A few days ago I asked my subscribers if they wanted me to write about any specific post on my blog.
I received many responses.
One such response was from Mr. Novzar Dastoor, in which he asked me to write on risk appetite, risk tolerance, and risk threshold.
These are very important concepts in risk management and are often misunderstood. Moreover, these topics were also not previously covered on my blog. Therefore, I have selected this topic for this blog post.
A risk management plan depends on these factors. If you fail to understand the stakeholders’ risk appetite, tolerance, and threshold, your risk management plan may be jeopardized.
Before we start discussing this advanced topic, let’s quickly review the definition of risk.
As per the PMBOK Guide 5th edition, “Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality.”
From the above definition, you can conclude that a risk can either be an opportunity or a threat: An opportunity has some positive effect on project objectives, while a threat brings some negative impact.
The objective of risk management is to increase the probability of positive risks (or increase the impact), and reduce the probability of negative risks (or reduce the impact).
The strategy to deal with these risks depends on the behavior of the stakeholders or the organization.
Every individual has a specific behavior towards risks; some people may want to accept the risk and others may want to avoid it.
This behavior depends on the risk attitude of the individual, and for a proper risk management plan, you must find the risk attitude of your stakeholders.
There are many factors that determine the risk attitude. These factors can be broadly divided into three categories:
- Risk appetite
- Risk tolerance
- Risk threshold
If you look in the dictionary, you will find that the meaning of “appetite” is “hunger”.
So, risk appetite means “risk hungry”.
As per the 5th edition of the PMBOK Guide, “Risk appetite is the degree of uncertainty an entity is willing to take on in anticipation of a reward.”
The risk appetite of an organization shows how much risk the organization is willing to take in order to grow. It is the amount of risk that an organization is willing to accept to attain its business objective.
Some organizations might be willing to take a high risk if the reward is high; others may want to play safe or go conservatively.
If the organization is willing to take a risk, you will say that its risk appetite is high, and the organization that plays conservatively has a low risk appetite.
As per the 5th edition of the PMBOK Guide, “Risk tolerance is the degree, amount, or volume of the risk that an organization or individual will withstand.”
Risk tolerance tells you how sensitive the organization or people are to risks. High tolerance means people are willing to take a high risk, and low tolerance means people are not willing to take many risks.
It is the willingness of a group of people or organization to accept or avoid risk. It shows the risk attitude of stakeholders or an organization in measurable units.
There are many factors which affect the risk tolerance. If the project is critical, the organization will be willing to take more risk; however, if the project is not very important, the organization may not be willing to take much risk.
Other factors include customer satisfaction, impact of risk on the profitability of the organization, and so on.
For example, your organization may allow schedule slippage by 5 – 10% or cost slippage by 3 – 5%. This is known as the risk tolerance of the organization or stakeholders.
Let’s consider a real-world example.
You are bidding for a project. Your rough order estimates say that the cost of this project is approximately 100,000 USD. You are in the process of applying for this bid, and your organization told you that they cannot allow you to bid for more than 10% of this amount.
This 10% is your tolerance limit.
Risk threshold is an amount of risk that an organization or individual is willing to accept. For example, for your project a 10,000 USD cost overrun is acceptable to your organization, but anything more than that is not acceptable.
As per the 5th edition of the PMBOK Guide, “Risk threshold is the level of impact at which a stakeholder may have a specific interest. Below the risk threshold, the organization will accept the risk, and above the risk threshold, the organization will not tolerate the risk.”
The risk threshold is a further step in the risk tolerance; you can say that it quantifies the risk tolerance with a more precise figure.
In risk tolerance you have limits, but in risk threshold you have a clear figure.
For example, your organization cannot allow a risk of slippage (or impact) of more than 10,000 USD.
The risk threshold is the limit beyond which your organization will not tolerate the risk.
Let’s consider a real-world example.
You are planning to bid on a contract. You think that the value of this contract will be approximately 100,000 USD. You are in the process of applying for this bid, and your organization has told you that due to some financial problems they cannot allow you to go more than 10,000 USD beyond the 100,000 USD.
In this case, your threshold for this project is 10,000 USD.
To determine the risk threshold, you will hold interviews and conduct meetings with stakeholders to find their risk appetite, then you will analyze their risk tolerance, and lastly, you will define the risk threshold.
- Risk appetite can be considered as a tendency of an individual or group of people towards risks.
- Risk tolerance is an acceptable variance; e.g. +5% to -5%. Tolerance is a limit.
- Risk threshold is a quantified limit beyond which your organization cannot go. Threshold is like an end point.
Here is where this blog post on risk appetite, risk tolerance, and risk threshold ends. If you have something to share you can do so through the comments section.