The Influence of Risk Tolerance on Risk Response Strategies

In a prior post on selecting means of communication, I quoted Master Kan, from the pilot to the early 1970’s television series, Kung Fu:

Avoid, rather than check. Check, rather than hurt. Hurt, rather than maim. Maim, rather than kill. For all life is precious, nor can any be replaced.

We should adopt a similar rubric for selecting risk response strategies:

Avoid, rather than transfer. Transfer, rather than mitigate. Mitigate, rather than accept. For all risk response strategies have both a cost and a residual risk.

Selecting Risk Response Strategies

I bring this up because I see so many organizations and managers choose to mitigate or accept risks that they could otherwise avoid or transfer. Avoiding a risk usually results in an opportunity cost, or at least deferring the benefit, but it tends to result in the least residual risk. For example: responding to a schedule risk by removing some element from scope avoids the risk, at the opportunity cost of not having the capability provided by that element. Transfer and Mitigate responses usually have at least somewhat predictable direct costs while retaining some residual risk. Accepting a risk means it’s all residual, and acceptance can have a complex mix of direct and opportunity costs.

In some cases, it’s about the perceived cost of the safer responses. But I see it happen most often in organizations following a merger or acquisition, where they haven’t reached an end state in their evolving culture. Perhaps one of the predecessor firms had a greater appetite for risk; perhaps middle management has internalized the acquisition itself as a willingness to take on significant risk. Or maybe their appetite for certain types of risks is higher than that of their new colleagues.

A few years ago, I worked with a customer that was being acquired by a much larger firm. They had initiated a project for the express purpose of reducing the chance of being found in non-compliance with a legal requirement, although they had relatively little exposure. The cost of the project far outweighed the potential cost of being found in non-compliance, or of making improvements to their existing manual process. But the decision-maker felt that the non-compliance risk absolutely had to be mitigated. That said, the project itself was very risky, in terms of schedule and quality. It was kicked off late, the vendor provided a relatively inexperienced team member in a key role, and there was no internal consensus on what business rules should be embedded in the process. In the end, a senior manager in the acquiring firm killed the project. Their view of the bundle of risks was quite different, and they decided to accept what they viewed as a relatively low-cost, low-impact risk, rather than take on all of that residual risk.

Gauging Appetite for Risk

It is extremely difficult to measure risk tolerance, or even to describe it in meaningful terms. In an interview, I once asked a PMO director about their organizational risk tolerance. He admitted that the question had never been asked before, and struggled to answer in a way that would be actionable for a contract project manager. Plainly, no organization is willing to admit that they have little appetite for risk, although few can express what level of risk they find acceptable. But in order to suggest risk response strategies, the team will benefit from an understanding of how the organization views their choices. So, let me propose a few interview questions that might start the process of gauging appetite for risk:

  • Are you willing to replace an established vendor with an acceptable level of performance in order to reduce costs? While the new vendor might have a lower price, any transition will have a learning curve and lower quality. If this is an acceptable trade-off, then they should be seen as having a somewhat higher appetite for risk.
  • Are you willing to accept higher retention risk after an implementation project is completed, in order to avoid the costs of augmenting your staff with temporary workers? Most projects that replace a legacy system provide a platform for team members to gain new skills and experience, and it is common for some folks to seek out greener pastures. If cost avoidance matters more than staff retention,  then that tells you a bit about what risks they are willing to accept.
  • Are you willing to accept higher quality risk, in order to finish on schedule? If the project does not have an immovable finish-by date, follow up with questions on what drives this response.
  • Are you willing to defer some deliverables in order to reduce schedule risk? The answer can lead to some interesting discussions on perceived benefits of the project deliverables.
  • Are you willing to add administrative complexity, in order to reduce implementation risk? Again, this speaks to the trade-off between quality and cost.

While this list is not particularly comprehensive, I think it will provide some insight into the organization’s appetite for risk. Or at the very least, their tolerance as it applies to the proposed project. If you have some additional interview questions you’d like to add to this short list, please leave a comment.

Risk Response Strategies: Transfer and Avoid

As I’ve noted in other posts, a risk is an uncertainty that matters. Some event has a significant probability of occurring, and there will be a significant consequence if it does. A risk represents a threat, and a wise project team endeavors to identify project threats and analyze them so that the probability of occurrence can be reduced or the cost of the consequences reduced. Or both.

