Project Management Central


Topics: Risk Management
Using risk appetite with the execution of risk identification and monitoring

Once my client establishes their risk appetite, how do I apply that appetite and related tolerance ranges to the actual execution of risk identification and monitoring?

Risk appetite at the organizational level will help you take the risk threshold into consideration when you create things like estimates or monitoring and control, all related to your scope, time, cost and quality. But everything related to project risk identification is about individuals more than the organization. You will find risk-averse, risk-seeking and risk-neutral people, and when those people participate in risk identification activities you will be surprised.

Cheryl -

This will be less of a concern for risk identification, but will impact your risk analysis if they participate in that, and definitely will impact the type of risk responses which they will agree to.

For example, if they tend to be very intolerant of threats, then they may be likely to rate the probability or impact of identified risks higher than they really are, and they may prefer risk avoidance or transfer responses to mitigation or acceptance ones.


Cheryl, I agree with Kiron on this topic. Risk appetite doesn't impact the risk identification process. If you follow the standard risk management process, the first step is establishing the context, and that's where the risk appetite is defined. Depending on the appetite for risk, a project manager will define the risk management plan. First to be established is the contingency allocated to mitigate risk: the higher the appetite, the higher the contingency. Some organisations use a bottom-up approach where each (significant) risk has contingency allocated, but at the start of the project a top-down allocation is more practical.
The second step in the process that is impacted by the risk appetite is the mitigation strategies. If the appetite is low, then most risks will be either controlled to be reduced or transferred; otherwise many risks will be accepted, reducing the cost of managing risk. Don't forget that risk can be positive, in which case the organisation can choose to take the risk.
Risk appetite also determines the project framework to be used. A conservative organisation will prefer a planned approach with a lot of controls, while others will jump to the Agile approach.

Risk appetite should not have any influence on risk rating or the risk identification process, other than the resources allocated for those activities. A high risk is a high risk; the difference is what we do with that risk: do we spend money to eliminate, reduce or transfer it, or do we (potentially) save money by accepting it?

Rating risks with the target of avoiding the band where we have to do something is not risk management, it is a waste of time.


The risk appetite and tolerance should produce a scale/level.

After risk identification, you need to qualify each risk.

Action taken on a risk will be in accordance with the nature of each risk and the appetite/tolerance of the organization.

You have many excellent comments in the previous posts.

Risk ratings are normally influenced by the risk appetite of the organisation.

I am actually reviewing our Enterprise Risk Management (ERM) policy and other risk management documentation. What the others have said is correct, but what I have found is that within our organization it is almost exclusively a bottom-up approach, which brings its own set of issues. This is especially true when the risk "appetite" or risk tolerance level of the organization at senior levels is not known. We have just introduced a new risk rating formulation that includes the following:

Risk Score = Impact x Likelihood x Urgency x Controllability

Each variable is given a score value of up to 5. This means that a total maximum score of 625 can be achieved. For threats we have arbitrarily decided that any score above X (the risk appetite threshold) shall be forwarded to senior management for review. This rating scheme was put forth with the sole purpose of trying to better sort out all the risks within our organization (hundreds of projects) so that we could better manage them from an enterprise level.
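As an added illustration of the four-factor scoring scheme described in the post above (example code written here, not code from the original thread or the poster's organisation): each factor is validated to the 1..5 range, the product is computed, and a register of risks drawn from several projects is sorted and split into "escalate to senior management" and "retain at project level" using a caller-supplied threshold. The post gives the threshold only as "X", so the value 100 used in the usage call, the project names and the sample risks are all assumptions for illustration.

```python
"""Enterprise risk scoring with escalation above an appetite threshold.

Added example, not from the original post. Implements the post's formula
    Risk Score = Impact x Likelihood x Urgency x Controllability
with each factor an integer 1..5, so the maximum score is 5**4 = 625.
The escalation threshold ("X" in the post) is a parameter here.
"""
from dataclasses import dataclass
from typing import List, Tuple

FACTORS = ("impact", "likelihood", "urgency", "controllability")
FACTOR_MIN, FACTOR_MAX = 1, 5
MAX_SCORE = FACTOR_MAX ** len(FACTORS)  # 625, as stated in the post


@dataclass(frozen=True)
class Risk:
    project: str
    name: str
    impact: int
    likelihood: int
    urgency: int
    controllability: int


def factor_errors(risk: Risk) -> List[str]:
    """Return one message per factor that is not an integer in 1..5."""
    errors = []
    for f in FACTORS:
        v = getattr(risk, f)
        if not isinstance(v, int) or isinstance(v, bool) or not FACTOR_MIN <= v <= FACTOR_MAX:
            errors.append(f"{risk.project}/{risk.name}: {f}={v!r} must be an integer 1..5")
    return errors


def score(risk: Risk) -> int:
    """Product of the four factors; refuses out-of-range input."""
    errors = factor_errors(risk)
    if errors:
        raise ValueError("; ".join(errors))
    return risk.impact * risk.likelihood * risk.urgency * risk.controllability


def rank_risks(risks: List[Risk], threshold: int) -> Tuple[List[Risk], List[Risk]]:
    """Split a register into (escalated, retained), each sorted by descending score.

    A risk whose score is strictly above `threshold` is escalated, mirroring
    the post's rule "any score above X shall be forwarded to senior management".
    Ties are broken by project and risk name so the ordering is stable.
    """
    if not 0 <= threshold < MAX_SCORE:
        raise ValueError(f"threshold must be in 0..{MAX_SCORE - 1}, got {threshold}")
    ordered = sorted(risks, key=lambda r: (-score(r), r.project, r.name))
    escalated = [r for r in ordered if score(r) > threshold]
    retained = [r for r in ordered if score(r) <= threshold]
    return escalated, retained


# Constructed sample register spanning three hypothetical projects (not real data).
SAMPLE_REGISTER = [
    Risk("ERP-upgrade", "vendor insolvency", 5, 2, 3, 4),            # 120
    Risk("ERP-upgrade", "data migration errors", 4, 4, 4, 2),        # 128
    Risk("Portal", "TLS certificate expiry", 3, 3, 5, 1),            # 45
    Risk("Portal", "key staff departure", 4, 3, 2, 3),               # 72
    Risk("DC-move", "power outage during cutover", 5, 1, 5, 3),      # 75
    Risk("DC-move", "asset inventory incomplete", 2, 5, 3, 2),       # 60
]


def escalation_report(risks: List[Risk] = SAMPLE_REGISTER, threshold: int = 100) -> List[str]:
    """Human-readable lines: escalated risks first, then retained ones."""
    escalated, retained = rank_risks(risks, threshold)
    lines = [f"threshold={threshold} of max {MAX_SCORE}"]
    for label, group in (("ESCALATE", escalated), ("RETAIN", retained)):
        for r in group:
            lines.append(f"{label:8} {score(r):4d}  {r.project}: {r.name}")
    return lines


if __name__ == "__main__":
    print("\n".join(escalation_report()))
```

Note that the post does not say which direction the "controllability" scale runs; the code multiplies the raw value as given, so whoever defines the scale must make sure that a higher number means a larger contribution to risk, otherwise a highly controllable risk would be escalated ahead of an uncontrollable one.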
