When we are young children, our parents do their best to protect us from harm. We’re taught not to play in the road or speak with strangers. As we grow and our environment changes, these foundational lessons guide us even when we are old enough to know better than to touch a hot stove.
When my wife and I had our first daughter, we had a very low Risk tolerance. We child-proofed every corner of the house, sanitized every surface, and never fed her candy. At that moment, our Risk radar was solid red. It was hard to see areas where there wasn’t danger around every corner. Over the years we relaxed, and by the time we had our third child, we stopped sanitizing surfaces that likely would never be touched and even allowed the youngest to eat that piece of candy Grandma was always trying to give the kids. Our Risk tolerance level rose significantly as we gained context on parenthood.
We didn’t realize that all along we were conducting Risk analysis. Risk analysis is a process of evaluating the result, or Exposure, of either a positive or a negative event occurring. Risk Exposure is assessed on two factors:
What is the Probability of that Risk?
What is the Impact of that Risk if it were to occur?
Based on that assessment, Risks are generally categorized into one of three buckets:
Red Risks have a high exposure rating. These are the Risks that we continuously monitor. For these Risks, we develop detailed qualitative mitigation plans, and we also spend time determining the quantitative impact of the Risk.
Amber Risks are the Risks we monitor regularly, but not continuously. For these Risks, we generally only focus on the qualitative impact of the Risk.
Green Risks are like the tooth about which your dentist says, “we’re going to keep an eye on this one.” You know these Risks could become an issue down the line, but they are either of low impact or low probability.
Risk tolerance is unique to the culture of an organization. Teams dealing with life safety or teams that are extremely risk-averse might have a Risk tolerance table that looks like this: