Risk capacity is the maximum level of risk that an organization or individual is able to withstand in order to achieve their goals. It represents the total amount of risk exposure that is consistent with the organization’s or individual’s strategy and objectives. Risk capacity is often compared to risk tolerance, which refers to an organization or individual’s willingness to take on risk. Risk tolerance may be influenced by factors such as the organization’s or individual’s risk appetite, risk culture, and risk management capabilities.

Determining an organization’s or individual’s risk capacity involves evaluating the potential consequences of different risks and assessing the organization’s or individual’s ability to absorb or mitigate those risks. This can be done using a variety of techniques, such as risk assessment tools, risk analysis techniques, or risk management software. Understanding risk capacity is an important aspect of risk management, as it helps organizations and individuals to align their risk-taking with their goals and objectives. By accurately assessing risk capacity, organizations and individuals can make more informed decisions about the risks they are willing and able to take on, and allocate resources more effectively to manage and mitigate those risks. The following are illustrative examples of a risk capacity.

Investing

An investor is completely risk adverse but wants to make 7% per year to meet their goals for retirement. This may require the investor to increase their risk capacity beyond their risk tolerance. The exact level of risk required depends on market conditions, particularly interest rates. If interest rates are near 7%, the investor may achieve their goals with little risk. Alternatively, if interest rates are near 0% significant risk may be required to have any chance of returns exceeding 7%.

Risk Management

An investment manager is expected to outperform the market which typically requires taking on more risk than the market average. However, the investment manager is also constrained to a risk exposure level set by a risk management team. This risk exposure level can be described as the manager’s risk capacity.

Professional

A professional wants a promotion within a year to pay for changes to their lifestyle. This typically requires taking on additional responsibilities and increased visibility. If the individual is risk adverse, they may need to take on risk exposure that exceeds their risk tolerance to have a realistic chance of a timely promotion.

Projects

An IT project has zero risk tolerance, needs to be completed in a month, has a $1 million budget and a long list of requirements that are all high priority. A risk analysis shows that there is an 95% chance of project failure with a total risk exposure of $5 million meaning that the budget and schedule have a high probability of significant overruns. The business unit has a choice to accept this risk and proceed as planned with a $5 million risk capacity. Alternatively, dropping requirements, extending budget and increasing timelines will reduce risk capacity towards their risk tolerance level.

Dread Risk

A dread risk is a risk that people fear such that they are willing to pay to minimize risk exposure. When the goal is to minimize risk, risk capacity is near zero and risk exposure is driven as low as is feasible given constraints such as budget and technical limitations. For example, the public expect aircraft to be extremely safe and it is not considered acceptable to take risks with flight safety.

Unmanaged Risk

An unmanaged risk is a risk that isn’t managed despite its ability to disrupt your goals. In this case, risk capacity may be low as you aren’t expecting an unmanaged risk to disrupt your plans but actual risk exposure may be very high as nothing is done to treat risk. For example, a society that leaves known environmental risks unmanaged despite the likelihood these risks will disrupt quality of life, health and economic goals.

Risk estimates are predictions or projections of the likelihood and potential consequences of risks. They are used to inform risk management efforts, such as measuring risk exposure and identifying strategies for reducing or mitigating risks.

There are a variety of methods that organizations can use to estimate risks, including probability analysis, impact analysis, risk assessment tools, risk analysis techniques, and risk management software. These methods can help organizations to understand the potential impacts of risks, to prioritize risks based on their likelihood and potential impact, and to develop strategies for managing and mitigating risks.

Risk estimates are an important element of effective risk management, as they help organizations to better understand and manage the risks that they face. By accurately forecasting the probability and impact of risks, organizations can make more informed decisions and allocate resources more effectively to mitigate or reduce risks.

Basic

A single estimate of probability and impact based on historical comparisons and/or the opinions of subject matter experts. For example, a product development team estimates the risk that a product will fail on the market as a 20% chance of a $100,000 loss. The risk exposure calculation is an estimate of the probable cost of a risk. It isn’t an upper bound on risk.

Risk Exposure = 0.2 x 100,000 = $20,000

Probability-Impact Matrix

A single estimate of probability and impact is often overly simplistic as there may be many levels of potential impact, each with a separate probability of occurring. A more accurate risk estimate can often be obtained with a matrix of probabilities and impacts.

Probability Distribution

A more detailed risk estimate can be represented with a smooth curve that gives you a probability for every possible impact.

Parametric Estimates

Risk estimates that go beyond the educated guesses of subject matter experts to calculate risk probabilities and impacts using formulas or algorithms based on a number of parameters. Such calculations are industry and risk specific.

Reference Class Forecasting

Developing or validating risk estimates using data about historical losses that occurred with comparable strategies, operations or projects. For example, risk estimates for an infrastructure project based on a database of historical infrastructure projects of similar magnitude. If projects in your industry have a 20% failure rate and your risk estimate is 3%, you might be missing something.

Risk exposure refers to the potential costs that an organization could incur as a result of a particular risk or set of risks. This concept is used to assess the potential impact of risks on an organization’s operations, and is typically calculated for a specific strategy, program, project, or initiative.

To calculate risk exposure, organizations typically consider the probability of a risk occurring, as well as the potential impact of the risk if it does occur. This can be done using a variety of techniques, such as risk assessment tools, risk analysis techniques, or risk management software. The results of this analysis can be used to inform decision making and to develop strategies for managing and mitigating risks.

