A visitor to my blog, Mr. Novzar Dastoor, asked me to write on risk appetite, risk tolerance, and risk threshold.
These are basic risk management concepts that can be confusing to new aspirants.
A risk management plan depends on the stakeholders’ risk appetite, tolerance, and threshold. Therefore, you should understand these concepts in depth.
According to the PMBOK Guide, “Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality.”
A risk can be either an opportunity or a threat. The former has a positive effect on project objectives, while the latter has a negative impact.
The aim of risk management is to increase the probability or impact of positive risks and reduce the probability or impact of negative risks. The strategy you will use to deal with these risks depends on the behavior of your stakeholders.
Every individual behaves differently towards risks. Some people may want to accept a risk, and others may want to avoid it. This behavior depends on the risk attitude of the stakeholders. Therefore, analyzing the risk attitudes of your stakeholders is necessary for the success of your risk management plan.
Many factors determine one’s risk attitude. You can divide these factors into three categories:
- Risk appetite
- Risk tolerance
- Risk threshold
Risk Appetite
Appetite is synonymous with hunger. So, risk appetite means “risk-hunger”.
According to the PMBOK Guide, 6th edition, “Risk appetite is the degree of uncertainty an organization or individual is willing to accept in anticipation of a reward.”
Some organizations might take a high risk if the reward is high; others may want to play it safe or be conservative. An organization that takes risks has a high risk appetite, and an organization that plays conservatively has a low risk appetite.
Risk Tolerance
According to the PMBOK Guide, 6th edition, “Tolerance is the specified range of acceptable results.”
Risk tolerance tells you how much risk an organization or individual can withstand. High tolerance means that they are willing to take more risk, and low tolerance means that they are not.
Risk tolerance shows the risk attitude of stakeholders or an organization in measurable units.
Many factors affect risk tolerance.
For example, an organization will take risks if the project is critical. Other factors include customer satisfaction, risk impact on profitability, etc.
For example, your organization may allow schedule or cost slippage by 3–5%. This limit is known as risk tolerance.
Let’s consider a real-world example.
You are bidding for a project. Your rough order estimates say that the cost of this project is approximately 100,000 USD. Your organization told you that they cannot allow you to bid more than 10% above this amount.
This 10% is your tolerance limit.
Risk Threshold
The risk threshold is an amount of risk that an organization or individual is willing to accept. Say for your project, a 10,000 USD cost overrun is acceptable to your organization, but no more.
According to the PMBOK Guide, 6th edition, “Risk threshold is the level of exposure above which risks are addressed and below which risks may be accepted.”
The risk threshold is the next step up from risk tolerance; it quantifies the risk tolerance with a precise figure. You have limits in risk tolerance, but in risk threshold, you have a figure.
For example, your organization cannot take a risk with an impact of more than 10,000 USD.
The threshold is the limit beyond which your organization will not tolerate the risk.
Let’s consider a real-world example.
You are planning to bid on a contract. You think that the value of this contract will be approximately 100,000 USD. Your organization has told you that, because of budgetary constraints, they cannot allow you to go beyond 110,000 USD.
Here, your threshold is 10,000 USD.
You will hold interviews and meetings with stakeholders to ascertain their risk appetite and analyze their risk tolerance. Afterward, you will define the risk threshold.
Summary
Understanding risk appetite, tolerance, and threshold will help you develop your risk management plan. Risk appetite is a tendency towards risks, tolerance is an acceptable variance (for example, 5-10%), and the threshold is a quantified limit beyond which your organization will not accept the risk.
Are you involved in risk management? If you are, how do risk appetite, risk tolerance, and risk threshold affect your risk management plan? Please share your thoughts in the comments section.
Your explanation is fundamentally wrong. Also, you say: According to the 6th edition of the PMBOK Guide, “Risk tolerance is the specified range of acceptable results.” There is no such definition in the PMBOK.
According to the 6th edition of the PMBOK Guide, “tolerance is the specified range of acceptable results.” Please refer to page 274 of the PMBOK Guide, 6th edition.
Sorry for the confusion, as I mistakenly inserted the term “risk” in the quote.
The explanation in the comments for the difference between Threshold and Tolerance is incorrect.
PMI’s definition is apt. Here is how you look at it.
