Risk Magnitude, Tolerance, Scales and Factors Informing Risk Reduction/Management and Reasonably Practicable

Formal and informal considerations of risk invariably include financial expenditure or proportional economic investment to mitigate/manage risk, such as is commonly understood as reasonably practicable.

As a result, both scales of risk (viewed from top to bottom in the below graphic) in conjunction with the magnitude of risk (viewed as proportional variance in the red triangle below) influence attention, response and investment.

In other words, how big and wide a risk is perceived or calculated drives motivation, investment and effort to mitigate or manage one or more risks through controls, ultimately framing understandings of risk tolerance.

Despite this seemingly simple calculus and mapping exercise, few individuals or organisations adequately consider or document these financial and economic trade-offs, choices and decisions that have considerable influence in risk focus and investment leading to mitigation, control or management.

As Low as Reasonably Practicable (ALARP) remains more a conceptual guide than evidence-based rigour or scientific method.

In short, ALARP is influenced and constructed by far too many biases and confounding influences to be remotely accurate across individuals, organisations or industries.

Moreover, unsubstantiated concepts such as risk tolerance, risk appetite and even risk culture are predominately marketing and management tropes lacking empirical rigours, defensible constructs or reliable, valid data informing such claims.

Therefore, in broad terms (back of envelope calculations), reasonably practicable calculations and distributions should be mandatory inclusions in the management or matters and issues relating to risk.

The reason being is that litigation, public enquiries, claims and investigations typically start with the question of reasonably practicable and work backwards through the decisions and influences that lead to choices that may/may not have contributed to negative risk outcomes, accidents, loss, damage, injury or death.

As the expressions goes...

You wouldn't spend $1 million to protect a $1 assets, yet you would be crazy not to spend $1 to protect a $1 million asset

The trick to this question though is how do you know the value of the asset, prevention, mitigation, utility, and worth of an asset if you don't calculate it?

In sum, reasonably practical in the context of matters relating to risk, threat, harm, security and safety mitigation typically comes with a financial and economic choice/s.

That is, what is perceived or believed to be a risk, determines investment, attention and management priority to either constrain risk to acceptable tolerance levels or reduce it in some way/s.

As a result, value, costs, options, choices and trade-offs must be calculated and documented if an individual or organisation is expected or required to defend and justify decisions or judgement.

If not, no matter how fancy the maths looks, it remains little more than a guess.

Notwithstanding that the majority expressions and notions of risk appetite, risk tolerance and risk culture remain largely marketing and management consulting tropes to placate regulators and entertain investors because they typically lack any real empirical underpinnings or risk science/s basis.

Tony Ridley, MSc CSyP MSyI M.ISRM

Security, Risk & Management Sciences