Professional Documents
Culture Documents
Fundamentals of Risk Management
Fundamentals of Risk Management
15
Tolerate, treat,
transfer and
terminate
Impact
Transfer Terminate
the risk to another party the activity generating the risk
Treat
Tolerate
the risk to reduce the likely
the risk and its likely impact
impact or exposure
Likelihood
enable the organization to place the risk on a risk matrix. The position of the risk
on the risk matrix will then indicate the most likely response to that risk. If the
risk assessment is undertaken at the current level of risk, the effect of the existing
controls will already have been evaluated as part of the risk assessment exercise.
Consider the case of a theatre that needs to respond to the increasing use of agents
who require payment at the time of the booking, rather than after the performance.
Also, a recent failure of an actor to arrive on the night of the performance caused
the theatre considerable financial loss. This has resulted in the theatre reviewing
the booking and appearance arrangements for actors and deciding responses that are
appropriate in relation to all 4Ts.
The theatre might decide that it has to tolerate the new booking fee arrangements.
It has also decided that in order to treat/reduce the risk, it will only deal with estab-
lished agents in future and terminate existing arrangements with an agency that has
proved unreliable in the past. The theatre might also investigate the possibility of
buying insurance, so that the theatre can transfer the cost of a performance cancelled
because the actor fails to arrive on the night.
Tolerate risk
Risk tolerance is defined in Guide 73 as the organization’s or stakeholder’s readiness
to bear the risk after risk treatment in order to achieve its objectives. The guide then
178 Risk response
adds that risk tolerance can be influenced by legal or regulatory (compliance) re-
quirements. The comment about legal or regulatory requirements is very relevant, in
that organizations will often have to tolerate a risk because of legal or regulatory
requirements, even in circumstances where the organization would otherwise not
wish to tolerate that risk. It should be noted that tolerance relates to a specific or
individual risk, rather than the more general approach represented by risk appetite.
Risk appetite refers to the amount and type of risk that an organization is willing to
pursue or retain.
There is a confusion of terminology between when an organization is willing to
tolerate a risk and the concept of risk tolerance. The concept of tolerate is normally
concerned with the organization being willing to retain or tolerate a risk, even if it is
higher than the organization would choose to accept. The other concept is that of
risk tolerance. Many organizations use risk tolerance in the engineering sense to
represent the range of risk that is broadly acceptable. In Figure 25.1, the central
sections of concerned zone and cautious zone draw the boundary around the risk
tolerance. As with the engineering use of the word tolerance, these zones define the
boundaries within which the organization desires the level of risk to be confined.
An organization may have to tolerate risks that have a current level beyond its
comfort zone and its risk appetite. On occasions, an organization may even have to
tolerate risks that are beyond its actual risk capacity. However, this situation would
not be sustainable and the organization would be vulnerable during this period.
When the hazard risk is considered to be within the risk appetite of the organiza-
tion, the organization will tolerate that risk. Risk tolerance is shown as the approach
that will be adopted in relation to low-likelihood risks with low impact. However, an
organization may decide to tolerate risk levels that are high because they are associated
with a potentially profitable activity or relate to a core process that is fundamental
to the nature of the organization.
It is unusual for a hazard risk to be accepted or tolerated before any risk control
measures have been applied. Generally speaking, a risk only becomes tolerable when
all cost-effective control measures have been put in place, so that the organization is
accepting or tolerating the risk at its current level. Certain control measures may
have been applied because the inherent level of the risk may have been unacceptable.
Control effort seeks to move the risk to the low-likelihood /low-impact quadrant of
the risk matrix, as illustrated in Figure 16.1.
Sometimes risks are only accepted as part of an arrangement whereby one risk is
balanced against another. This is a simple description of neutralizing or hedging
risks, but on a business level this may represent a fundamentally important strategic
decision. For example, an electricity company operating independently in the northern
states of the United States may have to accept the impact of variation in temperature
on electricity sales. By merging (or setting up a joint venture) with an electricity
company in the southern states, the north/south combined operation will be able to
smooth the temperature-related variation in electricity sales. The combined operation
will then sell more electricity in the northern states during cold weather, when
demand in the southern states is low. Conversely, the combined operation will
sell more electricity for air-conditioning units in the southern states in the summer,
when demand for electricity in the northern states may be lower.
