15
Tolerate, treat, transfer and terminate

The 4 Ts of hazard response

Priority significant risks facing an organization are those that have:
• high or very high impact in relation to the benchmark test for significance;
• high or very high likelihood of materializing at or above the benchmark level;
• high or very high scope for cost-effective improvement in control.

The benchmark test for significance should be set at a level that represents a significant impact for the organization. Having identified the priority significant risks, the organization then needs to review the controls in place and decide whether further actions are required. For hazard risks, the range of responses available is often described as the 4Ts.

There is a broad range of terminology available to describe risk response options. In fact, both British Standard BS 31100 and ISO 31000 use the term 'risk treatment' as the more generic description. For example, the British Standard defines risk treatment as the 'process of developing, selecting and implementing controls'. Likewise, ISO 31000 defines risk treatment as 'development and implementation of measures to modify risk'.

The terminology used in the Orange Book has been adopted for this text for the risk response stage of the risk management process. The options for responding to risk can then be identified as the 4Ts. Appendix B contains information on the alternative definitions that are used by different publications.

More information and a brief description of each of the 4Ts is provided in Table 15.1. The 4Ts of hazard risk management can be summarized as:
• tolerate;
• treat;
• transfer;
• terminate.

Generally speaking, it is only priority significant risks that require attention at the most senior level of the organization. However, it is appropriate that compliance risks also receive boardroom attention. In practice, the board will expect these compliance risks to be properly managed and the board will only receive routine/annual reports describing risk performance, or a special report if a specific issue has arisen. The organization will seek to introduce effective and efficient controls to minimize compliance risks.

TABLE 15.1 Description of the 4Ts of hazard response

1 Tolerate (Accept/retain)
The exposure may be tolerable without any further action being taken. Even if it is not tolerable, the ability to do anything about some risks may be limited, or the cost of taking any action may be disproportionate to the potential benefit gained.

2 Treat (Control/reduce)
By far the greater number of risks will be addressed in this way. The purpose of treatment is that, whilst continuing within the organization with the activity giving rise to the risk, action (control) is taken to constrain the risk to an acceptable level.

3 Transfer (Insurance/contract)
For some risks the best response may be to transfer them. This might be done by conventional insurance, or it might be done by paying a third party to take the risk in another way. This option is particularly good for mitigating financial risks or risks to assets.

4 Terminate (Avoid/eliminate)
Some risks will only be treatable, or containable to acceptable levels, by terminating the activity. It should be noted that the option of termination of activities may be severely limited in government when compared to the private sector.

Figure 15.1 suggests that there is a dominant response in relation to each of the 4 Ts, according to the position of the risk on a risk matrix. For risks that are low likelihood/low impact, the main response is tolerate. For risks that are high likelihood/low impact, the main response is treat. For risks that are low likelihood/high impact, the main response is transfer, and for risks that are high likelihood/high impact, the main response is terminate.

In order to give some context to the range of risks that is being considered, Table 15.2 provides examples of the range of potentially significant risks associated with the headings of the FIRM risk scorecard. Assessment of each of the risks will enable the organization to place the risk on a risk matrix. The position of the risk on the risk matrix will then indicate the most likely response to that risk. If the risk assessment is undertaken at the current level of risk, the effect of the existing controls will already have been evaluated as part of the risk assessment exercise.

Consider the case of a theatre that needs to respond to the increasing use of agents who require payment at the time of the booking, rather than after the performance. Also, a recent failure of an actor to arrive on the night of the performance caused the theatre considerable financial loss. This has resulted in the theatre reviewing the booking and appearance arrangements for actors and deciding responses that are appropriate in relation to all 4 Ts.

