I'll admit to being hyperbolic with the title of this article, but a question posed today in one of the project management LinkedIn discussion groups managed to sidetrack what I was intending to write about this week. The author asked what needs to be considered when planning risk responses. The majority of the answers offered focused on characteristics of the individual risks themselves such as their probability, impact, ability to be responded to and so on.
But what we should consider is not just the specifics of a risk but also the context in which that risk exists. Enterprise environmental factors will also affect not just the nature of risk responses but also their effectiveness, and one of the more significant ones is risk appetite.The PMBOK Guide®, Sixth Edition defines risk appetite as the "degree of uncertainty an organization or individual is willing to accept in anticipation of a reward". This definition acknowledges that appetite should be considered from the perspective of multiple stakeholders and not just that of the project team or sponsor.
Stakeholders with a low appetite for a particular type of risk might influence a stronger risk response than is warranted which can impact efficiency. Those with a higher appetite can reduce the effectiveness of the overall project risk management approach. As with so much else in project management, the Goldilocks principle applies to risk response.
Risks can be positive or negative, but risk appetite usually has a greater influence on how we handle threats rather than opportunities. The exception are cases where the realization of an opportunity generates secondary negative risks.
Companies operating in risk-driven industries such as financial services are more likely to have appetite statements defined organization-wide. Such statements can help governance staff to define policies and to provide practitioners with clear examples of the types of risk which might be passively accepted and which ones should be actively managed. However there remains a degree of subjectivity when it comes to risk based on one's own biases, and with ever increasing project complexity and uncertainty, such statements can only go so far in creating consistency.
One way to address this is for a project manager to facilitate a risk response guidelines workshop with key stakeholders early in the life of the project. Take each of the project's constraints and success criteria, define a range of outcomes for those based on the impact of a risk event and ask stakeholders which risk response (e.g. mitigate, transfer, avoid, accept, escalate) should be utilized for each potential outcome. Not only might this help to create some consistency in practice but it would also provide the project manager with insights about the relative biases of each stakeholder to different types of risk. This information can then be captured in the Risk Management Plan.
Finally when it comes to managing risks over the life of a project, it is important to remember that stakeholders' risk appetite will change.
“But doth not the appetite alter? A man loves the meat in his youth that he cannot endure in his age.” - Shakespeare, 'Much Ado About Nothing'