180 Risk response
Treat risk
When the level of risk exposure (likelihood) associated with a particular hazard is
high but the potential loss (impact) associated with it is low, the organization will
wish to treat the risk. Risk treatment will often be undertaken with the risk at the
inherent and/or current level, so that when the risk has been treated, the new current
level or target level may become tolerable.
Actions to improve the standard of risk control will always be under constant
review in an organization. On a personal level, wearing a seat belt when driving a car
or fitting an intruder alarm in a house are examples of risk reduction actions.
Improvements to standards of risk control in relation to physical (insurable) risks
are well known. Fitting sprinklers to buildings, providing enhanced building security
arrangements and employee security vetting are all examples of risk improvement
actions designed to better manage hazard risks.
When identifying suitable risk treatment options, the organization will need to
look at the effect of the treatment on the likelihood of the risk materializing as
well as looking at the impact of the risk should it materialize. Cost-effective risk
treatments will need to be selected and the effect of different control measures can
be shown on a risk matrix, as in Figure 16.1.
There is an issue of terminology associated with treat risk. ISO 31000 considers
that ‘treat risk’ is the main heading under which various options exist, such as:
●● avoiding the risk by deciding not to start or continue with the activity;
●● taking or increasing the risk in order to pursue an opportunity;
●● removing the risk source;
●● changing the likelihood or the consequences;
●● sharing the risk with another party or parties;
●● retaining the risk by informed decision.
Other risk management standards refer to ‘risk response’ as the main heading and
this is the approach taken in this chapter. Using risk response as the main heading
then gives rise to the options of tolerate, treat, transfer and terminate. As with all
issues of terminology, it is for the organization to establish its own risk vocabulary,
one that is consistent with the external, internal and risk management context.
In some cases, terminology will be dictated by the external context. For example,
banks and other financial institutions will need to use the terminology of the
regulator. On occasions, terminology is dictated by the internal context within the
organization. If the terminology that has developed within the organization is
inconsistent with the terminology in ISO 31000, it is probably the case that the
risk manager would be better advised to use the terminology that already exists
within the organization, rather than trying to introduce new terms or new
meanings for existing terms.
Tolerate, treat, transfer and terminate 181
Transfer risk
When the likelihood of a risk materializing is low but the potential is high, the
organization will wish to transfer that risk. Insurance is a well-established mechanism
for transferring the financial impact of losses arising from hazard risks and (to a
lesser extent) control risks. The issues associated with the use of insurance as a risk
transfer mechanism are considered in more detail in Chapter 17.
In some cases, risk transfer is closely related to the desire to eliminate or terminate
the risk. However, many risks cannot be transferred to the insurance market,
either because of prohibitively high insurance premiums or because the risks under
consideration have (traditionally) not been insurable.
Risk transfer can be achieved by conventional insurance and also by contractual
agreement. It may also be possible to find a joint-venture partner, or some other
means of sharing the risk. Risk hedging or neutralization may therefore be considered
to be a risk transfer option, as well as a risk treatment option.
The cost of risk transfer is a component of risk financing. Once again, there is
variation in the definitions used. In relation to risk financing, both BS 31100 and
ISO 31000 agree that risk financing involves the cost of contingent arrangements
for the provision of funds to meet the financial impact of a risk materializing. Such
arrangements are usually provided by insurance, and insurance is, therefore, finance
that is contingent upon certain insured events taking place.
A difference in the definitions in BS 31100:2008 and ISO 31000:2009 is that
ISO 31000 also considers that the cost of risk financing should include the provision
of funds to meet the cost of risk treatment. In this text, resourcing of controls is
considered to be a separate step in the risk management process. This is another
example that illustrates that there is no universally agreed or common language
of risk.
There is another issue of terminology with the use of the phrase ‘risk transfer’.
ISO 31000 recommends that risk sharing should be used in preference to risk transfer.
The argument is that a risk can never be fully transferred and whatever the intention
of the parties, the risk will always be, to some extent, shared. This is an accurate
analysis, but the choice of terminology used within an organization will also be
influenced by other factors. In relation to risk sharing, the insurance industry uses
the terminology risk transfer. It may be difficult for the enterprise risk manager to
insist on the use of the phrase risk sharing when the insurance manager in the or-
ganization prefers to use the terminology of risk transfer because that is the standard
terminology used in part of the external context that is the insurance market.
