Two risk managers are discussing how an organization's risk tolerance should be determined. The first manager says, "The risk tolerance must reflect the losses or shortfalls that will cause the organization to fail to meet critical objectives." The second manager responds, "The risk tolerance must reflect the external forces that bring uncertainty to the organization." Which of them is most likely correct?