Risk Acceptance in Risk Management
Welcome. In this blog, I want to talk about risk acceptance and the acceptance of risk as a treatment strategy. Too many organisations that I deal with are quick to jump in and say, “well, we actually have to treat this particular risk”. The question that you need to ask is, “well, do I?” The questions we go through in deciding whether we are going to treat or accept the risk are fundamental to us coming to that decision. So the first question we ask is: is that risk at a level that we are comfortable with as an organisation? Does it fit within our risk appetite? Does it fit within what we are willing to accept? If it does, potentially we can just park it there. We will put it in the risk register and continually monitor it, because it may actually become a higher-level risk later.
There are also risks that are going to be above our risk appetite that we simply cannot do anything else about. So, somebody within the chain of command or within the organisation with the necessary level of authority needs to say, “you know what, I am willing to accept that risk on behalf of the organisation, noting there is nothing else that I can do about it”. What I will do, however, is make sure that the controls around that particular risk remain effective. You need to make sure to document, document, document, so that if something does go wrong, they can say, “okay, these guys did recognise that as a risk and they took this decision because of this”.
There are also instances where control over what would cause that particular risk to occur is completely outside your capability, and you may not be able to do anything about the consequences either. So you are stuck in a situation where an event that you have no way of stopping, and whose consequences you have no way of reducing if it does occur, could impact on you. Once again, we need to record it, understand what controls we do have in place, and make sure we have captured all of the essence of that particular risk.
Finally, it may not be cost effective to actually treat the risk. We have talked a little bit before about cost effectiveness of treatments, in that it is not always about cost. You need to take into consideration: what is the safety impact? What is the reputational impact? What is the compliance impact? Once we have all of that information, we can look at what it would cost to treat that particular risk. It might be that you are going to spend $500,000 to potentially save a million dollars. Even the W.A. cost legislation identifies that cost effectiveness when looking at safety risks. When you are looking at your decisions around treatment, don’t always jump to “we need to treat this”. We need to ask ourselves the questions: is it cost effective? Is it inside of our control? Is it within our appetite anyway, or can we do anything about this to reduce the level of risk? If not, risk acceptance is a valid treatment strategy. So that’s all I have got for this blog. As always, let’s be careful out there.