A risk is the potential or exposure to danger, harm or loss. The concept of risk is understandable to everyone involved in delivering work, at least at a basic level. We understand that “stuff” can happen when we least expect it to happen, in a project or in our individual lives. The question is whether any specific risk or the accumulation of risks is worth taking action to avoid. Which risks are perceived to be so daunting that they need to be actively avoided is based on personal and organizational perspectives and biases. The technical term for this behavior is risk tolerance. In response to Internal and External Risk, Matt Williams commented:
“An important step that I think often gets overlooked is the act of defining a risk tolerance. While many teams (or organizations) may have an intuitive sense of their risk tolerance, I think it’s helpful to have an explicit, conscious discussion about risk tolerance.”
We can define risk tolerance in simple terms as how much value we are willing to lose if a risk materializes. The impact of a risk materializing and becoming an issue can range from rework, a reduction in returns or a shift in positive perceptions to a compliance failure. A reflection of risk tolerance in the financial markets is the difference between the rate of return for one financial instrument (e.g. stocks, bonds, and others) and that of another (such as a treasury bond). In finance, the higher the risk, the higher the return required to compensate for it.
If risk tolerance is important for the governance of software development and maintenance projects, we need a mechanism to define tolerable and intolerable risks before we decide how to ROAM risks. Assessing risk tolerance is an evaluation of the willingness to take on risks and of how much “exposure” to threats from outside the company is acceptable.
In a further comment Mr. Williams went on:
“I think risk tolerance is very context-specific. It depends in part on the organization – its size, culture, mission, etc. – in part on the project and its specific nature, and in part on the nature of the risk itself.”
Every person and organization has a different level of risk tolerance. We can visualize risk tolerance in a chart as a curve. Risk tolerance is a balance between the probability that a risk occurs and the impact that will be realized if it does occur. In most software development and maintenance efforts, defining the risk/tolerance curve is an implicit rather than an explicit act. The issue is that a team’s or organization’s level of risk tolerance will cause different behaviors. Risk avoiders, teams or organizations that fear the impact of risks, will tend to do more research or analysis before committing to a direction. Risk takers tend to try approaches and then pivot if needed.
Risk tolerance affects how everyone in an organization behaves. Rarely, however, does everyone in an organization have the same tolerance towards risk. Defining, or at least developing an understanding of, a team’s risk tolerance isn’t merely an academic discussion. Differences in risk tolerance can generate tensions and risks of their own; therefore, at the very least, teams need, in the words of Mr. Williams, to “have an explicit, conscious discussion.”
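The following is an added example, not code from the original post, that makes the preceding ideas concrete: a small risk register in which tolerance is expressed as the post defines it, the amount of value a team is willing to lose. Each risk carries a probability and an impact (assumed here to be in the same unit as the tolerance, e.g. dollars of value at risk), expected loss is probability times impact, and the tolerance curve is simplified to a flat per-risk threshold plus a total threshold for the accumulation of risks. The register values and the two tolerance profiles are constructed, hypothetical numbers; the point is that a risk-averse and a risk-taking team classify the same register differently, which is the “different behaviors” the post describes.

```python
"""Risk register assessed against an explicit risk tolerance (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    """A single entry in the risk register."""
    name: str
    probability: float  # chance the risk materializes, 0.0 to 1.0
    impact: float       # value lost if it does, in the same unit as the tolerance

    def expected_loss(self) -> float:
        """Probability-weighted loss: the number compared against the tolerance."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        if self.impact < 0:
            raise ValueError(f"{self.name}: impact must be non-negative")
        return self.probability * self.impact


@dataclass(frozen=True)
class Tolerance:
    """How much value a team is willing to lose (assumed units match Risk.impact)."""
    per_risk: float  # largest expected loss accepted from any single risk
    total: float     # largest accumulated expected loss accepted across the register


def classify(risk: Risk, tolerance: Tolerance) -> str:
    """Label one risk; a flat threshold stands in for the tolerance curve here."""
    return "intolerable" if risk.expected_loss() > tolerance.per_risk else "tolerable"


def assess(register: List[Risk], tolerance: Tolerance) -> Dict:
    """Apply a tolerance to the whole register, including the accumulation of risks."""
    ranked = sorted(register, key=lambda r: r.expected_loss(), reverse=True)
    accumulated = sum(r.expected_loss() for r in register)
    return {
        "intolerable": [r.name for r in ranked if classify(r, tolerance) == "intolerable"],
        "tolerable": [r.name for r in ranked if classify(r, tolerance) == "tolerable"],
        "accumulated_expected_loss": accumulated,
        "register_intolerable": accumulated > tolerance.total,
    }


# Constructed sample register (hypothetical values, not from the post).
REGISTER = [
    Risk("unpatched vendor library", probability=0.30, impact=50_000),
    Risk("key developer leaves", probability=0.10, impact=80_000),
    Risk("cloud region outage", probability=0.02, impact=200_000),
    Risk("scope creep", probability=0.60, impact=10_000),
]

# Two teams looking at the same register with different (constructed) tolerances.
RISK_AVERSE = Tolerance(per_risk=5_000, total=20_000)
RISK_TAKING = Tolerance(per_risk=10_000, total=40_000)

if __name__ == "__main__":
    for label, tol in (("risk-averse", RISK_AVERSE), ("risk-taking", RISK_TAKING)):
        result = assess(REGISTER, tol)
        print(f"{label}: intolerable={result['intolerable']}, "
              f"accumulated={result['accumulated_expected_loss']:.0f}, "
              f"register over total tolerance={result['register_intolerable']}")
```

Run as a script, the risk-averse profile flags three of the four risks and the register as a whole, while the risk-taking profile flags only the largest single risk; the intolerable list is the input to the ROAM decision the post mentions, which this example deliberately leaves to the team.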