By Henrique Moura, PMP, RMP, ACP, EVP, ITIL, PSM

Professor of the Introduction to Project Management course in the Master in Project Management Program at the University for International Cooperation.

December, 2015

An overview of risk attitude

How much risk is too much? How are stakeholders willing to balance risks with rewards? Do stakeholders react differently to schedule risks than to cost risks? How do we establish limits on risk exposure? How does stakeholders’ attitude towards risk impact the adopted risk response strategies?

This article attempts to answer these questions by describing the concepts of risk appetite and risk tolerance.

Risk appetite

Risk appetite is a classification of how much risk specific stakeholders, or the overall organization, are willing to accept while pursuing project objectives.

Risk appetite is not usually defined around measurable criteria; it is rather a broad classification of the stakeholders’ profile. There are several ways to describe risk appetite. A common approach is to describe stakeholders’ risk appetite as either averse, minimal, cautious, neutral or seeker. The differences among these risk profiles are described next, along with a risk appetite statement example:

  • Risk averse stakeholders are not willing to accept any risk exposure. As an example, a pharmaceutical company that adopted a Six Sigma approach may be focused on eliminating any level of quality risk exposure.
  • Minimal risk stakeholders believe that the less risk the better. They would require a lot of benefits to compensate for any small level of risk exposure. As an example, a health care organization might be extremely reluctant to accept risks that can negatively impact critical patients’ waiting time.
  • Risk cautious stakeholders favor safer options, even if that sacrifices benefits. As an example, a consulting company working in an economically challenged country can be reluctant to accept cost risks.
  • Risk neutral stakeholders will assess available project options, balancing existing risks with potential rewards. As an example, a software development company might be willing to consider eliminating some scope requirements, or accepting schedule delays, while considering schedule risks in its new development project.
  • Risk seekers are actively pursuing high value rewards, at the expense of high risk exposure. As an example, a pharmaceutical company might be willing to take significant cost risks in the short term while developing a breakthrough vaccine.

Interestingly enough, an organization’s risk appetite is not necessarily the same for each type of risk and can depend on the context. A pharmaceutical company can be averse to quality risks and be categorized as seeker regarding cost risks while developing a vaccine. At the same time, different individuals might adopt different profiles according to their own profile. The project manager should attempt to understand the dominant risk profile regarding the key project constraints.

Risk tolerance

While a broad classification of risk profile helps to understand how stakeholders will be willing to balance risks and rewards, it will not tell us how much risk is too much. Risk tolerance defines how much uncertainty stakeholders are willing to accept. As an example, cost risk tolerance would define how much potential negative cost variance stakeholders are willing to bear.

Risk tolerances are usually defined around the key project constraints, such as scope, schedule or cost. As an example, the previously discussed pharmaceutical company, although categorized as risk seeker, might be unwilling to accept an overall cost risk exposure above 50% of the agreed-upon budget.

Risk tolerances can also be defined around specific project risks. While addressing risks that have a potential impact on patients’ waiting time, a health care organization might establish that it is not willing to accept any risk that can compromise the goal of treating emergency patients within 15 minutes and non-critical patients within 120 minutes.

Risk tolerances should be documented as they help to generate risk thresholds for each risk. These thresholds will then guide the team and signal when the time has come to implement conditional risk responses.