
By Norman D. Marks, CPA, CRMA | 3 Minutes Read May 3, 2017

When an acceptable level of risk is not acceptable

We are used to identifying a risk, analyzing the potential consequences and their likelihood, and then establishing a ‘risk level’. We evaluate whether the level of risk is acceptable or not, based on risk appetite, risk criteria, or the like.
But is that sufficient?
Let’s imagine we are planning a trip from our home in Paris to Lyon. The plan is to take a taxi to the train station and then a fast train to Lyon. An uncle will meet the train and bring us to his home, where we will spend a few days.
You and your spouse assess the risks.
There’s a possibility that either of you or the kids will get sick. You assess that risk as low but will monitor it as the date gets closer.
Strikes in Paris are always a possibility and you are vulnerable to either a taxi or train strike. In addition, if the Metro workers go on strike, finding a taxi will be hard. Again, you accept the risk but agree to monitor it.
Other risks include the possibility that your uncle or members of his family will be sick, or that either you or your spouse will be called into work to handle an emergency.
Overall, though, the risks are each assessed as low but need to be watched.
The week before the trip, two of your children start to show the symptoms of a bad cold. You are at home looking after them and have to make a decision. Will there be time to treat them so that it’s ok to travel rather than stay home? You decide that more likely than not they will recover in time and the risk is acceptable.
But in the meantime, your spouse is hearing from a manager that there’s a decent chance (maybe 30%) that a potential major deal will close in a couple of days. If that happens, you will need to cancel the vacation. Your spouse decides that the risk is acceptable.
That evening, you get together and share your assessments of the individual risks.
While each may be acceptable individually, the combination troubles you. You decide to check the weather and see that there’s a 30% chance of rain in Lyon for each of the days you will be there.
Overall, you decide it is better to cancel. The overall situation is not to your liking. You are not going to take the risk.
The same thing can happen with a business situation.
If your company is considering opening an office in Japan, you might identify a number of risks such as:

  • Inability to hire Japanese-speaking employees with the experience and contacts necessary to make the new office a success
  • The ‘stickiness’ of Japanese companies when it comes to being open to buying products from you rather than their traditional Japanese vendors
  • The ability to deliver products to the Japanese market, given the long supply chain from your factories in Europe
  • The level of competition from your competitors, including the possibility of their lowering prices to keep you out
  • Your unfamiliarity with Japanese customs and regulations, leading to potential compliance risk
  • The increase in cyber risk from extending the network into Japan, especially as you expect the staff there to need Japanese language cloud-based systems
  • The additional cost of providing materials in the Japanese language
  • The ability to find warehouses with the necessary conditions to support sales in Japan

Each of these might be assessed separately, perhaps by different teams.
While each may seem to be individually acceptable, it is possible that the aggregate effect is such that there’s an unacceptable level of risk of failure.
Why is this important?
A risk register or heat map that focuses on individual risks does not easily support business decisions like this.
Your thoughts? How do you address this?

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Article by Norman D. Marks, CPA, CRMA / Business, Finance and Accounting, Information Technology, Privacy / business decisions, risk, risk level
