In 2015, the North Carolina Department of Transportation (NC DOT) completed the I-485 project it began in 1988. This gave Charlotte the 67-mile outer belt loop around the city that it had desperately needed. With the completion of the last 5.7 miles of the freeway, the NC DOT also declared that the speed limit would rise from 65 to 70 mph.
Two reasons were given for this decision, the first of which was that they had determined that (after all that time) the freeway was actually designed to handle a higher speed limit. However, it’s the second reason that gives rise to some interesting risk-based decision making. NC DOT said that they had done traffic studies and determined that everyone was already driving on this freeway at speeds of 70-75 mph.
Jack Freund is co-author with Jack Jones of Measuring and Managing Information Risk: A FAIR Approach
It goes without saying to anyone who has traveled recently on virtually any freeway in any part of the United States that everyone is driving five to ten miles per hour above the posted speed limit. However, it was an amazing act of atonement (and rare honesty) to acknowledge that everyone had already calibrated their internal risk calculus to a higher speed limit. What was refreshing about this wasn’t so much that the speed limit changed but that there was widespread acknowledgement that faster speeds were safer.
Think about speed limit as a form of risk appetite (with corresponding tolerances). Are there examples in your organizations where the decision makers are routinely driving five to ten miles per hour above the risk limit? Even if this is still within tolerance, perhaps it is an indicator that your organization is ready to accept an elevated risk appetite.
It's far too common for organizations to espouse a “zero risk” approach to risk appetite. Even more risk appetite statements use Goldilocks and the Three Bears language: they eschew any ‘high’ risk scenarios while acknowledging that zero risk isn’t a viable option. Indeed, these organizations want their risk to be “just right.”
There is a subtlety to determining when your organization has exceeded its risk appetite enough that it might have found a new normal. In many ways this parallels selecting an initial risk appetite. Such a process (especially when pursuing a quantitative approach) can be a form of trial and error. It's often best to put a stake in the ground and measure against that, but in a way that allows people to challenge and “feel out” how well that value reflects their appetite.
If you decide to choose a low value (because your organization doesn’t want to accept “any” risk) that gives you the opportunity to demonstrate what a “no risk” appetite means in practice.
Say you choose $1,000 as the appetite and then you proceed to measure against that. You may find that 99% of your risk scenarios/assets/issues/etc. exceed that value. Well, if that truly was the risk appetite for the firm, then it would follow that you would be funded as much as you need to remediate those discrepancies.
However, if you aren’t, then perhaps it's time to raise that value to reflect a new equilibrium. After showing your organization what risk management looks like at the $1,000 level, they might be more apt to select a higher value such as $100,000 and manage the 1% that exceed that threshold.
Snarkiness aside, what the NC DOT did was actually an example of very good risk management. They ensured that the road could handle a higher speed (compare this to how you might ensure regulatory compliance for your organization), then determined everyone’s comfort level with the higher speed (compare to loss exceedance). This approach is an exemplar of how you should think about measuring and managing your organization's risk appetite and tolerance, and using feedback loops to calibrate against them.
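The measure-then-recalibrate loop described above (pick an appetite value, see what fraction of scenarios exceed it, raise it to a new equilibrium) and the loss exceedance comparison in the closing paragraph can be made concrete in a few lines. The following is an added illustration, not code from the post or from the FAIR standard: the five scenarios and their frequency and magnitude ranges are constructed sample values, the simulation multiplies a sampled event rate by a sampled per-event loss (a simplification of a full FAIR Monte Carlo, which would draw an event count and sum per-event losses), and the scenario median is an assumed choice of the statistic to compare against the appetite.

```python
"""Calibrating a risk appetite threshold against measured scenario losses.

Added example: constructed FAIR-style scenarios with annual loss-event
frequency and per-event loss magnitude ranges, a small simulation that turns
them into annualised loss samples, and helpers that (a) report what fraction
of scenarios exceed a candidate appetite, (b) find the threshold that leaves a
chosen fraction of scenarios to manage, and (c) build a loss exceedance curve.
"""
import random
from statistics import median

# Constructed scenarios (illustrative values only):
# name, annual event frequency (min, most_likely, max),
# loss per event in dollars (min, most_likely, max).
SCENARIOS = [
    ("phishing credential theft",    (2.0, 6.0, 12.0), (500, 3_000, 25_000)),
    ("lost unencrypted laptop",      (0.5, 2.0, 5.0),  (1_000, 8_000, 60_000)),
    ("vendor outage",                (0.2, 1.0, 3.0),  (5_000, 40_000, 250_000)),
    ("misconfigured storage bucket", (0.05, 0.3, 1.0), (10_000, 150_000, 2_000_000)),
    ("insider data export",          (0.01, 0.1, 0.5), (50_000, 400_000, 5_000_000)),
]


def simulate_annual_loss(freq, magnitude, trials, rng):
    """Return `trials` samples of annualised loss for one scenario.

    Simplification: each trial draws an event rate and a per-event loss from
    triangular distributions and multiplies them.  random.triangular takes
    (low, high, mode), so the most-likely value goes last.
    """
    f_min, f_mode, f_max = freq
    m_min, m_mode, m_max = magnitude
    return [
        rng.triangular(f_min, f_max, f_mode) * rng.triangular(m_min, m_max, m_mode)
        for _ in range(trials)
    ]


def scenario_medians(scenarios, trials=2000, seed=7):
    """Median annualised loss per scenario: the value we measure against appetite."""
    rng = random.Random(seed)
    return {
        name: median(simulate_annual_loss(freq, mag, trials, rng))
        for name, freq, mag in scenarios
    }


def fraction_exceeding(measured, appetite):
    """Fraction of scenarios whose measured loss exceeds the appetite value."""
    values = list(measured.values())
    return sum(1 for v in values if v > appetite) / len(values)


def calibrate_appetite(measured, max_fraction_exceeding):
    """Smallest measured value such that at most `max_fraction_exceeding` of
    scenarios exceed it: the 'new equilibrium' the post describes."""
    values = sorted(measured.values())
    n = len(values)
    for v in values:
        if sum(1 for x in values if x > v) / n <= max_fraction_exceeding:
            return v
    return values[-1]


def portfolio_annual_losses(scenarios, trials=2000, seed=7):
    """Per-trial total annual loss across all scenarios."""
    rng = random.Random(seed)
    per_scenario = [simulate_annual_loss(f, m, trials, rng) for _, f, m in scenarios]
    return [sum(trial) for trial in zip(*per_scenario)]


def loss_exceedance(losses, thresholds):
    """Loss exceedance curve: (threshold, probability annual loss exceeds it)."""
    n = len(losses)
    return [(t, sum(1 for x in losses if x > t) / n) for t in thresholds]


if __name__ == "__main__":
    measured = scenario_medians(SCENARIOS)
    for appetite in (1_000, 100_000):
        share = fraction_exceeding(measured, appetite)
        print(f"appetite ${appetite:,}: {share:.0%} of scenarios exceed it")
    print("threshold leaving 20% of scenarios to manage:",
          round(calibrate_appetite(measured, 0.2)))
    curve = loss_exceedance(portfolio_annual_losses(SCENARIOS),
                            (10_000, 100_000, 1_000_000))
    for t, p in curve:
        print(f"P(annual loss > ${t:,}) = {p:.1%}")
```

Running the script shows the pattern the post describes: at a $1,000 appetite nearly every constructed scenario is over the line, and raising the threshold leaves a small, fundable set to manage. The exceedance curve is the same idea applied to the portfolio total, which is the "loss exceedance" view the closing paragraph compares to drivers' comfort with the higher speed.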