Terminate risk
When a risk is both of high likelihood and high potential impact, the organization
will wish to terminate or eliminate the risk. It may be that the risks of trading in a
certain part of the world or the environmental risks associated with continuing to
use certain chemicals are unacceptable to the organization and/or its stakeholders.
182 Risk response
Potential
reward
Exploit Expand
opportunity until depending on risk
competitors arrive appetite and capacity
Exist Explore
in mature/declining entrepreneurial
markets opportunities
Level of risk
After a period of growth, the organization should be achieving a high reward for
a reduced risk. This represents the phase where the organization will exploit oppor-
tunities until competitors arrive. This is a mature operation. All mature operations
are exposed to the possibility of decline, although many organizations choose to exist
in a mature, declining market, where risk exposure is low and so are potential rewards.
The application of the 4Es to the management of strategic, opportunity or speculative
risks is consistent with the description of risk and reward offered by Figure 2.2. However,
pursuing opportunity risks and the development of strategic objectives are the most
important issues for many organizations. Risk management input into strategic decision
making may not always be as robust and well structured as the risk management input
into operations and projects.
The allocation of the dominant types of responses and controls to each of the four
quadrants shown in Figure 15.2 is similar to the allocation of the 4Ts using hazard
risk management. Existing in a mature or declining market is similar to accepting
uncertainty in tactics and tolerating hazard risks. Exploring opportunities is similar
to looking at the options for treating hazard risks. It is in the area of exploiting
opportunities and exiting opportunities where differences in approach between the
management of hazards and uncertainties compared with the management of oppor
tunities becomes most evident.
Figure 15.3 shows a refinement to Figure 15.2 in that the area of high risk and
potentially high reward is evaluated in a little more detail by taking account of risk
184 Risk response
Expand
Exploit the
if resources
opportunity
allow
Level of risk
appetite. An organization may find that it has a viable business opportunity but does
not have the resources to exploit it on its own. In these circumstances, the organiza-
tion has three main choices. It may exit the opportunity because it does not have the
risk appetite or risk capacity to pursue that opportunity. It may sell the opportunity
on to an organization that does have the appetite, capacity and resources to exploit
the opportunity or it may seek to share that opportunity.
Exiting the opportunity may be the appropriate option, because the organization
does not have the risk appetite, capacity or resources to pursue the opportunity and
has not been able or willing to find a partner to buy or share it. However, most
organizations with a viable opportunity will wish to gain from the identification of
that opportunity. Selling the opportunity may provide a profitable exit, but sharing
it with, for example, a joint-venture partner may be a better long-term option.
Entering into a joint-venture partnership will reduce the level of risk faced by the
organization, but will result in sharing of the benefits. This decision will depend on
business strategy, risk appetite, risk capacity and the availability of suitable business
partners. As well as a joint-venture partnership, exploiting business opportunities
may be possible by sharing the risk, using means such as outsourcing to share the
risk with others in the supply chain.
It should be noted that Figure 15.3 represents a flow chart from start-up (Explore
opportunities) to growth (Expand), then to a mature organization (Exploit) before
moving into decline (Exist). It is, therefore, similar to Figure 2.2. However, it has the
Tolerate, treat, transfer and terminate 185
added refinement that as the organization is looking to expand, it will have the
option of exiting if the risk appetite and/or risk capacity of the organization would
be exceeded. This extends the 4Es approach to become 5Es, depending on risk appetite.
The text box below provides an example of this approach applied to opportunity
management, although the terminology (as is often the case in risk management) is
a little different.
The purpose of the evaluation and response is to decide which opportunities require a
response and what the recommended response will be. The following are the key terms and
concepts when deciding how to respond to an opportunity and they can be used in
combination:
●● Enhance: the opportunity equivalent of ‘mitigating’ a risk is to enhance the opportunity
by increasing the probability and/or the impact.
●● Exploit: equivalent to the ‘avoid’ response, but the ‘exploit’ strategy seeks to make the
opportunity definitely happen.
