Risk (in)tolerance

Here’s a question. What’s your tolerance for risk, and do you think it’s the same as your employer’s?

Risk tolerance differs

Let’s look at an example. Seat belts are pretty popular in the UK. In fact, they’re mandatory for almost everyone (except taxi drivers, interestingly). The risk? That you’ll get thrown through the windscreen, and die horribly, if there is an accident. But so many people in the past decided to accept that risk that wearing a seatbelt was made law, to improve the number of people actually using seatbelts. The risk tolerance of many individuals differed from the risk tolerance of the Government. It also differs from the risk tolerance of anyone who has been in a car accident and has benefited from the use of a seat belt.

In the same way, each individual will have a different risk tolerance. Some people wore seat belts before they were mandatory.

What’s the impact?

Where personal risk tolerance is different enough from the risk tolerance of an employer, this can cause real problems.

An individual who has a significantly lower risk tolerance than that of their company will be constantly worried that the security measures are inadequate. They may believe that the company is on the verge of disaster. They may start to try to force other people to apply security measures which are not mandatory, and report risks which are at a level where the organisation will not act. They believe that the organisation should lower its risk tolerance to match theirs.

Conversely, a person whose risk tolerance is higher than that of their organisation will exist in a state of perpetual frustration.

They see unnecessary and pettifogging rules everywhere, designed to get in their way and waste time and money. They may develop work-arounds to evade security measures, or simply refuse to comply with them. They believe that the organisation should raise its risk tolerance to match theirs.

Closing the gap

What’s the solution? There’s no silver bullet here (I feel another blog post about easy answers coming on). However, there are approaches to get everyone on the same page. I’m assuming here that you are acting on behalf of the organisation.

Encourage a neutral perspective

First, stop worrying about who is “right” or “justified”. That basically guarantees fisticuffs at dawn, and other adversarial outcomes. The organisation has its own risk tolerance. There are things which are objectively correct or incorrect, but risk tolerance as a whole is a very qualitative thing.

Awareness is key

Second, ensure that staff have a good understanding of risks and threats. Half of an understanding is worse than none.

Here is an example. Did you know that patient data is used for research without patient consent, sent to multiple universities and even private companies?

That sounds alarming, yes? But you only have half the knowledge you need to make an informed decision!

Now add in the following: There are incredibly strict rules and clearly governed processes to allow identifiable patient data to be used without consent, and the data is very well protected. Much of the research is intended to do things like identify causes of, and potential cures for, deeply unpleasant and lethal medical conditions, and it’s working.

That sounds better. You now know there are benefits to this data sharing, and that the risk is being managed.

In the same way, if people are informed of risks, benefits, and how security measures work to protect them, they are more comfortable with the risk and also more likely to implement the security measures.

A sense of separation

A fundamental truth which is difficult for really committed people to accept: this is actually not their risk. Risk belongs to the organisation, just as the information does. Letting go of this feeling of personal ownership without losing a sense of personal pride in your work can be a really hard balance to strike.

Don’t discount organisational error

Finally, don’t forget that the organisation might have a risk tolerance which really is too high or too low.