PM Study Circle - A PMP Exam Preparation Blog

PMP Exam Preparation Study Materials, Lessons Learned, 35 Contact Hours, PMP FAQ, etc.

Risk Appetite, Risk Tolerance, and Risk Threshold

By 38 Comments

Risk Appetite, Risk Tolerance, and Risk ThresholdA few days ago I asked my subscribers if they wanted me to write any specific blog post.

I got many responses.

One such response was from Mr. Novzar Dastoor, in which he asked me to write on risk appetite, risk tolerance, and risk threshold.

These are very important concepts in risk management and are often misunderstood. Moreover, these topics were also not previously covered in my blog. Therefore, I have selected this topic for this blog post.

A risk management plan depends on these factors. If you failed to understand the stakeholders’ risk appetite, tolerance and threshold, your risk management plan may be jeopardized.

Before we start discussing this advanced topic, let’s have a quick look at the definition of risk.

As per the PMBOK Guide 5th edition, “Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality.”

From the above definition, you can conclude that a risk can either be an opportunity or a threat: An opportunity has some positive effect on project objectives, while a threat brings some negative impact.

The objective of risk management is to increase the probability of positive risks (or increase the impact), and reduce the probability of negative risks (or reduce the impact).

The strategy to deal with these risks depends on the behavior of the stakeholders or the organization.

Every individual has specific behavior towards risks; some people may want to accept the risk and others may want to avoid it.

This behavior depends on the risk attitude of the individual, and for a proper risk management plan, you must find the risk attitude of your stakeholders.

There are many factors that determine the risk attitude. These factors can be broadly divided into three categories:

  1. Risk Appetite
  2. Risk Tolerance
  3. Risk Threshold

Risk Appetite

If you look in the dictionary, you will find that the meaning of “appetite” is “hunger”.

So risk appetite means “risk hungry”.

As per the 5th edition of the PMBOK Guide, risk appetite is the degree of uncertainty an entity is willing to take on in anticipation of a reward.

The risk appetite of an organization shows how much an organization is willing to take a risk in order to grow itself. It is the amount of risk that an organization is willing to accept to attain its business objective.

Some organizations might be willing to take a high risk if the reward is high; others may want to play safe or go conservatively.

If the organization is willing to take a risk, you will say that its risk appetite is high, and the organization that plays conservatively has a low risk appetite.

Risks Tolerance

As per the 5th edition of the PMBOK Guide, risk tolerance is the degree, amount, or volume of the risk that an organization or individual will withstand.

Risk tolerance tells you how sensitive the organization or people are to risks. High tolerance means people are willing to take a high risk, and low tolerance means people are not willing to take much risk.

It is the willingness of a group of people or organization to accept or avoid risk. It shows the risk attitude of stakeholders or an organization in measurable units.

There are many factors which affects the risk tolerance. If the project is critical, the organization will be willing to take more risk; however, if the project is not very important, the organization may not be willing to take much risk.

Other factors include customer satisfaction, impact of risk on profitability of the organization, and so on.

For example, your organization may allow schedule slippage by 5–10% or cost slippage by 3–5%. This is known as the risk tolerance of the organization or stakeholders.

Let’s consider a real world example.

You are bidding for a project. Your rough order estimates say that the cost of this project is approximately 100,000 USD. You are in the process of applying for this bid, and your organization told you that they cannot allow you to bid for more than 10% of this amount.

This 10% is your tolerance limit.

Risk Threshold

Risk threshold is an amount of risk that an organisation or individual is willing to accept. For example, for your project a $10,000 USD cost overrun is acceptable to your organization, but anything more than that is not acceptable.

As per the 5th edition of the PMBOK Guide, risk threshold is the level of impact at which a stakeholder may have a specific interest. Below the risk threshold, the organization will accept the risk, and above the risk threshold, the organization will not tolerate the risk.

The risk threshold is a further step in the risk tolerance; you can say that it quantifies the risk tolerance with a more precise figure.

In risk tolerance you have limits, but in risk threshold you have a clear figure.

For example, your organization can not allow taking a risk for slippage (or impact) for more than $10,000 USD.

The risk threshold is the limit beyond which your organization will not tolerate the risk.

Let’s consider a real world example.

You are planning to bid a contract. You think that the value for this contract will be approximately $100,000 USD. You are in the process of applying for this bid, and your organization has told you that due to some financial problems they cannot allow you to go beyond $10,000 USD, apart from the $100,000 USD.

In this case, your threshold for this project is 10,000 USD.

To determine the risk threshold, you will hold interviews and conduct meetings with stakeholders to find their risk appetite, then you will analyze their risk tolerance, and lastly you will define the risk threshold.

Here the discussion ends, however, before concluding this post, let’s have a quick summary on these terms.

Summary:

  • Risk appetite can be considered as a tendency of an individual or group of people towards risks.
  • Risk tolerance is an acceptable variance; e.g. +5% to -5%. Tolerance is a limit.
  • Risk threshold is a quantified limit beyond which your organization cannot go. Threshold is like an end point.

