Risk capacity is the maximum level of risk that an organization or individual is able to withstand in order to achieve their goals. It represents the total amount of risk exposure that is consistent with the organization’s or individual’s strategy and objectives. Risk capacity is often compared to risk tolerance, which refers to an organization or individual’s willingness to take on risk. Risk tolerance may be influenced by factors such as the organization’s or individual’s risk appetite, risk culture, and risk management capabilities.
Determining an organization’s or individual’s risk capacity involves evaluating the potential consequences of different risks and assessing the organization’s or individual’s ability to absorb or mitigate those risks. This can be done using a variety of techniques, such as risk assessment tools, risk analysis techniques, or risk management software. Understanding risk capacity is an important aspect of risk management, as it helps organizations and individuals to align their risk-taking with their goals and objectives. By accurately assessing risk capacity, organizations and individuals can make more informed decisions about the risks they are willing and able to take on, and allocate resources more effectively to manage and mitigate those risks. The following are illustrative examples of a risk capacity.
An investor is completely risk adverse but wants to make 7% per year to meet their goals for retirement. This may require the investor to increase their risk capacity beyond their risk tolerance. The exact level of risk required depends on market conditions, particularly interest rates. If interest rates are near 7%, the investor may achieve their goals with little risk. Alternatively, if interest rates are near 0% significant risk may be required to have any chance of returns exceeding 7%.
An investment manager is expected to outperform the market which typically requires taking on more risk than the market average. However, the investment manager is also constrained to a risk exposure level set by a risk management team. This risk exposure level can be described as the manager’s risk capacity.
A professional wants a promotion within a year to pay for changes to their lifestyle. This typically requires taking on additional responsibilities and increased visibility. If the individual is risk adverse, they may need to take on risk exposure that exceeds their risk tolerance to have a realistic chance of a timely promotion.
An IT project has zero risk tolerance, needs to be completed in a month, has a $1 million budget and a long list of requirements that are all high priority. A risk analysis shows that there is an 95% chance of project failure with a total risk exposure of $5 million meaning that the budget and schedule have a high probability of significant overruns. The business unit has a choice to accept this risk and proceed as planned with a $5 million risk capacity. Alternatively, dropping requirements, extending budget and increasing timelines will reduce risk capacity towards their risk tolerance level.
A dread risk is a risk that people fear such that they are willing to pay to minimize risk exposure. When the goal is to minimize risk, risk capacity is near zero and risk exposure is driven as low as is feasible given constraints such as budget and technical limitations. For example, the public expect aircraft to be extremely safe and it is not considered acceptable to take risks with flight safety.
An unmanaged risk is a risk that isn’t managed despite its ability to disrupt your goals. In this case, risk capacity may be low as you aren’t expecting an unmanaged risk to disrupt your plans but actual risk exposure may be very high as nothing is done to treat risk. For example, a society that leaves known environmental risks unmanaged despite the likelihood these risks will disrupt quality of life, health and economic goals.