●● Ignore: the ‘acceptance’ strategy takes no measures to deal with a hazard risk, and
opportunities can be ignored, with a reactive approach but no explicit actions.
●● Sharing (transfer) opportunity: ‘share’ strategy for opportunities seeks a partner able
to manage the opportunity who can maximize the chance of it happening.
186
16
Risk control
techniques
Types of controls
There are a range of controls that can be applied to hazard risks. The most convenient
classification system is to describe these controls as preventive, corrective, directive and
detective. This is the risk classification system suggested in the Orange Book. Table 16.1
provides a more detailed description of each of these four types of hazard controls.
In relation to hazard risks, the control options of preventive, corrective, directive
and detective (PCDD) represent a clear hierarchy of controls. The relationship
between these four types of controls and the dominant risk of response for different
levels of risks is illustrated on the risk matrix shown in Figure 16.1. Table 16.2 gives
examples of these four types of controls in relation to health and safety risks.
Impact
Transfer Terminate
risk to another party activity generating the risk
Dominant type of control will be Dominant type of control will be
Directive Preventive
Treat
Tolerate
risk to reduce the likely
risk and its likely impact
impact/exposure
Dominant type of control will be
Dominant type of control will be
Detective
Corrective
Likelihood
Risk control techniques 187
2 Corrective These controls are designed to limit the scope for loss
(treat) and reduce any undesirable outcomes that have been
realized. They may also provide a route of recourse to
achieve some recovery against loss or damage.
arises. Sometimes crisis management will involve the use of alternative facilities
that have been put in place before the crisis arose. It could be argued that these are
corrective controls.
In all cases, crisis management will involve directions to the involved parties as to
how they should behave if the crisis arises. It could be argued that these are directive
controls. Normally, detective controls relate to identification of circumstances where
a risk has materialized at a fairly low level with limited impact and consequences.
Clearly, DRP and BCP relate to circumstances where risks have materialized at crisis
level. Therefore, it is inappropriate to classify DRP and BCP as detective controls.
The bow-tie representation of the risk management process is a convenient way of
illustrating the role of the four types of controls. Preventive controls are relevant to
actions that are taken before the event occurs. The nature of detective controls means
that they relate to circumstances after the event has occurred. Corrective and directive
controls can be relevant to loss prevention, damage limitation and cost containment.
These are the three phases of loss control. The relevance of the types of controls
Risk control techniques 189
Flood Financial
Fire Infrastructure
Loss Damage to Cost
prevention premises containment
Earthquake Reputational
Preventive
Corrective
Directive
Detective
to the bow-tie presentation of the risk management process is shown in Figure 16.2.
For the sake of illustration, this figure uses the same hazard of damage to premises
as represented in Figure 11.2.
Directive controls are designed to ensure that a particular outcome is achieved.
In health and safety terms, directive controls would include instructions/directions
given to employees to follow, for example, in the use of personal protective equip-
ment. Training in how to respond to a particular risk event and detailed instructions
and procedures are directive controls. Directive controls are also associated with
actions that must be taken in the event of a loss to limit the damage and contain
the costs.
Detective controls are designed to identify occasions when an undesirable
outcome has occurred. The control is intended to detect when these undesirable
events have happened, to ensure that the circumstances do not deteriorate further.
An example of detective controls in a project is undertaking a post-incident review.
There is a clear hierarchy of effectiveness of controls that is represented by the
order preventive, corrective, directive and finally detective. Preventive controls are
clearly the most effective, followed by controls that correct adverse circumstances.
Providing training and direction to staff is a weaker level of control, and detective
controls only confirm that an adverse event has occurred.
The importance of DRP and BCP should not be underestimated. They are both
methods of cost containment designed to ensure minimum disruption after a hazard
risk has materialized, so they are aligned with detective controls. However, DRP
and BCP do not conveniently fit into the PCDD classification system for controls,
190 Risk response
because they are post-loss procedures. Some control classification systems include
BCP and DRP as a fifth category of control.
The example in the box below illustrates that an organization will use all four
types of control in order to build a robust set of risk responses. The road transport
company will make use of all four types of controls in order to reduce road traffic
accidents.
Take the example of a road transport company and the desire to reduce the number of
road traffic accidents per million miles driven, and the options for reducing this number.