Here is where this blog post on risk appetite, risk tolerance, and risk threshold ends. If you have something to share, you can do so through the comments section.

Share16
Share31
+15
WhatsApp

Comments

  1. mr Usmani
    with many thanks,enjoyed reading your article.
    seems to me that there is practically no difference in between risk tolerance and threshold.
    one has a limit in percentage the other has same mount of limitation, in figure.
    best regards
    m.,najmi
    may, 30th 2014

    Reply

    • Tolerance is a limit, which varies between two extreme points. for example -5% to +5%.

      On the other hand, a threshold is fixed figure, for example, $5,000 USD.

      Reply

      • Thanks for your good explanation but PMBOK appears to have two opposite explanations on page 311. After writing the three definitions, PMBOK writes, “For example, an organization’s risk attitude may include its appetite for uncertainty, its threshold for risk levels that are unacceptable or its risk tolerance at which point the organization may select a different risk response.” Now here tolerance can be read like a breaking point instead of a range within which risk is manageable.

        Reply

        • I think ‘a different risk response’ here simply means a tact for avoiding the negative results of the risk. This may or may not result in complete avoidance due to which we need to know a threshold post which the actions need to be halted.

          Reply

  3. Thank you Fahad,you have it covered once again! I am grateful. So can i interpret it this way:

    Risk apetite= The desire

    Risk torelance= The range

    Risk threshold = Upper ceiling

    Reply

  7. Good Article, enjoyed reading the concepts, however could not practically understand risk appetite in your article. Risk Appetite = desire seems quite vague especially when Risk Tolerance and Risk Threshold can be translated into $ number/ % or range for a specific project or aggregated for a portfolio. I haven’t come across practical examples so in my view:
    1. At the Portfolio level, Risk Appetite = Risk Acceptance of strategy or product. This is defined in the IT organisations strategy e.g. moving (or accepting) to cloud based solutions to reduce infrastructure and maintenance costs of current solutions or adopting bleeding edge technology for implementation
    2. At the project level, Risk Appetite = the constraints imposed on the projects.

    Reply

    • You can not define the risk appetite objectively. It is a subjective evaluation of any individual or organization.

      Reply

    • WaSalaam,

      Risk appetite is a subjective term and depends on the organization. It is about how much are you willing to take the risk.

      Reply

  10. Good article.

    In the PMP exam, I saw some questions related to risk, in which they mentioned as “Implementation phase”, that means, Is it executing phase?

    Please clarify?

    Thanks
    Senthil

    Reply

    • You implement the risk response in execution phase. Monitoring and controlling happens throughout the execution phase.

      Reply

  11. Very informative article. Enjoyed reading. Risk Appetite is the willingness level to take on risk which depends on the importance of Project for an organization like if an organization is innovating a new product, risk appetite level is high whereas in case of any enhancing features of existing product, which is a market leader product is low.
    Whereas Risk Tolerance is the level in terms of % i.e. ± 5 or 7 as the case may be. And Risk Thresholds are same like bench-marking e.g. $ 10,000 is risk threshold for a project and beyond that point Management will not accept.

    Reply

  12. Farhad I am preparing for my pmp exam and I find your blog the best when it comes to clarifying concepts in a just few words.

    May god bless you for the wonderful work you are doing.

    Sunil Kumar

    Reply

  15. Risk Tolerance and Risk Threshold are the terms used interchangeably. No specific definition to these terms.

    Reply

  16. Let me try to explain these concepts this way-
    I am owner of the company. I can take Risk of say $ 1000.
    So my Risk capacity is $ 1000.
    Out of these $1000, for a particular project I am willing to take Risk of $100 in anticipation of some reward.
    So my Risk Appetite for this project is $ 100.
    To monitor & control the Risks in this Project, I have kept threshold of $ 75. i.e If total impact of the Project Risks crosses this threshold and there is high probability that Project Risks will cross my risk appetite of $ 100, it will be alarming situation for me. I will take special interest in this project. Because it is coming closer to my risk appetite.
    Besides this I am also prepared that if the impact increases to even $110, I will be OK with that. It means my tolerance is 10 % above the risk appetite. Total risks beyond $110 will impact my interest in rewards or in other words beyond 10% no Risk will be acceptable to me. This is my tolerance limit.

    Reply

  17. Dear Fahad..
    Please correct me If i am wrong.
    Risk Appetite is for opportunity. Here, an organization tends to opt it.
    Risk tolerance is for possible threat and it, probably, lies below Risk Threshold. Here, an organization tends to change its response.
    Risk Threshold is again for negative risk. Here, an organization tends to quit if the value is above its threshold.

    Reply

  18. Say I have a regulatory limit 6%, that means the organization cannot go below this limit.

    Therefore, can you let me know how I will set Risk Appetite and Risk Tolerance.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

400 PMP Exam Sample QuestionsTry It Out