Quick Answer

Risk tolerance is the degree of uncertainty a project stakeholder or organisation is willing to accept in pursuit of project objectives. In PMP and PMBOK terminology, it sits alongside risk appetite (overall willingness to pursue risk) and risk threshold (the measurable point at which a risk becomes unacceptable). On the PMP exam, you need to distinguish all three terms, understand how tolerance is identified from stakeholders, and know how it shapes every risk response decision — from how conservative your contingency reserve is to which response strategy you choose.

  • 3: related PMBOK terms (appetite, tolerance, threshold)
  • Plan RMP: risk tolerance is defined in the Risk Management Plan
  • 4 types: cost, schedule, scope and quality tolerance dimensions
  • Exam tested: appears regularly in PMP scenario questions

Two project managers are briefed on the same risk: a 30% chance the primary vendor will deliver 3 weeks late. One immediately escalates to the sponsor and triggers a contingency plan. The other logs it in the register and schedules a check-in with the vendor in two weeks. Both are correct — for their respective projects and organisations. The difference is risk tolerance.

Risk tolerance is not a vague concept. In PMBOK, it is a specific, definable characteristic of the organisation, sponsor, and stakeholders that must be identified, documented and used to drive every risk management decision. Get it wrong — or leave it undefined — and your risk management plan will either over-respond to minor risks (wasting budget and credibility) or under-respond to serious ones (destroying project outcomes).

This guide covers exactly what risk tolerance means in PMP, how it differs from risk appetite and risk threshold, how to identify it from stakeholders, and how it should directly shape your risk response strategies.

📌 Where this fits in PMBOK: Risk tolerance is defined as part of the Plan Risk Management process and referenced throughout all seven risk management processes. It is documented in the Risk Management Plan — the output of Plan Risk Management — alongside the probability and impact scales, risk categories, reporting formats and roles. It directly influences qualitative scoring thresholds, quantitative contingency reserves and which response strategies are considered proportionate. For the complete risk process, see the full Risk Management guide.

01 — Definitions

Risk Tolerance vs Risk Appetite vs Risk Threshold — The Three PMBOK Terms

These three terms are often used interchangeably outside formal PM contexts, but PMBOK defines them precisely and distinctly. The PMP exam regularly tests whether candidates understand the difference. Here is what each means and how they relate to each other.

🎯 Risk Appetite

Definition: The general degree of uncertainty an entity is willing to take on in anticipation of a reward.

Risk appetite is a strategic, high-level stance — it describes the organisation's overall attitude to risk-taking. A startup has high risk appetite; a nuclear plant operator has very low risk appetite.

Example: "Our organisation is willing to accept moderate schedule risk to achieve aggressive market entry targets."

⚖️ Risk Tolerance

Definition: The specific amount of risk exposure a stakeholder or organisation is willing to accept on a particular project or objective.

Tolerance is more specific than appetite — it applies to individual project objectives (cost, schedule, scope, quality) and to individual stakeholders, not just the organisation.

Example: "The sponsor will accept up to a 2-week schedule slip but has zero tolerance for scope reduction."

🚨 Risk Threshold

Definition: The measurable level of risk exposure above which action must be taken and below which the organisation accepts the risk.

Threshold translates the qualitative concept of tolerance into a specific, actionable trigger. It is the line on the probability-impact matrix above which a risk becomes High priority.

Example: "Any risk with a cost impact exceeding £25,000 must be escalated to the sponsor immediately."

🔗 How They Connect

Think of them as a hierarchy:

  • Appetite is the strategic posture — "how much risk do we like?"
  • Tolerance is the project-level boundary — "how much can we absorb on this objective?"
  • Threshold is the operational trigger — "at what exact point do we act?"

Appetite → sets → Tolerance → is measured by → Threshold.

🎓 PMP exam tip: If a question describes a stakeholder saying "we cannot afford to go over budget by more than 5%" — that is a risk threshold, not just a tolerance. If it says "the sponsor is comfortable with some schedule risk" — that is risk appetite. If it says "the team can absorb up to a 3-week delay on Phase 2" — that is risk tolerance for a specific project objective. The distinction matters in scenario questions. For comprehensive PMP scenario practice, see 200 free PMP practice questions.

