2.3 Risk Appetite, Thresholds & Governance

Appetite vs tolerance vs threshold

These three terms are among the most heavily tested on PMI-RMP, and candidates routinely mix them up. They form a hierarchy from broad strategy to a precise number.

Think of it as: appetite is the philosophy, tolerance is the band, and threshold is the line.

Two related terms round out the picture. Risk capacity is the maximum risk the organization can actually absorb before it is endangered — appetite should sit below capacity. Risk attitude is a stakeholder's disposition toward uncertainty (risk-seeking, neutral, or averse), shaped by appetite, tolerance, threshold, and perception. Reconciling differing stakeholder attitudes into one agreed set of project criteria is a core duty of the risk professional.

Setting measurable thresholds

A threshold is only useful if it is measurable and objective. "Don't take too much risk" cannot trigger anything; "escalate any risk with EMV exposure above $50,000" or "act if cost variance exceeds 8%" can.

Thresholds operationalize appetite and tolerance. The risk professional derives them from the organization's stated appetite, the sponsor's tolerance, and the project's objectives, then records them in the Risk Management Plan. When a metric crosses a threshold, it forces a defined response — analyze, respond, or escalate — removing subjective judgment from the moment of action.

Good thresholds are tied to objectives the project actually tracks: cost variance, schedule float, defect rates, or aggregated risk exposure. Setting them too tight floods governance with escalations; too loose, and serious risks pass unnoticed. The risk professional calibrates thresholds with the sponsor so they fire at genuinely significant moments and align upward with enterprise limits.

Risk governance

Risk governance is the framework of policies, roles, and decision rights that directs how risk is managed and keeps the project aligned with enterprise risk management (ERM). It ensures a project does not accept risks the wider organization would reject, and that significant risks reach the right decision-makers.

Governance elements include the organization's risk policy, defined accountabilities, reporting cadence, and escalation paths. Aligning to ERM means project thresholds inherit from corporate appetite, and escalated risks flow into program, portfolio, or enterprise registers rather than dying inside the project.

Governance also shapes risk culture — the shared values and behaviors that determine whether people surface bad news early or hide it. A healthy culture treats raised risks as good practice, not blame, which is essential because the best register is worthless if stakeholders conceal exposure. The risk professional actively fosters this openness.

RACI for risk and escalation

A risk RACI clarifies who is Responsible, Accountable, Consulted, and Informed for each risk activity. It prevents the gap where everyone assumes someone else owns a risk.

Escalation paths define where a risk goes when it exceeds the project's authority or threshold. A risk that is strategic, cross-project, or beyond the project's mandate is escalated to program or portfolio governance. Escalation is both a governance mechanism and a formal response strategy: once escalated and accepted at the higher level, the risk leaves the project's active register and is monitored elsewhere.

A subtle exam point: escalation only succeeds once the higher level accepts ownership. Until then the project still tracks the risk. And escalation is not a way to dodge a risk you simply find hard — it is reserved for risks whose response genuinely lies outside the project's authority, such as an enterprise-wide regulatory change affecting many projects at once.

Defining risk roles

PMI distinguishes several risk roles, and questions frequently test who does what:

• Risk owner — the person accountable for monitoring a specific risk and ensuring its response is effective. One owner per risk.
• Risk action owner — the person who carries out a specific assigned response action. The owner oversees; the action owner executes.
• Sponsor — provides the project's risk authority, owns escalated risks and the management reserve, and reconciles appetite with enterprise expectations.

Keeping owner versus action owner straight is a recurring trap: accountability for the risk stays with the owner even when several action owners execute the response steps. One risk has exactly one owner; it may have many action owners. The project manager integrates the whole effort but is not automatically the owner of every risk — ownership is assigned to the person best placed to monitor and control each one, which is often a subject-matter lead rather than the PM.

These roles connect back to governance: the RACI maps each role to each activity, escalation paths define where the sponsor steps in, and aligning to enterprise risk management ensures the sponsor's authority and the management reserve reflect organizational appetite rather than the project's own preferences.