risk-appetite, risk-tolerance, risk-threshold

A visitor to my blog, Mr. Novzar Dastoor, asked me to write on risk appetite, risk tolerance, and risk threshold. These are basic risk management concepts that can confuse new aspirants.

A risk management plan depends on the stakeholders’ risk attitude, and the risk attitude depends on risk appetite, risk tolerance, and risk threshold. 

According to the PMBOK Guide, “Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality.” 

A risk can be an opportunity or a threat. The former has a positive effect on project objectives, while the latter has a negative impact. 

Risk management aims to increase the probability or impact of positive risks and reduce the probability or impact of negative risks. The strategy you will use depends on the behavior of your stakeholders

Risk Appetite, Risk Tolerance, and Risk Threshold

Every individual behaves differently towards risks. Some may want to accept, and others may want to avoid. This behavior depends on the risk attitude of the stakeholders. Therefore, analyzing their risk attitudes is necessary for the success of your risk management plan

Many factors determine one’s risk attitude. 

You can divide these factors into three categories: 

  1. Risk Appetite
  2. Risk Tolerance
  3. Risk Threshold

Risk Appetite

Appetite is synonymous with hunger. So, this means “risk-hunger.” 

According to the PMBOK Guide, “Risk appetite is the degree of uncertainty an organization or individual is willing to accept in anticipation of a reward.” 

Some organizations might take a high risk if the reward is vast; others may want to play it safe or be conservative. If they take risks, it means that their appetite is high, and the organization that plays conservatively has a lower risk appetite.

Risk appetite shows the organization’s hunger to take risks, and you cannot quantify hunger. 

Though you can rate the risk appetite of an organization from high to low.

Risk Tolerance

According to the PMBOK Guide, “Tolerance is the specified range of acceptable results.” 

Risk tolerance tells you how much risk an organization or individual can withstand. A high-risk tolerance means they are willing to take more, and a low tolerance means they are unwilling. 

Risk tolerance shows the risk attitude of stakeholders or an organization in measurable units. 

Several factors affect risk tolerance. 

These include how critical the project is, impacts on profitability, and how the risk will satisfy customers. 

For example, your organization may allow schedule or cost slippage of 3–5%. This limit is known as risk tolerance. 

Risk Tolerance Example 

You are bidding for a project. Your rough order estimates say that the cost of this project is approximately 100,000 USD. Your organization cannot allow you to bid for more than 10% of this amount. 

This 10% is your risk tolerance limit.

Risk Threshold

The risk threshold is the amount of risk that an organization or individual is willing to accept. Say a 10,000 USD cost overrun is acceptable to your organization but no more. 

According to the PMBOK Guide, “Risk threshold is the level of exposure above which risks are addressed and below which risks may be accepted.” 

Risk threshold is the next step up from risk tolerance; it quantifies the tolerance with a precise figure. You have limits in risk tolerance, but in risk threshold, you have a figure.

For example, your organization cannot take a risk with an impact of over 10,000 USD.

The threshold is the limit beyond which your organization will not tolerate the risk. 

Example of Risk Threshold 

You are planning to bid on a contract, and you think that the value will be approximately 100,000 USD. Your organization has told you that they cannot allow you to go beyond 110,000 USD because of budgetary constraints. 

Here, your risk threshold is 10,000 USD. 

You will hold interviews and meetings with stakeholders to ascertain their risk appetite and analyze their risk tolerance. Afterward, you will define the risk threshold.

Summary

Understanding risk appetite, risk tolerance, and risk threshold will help you develop your risk management plan. Risk appetite is a tendency towards risks, and risk tolerance is an acceptable variance—for example, 5-10%—and the risk threshold is a quantified limit beyond which your organization will not accept the risk. 

Are you involved in risk management? If you are, how do risk appetite, risk tolerance, and risk threshold affect your plan? Please share your thoughts in the comments section.