Risk Appetite, Tolerance and Threshold are very important concepts in risk management and are often misunderstood. If you fail to understand the stakeholders’ risk appetite, tolerance and threshold, your risk management plan may be jeopardized. Beyond that, how can we have a productive conversation about risk management unless we use the same language?
Before we proceed further and discuss these very important concepts, let’s revisit the definition of risk. As per the PMBOK Guide 5th edition, “Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality.”
From the above definition, you can conclude that a risk can either be an opportunity or a threat: an opportunity has some positive effect on project objectives, while a threat brings some negative impact. The objective of risk management is to increase the probability of positive risks (or increase their impact), and reduce the probability of negative risks (or reduce their impact). Every individual has a specific behavior towards risk; some people may want to accept a risk and others may want to avoid it. This behavior depends on the risk attitude of the individual, and for a proper risk management plan, you must identify the risk attitude of your stakeholders. There are many factors that determine the risk attitude. These factors can be broadly divided into three categories: Risk Appetite, Risk Tolerance and Risk Threshold.
Risk appetite can be described as the amount and type of risk an organization is willing to accept in pursuit of its business objectives. Risk tolerance is the specific maximum risk that an organization is willing to take regarding each relevant risk. Risk threshold is the level used to monitor that actual risk exposure does not deviate too much from the risk target and stays within the organization’s risk tolerance and risk appetite. Exceeding the risk threshold will typically act as a trigger for management action.
To explain what I mentioned here, let me take the help of the diagram on the left. The PMBOK Guide gives the definitions below for these three terms.
PMBOK® Guide, Fifth Edition defines risk appetite as “The degree of uncertainty an entity is willing to take on in anticipation of a reward.”
PMBOK® Guide, Fifth Edition defines risk tolerance as “The degree, amount, or volume of risk that an organization or individual will withstand.”
PMBOK® Guide, Fifth Edition defines risk threshold as “measures along the level of uncertainty or the level of impact at which a stakeholder may have a specific interest. Below that risk threshold, the organization will accept the risk. Above that risk threshold, the organization will not tolerate the risk.”
Appetite is often expressed as low, medium or high. If you speak to your stakeholders and they mention that they have been able to grow because of the risks they have taken in life, and believe that in order to grow further they need to take more risks, the message you are getting is that they have a high risk appetite.
As the definition indicates, risk tolerance is the amount of risk that an individual or organization will withstand. For example, if you invest in the stock market, you might be OK with it even if the stock goes down by 2.5% or 5%. However, you have put a stop loss at 10%, which makes that your threshold limit.