Let's say for example that a business has identified a nice green pasture on the other side of a river.
The risk appetite of a business is to cross the river to the greener pasture as they see the reward being substantial. However, the tolerance level for losing people while crossing the river is zero. Not only would there be ethical and moral ramifications, but there would also be financial and lawful consequences.
In approaching this situation, the business makes observations and identifies ways to cross the river. 1. People can swim across the river2. People can use a boat3. People can cross the bridge further upstream
Based on these choices a business can analyse and identify the different risks associated with each crossing and choose the best course of action.
With option 1, the business determines that the risk associated with swimming across the river is far too high. The strength of their staff swimming in these conditions is unknown.
With option 2, while it appears to be safer, some boats are likely to drift downstream and not make it to the pasture.
With option 3, crossing the bridge is considered the safest, yet also very costly and time consuming.
By identifying the different options and looking at the risks applicable to each, a business can apply ratings for each risk and make an informed decision based on its risk tolerance.
In this example, the business determines that the third option falls within its tolerance level, however, is too costly and time consuming. Instead, they choose option 2 and implement a zip-cord to guide the boat across the river. By identifying this simple control (the zip-cord) and applying it to the process, the business has reduced its risk and found an effective way of operating that sits within its tolerance level.