Take calculated risks. That is quite different from being rash.
—General George S. Patton (1885–1945)
The objective of this chapter is to enable you, the reader, to understand and use risk tolerance.¹ To do so, we answer these questions: What is risk tolerance? Why is setting risk tolerance important? What are the factors to consider in setting risk tolerance? And, once determined, how can you make risk tolerance useful in managing risk?
Given this objective, the approach and principles set out in this chapter are practical rather than academic.² Moreover, in applying them, it is important to remember that risk tolerance is but one topic to consider in implementing enterprise risk management (ERM). ERM, stripped to its bare essence, is all about an organization ensuring and demonstrating that it is identifying and managing the significant risks to which it is exposed. ERM also is but one component of a broader framework that brings together corporate governance,³ strategic management,⁴ and risk management⁵—all supported by an organization’s control environment.⁶ These components are interconnected and they must work together in order for an organization to purport that it is “well managed.”⁷ Risk tolerance is a topic that underlies each of the four components ...