02 — Four Dimensions

The Four Dimensions of Risk Tolerance in Project Management

Risk tolerance is not a single number — it applies separately to each of the four primary project objectives. A sponsor may have high tolerance for schedule risk but near-zero tolerance for budget overruns. A regulatory body may have zero tolerance for quality compromises but significant flexibility on delivery dates. A complete risk management plan documents tolerance across all four dimensions.

| Dimension | What it means | Low Tolerance Example | High Tolerance Example | How it shapes responses |
|---|---|---|---|---|
| Cost | Willingness to absorb budget overruns | Fixed-price contract — any overrun comes from PM's budget | Cost-reimbursable contract — client absorbs overruns | Low cost tolerance → higher contingency reserve, more mitigation on cost risks |
| Schedule | Willingness to absorb deadline slippage | Regulatory submission with fixed statutory deadline | Internal process improvement with flexible target date | Low schedule tolerance → schedule compression strategies, crashing budget approved upfront |
| Scope | Willingness to reduce or change deliverables | Clinical trial — all protocol steps are mandatory | MVP software build — features can be descoped to release on time | Low scope tolerance → scope risks escalated quickly, change control rigidly enforced |
| Quality | Willingness to accept defects or reduced quality standards | Safety-critical system — zero defect tolerance | Internal reporting tool — minor bugs acceptable at launch | Low quality tolerance → more testing cycles, higher quality assurance budget |

⚠️ Tolerance varies by stakeholder — not just by project. The sponsor, the PMO, the client and the delivery team often have different risk tolerances for the same objective. A client may have zero cost tolerance (they have a fixed budget). The PM's organisation may have moderate cost tolerance (willing to absorb small overruns to retain the client relationship). Document each key stakeholder's tolerance separately in the Risk Management Plan and identify whose tolerance is binding when they conflict. Usually the sponsor's and client's tolerances set the operational thresholds.

03 — Identification

How to Identify Risk Tolerance β€” Practical Techniques

Risk tolerance is not self-reported accurately. Ask a sponsor "how much risk are you willing to take?" and they will almost always say "as little as possible." The real answer only emerges through structured elicitation techniques that reveal their actual behaviour and priorities — not their stated preferences.

1. Ask trade-off questions, not attitude questions
Instead of "how much risk are you comfortable with?", ask: "If we could guarantee hitting the deadline but it would cost £30,000 more, would you approve that?" or "If a 20% chance of a 3-week delay would save £15,000, would you accept that risk?" Trade-off questions reveal real tolerance because they force actual decisions.

2. Review historical project decisions
How did the organisation respond to risk events on previous projects? Did they approve contingency spend to protect the schedule, or accept delays to protect budget? Past behaviour is the most reliable indicator of real tolerance — more reliable than anything said in an interview.

3. Examine contracts and governance documents
Penalty clauses, SLAs, regulatory requirements and governance frameworks reveal threshold-level tolerances directly. A contract with a £50,000 per-week delay penalty tells you the sponsor's effective schedule threshold without any conversation being necessary.

4. Run a structured tolerance workshop
Present key stakeholders with a set of pre-built risk scenarios across cost, schedule, scope and quality dimensions and ask them to categorise each as "acceptable", "needs monitoring" or "unacceptable". The boundary between "needs monitoring" and "unacceptable" reveals the threshold. This can be done in 60–90 minutes during project initiation and produces documented, defensible tolerance levels.

5. Document and validate in the Risk Management Plan
Once identified, tolerance levels must be documented in the Risk Management Plan and validated with stakeholders. This is not a formality — it creates a shared baseline that allows you to escalate risks objectively ("this risk exceeds the £25,000 cost threshold we agreed in the Risk Management Plan") rather than subjectively ("I think this is serious").

04 — Application

How Risk Tolerance Shapes Every Risk Management Decision

Risk tolerance is not background context — it is the input that drives specific, quantifiable decisions across all seven risk management processes. Here is how it applies at each stage.

1. Risk Tolerance Sets Your Probability-Impact Thresholds

The probability-impact matrix in qualitative analysis is not objective — its High/Medium/Low zones are defined by tolerance. An organisation with low cost tolerance will define "High" impact at a lower absolute cost value than one with high tolerance. The same £20,000 cost risk might be High priority at one organisation and Medium priority at another, depending on their documented tolerance.

