A visitor to my blog, Mr. Novzar Dastoor, asked me to write on risk appetite, risk tolerance, and risk threshold.
These are basic risk management concepts that can be confusing to new aspirants.
A risk management plan depends on the stakeholders’ risk appetite, tolerance, and threshold. Therefore, you should understand these concepts in depth.
According to the PMBOK Guide, “Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality.”
A risk can be either an opportunity or a threat. The former has a positive effect on project objectives, while the latter has a negative impact.
The aim of risk management is to increase the probability or impact of positive risks and reduce the probability or impact of negative risks. The strategy you will use to deal with these risks depends on the behavior of your stakeholders.
Every individual behaves differently towards risks. Some people may want to accept, and others may want to avoid it. This behavior depends on the risk attitude of the stakeholders. Therefore, analyzing the risk attitudes of your stakeholders is necessary for the success of your risk management plan.
Many factors determine one’s risk attitude. You can divide these factors into three categories:
- Risk appetite
- Risk tolerance
- Risk threshold
Appetite is synonymous with hunger. So, risk appetite means “risk-hunger”.
According to the PMBOK Guide, 6th edition, “Risk appetite is the degree of uncertainty an organization or individual is willing to accept in anticipation of a reward.”
Some organizations might take a high risk if the reward is high; others may want to play it safe or be conservative. If they take risks, it means that their risk appetite is high, and the organization that plays conservatively has a low-risk appetite.
According to the PMBOK Guide, 6th edition, “Tolerance is the specified range of acceptable results.”
Risk tolerance tells you how much risk an organization or individual can withstand. High tolerance means that they are willing to take more, and low tolerance means that they are not willing.
Risk tolerance shows the risk attitude of stakeholders or an organization in measurable units.
Many factors affect risk tolerance.
For example, an organization will take risks if the project is critical. Other factors include customer satisfaction, risk impact on profitability, etc.
For example, your organization may allow schedule or cost slippage by 3–5%. This limit is known as risk tolerance.
Let’s consider a real-world example.
You are bidding for a project. Your rough order estimates say that the cost of this project is approximately 100,000 USD. Your organization told you that they cannot allow you to bid for more than 10% of this amount.
This 10% is your tolerance limit.
The risk threshold is an amount of risk that an organization or individual is willing to accept. Say for your project, a 10,000 USD cost overrun is acceptable to your organization, but no more.
According to the PMBOK Guide, 6th edition, “Risk threshold is the level of exposure above which risks are addressed and below which risks may be accepted.”
The risk threshold is the next step up from risk tolerance; it quantifies the risk tolerance with a precise figure. You have limits in risk tolerance, but in risk threshold, you have a figure.
For example, your organization cannot take a risk with an impact of more than 10,000 USD.
The threshold is the limit beyond which your organization will not tolerate the risk.
Let’s consider a real-world example.
You are planning to bid on a contract. You think that the value of this contract will be approximately 100,000 USD. Your organization has told you that, because of budgetary constraints, they cannot allow you to go beyond 110,000 USD.
Here, your threshold is 10,000 USD.
You will hold interviews and meetings with stakeholders to ascertain their risk appetite and analyze their risk tolerance. Afterward, you will define the risk threshold.
Understanding risk appetite, tolerance, and threshold will help you develop your risk management plan. Risk appetite is a tendency towards risks, tolerance is an acceptable variance?—for example, 5-10%?—and the threshold is a quantified limit beyond which your organization will not accept the risk.
Are you involved in risk management? If you are, how do risk appetite, risk tolerance, and risk threshold affect your risk management plan? Please share your thoughts in the comments section.