Let’s say your org’s risk tolerance is 10% for a project of 100K; use that information for budgeting and bidding.
Your threshold for risk can be defined as
Accept if the impact is less than 5K
Mitigate if the impact is more than 5K and less than 10K.
xxxx if the impact is more than 10K
You use thresholds to define your response.
Hello Arun, which comment are you talking about?
This one:
Tolerance is a limit, which varies between two extreme points, for example -5% to +5%.
On the other hand, a threshold is a fixed figure, for example, $5,000 USD
and when you responded “Correct” to Muhammad Ali’s September 11, 2018 at 12:21 PM comment.
And the whole explanation of how to use tolerance and threshold.
What is your point here?
My point is, your explanation that Tolerance is a range and Threshold is a fixed figure is principally incorrect.
Hello Arun, as per my understanding, tolerance is about range and threshold is about end point.
I am ready to review it if you can provide me with any resource to support your point.
crystal clear!
Thanks Victor.
Nice article. Can you write an article on the Monte Carlo method in your next blog? Anyway, thank you so much for such a crisp and clear explanation. In PMBOK, I always feel that they knowingly made the language and sentence construction complex to confuse people; they could have written all these things in simple explanation… another way PMI makes money or strategy… in PMI way
Here is my blog post on Monte Carlo Simulation:
https://pmstudycircle.com/2015/02/monte-carlo-simulation/
I am a trainer myself and I love reading your explanations.
This helps me be better at my job.
Thanks Biswatosh for your visit and leaving your comment.
Thank you for your article. It was educative, and I’m happy to get an idea behind their meaning.
You are welcome Jean.
Kindly, I am requesting you to send me the year/edition of the book you wrote, “Projectised Organisational Structure”.
Hello Ferida, I did not write any book on projectized organization structure.
Hi, this is a very good article.
Thanks a lot.
I was also struggling to understand these 3 things. Now I understand and can apply it.
You are welcome Zaki.
This is my understanding
Tolerance is for a specific project and Threshold is at the overall program
Say for example a program with a budget of $100,000 can set the threshold of $10,000, meaning overall program budget can’t exceed $110,000
and the tolerance can be set at the project level. If there are 4 projects, for simplicity each of them is $25,000. The Risk tolerance can be set as 10%, assuming that all the projects have equal tolerance limits.
Even if all the 4 projects were to hit the tolerance limits, it will meet the program threshold
Let me know if this example makes sense
Please, can you provide me an example of Risk appetite statement for a construction company?
Hello Syed,
Precise measurement of risk appetite is not always possible, and it is usually defined by a broad statement of approach.
Please refer to the following URLs:
https://en.wikipedia.org/wiki/Risk_appetite
https://www.theirm.org/knowledge-and-resources/thought-leadership/risk-appetite-and-tolerance.aspx
Say I have a regulatory limit of 6%; that means the organization cannot go below this limit.
Therefore, can you let me know how I will set Risk Appetite and Risk Tolerance?
Hello Shabba,
Your risk tolerance is 6%.
Precise measurement of risk appetite is not always possible, and it is usually defined by a broad statement of approach.
Please refer to the following URLs:
https://en.wikipedia.org/wiki/Risk_appetite
https://www.theirm.org/knowledge-and-resources/thought-leadership/risk-appetite-and-tolerance.aspx
Dear Fahad..
Please correct me if I am wrong.
Risk Appetite is for opportunity. Here, an organization tends to opt it.
Risk tolerance is for possible threat and it, probably, lies below Risk Threshold. Here, an organization tends to change its response.
Risk Threshold is again for negative risk. Here, an organization tends to quit if the value is above its threshold.
You need to correct your understanding a bit. Please read this blog post again.
Let me try to explain these concepts this way-
I am the owner of the company. I can take a Risk of, say, $ 1000.
So my Risk capacity is $ 1000.
Out of these $1000, for a particular project I am willing to take Risk of $100 in anticipation of some reward.
So my Risk Appetite for this project is $ 100.
To monitor & control the Risks in this Project, I have kept a threshold of $ 75, i.e., if the total impact of the Project Risks crosses this threshold and there is a high probability that Project Risks will cross my risk appetite of $ 100, it will be an alarming situation for me. I will take special interest in this project, because it is coming closer to my risk appetite.
