Risk tolerance can be visualized as a curve. Above the curve represents a combination of high probability and a potential negative impact that will prevent the team from accepting the risk. Below the curve, the risk is deemed acceptable. Outside of a few psychologically damaged individuals, everyone has a risk curve (whether they know it or not). On a team, everyone’s natural risk tolerance differs. Complicating the discussion is that risk tolerance changes depending on context the person or team faces. For example, at one point in my life riding my bike down a hill at top speed to see if I could slalom stop at the bottom was an acceptable risk. I have the scars to prove I was that silly. Thinking back, I am not sure why I am alive today. My risk tolerance is different now. While reminiscing about my unsafe days as a seven-year-old is fun, what is more important is to recognize that the same lesson can be applied to teams and in organizations. This leads us to the conclusion that we must talk about risk tolerance.
Knowing and being able to predict a team’s risk tolerance is important. For example, a few years ago I was asked to assess a team that had operated like clockwork for several years delivering superb value and quality work. However recently their quality had been questionable (their clients were finding significant defects in production). There had been no significant personnel changes, nor was the type of work that they were doing significantly different. In the end, we determined that someone up the hierarchy had decided to remove quality from the team’s objectives (therefore how raises and promotions would be assessed) and doubled down on making dates and meeting budgets. The change had the unintended consequence of changing the team’s risk tolerance curve. On the surface at least, taking chances that might impact quality became less risky to the team, therefore more easy to change.
Two relatively simple ways to approach a discussion of risk tolerance are:
- Every team and project has an implicit risk tolerance curve; some risks are acceptable and some are not. Shifting team or organization’s risk tolerance from implicit to explicit requires explicit discussion. In the project environment, the simplest approach is to hold an explicit discussion of risk. Specifically, ask participants to achieve consensus on whether examples of risks should be accepted or not. It is powerful for the examples to be risks that have been recognized by the team and organization in the past, peppered with a few examples that are possible but more external to the team. The discussion will tend to touch on probability and potential impact and expose the participant’s perception of the risk. The team must end by agreeing on whether the team would accept or not accept the risk (accept can include taking on mitigation tasks). While an explicit risk tolerance curve is not generated, the team will develop a clearer understanding of which risks it will tolerate and which it will not. The examples also provide a set of analogies that can be used to assess risks as there are recognized. A handy set of analogies is EXTREMELY useful for every team member (Using analogies is a form of pattern recognition which is a cognitive bias).
- A more quantitative approach to quantify risk uses a approach popularized by Michael Lant (any other quantitative scheme can be used), which assess each risk based on impact and probability to determine just how risky the risk is. Lant’s model equates a low impact/low probability to a 1, and the highest probability/highest impact to 25. Based on the quantification, the team can quickly develop a consensus that any combination of impact and risk above a certain number can’t be accepted by the team. In essence, the team says that up to a certain point they can mitigate or deal with a potential risk, but after that someone outside the team needs to own or indemnify the team from the potential that the risk turns into an issue or they can’t go forward. The quantification provides a proxy for the line in the risk tolerance curve, and the rated risks can be used as a set of analogies for team members to do a real-time triage of newly discovered risks.
Both of these approaches represent a mechanism to have an explicit and structured discussion of risk tolerance. Both approaches have an advantage over less structured approaches because they generate group knowledge and memory and artifacts that can be used to aid in using the team’s consensus and as a tool to reinforce that memory.