Project Risk Appetite and Tolerance

Attitudes to project risk in organisations are determined in the context of the general risk environment and the objective of protecting and enhancing shareholder/stakeholder value. Choices have to be made when considerations are given to new products and/or services, how they are made and distributed and so on in what is a turbulent business environment. This is when the concepts of risk appetite and tolerance play an important role. Some use the terms interchangeably while others see clear differences as outlined below.

RISKS APPETITE

Risk appetite is the broad-based amount of risk an organisation or other- entity is willing to accept in the pursuit of its mission. It is determined by two factors (ISACA 2009). First, the organisation's capacity to absorb losses such as reputation damage, and second, management's culture or predisposition towards risk taking, ranging from risk averse to risk seeking. The positive aspect of risk appetite is the amount of satisfaction or pleasure received from a potential risk payoff. This is referred to as risk utility and is linked to risk preference. Utility rises at a decreasing rate for people who are risk averse. Those who are risk seeking have a higher tolerance for risk and their satisfaction increases when more payoff is at stake. The risk-neutral approach achieves a balance between risk and payoff.

'Risk appetite is not a static concept with individuals', according to Kendrick (2004: 73). He refers to research that has shown differences in perceptions of risk and risk decision-making according to a range of factors: gender, ethnicity, risk framing, mood factors, dispersion effects, moral and ethical considerations, and experience from previous risk situations. Basic risk preferences can be observed in the way people behave in actual circumstances and assess risk severity (Schoemaker 1993). There are distinct behaviours that risk-takers exhibit: economic, decision theoretic, psychological and biological.

Under the economic perspective, risk-taking is largely determined by the shape of the relevant utility function (e.g. achieving optimal savings). Someone applying decision theory would use a rigorous methodology, while under the psychological view the risk-taker considers task, decision frames and acknowledges limitations in human information processing capabilities. A biological perspective can be observed in behaviour such as sensation seeking, impulsivity, extraversion. For example, low-sensation seekers appraise risk as more dangerous and less pleasurable than high- sensation seekers. The above diversity potentially poses problems to the risk manager not familiar with human nature. He or she may observe different manifestations to risk-taking with different project members and under different project circumstances.

RISK TOLERANCE

This can be defined as the acceptable variation relative to the achievement of an objective. It is the tolerable deviation from the level set by the risk appetite and business objective. While at lower levels different tolerance levels may apply, at the enterprise level the overall exposure must not exceed the specified risk appetite. Risk appetite and risk tolerance therefore go hand in hand and both are determined and covered by policies set by executives. ISACA (2009) warned that levels that are 'cast in stone' may inhibit the organisation in exploiting new business opportunities. Kendrick (2004) suggested that organisations should be sufficiently robust to deal with environmental fluctuations and be flexible enough to rapidly sense and respond to changes. It may, therefore, be preferable to have Tines in the sand' as opposed to fixed limits of risk tolerance to permit a degree of agility and innovativeness.

There may, however, be situations where the organisation has no choice but to enforce a strict risk tolerance when failure to comply with specific legal requirements or regulations attract severe penalties. Each organisation will have to define its own risk appetite and tolerance levels. This ensures that there is board approval and clear communications to all stakeholders that organisational decision-making is risk based and track is kept of the overall risk profile.

APPROACHES

The approach to determining risk appetite and tolerance may well differ across the globe. Differences are due to the two main corporate governance styles (Taliento 2007). Under the Anglo-Saxon/American (including Australia) paradigm, governance is market based (believing in free competition) and shareholder oriented (maximising their return), while the Latin/German/ Japanese paradigm is credit based (influenced by lenders such as banks) and stakeholder oriented (meeting the needs of suppliers and customers). The attitude to risk management in Australia, for example, is influenced by the following characteristics: large corporations with decision power in the hands of managers, watchdog oversight over management activity by auditors and legislators, and management seeking to create value for shareholders with a habit of preferring short-term performance.

What the Australian approach appears to be lacking is the orientation of the Latin/German/Japanese paradigm, namely considering the interests of all stakeholders. This points to the need to indude diverse opinions and achieve a balance between formal processes and structure and human behaviour. Renn (2010:3) referred to this as dealing with both the physical and social dimensions of risk in order 'to avoid the naive realism of risk as a purely objective category, as well as the relativistic perspective of making all risk judgments subjective reflections of power and interests'.

Kutsch and Hall (2010: 245) saw a further problem as one of ignoring the input to risk analysis; 'the precise nature of the input does not seem to have been explored adequately in previous research'. Traditionally, risk management techniques have focused on techniques and outputs rather than inputs. The question arises to what extent inputs are identified and processed to determine risk outputs, especially when there is 'a deliberate inattention of risk actors to risk'. The authors found that deliberate ignorance of risk events by stakeholders has not attracted the attention of project managers. Attention towards the relevance of risk information may therefore be determined by organisational rather than project management culture.

Conclusion

This chapter indicated the complexity of the project risk concept. In its simplest form, project risk is uncertainty inherent in future events or conditions. These events/conditions arise from many sources and are determined by human perception. Humans in turn rely on information about the future which can range from complete, creating certainty, to incomplete, creating uncertainty. Perceptions are influences by a range of factors including how the person judges the risk/rewards equation, and vary between being issue-driven, adopting a customer view or seeking risk efficiency. The issues associated with each project risk event or condition need to be understood so that risk triggers are recognised and probabilities and consequences are determined. Finally, the organisation has to determine and publish its project risks appetite and tolerance levels to provide guidance to risk behaviour.

Checklist: Understanding the Concepts of Risk Appetite and Risk Tolerance

• Are the concepts of risk appetite and tolerance used interchangeably or separately?

• Is the definition of risk appetite known?

• Are the factors that determine risk appetite known?

• Is a distinction made between the risk utility and risk preference?

• Is it accepted that risk appetite is not static?

• Are the different attitudes to risk, ranging from risk averse to risk seeking, identified?

• Is the definition of risk tolerance known?

• Is the relationship between risk appetite and tolerance understood?

• Is there a preference for having 'lines in the sand' rather than fixed limits for risk tolerance?

• Does the corporate governance style impact on the attitude to risk appetite and tolerance?

• Does PRG consider project risk appetites and tolerances?

• Do organisational risk appetites and tolerances support the objectives of project risk value-protecting and value-creating strategies?

• Do the risk appetites and tolerances of the project team align with those of the organisation?