The company can look at the preventive, corrective, directive and detective control
hierarchy and decide the following:
●● The scope for introducing preventive controls includes review of vehicle routing and
realistic estimates on delivery schedules so that drivers do not need to drive dangerously
to arrive on time.
●● The types of corrective controls that will be introduced include enhanced maintenance
procedures and improved arrangements for drivers to report vehicle defects.
●● Enhanced directive controls will be based on defensive driver training and the provision of
a vehicle driver handbook with practical advice that is easy to understand and follow.
●● Although some detective controls are already in place through the use of tachographs
in the vehicles, the company may decide to also introduce a routine review of drivers’
licences to check for penalty points.
Other controls that might be evaluated by the transport company include routine inspections
of vehicles to discover and report damage, and a review of fuel consumption to identify drivers
with an aggressive driving style. The company is then in a position to introduce structured and
measurable loss-control programmes to reduce the overall cost of running the fleet of vehicles.
Appetite
Impact line
Critical zone
Dominant response
will be
Concerned zone terminate
Dominant response
will be
transfer
Critical
line
Judgement line
Cautious zone
Dominant response
will be
treat
Comfort zone
Dominant response
will be
tolerate
Likelihood
a level of potential impact that will always be within the comfort zone. Likewise,
there is a level of risk likelihood that is always considered to be so low that it will
not happen.
However, as risk likelihood and potential impact increase, a point is reached
where judgement is required as to whether the risk should be tolerated. Judgement is
required within the cautious zone and actions will usually be taken to treat and/or
transfer the risks within that zone. The line that separates the cautious zone from the
concerned zone represents the risk appetite of the organization. The cautious zone
and the concerned zone together illustrate the acceptable variability of the level of
risk and can be considered to be the tolerance of the organization to acceptable
variability or volatility in the level of that particular risk.
As the risk likelihood and potential impact further increases, a critical line is
reached. When the risk gets above the critical line, the organization will be concerned
about tolerating those risks and will wish to terminate exposure to them. In certain
circumstances, the organization will not be able to terminate these risks, either
because they may represent a business imperative or because they are associated with
a high-risk/high-reward strategy that the board has adopted.
192 Risk response
Preventive controls
Table 16.1 provides a brief description of the nature of preventive controls.
These are the most important type of risk controls, and all organizations will use
preventive controls to treat certain types of risks. Prevention or elimination of
all risks is not possible on a cost-effective basis, nor may it be desirable for the future
of the organization and the continuation of certain activities.
Examples of preventive controls include the separation of duty, whereby no
person has authority to act without the consent of another when paying an invoice.
Also, expenditure systems should prevent the same person from ordering goods
and then authorizing the payment for them. In health and safety terms, preventive
controls include the elimination or removal of the hazard and providing a less risky
substitute. For example, a hazardous chemical used in a cleaning operation may be
substituted with a less harmful alternative.
The advantage of preventive controls is that they eliminate the hazard, so that no
further consideration of it is required. In reality, this may not be a cost-effective
option and may not be possible for operational reasons. The disadvantages of pre-
ventive controls are that beneficial activities may be eliminated and either outsourced
or replaced with something less effective and efficient.
Health and safety practitioners refer to the elimination of hazardous activities
‘so far as is reasonably practicable’. Achieving something so far as is reasonably
practicable involves the balance between cost in terms of time, trouble and money
against the benefit in terms of the reduction in the level of risk that is achieved. For
example, reducing the risk of collapse can be achieved in underground mines by the
provision of support beams and props. However, the extent to which this is reasonably
practicable will need to take into account the cost of providing these props against
the level of risk reduction that would be achieved in that particular mine.
Corrective controls
Table 16.1 provides a brief description of the nature of corrective controls. Corrective
controls are the next option after it has been decided that preventive controls are not
technically feasible, operationally desirable or cost-effective. Corrective controls are
capable of producing an entirely satisfactory result, whereby the current level of risk
is reduced to within the risk appetite of the organization.
Examples of corrective controls can be found in the management of health and
safety at work. Engineering containment by way of barriers or guards is a very
well-established type of corrective control. In relation to fraud exposures, use of
passwords or other access controls can be considered to be corrective controls. Staff
rotation and regular change of supervisors also fit into this category of controls.