The theatre might decide that it has to tolerate the new booking fee arrangements. It has also decided that in order to treat/reduce the risk, it will only deal with established agents in future and terminate existing arrangements with an agency that has proved unreliable in the past. The theatre might also investigate the possibility of buying insurance, so that the theatre can transfer the cost of a performance cancelled because the actor fails to arrive on the night.
TABLE 15.2 Key dependencies and significant risks
(columns: FIRM risk scorecard heading; example dependencies; example of a significant risk)

Financial
  Availability of funds: Insufficient funds available from parent company
  Correct allocation of funds: Inadequate profit because of incorrect capital expenditure decisions
  Internal control: Fraud occurs because of inadequate internal controls
  Liabilities under control: Higher than expected liabilities arise in the pension fund

Infrastructure
  People: Failure to achieve/maintain health and safety standards
  Premises: Damage to key location caused by insured peril
  Processes: IT control systems not available because of virus or hacker activity
  Products: Disruption because of failure of supplier

Reputational
  Brand: Product recall causes damage to product image and brand
  Public opinion: Lost sales or revenue because of change in public tastes
  Regulators: Regulator enforcement action causes loss of public confidence
  CSR: Allegations of unethical product-sourcing causes loss of sales

Marketplace
  Regulatory environment: Change in tax regime results in unbudgeted tax demands
  Economic health: Decline in world or national economy reduces consumer spending
  Product development: Changes in technology reduce product appeal and sales
  Competitor behaviour: Competitor substantially reduces prices to win market share

FIGURE 15.1 Risk matrix and the 4 Ts of hazard management
(horizontal axis: Likelihood; vertical axis: Impact)
  Low likelihood / low impact: Tolerate the risk and its likely impact
  High likelihood / low impact: Treat the risk to reduce the likely impact or exposure
  Low likelihood / high impact: Transfer the risk to another party
  High likelihood / high impact: Terminate the activity generating the risk
Tolerate risk

Risk tolerance is defined in Guide 73 as the organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives. The guide then adds that risk tolerance can be influenced by legal or regulatory (compliance) requirements. The comment about legal or regulatory requirements is very relevant, in that organizations will often have to tolerate a risk because of legal or regulatory requirements, even in circumstances where the organization would otherwise not wish to tolerate that risk. It should be noted that tolerance relates to a specific or individual risk, rather than the more general approach represented by risk appetite. Risk appetite refers to the amount and type of risk that an organization is willing to pursue or retain.

There is a confusion of terminology between when an organization is willing to tolerate a risk and the concept of risk tolerance. The concept of tolerate is normally concerned with the organization being willing to retain or tolerate a risk, even if it is higher than the organization would choose to accept. The other concept is that of risk tolerance. Many organizations use risk tolerance in the engineering sense to represent the range of risk that is broadly acceptable. In Figure 25.1, the central sections of concerned zone and cautious zone draw the boundary around the risk tolerance. As with the engineering use of the word tolerance, these zones define the boundaries within which the organization desires the level of risk to be confined.

An organization may have to tolerate risks that have a current level beyond its comfort zone and its risk appetite. On occasions, an organization may even have to tolerate risks that are beyond its actual risk capacity. However, this situation would not be sustainable and the organization would be vulnerable during this period.

When the hazard risk is considered to be within the risk appetite of the organization, the organization will tolerate that risk. Risk tolerance is shown as the approach that will be adopted in relation to low-likelihood risks with low impact. However, an organization may decide to tolerate risk levels that are high because they are associated with a potentially profitable activity or relate to a core process that is fundamental to the nature of the organization.

It is unusual for a hazard risk to be accepted or tolerated before any risk control measures have been applied. Generally speaking, a risk only becomes tolerable when all cost-effective control measures have been put in place, so that the organization is accepting or tolerating the risk at its current level. Certain control measures may have been applied because the inherent level of the risk may have been unacceptable. Control effort seeks to move the risk to the low-likelihood/low-impact quadrant of the risk matrix, as illustrated in Figure 16.1.