Risk exposure is an important concept in risk management, as it helps organizations to understand the potential costs associated with risks and to allocate resources accordingly. It is also useful for identifying the risks that pose the greatest threat to an organization, and for developing strategies to address these risks. By accurately assessing risk exposure, organizations can better prepare for and respond to potential risks, and minimize their impact on operations.

There are several ways that organizations can calculate risk exposure, including:

1. Probability analysis: This involves estimating the likelihood that a particular risk will occur. This can be done using a variety of techniques, such as historical data analysis, expert judgment, or statistical modeling.
2. Impact analysis: This involves estimating the potential consequences of a risk occurring. This can include financial impacts, as well as non-financial impacts such as damage to reputation or the environment.
3. Risk assessment tools: There are a variety of risk assessment tools that organizations can use to assess risk exposure. These tools often use a combination of probability and impact analysis to estimate the risk exposure of a particular risk or set of risks.
4. Risk analysis techniques: There are several risk analysis techniques that organizations can use to assess risk exposure, including risk matrices, fault tree analysis, and Monte Carlo simulations. These techniques can help organizations to understand the potential consequences of risks and to identify strategies for managing and mitigating them.
5. Risk management software: There are a variety of risk management software tools that organizations can use to assess risk exposure. These tools often use a combination of probability and impact analysis, as well as risk assessment tools and risk analysis techniques, to calculate risk exposure.

By using one or more of these methods, organizations can accurately assess risk exposure and develop strategies for managing and mitigating risks.

An acceptable risk is a level of risk that is deemed to be tolerable for an individual, organization, community, or nation. These risks are determined based on their probability and potential impact, and are used as a guide for risk management efforts.

The moment of risk refers to the expected time frame in which an identified risk is likely to occur. Risks often change over time and may be associated with specific events or periods. For example, the risk associated with testing a new rocket may be concentrated at the time of launch. Identifying the moment of risk can help to mitigate or avoid it. For example, if an investor anticipates that a stock may be volatile around its quarterly earnings announcement, they may choose to sell the stock beforehand in order to reduce their risk.

It is generally not possible to completely eliminate all risks, due to factors such as cost and the potential for creating new risks in the process of reducing others. Acceptable risks provide a practical goal for risk management and are often more useful than the ideal of zero risk. The following are illustrative examples of acceptable risk.

Infrastructure

A proposed tsunami shelter is constructed to withstand a 12 meter, or 39 foot, tsunami. Models indicate that a tsunami larger than 12 meters will strike the area once every 1300 years. This risk is published to the community and accepted as part of the project approval process.

Transportation

A jet engine has a historical failure rate of 0.4 per million departures. Regulators and customers generally view this as an acceptable level of risk.

Business

A bicycle manufacturer depends on a single supplier for tires. Without a supply of these tires, production will cease and revenue will decline. The probability of a major supply disruption is forecast to be 0.6% per annum. The management of the company decide to accept this risk.

Individual

A professional skateboarder estimates a 20% chance of a broken bone in a year. They decide this is acceptable given the rewards they find in the sport.

Risk management is the process of identifying, assessing, and prioritizing risks in order to minimize their potential impact on an organization. It is an essential element of effective business planning and decision making, as it helps organizations to identify and mitigate potential negative consequences that could arise from their operations or activities. The following are common risk management techniques and considerations.

Risk Identification
Risk identification involves a creative element as it is essentially a process of imagining the future. It is also approached using analysis and systems thinking.

• Known Unknowns
• Reference Class Forecasting
• Risk Intelligence
• Risk Register
• Systems Thinking
• Unintended Consequences

Risk Analysis
Modeling and measuring risk.

• Acceptable Risk
• Cone Of Uncertainty
• Extreme Value Theory
• Moment Of Risk
• Risk Capacity
• Risk Estimates
• Risk Evaluation
• Risk Exposure
• Risk Impact
• Risk Matrix
• Risk Probability
• Risk Profile
• Risk Tolerance
• Risk Triggers
• Risk-Reward Ratio
• Uncertainty

Treatments
At its core, risk management is a process of treating risks. The following are types of risk treatment.

• Antifragile
• Resilience
• Risk Acceptance
• Risk Contingency
• Risk Control
• Risk Mitigation
• Risk Monitoring
• Risk Prevention
• Risk Reduction
• Risk Response
• Risk Sharing

Strategies & Techniques
Techniques that go beyond the regular process of identifying and treating risk.

• Business As Usual
• Calculated Risk
• Fail Well
• Failure Is Not An Option
• Resilience
• Risk Communication
• Risk Culture
• Sanity Check

Special Practices
Variations of risk management for special categories of risk.

• Contingency Planning
• Disaster Preparedness
• Dread Risks
• Enterprise Risk Management
• Innovation Risk Management
• Positive Risk
• Project Risk
• Upside Risk

Plan
Pulling everything together as a risk management plan.

• Contingency Plan
• Risk Management Plan

Risks
Types of risk.

• Business Risks
• Competition
• Compliance
• Economic Risk
• Financial Risk
• Innovation Risk
• Investing Risk
• Political Risk
• Positive Risk
• Reputational Risk
• Resource Risk
• Seasonal Risk
• Strategy Risk
• Tactical Risk
• Technology Risk

Failures & Challenges
Common challenges and patterns of risk management failure.

• Cascading Failure
• Failure Of Imagination
• Residual Risk
• Risk Awareness
• Secondary Risk
• Unknown Risks