How Tolerance Changes Risk Priority — Same Risk, Different Organisations

| Risk | Probability | Cost Impact | Low Cost Tolerance Org | High Cost Tolerance Org |
|---|---|---|---|---|
| Vendor price increase | 0.3 | £20,000 | HIGH — threshold is £15K | MEDIUM — threshold is £50K |
| 2-week schedule slip | 0.4 | 2 weeks | LOW — schedule flexibility exists | HIGH — contractual penalty clause |
| Scope change request | 0.5 | +10% scope | MEDIUM — some scope flex | HIGH — fixed-scope contract |

Key insight: The risk has not changed — the organisation has. Tolerance is what makes risk management context-dependent. This is why copying a risk register from a previous project without re-assessing tolerance produces incorrect priorities.

2. Risk Tolerance Determines Your Contingency Reserve Size

The contingency reserve — the budget held for known risks — is sized based on both the Expected Monetary Value (EMV) calculation and the organisation's tolerance. A risk-averse organisation (low tolerance) may set contingency at the 90th percentile of the EMV distribution. A risk-tolerant organisation may accept the 70th percentile. Same risk profile, different reserve size, because tolerance differs.

For the complete guide to EMV calculations and how they feed into contingency reserve, see the Earned Value Management guide.

3. Risk Tolerance Dictates Which Response Strategy Is Proportionate

Low Tolerance
Avoid or Transfer — eliminate the risk or move it off the project
When tolerance for a risk dimension is near zero, acceptance is not viable and mitigation may be insufficient. The only proportionate responses are avoiding the risk entirely (change the plan to eliminate the cause) or transferring the financial consequence to a third party through contract or insurance.

Medium Tolerance
Mitigate — reduce probability or impact to within tolerance
With moderate tolerance, the objective is not elimination but reduction. Mitigation actions target either the cause (reduce probability) or the effect (reduce impact) until the residual risk sits within the documented tolerance band. Contingency reserve covers the residual.

High Tolerance
Accept — acknowledge the risk and proceed
When tolerance is high and the risk sits within bounds, active acceptance (allocating a small contingency reserve) or passive acceptance (dealing with it if it occurs) is the correct response. Spending mitigation budget on a risk within tolerance wastes resources better allocated to higher-priority risks.

05 — Stakeholder Dynamics

Managing Conflicting Risk Tolerances Across Stakeholders

In most projects, different stakeholders have genuinely different tolerances — and they rarely tell you this directly. A project sponsor focused on strategic delivery may have high schedule tolerance but low scope tolerance. A finance director may have zero cost tolerance but doesn't care about the delivery timeline. A regulatory compliance officer may have zero quality tolerance but is flexible on everything else.

Managing these conflicts is one of the most nuanced aspects of risk management — and one of the skills the PMP exam specifically tests through stakeholder scenario questions. For deep coverage of how to map and engage different stakeholders, the Stakeholder Management guide covers the full engagement process.

A Framework for Resolving Tolerance Conflicts

When stakeholder tolerances conflict, the Risk Management Plan needs a documented escalation hierarchy — whose tolerance takes precedence when they differ. In practice:

  • Contract terms override stakeholder preferences — if the contract sets a deadline penalty, that overrides the sponsor's stated schedule flexibility
  • Regulatory requirements override commercial tolerances — a statutory quality standard cannot be relaxed by any sponsor regardless of their tolerance
  • Sponsor tolerance is the default project-level setting — where no contractual or regulatory constraint applies, the sponsor's documented tolerance is the operational threshold
  • Conflicts between stakeholders should be escalated, not resolved unilaterally — when the client and the sponsor have materially different tolerances, the PM should present the conflict explicitly and get a documented resolution, not make the call independently

💡 Connecting risk tolerance to the books you study: Understanding how cognitive bias distorts perceived risk tolerance is a topic covered in depth in Thinking, Fast and Slow by Daniel Kahneman — one of the recommended reads in our Best Books for Aspiring Project Managers guide. Kahneman's work on loss aversion directly explains why stakeholders consistently understate their real risk tolerance in conversations but reveal it through actual decisions — exactly why trade-off questions work better than direct elicitation.

06 — PMP Exam

Risk Tolerance on the PMP Exam β€” What You Must Know

Risk tolerance questions on the PMP exam appear in two forms: definitional questions (testing whether you know the correct term for a described concept) and scenario questions (testing whether you can apply tolerance concepts to a realistic project situation). Scenario questions are far more common in the current exam format.

