Thinking About Risk…
Do you thrive in uncertainty? Or do you have a Plan B, C, D, and E?
Projects can reflect very different attitudes toward risk management. By gauging the risk appetite of stakeholders, a Project Manager can understand the relative importance of achieving or missing specific project or work stream objectives. With this understanding, risks can be more readily identified and prioritized to address the risks of greatest importance to the stakeholders. Understanding stakeholders’ attitudes toward risk is an important component of risk management planning. When this assessment precedes risk identification and analysis, it can improve project outcomes and foster stakeholder satisfaction.
This article offers an approach to gauge risk appetite and tolerance by engaging in discussion with the project sponsor, team members, and other stakeholders to:
- Stimulate communication regarding project objectives and priorities and identify a communication plan for key concerns.
- Better understand the stakeholders’ risk appetite, tolerance, and any associated thresholds.
- Use takeaways to tailor risk analysis, prioritization, planning, and communication, including when to escalate risk-related information to management and other stakeholders.
- Improve the project team’s risk management approach.
Let’s start by trying to understand risk appetite and risk tolerance thresholds. According to the Project Management Body of Knowledge (PMBOK), risk appetite is “the degree of uncertainty an organization or individual is willing to accept in anticipation of a reward.” If you are approaching an intersection, do you speed up when you see a yellow light or hit the brakes and stop as quickly as possible because you are concerned it will turn red quickly and you may get a ticket or hit a car? Risk appetite is variable from person to person and can change over time. Focused discussions can capture the willingness of the project team members to avoid or accept risks. Risk appetite may be characterized along a range from low, or conservative, to high, or aggressive.
Risk tolerance and risk threshold are measures that set controls based on risk appetite. According to ISACA’s Risk IT Framework, 2nd Edition, risk tolerance is “the acceptable deviation from the level set by the risk appetite and business objectives.” Tolerance may be described without a corresponding threshold. Risk tolerance is considered along a spectrum of how well a stakeholder may tolerate uncertainty. For example:
- Very little to no tolerance for uncertainty: “I want to make sure I know all the things that can go wrong and have a backup plan for all of them.”
- Very accepting of uncertainty: “If it happens, it happens.”
The PMBOK defines risk threshold as “the measure of acceptable variation around an objective that reflects the risk appetite of the organization and stakeholders.” A threshold is a companion to the concept of risk tolerance. Thresholds are quantitative and state the degree of acceptable variation around a project objective. For example, “more than a 10-day delay in releasing the product.”
Practical Approach to Assessing Risk Tolerance
Still confused? No worries! The following is a practical approach you can still apply to strengthen your project risk management practice.
In simple terms, the approach is the Project Manager initiating discussions with stakeholders and documenting the outcome to effectively manage risk. The process does not require a high degree of precision in gathering risk appetite and tolerance information. The process steps are captured in the following graphic.
Prepare for Discussion
Think of risk tolerance assessment as an opportunity for dialogue with project leadership to better understand their concerns or priorities. In simplest terms, the Project Manager should try to assess overall project risk appetite and risk tolerance for work streams or specific tasks, whatever may be most relevant to the project team’s perspective.
The Project Manager can gather this information early in the project lifecycle or project phases and update it as the project progresses. You may want to plan for several discussions over the course of your project. Since your discussion is used for risk identification and qualitative analysis that informs the risk response, there is a benefit to using the most updated risk tolerance information.
The following steps can help organize the discussion:
- Determine who to talk to – key stakeholders. Perhaps talk first to the project sponsor or business owner and the work stream leads.
- Let interviewees know ahead of time the purpose of this discussion. Educate them on the concepts and how the result of the discussions can further support successful project outcomes.
- Take the following into account to gauge the project’s unique risk perspective:
- Project objectives
- Project life cycle phase
- Current work streams
- Stakeholder expectations
- Team experience and knowledge
- Contractor/IT system dependencies
- External vs. internal risks
- Current project workload
- Existing or historical risk or lessons learned documentation
- Plan a series of questions and scenarios to figure out what the risk tolerance levels are at a particular point in the project life cycle. The analogy is like interviewing a candidate for a job by having a set of questions to start the discussion. Probe into areas that are important to the outcome; use scenario-based questions.