The advantage of many corrective controls is that they can be simple and cost-
effective. Also, they do not require that existing practices and procedures are eliminated
or replaced with alternative methods of work. The controls can be implemented
within the framework of existing activities. The disadvantage of some corrective
controls is that the marginal benefits that are achieved may be difficult to quantify
or confirm as cost-effective.
Risk control techniques 193
Directive controls
Table 16.1 provides a brief description of the nature of directive controls.
Organizations will be familiar with the directive controls, because staff will need
to be advised of the correct way of undertaking specific tasks. Where tasks involve
a level of risk, documented procedures, together with information, training and
instruction, can be seen as directive controls. Therefore, directive controls are likely
to be in place for most risks, regardless of whether other types of controls also exist.
An example of directive controls is the requirement to wear personal protective
equipment when undertaking potentially dangerous activities. Staff will need to be
trained in the correct use of the equipment and a level of supervision will be required
in order to ensure that it is used correctly.
The advantage of directive controls is that the risk control requirements can be
explained during a normal training and instruction session provided for staff. How
ever, directive controls, especially in relation to health and safety risks, represent a
low level of control that may require constant supervision in order to ensure that the
correct procedures are being followed.
Although directive controls on their own represent an insecure and unreliable
method of risk control, they will always be a component in the overall approach
to risk control adopted by any organization. Developing systems, procedures and
protocols are important for any organization. However, there is a danger that if
the developed procedures are not implemented in practice, the organization will be
more exposed to allegations of poor risk control. Developing detailed risk control
procedures is an indication by the organization that risks exist and need to be
managed. However, failing to implement the identified procedures will leave the
organization unable to defend itself by claiming that it was not aware of the risks.
194 Risk response
Detective controls
Table 16.1 provides a brief description of the nature of detective controls. As
suggested in the title, detective controls are those procedures that identify when the
hazard has materialized. Detecting that a hazard has materialized some time after
the event is not entirely satisfactory, but can be justified in certain circumstances.
Sometimes, other controls may be unable to completely eliminate the chances of
a risk materializing.
Examples of detective controls include stock or asset checks to ensure that stock or
assets have not been removed without authorization. Bank reconciliation exercises
can detect unauthorized transactions. Also, post-implementation reviews can detect
the lessons learnt from projects that can be applied in future. Detective controls are
closely related to review and monitoring exercises undertaken as part of the risk
management process.
The advantage of detective controls is that they are often simple to administer.
In any case, they are essential in many circumstances where the organization will
require early warning that other risk control measures have broken down. The
disadvantage of the detective controls is that the risk will already have materialized
before it is detected. It could be argued, of course, that the fact that detective controls
are in place will deter certain individuals from attempting to circumvent other risk
controls.
Detection of fraud is often only possible after the fraud has taken place. However,
there are considerable advantages in detecting fraud early, so that the nature and
scale of the fraud may be reduced and the scope for future similar fraudulent
activities eliminated. The text box discusses introducing new financial controls in
a charity.
Risk control techniques 195
Even in health and safety arrangements, there is scope for the use of detective
controls. Certain work activities have hazards associated with them that can lead to
permanent and serious health issues. By having detective controls to identify the
early symptoms of these occupational ill health conditions, employees will be
diagnosed early and further exposure can be eliminated. Examples of these types of
controls in health and safety include early detection of lung disease from dust
exposure, skin conditions such as dermatitis and finally deafness caused by exposure
to occupational noise.
The main reason for having financial controls is to reduce the risk of error and fraud.
Errors are likely to result in a loss of money, because donors are more likely to give
money to charities that they can trust.
Once you have established your financial controls, they should be discussed and
approved by the trustees. You need to ensure that you have the support of all trustees
before implementing any new controls. Then, implement the financial controls noting who
is responsible for each control. By making someone accountable for a financial control,
it is more likely to be effective.
Controls are only good if they are relevant; therefore, you need to ensure that you
routinely review your controls to see if they are still effective. As things change, you need to
think about making changes to your controls as your organization evolves. It can be hard to
make changes to existing controls, but assessing why the controls are no longer valid and
how new controls can help the organization will help you in putting the changes into place.