Risk, Risk Appetite, Risk Tolerance, Risk Threshold, Risk Attitude

As per the PMBOK Guide 5th edition, “Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality.”

From the above definition, you can conclude that a risk can either be an opportunity or a threat: An opportunity has some positive effect on project objectives, while a threat brings some negative impact.

The objective of risk management is to increase the probability of positive risks (or increase the impact), and reduce the probability of negative risks (or reduce the impact).

The strategy to deal with these risks depends on the behavior of the stakeholders or the organization.

Every individual has specific behavior towards risks; some people may want to accept the risk and others may want to avoid it.

This behavior depends on the risk attitude of the individual, and for a proper risk management plan, you must find the risk attitude of your stakeholders.

There are many factors that determine the risk attitude. These factors can be broadly divided into three categories:

  1. Risk Appetite
  2. Risk Tolerance
  3. Risk Threshold

Risk Appetite

If you look in the dictionary, you will find that the meaning of “appetite” is “hunger”.

So risk appetite means “risk hungry”.

As per the 5th edition of the PMBOK Guide, risk appetite is the degree of uncertainty an entity is willing to take on in anticipation of a reward.

The risk appetite of an organization shows how much an organization is willing to take a risk in order to grow itself. It is the amount of risk that an organization is willing to accept to attain its business objective.

Some organizations might be willing to take a high risk if the reward is high; others may want to play safe or go conservatively.

If the organization is willing to take a risk, you will say that its risk appetite is high, and the organization that plays conservatively has a low risk appetite.

Risk Tolerance

As per the 5th edition of the PMBOK Guide, risk tolerance is the degree, amount, or volume of the risk that an organization or individual will withstand.

Risk tolerance tells you how sensitive the organization or people are to risks. High tolerance means people are willing to take a high risk, and low tolerance means people are not willing to take much risk.

It is the willingness of a group of people or organization to accept or avoid risk. It shows the risk attitude of stakeholders or an organization in measurable units.

Many factors affect risk tolerance. If the project is critical, the organization will be willing to take more risk; however, if the project is not very important, the organization may not be willing to take much risk.

Other factors include customer satisfaction, impact of risk on profitability of the organization, and so on.

For example, your organization may allow schedule slippage by 5–10% or cost slippage by 3–5%. This is known as the risk tolerance of the organization or stakeholders.

Let’s consider a real world example.

You are bidding for a project. Your rough order estimates say that the cost of this project is approximately 100,000 USD. You are in the process of applying for this bid, and your organization told you that they cannot allow you to bid for more than 10% of this amount.

This 10% is your tolerance limit.

Risk Threshold

Risk threshold is an amount of risk that an organisation or individual is willing to accept. For example, for your project a $10,000 USD cost overrun is acceptable to your organization, but anything more than that is not acceptable.

As per the 5th edition of the PMBOK Guide, risk threshold is the level of impact at which a stakeholder may have a specific interest. Below the risk threshold, the organization will accept the risk, and above the risk threshold, the organization will not tolerate the risk.

The risk threshold is a further step in the risk tolerance; you can say that it quantifies the risk tolerance with a more precise figure.

In risk tolerance you have limits, but in risk threshold you have a clear figure.

For example, your organization cannot allow a risk whose slippage (or impact) is more than $10,000 USD.

The risk threshold is the limit beyond which your organization will not tolerate the risk.

Let’s consider a real world example.

You are planning to bid on a contract. You think that the value of this contract will be approximately $100,000 USD. You are in the process of applying for this bid, and your organization has told you that due to some financial problems they cannot allow you to go beyond $10,000 USD, apart from the $100,000 USD.

In this case, your threshold for this project is 10,000 USD.

To determine the risk threshold, you will hold interviews and conduct meetings with stakeholders to find their risk appetite, then you will analyze their risk tolerance, and lastly you will define the risk threshold.

Here the discussion ends. However, before concluding this post, let’s have a quick summary of these terms.


  • Risk appetite can be considered as a tendency of an individual or group of people towards risks.
  • Risk tolerance is an acceptable variance; e.g. +5% to -5%. Tolerance is a limit.
  • Risk threshold is a quantified limit beyond which your organization cannot go. Threshold is like an end point.

Risk Response

There are four possible responses to a risk, depending on whether there is a low or high probability of its occurring, and whether the financial impact if it does occur is high or low.

  • Avoid: For high probability, high impact events
  • Transfer (such as purchasing insurance): For low probability, high impact events
  • Mitigate: For high probability, low impact events
  • Accept: For low probability, low impact events