Besides this I am also prepared that if the impact increases to even $110, I will be OK with that. It means my tolerance is 10 % above the risk appetite. Total risks beyond $110 will impact my interest in rewards or in other words beyond 10% no Risk will be acceptable to me. This is my tolerance limit.
Risk Tolerance and Risk Threshold are the terms used interchangeably. No specific definition to these terms.
Although you can use them interchangeably, they are different, as explained in this blog post.
Very nice to understand the concept
Thanks
You are welcome Thirumal.
Risk tolerance is very well clarified.
Thank you Fahad.
You are welcome Mirna.
Farhad, I am preparing for my PMP exam and I find your blog the best when it comes to clarifying concepts in just a few words.
May god bless you for the wonderful work you are doing.
Sunil Kumar
Thanks Sunil for your comment.
Very informative article. Enjoyed reading. Risk Appetite is the willingness level to take on risk which depends on the importance of Project for an organization like if an organization is innovating a new product, risk appetite level is high whereas in case of any enhancing features of existing product, which is a market leader product is low.
Whereas Risk Tolerance is the level in terms of % i.e. ± 5 or 7 as the case may be. And Risk Thresholds are same like bench-marking e.g. $ 10,000 is risk threshold for a project and beyond that point Management will not accept.
Well said Javed.
Good article.
In the PMP exam, I saw some questions related to risk in which they mentioned “Implementation phase”. Does that mean the executing phase?
Please clarify?
Thanks
Senthil
You implement the risk response in execution phase. Monitoring and controlling happens throughout the execution phase.
Aslam Alikum
Can you give us an example of appetite?
WaSalaam,
Risk appetite is a subjective term and depends on the organization. It is about how much risk you are willing to take.
Very Good Article …
Thanks Krishna.
Good Article, enjoyed reading the concepts, however could not practically understand risk appetite in your article. Risk Appetite = desire seems quite vague especially when Risk Tolerance and Risk Threshold can be translated into $ number/ % or range for a specific project or aggregated for a portfolio. I haven’t come across practical examples so in my view:
1. At the Portfolio level, Risk Appetite = Risk Acceptance of strategy or product. This is defined in the IT organisations strategy e.g. moving (or accepting) to cloud based solutions to reduce infrastructure and maintenance costs of current solutions or adopting bleeding edge technology for implementation
2. At the project level, Risk Appetite = the constraints imposed on the projects.
You cannot define the risk appetite objectively. It is a subjective evaluation of any individual or organization.
Fahed
For risk tolerance, does the range have to be + or – standard deviation, or is that not necessary?
It can be + or -.
great and simple explanation.
Thanks Hamad for your comment.
Very good explanation
Thanks Charles.
Thank you Fahad, you have it covered once again! I am grateful. So can I interpret it this way:
Risk appetite = The desire
Risk tolerance = The range
Risk threshold = Upper ceiling
You are welcome Bonosus.
Great to the point explanation. Thank you!
You’re welcome Xavier.
Mr. Usmani,
With many thanks, I enjoyed reading your article.
It seems to me that there is practically no difference between risk tolerance and threshold.
One has a limit in percentage; the other has the same amount of limitation, in figure.
best regards
m.,najmi
may, 30th 2014
Tolerance is a limit, which varies between two extreme points, for example -5% to +5%.
On the other hand, a threshold is a fixed figure, for example, $5,000 USD.
Thanks for your good explanation but PMBOK appears to have two opposite explanations on page 311. After writing the three definitions, PMBOK writes, “For example, an organization’s risk attitude may include its appetite for uncertainty, its threshold for risk levels that are unacceptable or its risk tolerance at which point the organization may select a different risk response.” Now here tolerance can be read like a breaking point instead of a range within which risk is manageable.
I think ‘a different risk response’ here simply means a tact for avoiding the negative results of the risk. This may or may not result in complete avoidance due to which we need to know a threshold post which the actions need to be halted.
Appreciates to Mr. Usmani sahab, I think risk tolerance and Threshold are same, Risk Tolerance is in between range while Threshold is an exact amount or figure.
Correct.
It seems also to me that there is no difference between risk tolerance and threshold
Tolerance is expressed in percentage and threshold is a number.