Sometimes risks are only accepted as part of an arrangement whereby one risk is balanced against another. This is a simple description of neutralizing or hedging risks, but on a business level this may represent a fundamentally important strategic decision. For example, an electricity company operating independently in the northern states of the United States may have to accept the impact of variation in temperature on electricity sales. By merging (or setting up a joint venture) with an electricity company in the southern states, the north/south combined operation will be able to smooth the temperature-related variation in electricity sales. The combined operation will then sell more electricity in the northern states during cold weather, when demand in the southern states is low. Conversely, the combined operation will sell more electricity for air-conditioning units in the southern states in the summer, when demand for electricity in the northern states may be lower.

Treat risk

When the level of risk exposure (likelihood) associated with a particular hazard is high but the potential loss (impact) associated with it is low, the organization will wish to treat the risk. Risk treatment will often be undertaken with the risk at the inherent and/or current level, so that when the risk has been treated, the new current level or target level may become tolerable.

Actions to improve the standard of risk control will always be under constant review in an organization. On a personal level, wearing a seat belt when driving a car or fitting an intruder alarm in a house are examples of risk reduction actions. Improvements to standards of risk control in relation to physical (insurable) risks are well known. Fitting sprinklers to buildings, providing enhanced building security arrangements and employee security vetting are all examples of risk improvement actions designed to better manage hazard risks.

When identifying suitable risk treatment options, the organization will need to look at the effect of the treatment on the likelihood of the risk materializing as well as looking at the impact of the risk should it materialize. Cost-effective risk treatments will need to be selected and the effect of different control measures can be shown on a risk matrix, as in Figure 16.1.

There is an issue of terminology associated with treat risk. ISO 31000 considers that 'treat risk' is the main heading under which various options exist, such as:
• avoiding the risk by deciding not to start or continue with the activity;
• taking or increasing the risk in order to pursue an opportunity;
• removing the risk source;
• changing the likelihood or the consequences;
• sharing the risk with another party or parties;
• retaining the risk by informed decision.

Other risk management standards refer to 'risk response' as the main heading and this is the approach taken in this chapter. Using risk response as the main heading then gives rise to the options of tolerate, treat, transfer and terminate. As with all issues of terminology, it is for the organization to establish its own risk vocabulary, one that is consistent with the external, internal and risk management context.

In some cases, terminology will be dictated by the external context. For example, banks and other financial institutions will need to use the terminology of the regulator. On occasions, terminology is dictated by the internal context within the organization. If the terminology that has developed within the organization is inconsistent with the terminology in ISO 31000, it is probably the case that the risk manager would be better advised to use the terminology that already exists within the organization, rather than trying to introduce new terms or new meanings for existing terms.

Transfer risk

When the likelihood of a risk materializing is low but the potential impact is high, the organization will wish to transfer that risk. Insurance is a well-established mechanism for transferring the financial impact of losses arising from hazard risks and (to a lesser extent) control risks. The issues associated with the use of insurance as a risk transfer mechanism are considered in more detail in Chapter 17.

In some cases, risk transfer is closely related to the desire to eliminate or terminate the risk. However, many risks cannot be transferred to the insurance market, either because of prohibitively high insurance premiums or because the risks under consideration have (traditionally) not been insurable.

Risk transfer can be achieved by conventional insurance and also by contractual agreement. It may also be possible to find a joint-venture partner, or some other means of sharing the risk. Risk hedging or neutralization may therefore be considered to be a risk transfer option, as well as a risk treatment option.

The cost of risk transfer is a component of risk financing. Once again, there is variation in the definitions used. In relation to risk financing, both BS 31100 and ISO 31000 agree that risk financing involves the cost of contingent arrangements for the provision of funds to meet the financial impact of a risk materializing. Such arrangements are usually provided by insurance, and insurance is, therefore, finance that is contingent upon certain insured events taking place.

A difference in the definitions in BS 31100:2008 and ISO 31000:2009 is that ISO 31000 also considers that the cost of risk financing should include the provision of funds to meet the cost of risk treatment. In this text, resourcing of controls is considered to be a separate step in the risk management process. This is another example that illustrates that there is no universally agreed or common language of risk.

