If someone asked you to explain the difference between risk appetite, risk tolerance, and risk threshold—could you do it confidently?
If you hesitated, you’re not alone.
These three terms consistently confuse PMP® and PMI-RMP® candidates, not because they’re difficult, but because they sound similar and all deal with “how much risk is acceptable.” The problem is that PMI doesn’t treat them as interchangeable at all.
In fact, these concepts:
Operate at different organizational levels
Serve different decision-making purposes
And are tested explicitly on PMI exams
In this article, you’ll learn:
Clear definitions of risk appetite, risk tolerance, and risk threshold
How they cascade from the boardroom to the project
A simple memory framework so you never confuse them again
Exactly how PMI expects you to apply them on the exam
The Big Picture: How Risk Decisions Flow Through an Organization
Before diving into definitions, you need to understand one critical insight:
Risk appetite, risk tolerance, and risk thresholds form a hierarchy.
They flow from organizational strategy down to project execution.
Think of it like this:
Risk appetite sets the organization’s attitude toward risk
Risk tolerance defines how much deviation the organization can absorb
Risk thresholds establish the specific triggers that tell project managers when to act or escalate
Together, these three elements define an organization’s overall risk capacity.
This hierarchy is foundational to how PMI expects risk to be governed.
What is Risk Appetite?
Risk appetite is the degree of uncertainty an organization is willing to accept in pursuit of its objectives.
This definition aligns closely with language used by the Project Management Institute and appears in PMI’s standards and exam content.
Key Characteristics of Risk Appetite:
Set at the organizational or executive level
Defined by senior leadership or the board
Expressed qualitatively, not numerically
Relatively stable across projects
Risk appetite answers one core question:
How much risk are we willing to take as an organization to achieve our strategic goals?
Examples of Risk Appetite:
A venture capital firm has a high risk appetite, accepting frequent failures in exchange for breakthrough returns.
A nuclear power plant has an extremely low risk appetite, because the consequences of failure are catastrophic.
A pharmaceutical company may have:
High appetite for research and development risk
Zero appetite for manufacturing contamination risk
This illustrates an important nuance: one organization can have different risk appetites for different risk categories.
What is Risk Tolerance?
Risk tolerance is the acceptable variation around objectives that an organization is willing to withstand without compromising strategic goals.
If appetite is the attitude, tolerance defines the limits of deviation.
Key Characteristics of Risk Tolerance:
Set at the program or portfolio level
More quantifiable than appetite
Often expressed as ranges or percentages
Can vary by stakeholder or risk category
Risk tolerance answers the question:
How much deviation from our objectives can we absorb before it becomes unacceptable?
Examples of Risk Tolerance:
A program can tolerate up to a 15% cost overrun before other initiatives are impacted
A product launch can tolerate a three-month delay before missing a market window
A brand can tolerate a 2% defect rate before customer satisfaction declines
⚠️ Exam Tip:
Different stakeholders often have different tolerances. A sponsor may have:
Low tolerance for budget variance
High tolerance for schedule delays
PMI expects you to identify and manage these differences during stakeholder analysis.
What is Risk Threshold?
Risk thresholds are the specific, measurable levels of risk exposure that trigger a defined response or escalation.
This is where risk management becomes actionable.
Characteristics of Risk Threshold:
Set at the project level
Directly informed by risk appetite and risk tolerance
Typically quantitative
Documented in the risk management plan
Risk thresholds answer one critical question:
At what point must we act or escalate?
Examples of Risk Thresholds:
If EMV exceeds $50,000, sponsor approval is required
If the critical path slips by more than 10 working days, escalate to the steering committee
If contingency reserve usage reaches 60%, perform a formal risk reassessment
These thresholds remove ambiguity. They tell the project manager exactly when action is required.
How These Concepts Work Together
Imagine a construction company building a hospital.
Organizational Level – Risk Appetite
“We are a conservative organization that prioritizes safety and quality over aggressive timelines. We will not pursue contracts that compromise safety standards.”
Program Level – Risk Tolerance
Up to 10% cost overrun is acceptable
Up to six months of schedule delay is acceptable
Zero tolerance for safety incidents resulting in lost-time injuries
Project Level – Risk Thresholds
Any risk with EMV greater than $100,000 must be escalated to the program manager
Any near-miss safety incident triggers an immediate stand-down and review
This shows how:
Strategic philosophy becomes quantified boundaries
Boundaries become operational triggers
That cascade is exactly what PMI wants you to understand.
The ATT Memory Framework (So You Never Mix These Up)
Use this simple acronym to lock the concepts in place:
ATT
A – Appetite: Organizational attitude toward risk
T – Tolerance: Acceptable variation around objectives
T – Thresholds: Action triggers that require response or escalation
Attitude → Tolerance → Triggers
If you remember nothing else, remember that order.
How PMI Tests These Concepts
On the PMP® Exam
You are tested at a working knowledge level:
Recognizing that organizational appetite influences project decisions
Identifying stakeholder tolerances during analysis
Knowing that thresholds are documented in the risk management plan
On the PMI-RMP® Exam
Expect deeper application:
Clearly differentiating all three concepts
Using appetite and tolerance as inputs to risk planning
Defining thresholds used in qualitative and quantitative risk analysis
Selecting risk responses based on stakeholder tolerances
Key Takeaways
Risk appetite defines how much risk an organization is willing to take
Risk tolerance defines how much deviation it can absorb
Risk thresholds define when action or escalation is required
They are not interchangeable.
They form a hierarchy.
And PMI expects you to understand how they work together.
Use ATT — Attitude, Tolerance, Triggers — and these concepts will stay clear on exam day and beyond.
About 44Risk PM, LLC
This analysis was prepared by 44Risk PM LLC, specializing in PMI-RMP® and PMP® certification training with a focus on practical, real-world risk management.
Contact:
Russ Parker
PMP®, PMI-RMP®, PMI-ACP®
PMI-ATP Instructor – PMP® & PMI-RMP®
Owner, Forty-Four Risk PM, LLC
An Approved PMI-Authorized Training Partner
“Stay Proactive Over Reactive”
“The PMI-Authorized Training Partner seal, PMP®, PMI-RMP®, and PMI-ACP® are registered marks of the Project Management Institute, Inc.”