New project managers and young professionals often struggle with the concept of risk appetite and how it impacts decision making. The long answer is that risk appetite is real and has been included in the works of decision analysis academics and gurus over the past fifty years.
The shorter and more practical answer is that risk appetite exists in every organization, but it is more implicit than explicitly expressed. Context (timing and where you sit) greatly impacts risk appetite.
My appetite is often driven by what I ate recently, who else is sharing the meal, and who is doing the cooking. But then, some days I want chicken and some days I want steak.
Risk Defined
Colloquially and according to most dictionaries, risk is defined as “the possibility of loss or injury; peril” (Merriam-Webster).
Risk management professionals and project managers more elegantly define risk as “the effect of uncertainty on objectives” (ISO 31000 and the Project Management Institute). The notes to the definition go on to expand that an effect is a deviation from the expected and that objectives can have different aspects and categories. Plus, objectives can be applied at different levels. Oh yeah, risk can be positive, negative, or both.
Getting back to plain talk, risk is a surprise that depends on where you sit. "Deviation" and "where you sit" have practical implications for risk appetite.
Definition Risk Appetite
Dictionaries define appetite as “a taste or preference.”
ISO 31010 defines risk appetite as “criteria for deciding whether risk can be accepted” (Section 6.1.6.2). Criteria for defining the nature and extent of risk that can be accepted in pursuit of objectives, sometimes referred to as risk appetite, can be defined by specifying a technique to determine the magnitude of risk, or a parameter related to risk, together with a limit beyond which risk becomes unacceptable. The limit set for unacceptable adverse risk can depend on potential rewards.
The standard says risk acceptability can also be defined by specifying the acceptable variation in specific performance measures linked to objectives. Different criteria might be specified according to the type of consequence. For example, an organization's criteria for accepting financial risk may differ from those defined for risk to human life.
Risk appetite boils down to a criterion someone chooses based on circumstances and where you sit in the organization.
Risk Appetite is Out of Style
The whole risk appetite definition is gone from ISO 31001-2018, probably because risk appetite is a little out of style these days in the risk management community. ISO 31001-2009 included the topic. Its definition of risk attitude, "an organization's approach to assess and eventually pursue, retain, take or turn away from risk," is similar to PMI's current definition of risk appetite.
The Project Management Institute defines risk appetite as “the degree of uncertainty an entity is willing to take on, in anticipation of a reward (PMBOK Guide— Fifth Edition).
Risk is Missing a Time Element
The fact that the definition of risk lacks a time element (that we must consider and define) is typically overlooked.
Those who believe there should be a singular risk appetite for any organization are confounded like those who seek to reduce risk into a single, quantitative, calculus-based function. Functions do exist to describe behavior over any period of time; however, in human behavior, the freedom of choice provides many functions that we can choose to enable given the context.
Decision makers do not use a single function over time. Instead, decision makers use one function in the morning, maybe a different one in the afternoon, and perhaps a different function tomorrow. It depends on the context, and the choice of function is not independent but rather highly dependent on other simultaneously-occurring events.
In other words, context matters as multiple options and uncertainties crisscross before us at any one point in time. The portfolio of projects impacts how we evaluate a single project at any point in time, just as the organizational culture is often impacted by the business climate of the day, month, or year.
Once again, it matters where you sit.
Risk Appetite Exists
Risk appetite does exist. The better question is whether we can explicitly express risk appetite in a formal, written statement (i.e., is there a singular mathematical function?). We can, but it will not mean much daily or monthly to project managers working on singular projects.
Yet few people, if any, are risk-averse or risk seeking. Most turn out to practice both, but in different domains, like the carefree chain smoker who is concerned about getting cancer from genetically modified corn. Risk aversion is not a general trait, but domain-specific. The social limitation of fear explains that there is a specific pattern of socially acquired risk that individuals are willing to take or anxious to avoid. – Gerd Gigerenzer, Risk Savvy (2014)
The reality is that an organization’s risk appetite is implicitly expressed all around us in the form of documented processes, procedures, standards, contracts, performance measures, and communications. When it comes to risk appetite, the elements that are not in place are as indicative as the elements that are in place.
How Does This Help Me?
For young professionals and new project managers, realize that risk appetite does exist in every organization. Avoid being confused by risk management and project management expert that engage in mental masturbation on the theories.
The implicit elements of an organization’s risk appetite are more important than the explicit ones. Decisions concerning one project or aspect of a project may be frustrating, but no decision is independent of its context and the other projects within the portfolio. Risk appetite is a social and personal construction.
Effective communication is the single most important aspect. It always is.
Can understanding risk appetite help a project manager's career? You bet it can! And by the way, what are we eating for lunch today?
JD Solomon, Inc provides services at the nexus of facilities, infrastructure, and the environment. Contact us for more information on making reliability, risk, resilience, and asset management more operational for your organization.
Comments