risk-appetite, risk-tolerance, risk-threshold

A visitor to my blog, Mr. Novzar Dastoor, asked me to write on risk appetite, risk tolerance, and risk threshold. 

These are basic risk management concepts that can be confusing to new aspirants.

A risk management plan depends on the stakeholders’ risk appetite, tolerance, and threshold. Therefore, you should understand these concepts in depth. 

According to the PMBOK Guide, “Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality.” 

A risk can be either an opportunity or a threat. The former has a positive effect on project objectives, while the latter has a negative impact. 

The aim of risk management is to increase the probability or impact of positive risks and reduce the probability or impact of negative risks. The strategy you will use to deal with these risks depends on the behavior of your stakeholders.

Every individual behaves differently towards risks. Some people may want to accept a risk, and others may want to avoid it. This behavior depends on the risk attitude of the stakeholders. Therefore, analyzing the risk attitudes of your stakeholders is necessary for the success of your risk management plan.

Many factors determine one’s risk attitude. You can divide these factors into three categories: 

  1. Risk appetite
  2. Risk tolerance
  3. Risk threshold

Risk Appetite

Appetite is synonymous with hunger. So, risk appetite means “risk-hunger”. 

According to the PMBOK Guide, 6th edition, “Risk appetite is the degree of uncertainty an organization or individual is willing to accept in anticipation of a reward.” 

Some organizations might take a high risk if the reward is high; others may want to play it safe or be conservative. An organization that takes risks has a high risk appetite, and an organization that plays conservatively has a low risk appetite.

Risk Tolerance

According to the PMBOK Guide, 6th edition, “Tolerance is the specified range of acceptable results.” 

Risk tolerance tells you how much risk an organization or individual can withstand. High tolerance means that they are willing to take more risk, and low tolerance means that they are not.

Risk tolerance shows the risk attitude of stakeholders or an organization in measurable units. 

Many factors affect risk tolerance. 

For example, an organization will take risks if the project is critical.  Other factors include customer satisfaction, risk impact on profitability, etc. 

For example, your organization may allow schedule or cost slippage by 3–5%. This limit is known as risk tolerance. 

Let’s consider a real-world example. 

You are bidding for a project. Your rough order estimates say that the cost of this project is approximately 100,000 USD. Your organization told you that they cannot allow you to bid more than 10% above this amount.

This 10% is your tolerance limit.

Risk Threshold

The risk threshold is an amount of risk that an organization or individual is willing to accept. Say for your project, a 10,000 USD cost overrun is acceptable to your organization, but no more. 

According to the PMBOK Guide, 6th edition, “Risk threshold is the level of exposure above which risks are addressed and below which risks may be accepted.” 

The risk threshold is the next step up from risk tolerance; it quantifies the risk tolerance with a precise figure. You have limits in risk tolerance, but in risk threshold, you have a figure.

For example, your organization cannot take a risk with an impact of more than 10,000 USD.

The threshold is the limit beyond which your organization will not tolerate the risk. 

Let’s consider a real-world example. 

You are planning to bid on a contract. You think that the value of this contract will be approximately 100,000 USD. Your organization has told you that, because of budgetary constraints, they cannot allow you to go beyond 110,000 USD. 

Here, your threshold is 10,000 USD. 

You will hold interviews and meetings with stakeholders to ascertain their risk appetite and analyze their risk tolerance. Afterward, you will define the risk threshold.

Summary

Understanding risk appetite, tolerance, and threshold will help you develop your risk management plan. Risk appetite is a tendency towards risks, tolerance is an acceptable variance (for example, 5-10%), and the threshold is a quantified limit beyond which your organization will not accept the risk.

Are you involved in risk management? If you are, how do risk appetite, risk tolerance, and risk threshold affect your risk management plan? Please share your thoughts in the comments section.

Speak Your Mind

  • Your explanation is fundamentally wrong. Also, you say: According to the 6th edition of the PMBOK Guide, “Risk tolerance is the specified range of acceptable results.” There is no such definition in the PMBOK.

    • According to the 6th edition of the PMBOK Guide, “tolerance is the specified range of acceptable results.” Please refer to page 274 of the PMBOK Guide 6th edition.

      Sorry for the confusion, as I mistakenly inserted the term “risk” in the quote.

  • The explanation in the comments for the difference between Threshold and Tolerance is incorrect.
    PMI’s definition is apt. Here is how you look at it.
    Let’s say your org’s risk tolerance is 10% for a project of 100K; use that information for budgeting and bidding.
    Your threshold for risk can be defined as:
    Accept if the impact is less than 5K
    Mitigate if the impact is more than 5K and less than 10K.
    xxxx if the impact is more than 10K
    You use thresholds to define your response.

      • This one:

        Tolerance is a limit, which varies between two extreme points. For example, -5% to +5%.

        On the other hand, a threshold is a fixed figure, for example, $5,000 USD

        and when you responded “Correct” to Muhammad Ali’s September 11, 2018 at 12:21 PM comment.

        And the whole explanation of how to use tolerance and threshold.

  • Nice article. Can you write an article on the Monte Carlo method in your next blog? Anyway, thank you so much for such a crisp and clear explanation. In PMBOK I always feel that they knowingly made the language and sentence construction complex to confuse people; they could have written all these things in simple explanation…another way PMI make money or strategy ..in PMI way

  • Kindly, I am requesting you to send me the year/edition of the book you wrote, “Projectised Organisational Structure.”

