that likelihood acceptably low.
For risk purposes, this is the important part of you and your boss knowing ‘what’s acceptable’.
Behaviours are either acceptable or not, regardless of specific consequences for the organisation. There is nothing much to doubt in that category, at least not within the risk part of business planning.
Metric values may have acceptable ranges. From where you are in your work unit, keeping the metric in range is an outcome. The metric may be linked to risk management at Board or upper management level.
In risk management, you use a similar approach for unintentional regulatory breaches. Intentional regulatory breaches are behaviours, whereas unintentional breaches are a hazard in doing the business. There is no point in the organisation calling them unacceptable. The organisation accepts a certain likelihood or frequency for such breaches, and if the actual likelihood is higher than that, the organisation changes its activities in some way. Failing to make the change is a tacit decision to accept the likelihood as it is.
Delivery on commitments or targets might be regarded as mandatory. For you, delivery is an outcome, even if it isn’t the final outcome for the organisation.
An acceptable risk is an acceptable likelihood for an outcome.
Outcomes, including mandated metric values, may be described casually as either ‘unacceptable’ or ‘mandatory’. That never means that their likelihood must be zero or certainty. It means that it’s your job to keep the likelihood of each such outcome within an acceptable range. The acceptable range of likelihood is ‘low enough’ for ‘unacceptable’ outcomes, and ‘high enough’ for ‘mandatory’ outcomes.
There are also acceptable likelihood ranges for in-between outcomes that are never flagged with emotive words like ‘unacceptable’ or ‘mandatory’.
Between you and your boss, you will have to work out the range of likelihood that is acceptable to the organisation for each outcome. You will match up that acceptable likelihood with the actual likelihood that you assess during the risk work. Neither likelihood will be a precise number.
Your confidence will come when you demonstrate that the actual likelihood of any given outcome was within reasonable expectations, and that any doubts were referred up the line.