Basic questions that may start the discussion include:
- What are the challenges in project design, development, and/or operations?
- What are potential concerns with respect to participants/external stakeholders in the project?
- When we identify risks, what tasks stand out in your mind as most risky (for example, obtaining materials, staffing with appropriate skills, timeliness of project communication, etc.)? Which are less risky?
- What keeps you up at night?
- What types of risks were realized to become issues in the past and affected the project or similar projects?
- The project recently experienced an issue with x, y, z; are there other issues of concern on the horizon?
- Recently leadership made a decision on x – how may that affect project plans?
- Walking through upcoming work streams or tasks, what is your level of concern with…?
- How much risk is okay for this project?
- What are the most significant risks we should be considering?
- Are we addressing your greatest concerns and considering the “right” risks?
- We are taking/proposing x action to mitigate y risk – is that the desired investment of resources?
- What is leadership’s view of risk management? What areas have they expressed greatest interest or concern?
- Consider preparing a matrix of current work streams/tasks/topical areas to guide the discussion and capture notes. This example risk discussion table shows a simple example.
6. Invite stakeholders to the discussion. Introduce the overall concept and invite the sponsor or business owner to this discussion. This dialog may take place as part of a regularly scheduled meeting or at a special meeting. If the project sponsor concurs, then schedule sessions with additional stakeholders (e.g., work stream leads, risk owners) to explore risk attitude, tolerance, and thresholds for the project.
Capture and Summarize Information from Discussion
Document key notes and the interviewee’s views on the degree of concern regarding each work stream and key tasks or deliverables, using the suggested scale in the risk discussion table:
- 1 – Not a concern
- 2 – Medium level of concern
- 3 – Very high concern and interest
When possible, capture any specific discussion of thresholds that define the quantitative degree of acceptable risk impact. (e.g., stakeholder considers moderate schedule impact is a 2-week variance). Stakeholders can approach risk management in many ways, including disinterest, active engagement, supportive delegation, or direction not to invest time in risk management. The following table provides some ideas on understanding and applying the findings from the risk tolerance discussion to refine and prioritize project risk management.
Review the discussion notes. If there is a wide variance in opinions collected from different stakeholders (for example, major slippage in schedule is acceptable vs. only minimal slippage in schedule is acceptable), consider different ways to reconcile. For example, give more weight to the sponsor’s perspective or follow up with stakeholders to further understand and reconcile the different perspectives, taking into consideration objective information when available (e.g., external deadline).
It is essential to create a summary of how the project plans to use the outcome of the discussion for the risk management process. Provide the collected information and analysis to the sponsor and other stakeholders for review and confirmation.
One consideration to help communicate the results is to summarize the assessment in a more quantitative manner and create a visual in Excel. This visual or chart may be used as part of the project’s risk management plan and to communicate an overall risk management process strategy for that project. Visual representations such as a radar chart or a scatter diagram may be useful.
Apply Findings to Project Risk Management
The risk attitude and tolerance assessment analysis factors into the development of the project’s risk management plan. Risks to the work streams or tasks for which only minimal variance is acceptable (i.e., low risk tolerance) might be prioritized for focusing risk management efforts and limited resources. Risks to the work streams or tasks for which major variance is acceptable (i.e., high risk tolerance) might be monitored on a watch list. Consider initiating risk tolerance and threshold discussions when there is a major change in the project, the project lifecycle phase changes, and/or there is new leadership on the project.
Communication is a key tool for a Project Manager to effectively manage risk and successfully deliver a project to stakeholder satisfaction.
Join MPUG to attend live training webinars, access 500+ hours of on-demand sessions, receive certificates of completion and earn the Project Management Institute (PMI)® Professional Development Units (PDUs) that you need. Watch an MPUG training webinar for free and improve your Microsoft Project skills in less than 1 hour.