There is another issue of terminology with the use of the phrase 'risk transfer'. ISO 31000 recommends that risk sharing should be used in preference to risk transfer. The argument is that a risk can never be fully transferred and whatever the intention of the parties, the risk will always be, to some extent, shared. This is an accurate analysis, but the choice of terminology used within an organization will also be influenced by other factors. In relation to risk sharing, the insurance industry uses the terminology risk transfer. It may be difficult for the enterprise risk manager to insist on the use of the phrase risk sharing when the insurance manager in the organization prefers to use the terminology of risk transfer because that is the standard terminology used in part of the external context that is the insurance market.
Terminate risk

When a risk is both of high likelihood and high potential impact, the organization will wish to terminate or eliminate the risk. It may be that the risks of trading in a certain part of the world or the environmental risks associated with continuing to use certain chemicals are unacceptable to the organization and/or its stakeholders. In these circumstances, appropriate responses would be elimination of the risk by stopping the process or activity, substituting an alternative activity or outsourcing the activity that is associated with the risk.

An organization may wish to terminate a risk, but it could be the case that the activity that gives rise to it is fundamental to the ongoing operation of the organization. In such circumstances, the organization may not be able to terminate or eliminate the risk entirely and thus will need to implement alternative control measures.

This is a particular issue for public services. There may be certain risks that have high likelihood and high impact, but the organization is unable to terminate the activities giving rise to them. This may be because the activity is a statutory requirement placed on a government agency or public authority. The public service imperative may restrict the ability to cease the activity, so the organization will need to introduce control measures, to the greatest extent that is cost-effective.

It is likely that such control measures will be a combination of risk treatment and risk transfer. As these control measures are applied, the level of risk will move to a level where the organization will be able to tolerate the risk. Because of the variable nature of risks, it may not be possible to get all risks to a level that is within the risk appetite of the organization. The organization may find that it has to tolerate risks beyond its empirical risk appetite in order to continue to undertake a certain activity.

Strategic risk response

This chapter has been concerned almost exclusively with responding to hazard risks. The 4 Ts represent the options for mitigating hazard risks.

The overall approach to the management of control and opportunity risks is similar to the approach adopted for the management of hazard risks. However, there are sufficient differences in the range of options available for these to be presented separately. It is worth remembering that projects normally reflect and implement the tactics that are being employed to implement strategy.

Figure 16.1 illustrates the 4 Ts of hazard risk management and the type of controls that are most likely to be associated with each type of hazard risk response. The types of controls are considered below.

Figure 15.2 suggests that there are a range of responses available for the management of opportunity risks. Developing and implementing effective and efficient strategy will require the evaluation of the level of risk associated with each available strategy and the level of reward that the strategy will deliver.

The 4 Es of opportunity management are set out as exist, explore, exploit and exit. There is a close relationship between the 4 Es and the status of the organization, as illustrated in Figure 15.2. A start-up operation will face a higher level of risk and low potential rewards.

Entrepreneurial opportunities will be explored at this time. As the organization grows, potential rewards will increase while the level of risk will remain high. The organization will seek to achieve growth, but may feel that growth is too slow or the level of risk remains too high, and if so it will exit from those operations.

FIGURE 15.2 Risk versus reward in strategy
(horizontal axis: Level of risk; vertical axis: Potential reward)
  High risk / low reward: Explore entrepreneurial opportunities
  High risk / high reward: Expand depending on risk appetite and capacity
  Low risk / high reward: Exploit opportunity until competitors arrive
  Low risk / low reward: Exist in mature/declining markets

After a period of growth, the organization should be achieving a high reward for a reduced risk. This represents the phase where the organization will exploit opportunities until competitors arrive. This is a mature operation. All mature operations are exposed to the possibility of decline, although many organizations choose to exist in a mature, declining market, where risk exposure is low and so are potential rewards.

The application of the 4 Es to the management of strategic, opportunity or speculative risks is consistent with the description of risk and reward