The risk criteria guide our recommendations about what to do with a given risk or collection of risks. We define what risk is acceptable to the organization. We can plot risks and risk criteria to see the results of our analysis.

It might be tempting for someone in the organization to suggest that we have “zero tolerance” for risk. This bit of hyperbole is rarely helpful. Every organization operates with risk and uncertainty. The real question for legal risk management is how much to invest to reduce the risk to an acceptable level.

Likelihood and consequences define the risk plot

When establishing the risk criteria, consider which consequences matter or are “within scope.”

In addition to leveraging the definition of likelihood from the risk framework, we want to identify the timeframe that matters. The fact that some risk might materialize at some distant point may not warrant our attention. However, the likelihood of a risk event in the next two years is sufficiently near term. The important point is to have a clear sense of the timeframe within which we will consider risks.

Our risk criteria should include the overall risk rating as well as the independent variables, likelihood and consequences. It is not unusual, for example, to tolerate high likelihood/low consequence risks more than low likelihood/high consequence risks, even though they are mathematically the same.

Plotting risks and risk criteria

Figure: Acceptable v. Unacceptable Risk Tolerance

Here is a plot of our two previous legal risks. The risk in the upper left is rated as having significant consequences, so we gave it a 3. The likelihood, however, is unlikely, or a 1.

The second risk in the lower right has insignificant consequences (rated as a 1) and is somewhat likely (a 2 on the likelihood scale).

The yellow area indicates our risk criteria or our risk tolerance. Risks within the yellow area are tolerable, otherwise they are unacceptable.

Why isn’t the diagonal line straight? Why aren’t the points placed precisely on each scale?

We don’t want to convey a false sense of precision, unless we know with certainty how to draw the diagonal and where to pin the height and width of the risk tolerance area. The objective of this exercise is to see how different organizations approach risk tolerance and how those differences shape their investments in risk management.

Plotting risks with risk treatment

Figure: Risk Criteria Where All Current Risks Are Acceptable

In this example, we have invested in risk mitigation to lower the consequences of the risk. Notice that we did nothing to change the likelihood. We lowered the consequences from 3 (Significant) to 2 (Material).

We will learn strategies to achieve this result later, but for now let’s assume that we acquire additional insurance proactively to cover some of the potential loss.

Also, notice that we did not eliminate the risk. There is still some likelihood that there will be a lawsuit that prevails. We simply reduced the financial damages from such an event.

Figure: Collection of Risks by Likelihood and Consequences

This chart shows eight risks. Each risk has a different likelihood and consequence rating. We have “common sized” these risks. Some are litigation, some are contract issues, and some are regulatory. They all fit on the chart.

Risk tolerance and risk criteria in context

Now let’s see how different organizations approach this same basket of risks. Keep in mind that the organizations can be different sizes; the ratings are relative.

Risk averse risk criteria

Figure: Risk Criteria for Risk Averse Organization

The first organization is strongly risk averse. It will only accept risks where either the likelihood or the consequences is rated a 1 and the other is a 2 at most. You can see that a risk which is rated a 2 on both consequences and likelihood would be outside the yellow triangle and therefore unacceptable.

Even the one risk down in that corner straddles the boundary. The legal risk management team will definitely debate whether or not to invest resources to reduce that risk.

Moderate risk tolerance risk criteria

Figure: Risk Criteria for Organization with Medium Risk Tolerance

This organization has a bit more tolerance for risk. There is one risk that is clearly tolerable and one that is borderline. The tolerable risk will receive no risk mitigation.

Risk tolerant risk criteria

Figure: Risk Criteria for Risk Tolerant Organization

This organization is much more risk tolerant. Most of the risks are tolerable. Notice how this organization does not accept risks that approach 3 on either the likelihood or consequences scale.

Risk tolerances compared

Figure: Three Levels of Risk Tolerance and Risk Criteria

Here are all three organizations layered together. Of course, each organization agrees that the risk in the upper right is unacceptable.

Each organization draws this line differently. Consistent application of the risk tolerance policy is more important than chasing a universal approach.
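To make the comparison concrete, here is a small model of the plot as code: each risk carries a likelihood and a consequence rating on the page's 1-to-3 scales, each organization's risk criteria is a tolerable region (caps on both axes plus a diagonal), and the same basket is tested against all three, before and after a treatment that lowers consequences the way the insurance example does. This is an added example, not a tool from the original article. The risk-averse boundary follows the page (one rating is a 1, the other at most a 2); the eight risks and their ratings are constructed, and the moderate and tolerant boundaries and the consequence weight (which expresses the page's point that equal likelihood × consequence scores are not tolerated equally) are illustrative assumptions, not values the page gives.

```python
"""Risk criteria as a model: rate each risk on likelihood and consequences
(1-3 scales), then test a basket of risks against three organizations'
risk tolerances and against a risk treatment.

Example code added to this page, not a tool from the original article.
Assumptions: the eight risks and their ratings are constructed; the
risk-averse boundary follows the page (one rating is 1, the other at most 2);
the moderate and tolerant boundaries and the consequence weight are
illustrative choices, not values the page gives.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    category: str        # litigation, contract, regulatory, ...
    likelihood: float    # 1 = unlikely ... 3 = very likely, within the agreed timeframe
    consequence: float   # 1 = insignificant, 2 = material, 3 = significant


@dataclass(frozen=True)
class RiskCriteria:
    """The tolerable (yellow) region of the likelihood/consequence plot.

    A risk is tolerable when it stays below both caps and under the diagonal
    likelihood + consequence_weight * consequence <= budget.  A weight above
    1.0 tolerates high-likelihood/low-consequence risks more than their
    mirror image, even though likelihood * consequence is identical.
    """
    name: str
    max_likelihood: float    # exclusive cap: ratings at or above it are never tolerable
    max_consequence: float
    budget: float
    consequence_weight: float = 1.0

    def accepts(self, risk: Risk) -> bool:
        if risk.likelihood >= self.max_likelihood or risk.consequence >= self.max_consequence:
            return False
        score = risk.likelihood + self.consequence_weight * risk.consequence
        return score <= self.budget


# Risk averse (from the page): the triangle with corners (1,1), (1,2) and (2,1).
RISK_AVERSE = RiskCriteria("risk averse", 3, 3, budget=3)
# Moderate and tolerant boundaries are assumptions made for illustration.
MODERATE = RiskCriteria("moderate", 3, 3, budget=4, consequence_weight=1.25)
TOLERANT = RiskCriteria("tolerant", 3, 3, budget=5)
CRITERIA = [RISK_AVERSE, MODERATE, TOLERANT]

# Constructed basket of eight "common sized" risks across categories.
BASKET: List[Risk] = [
    Risk("Pending lawsuit", "litigation", likelihood=1, consequence=3),
    Risk("Vendor contract dispute", "contract", likelihood=2, consequence=1),
    Risk("Regulatory audit finding", "regulatory", likelihood=2, consequence=2),
    Risk("Privacy complaint", "regulatory", likelihood=2.5, consequence=1),
    Risk("Licensing gap", "contract", likelihood=1, consequence=2.5),
    Risk("Class action", "litigation", likelihood=3, consequence=3),
    Risk("Late delivery penalty", "contract", likelihood=1, consequence=1),
    Risk("Employment claim", "litigation", likelihood=2, consequence=1.5),
]


def evaluate(criteria: RiskCriteria, risks: List[Risk]) -> Dict[str, bool]:
    """Map each risk name to whether it falls inside the tolerable region."""
    return {r.name: criteria.accepts(r) for r in risks}


def compare(criteria_list: List[RiskCriteria], risks: List[Risk]) -> Dict[str, Dict[str, bool]]:
    """Layer several organizations' criteria over the same basket."""
    return {c.name: evaluate(c, risks) for c in criteria_list}


def treat(risk: Risk, likelihood: Optional[float] = None,
          consequence: Optional[float] = None) -> Risk:
    """Return the risk after treatment, e.g. insurance lowering consequences
    while leaving likelihood untouched.  The event can still happen."""
    return replace(risk,
                   likelihood=risk.likelihood if likelihood is None else likelihood,
                   consequence=risk.consequence if consequence is None else consequence)


if __name__ == "__main__":
    table = compare(CRITERIA, BASKET)
    print(f"{'risk':26} {'L':>4} {'C':>4}  " + "  ".join(f"{c.name:>12}" for c in CRITERIA))
    for r in BASKET:
        verdicts = "  ".join(f"{'tolerable' if table[c.name][r.name] else 'UNACCEPTABLE':>12}"
                             for c in CRITERIA)
        print(f"{r.name:26} {r.likelihood:>4} {r.consequence:>4}  {verdicts}")
    insured = treat(BASKET[0], consequence=2)   # cover bought: 3 (significant) -> 2 (material)
    print("\nafter insurance:", insured.name,
          [c.name for c in CRITERIA if c.accepts(insured)])
```

Two things in the output mirror the charts: every organization rejects the upper-right risk, and the risk-averse organization accepts only the two risks sitting in or on the edge of its triangle, so a rating of exactly (2,1) lands on the boundary and is the kind of case the team would debate. The weighted diagonal in the moderate criteria is what lets "Privacy complaint" (2.5, 1) through while rejecting its mirror image "Licensing gap" (1, 2.5).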