  • Hi, this is a very good article.

    Thanks a lot.

    I was also struggling to understand these 3 things. Now I understand and can apply it.

  • This is my understanding

    Tolerance is for a specific project and Threshold is at the overall program

    Say for example a program with a budget of $100,000 can set the threshold of $10,000, meaning overall program budget can’t exceed $110,000

    and the tolerance can be set at the project level. If there are 4 projects, for simplicity each of them is $25,000. The Risk tolerance can be set as 10%, assuming that all the projects have equal tolerance limits.

    Even if all the 4 projects were to hit the tolerance limits, it will meet the program threshold

    Let me know if this example makes sense

  • Say I have a regulatory limit of 6%; that means the organization cannot go below this limit.

    Therefore, can you let me know how I will set Risk Appetite and Risk Tolerance?

  • Dear Fahad..
    Please correct me if I am wrong.
    Risk Appetite is for opportunity. Here, an organization tends to opt it.
    Risk tolerance is for possible threat and it, probably, lies below Risk Threshold. Here, an organization tends to change its response.
    Risk Threshold is again for negative risk. Here, an organization tends to quit if the value is above its threshold.

  • Let me try to explain these concepts this way-
    I am the owner of the company. I can take Risk of, say, $1000.
    So my Risk capacity is $1000.
    Out of this $1000, for a particular project I am willing to take Risk of $100 in anticipation of some reward.
    So my Risk Appetite for this project is $100.
    To monitor & control the Risks in this Project, I have kept a threshold of $75, i.e., if the total impact of the Project Risks crosses this threshold and there is a high probability that Project Risks will cross my risk appetite of $100, it will be an alarming situation for me. I will take special interest in this project, because it is coming closer to my risk appetite.
    Besides this, I am also prepared that if the impact increases to even $110, I will be OK with that. It means my tolerance is 10% above the risk appetite. Total risks beyond $110 will impact my interest in rewards, or in other words, beyond 10% no Risk will be acceptable to me. This is my tolerance limit.

  • Farhad, I am preparing for my PMP exam and I find your blog the best when it comes to clarifying concepts in just a few words.

    May god bless you for the wonderful work you are doing.

    Sunil Kumar

  • Very informative article. Enjoyed reading. Risk Appetite is the willingness level to take on risk, which depends on the importance of the Project for an organization; for example, if an organization is innovating a new product, the risk appetite level is high, whereas in the case of enhancing features of an existing product that is a market leader, it is low.
    Whereas Risk Tolerance is the level in terms of %, i.e. ± 5 or 7 as the case may be. And Risk Thresholds are like benchmarking, e.g. $10,000 is the risk threshold for a project, and beyond that point Management will not accept.

  • Good article.

    In the PMP exam, I saw some questions related to risk in which they mentioned “Implementation phase”. Does that mean it is the executing phase?

    Please clarify.

    Thanks
    Senthil

    • WaSalaam,

      Risk appetite is a subjective term and depends on the organization. It is about how much risk you are willing to take.

  • Good Article, enjoyed reading the concepts, however could not practically understand risk appetite in your article. Risk Appetite = desire seems quite vague especially when Risk Tolerance and Risk Threshold can be translated into $ number/ % or range for a specific project or aggregated for a portfolio. I haven’t come across practical examples so in my view:
    1. At the Portfolio level, Risk Appetite = Risk Acceptance of strategy or product. This is defined in the IT organisation’s strategy, e.g. moving (or accepting) to cloud based solutions to reduce infrastructure and maintenance costs of current solutions or adopting bleeding edge technology for implementation
    2. At the project level, Risk Appetite = the constraints imposed on the projects.

    • You cannot define the risk appetite objectively. It is a subjective evaluation of any individual or organization.

  • Thank you Fahad, you have it covered once again! I am grateful. So can I interpret it this way:

    Risk appetite = The desire

    Risk tolerance = The range

    Risk threshold = Upper ceiling

  • Mr. Usmani
    With many thanks, enjoyed reading your article.
    Seems to me that there is practically no difference between risk tolerance and threshold.
    One has a limit in percentage, the other has the same amount of limitation, in figure.
    Best regards
    m.,najmi
    May 30th, 2014

    • Tolerance is a limit, which varies between two extreme points. For example, -5% to +5%.

      On the other hand, a threshold is a fixed figure, for example, $5,000 USD.

      • Thanks for your good explanation but PMBOK appears to have two opposite explanations on page 311. After writing the three definitions, PMBOK writes, “For example, an organization’s risk attitude may include its appetite for uncertainty, its threshold for risk levels that are unacceptable or its risk tolerance at which point the organization may select a different risk response.” Now here tolerance can be read like a breaking point instead of a range within which risk is manageable.

        • I think ‘a different risk response’ here simply means a tact for avoiding the negative results of the risk. This may or may not result in complete avoidance due to which we need to know a threshold post which the actions need to be halted.

        • Appreciation to Mr. Usmani sahab. I think risk tolerance and Threshold are the same; Risk Tolerance is in between range while Threshold is an exact amount or figure.