Consider the following proverb:

“The early bird gets the worm, but the second mouse gets the cheese.” — David Jakovac

Mr. Jakovac is correct only if the cheese is in a trap; otherwise, the Second Mouse goes hungry while the First Mouse eats his dinner. Thus, the Wise Mouse looks at the context, seeking potential threats and assessing her exposure to them. If the cheese is indeed in a trap, waiting to be triggered, then she has four potential risk management strategies to consider:

  • Mitigate – try to either trigger the trap from a safe distance or find a way to survive the snap
  • Accept – in effect, volunteer to be the First Mouse
  • Transfer – recruit a First Mouse (or possibly a whole tribe of mice)
  • Avoid – look for another food source

After considering the technical limits of the alternatives available for mitigation (little chance of reducing the probability of occurrence) and the fatal consequences of triggering the snap (little ability to reduce the cost of the event), the Wise Mouse will abandon the first two strategies as unworkable. At this point, Ms. Mouse needs to consider the economics of the Transfer and Avoid strategies.


Crappy BumperGenerally, a risk is transferred using one of two mechanisms: pooling and delegating. In pooling, a number of parties at risk contribute funds to finance recovery from an event experienced by a member of the pool. If that sounds like an insurance policy, it is. Surety bonds are also a form of risk transfer, commonly used to absorb the impact of non-performance. Currency exchange rates can be a risk, and appropriate financial derivatives are used to partially absorb a loss. In most cases, pooling is about reducing the financial impact of an event, at some initial fixed cost.

The Wise Mouse is considering a delegation strategy. Delegation can take many forms—from sub-contracting to an experienced performing agency to engaging a contingent worker. Crowd-sourcing is a delegation strategy, as is the use of open-source software. Delegation to someone with more expertise is intended to reduce the likelihood of the event, again at some cost. Other times, as in the case of the recruited First Mouse, delegation is about transferring the consequences. Note that some residual risk will usually be present; in other words, some of the consequences will be borne by the Wise Mouse, possibly at the hands of the First Mouse’s mourners.


We avoid a risk by accepting the opportunity cost of not doing something. In projects, this can range from taking something out of scope to making adjustments to the project delivery schedule. Depending on the goals of the project and the nature of the risk, we may determine that the remaining value of all-but-this-one-thing still exceeds the adjusted cost, and we may proceed without it.

Of course, if the value no longer exceeds the cost, it may be better to abandon the project. The Wise Mouse is considering exactly that approach.

Certainty is for People With No Imagination

Eats, Won’t Leave, So Shoot!

Leadership requires a willingness to make decisions under conditions of uncertainty. To be certain, you must believe that you have perfect knowledge of the circumstances and absolute control over the outcome. It also requires you to have absolutely no imagination; “Nothing will go wrong.”  These people often go on to win Darwin Awards. The rest of us acknowledge the limits of our understanding and control. We have horrible dreams, and yell at the heroine in the horror film to turn on the damned lights when you enter the room! We often live long enough to reproduce, or at least have roles in the sequel.

Risk management is about improving the quality of decisions made under conditions of uncertainty. It is unrealistic to demand certainty before taking action and foolish to assume that all will go well, simply because you need it to. Identifying and analyzing risks may help reduce uncertainty to acceptable levels, or it may lead to cancellation of a doomed project. In either case, the analysis of the risk and alternative strategies allows a rational basis for decision making.

Now You Can Follow My Sources of PM Content


I got a nice EMail from Immánuel Fodor in Budapest this morning. Immánuel has been following my weekly round-up via the RSS feed on my blog for years. Now that I’m no longer posting the round-up, I’d like to share the list of RSS feeds that I used for all these years. I’ve downloaded the OPML file from Feedly and posted it for upload, below. If you have your own Feedly account set up, or you use another RSS reader, you should be able to import this list. You might want to review and prune the ones you aren’t interested in, since this list generates well over 600 links a week.

If you also have a deep and abiding interest in project management (and no social life or cable TV connection), I would encourage you to curate a list of content, at least occasionally, and share it with the project management community.