The Key Distinctions the Exam Tests

  • Appetite vs tolerance vs threshold — the exam will describe one and name another; you need to identify the mismatch
  • Tolerance is stakeholder-specific — an answer that applies the same tolerance to all stakeholders is likely wrong
  • Tolerance is documented in the Risk Management Plan — not the risk register, not the project charter
  • Low tolerance requires more active response strategies — an answer suggesting "accept" as the response for a risk that exceeds documented tolerance is wrong
  • Tolerance shapes contingency reserve size — a lower tolerance means a higher contingency reserve for the same risk profile

Common PMP Exam Scenario Pattern

A typical scenario: "The project sponsor has stated that any cost overrun exceeding 10% is unacceptable. The PM identifies a risk with a 35% probability of causing a 12% budget overrun. What should the PM do first?"

The correct answer involves escalating to the sponsor (the risk exceeds the documented threshold of 10%) and developing an avoidance or transfer strategy — not simply logging it as medium priority and mitigating. The threshold has been explicitly stated, and a 12% impact exceeds it, making acceptance disproportionate regardless of the probability.

🎓 PMP exam context: Risk tolerance questions fall within the Uncertainty performance domain in PMBOK 7th edition and map to the Risk Management knowledge area in earlier editions. They appear across the Business Environment, Process and People ECO domains. For scenario-based practice specifically on risk topics, work through the 200 free PMP practice questions and filter for risk management scenarios. Combined with the free PMP Study Guide, these cover the tolerance concepts that regularly appear in exam questions.

07 — Best Practices

Best Practices for Managing Risk Tolerance on Real Projects

1. Define tolerance in the Risk Management Plan — before risks are identified
Tolerance thresholds must be defined before qualitative analysis begins, not after. If you identify risks first and then set thresholds, there is a strong cognitive bias to set them in ways that make your risks look manageable. Define tolerance early — in the initiation or planning phase — to ensure it reflects genuine stakeholder expectations, not PM convenience.

2. Make tolerance quantitative, not qualitative
"The sponsor has low cost tolerance" is not actionable. "The sponsor's cost threshold is £25,000 — any risk with an expected cost impact above this requires immediate escalation and an avoidance or transfer response" is actionable. Convert qualitative tolerance statements into specific numerical thresholds for each objective dimension before closing the Risk Management Plan.

3. Re-assess tolerance at each phase gate
Risk tolerance is not fixed for the life of the project. A sponsor who had high schedule tolerance in Phase 1 may have near-zero tolerance in Phase 3 as the deadline approaches. An organisation that accepted significant financial risk in year one may have become risk-averse after a difficult audit. Review and re-document tolerance at each significant phase gate or milestone, and update the Risk Management Plan accordingly.

4. Use tolerance as an objective escalation trigger
One of the most valuable uses of documented tolerance is depersonalising escalation decisions. Instead of "I think this risk is serious enough to escalate" — which invites challenge — you can say "this risk's expected cost impact of £28,000 exceeds the documented threshold of £25,000, which requires sponsor escalation per the Risk Management Plan." The threshold does the escalating. You are following the plan.

5. Align your contingency reserve to tolerance, not just EMV
EMV gives you the statistically expected cost of your risk portfolio. Tolerance tells you how confident your reserve needs to be. A low-tolerance organisation should hold contingency at the 85th–90th percentile confidence level — meaning the reserve is large enough that only 10–15% of simulated project outcomes would exhaust it. A high-tolerance organisation might accept the 70th percentile. Align reserve size to tolerance explicitly.

Build Your Full Risk Management Capability

Risk tolerance is one component of a complete risk management process. The full guide covers identification, qualitative and quantitative analysis, all eight response strategies, and the risk register structure with a free downloadable template.

08 — FAQ

Risk Tolerance in PMP — 7 Questions Answered

In PMP and PMBOK, risk tolerance is the specific amount of risk exposure a stakeholder or organisation is willing to accept on a particular project objective. It is more specific than risk appetite (the organisation's overall attitude to risk-taking) and is measured by risk thresholds (the quantitative points at which risk becomes unacceptable). Risk tolerance is documented in the Risk Management Plan during the Plan Risk Management process and directly influences every subsequent risk management decision — including which risks are prioritised, which response strategies are proportionate, and how large the contingency reserve needs to be.
Risk appetite is a strategic, organisation-level concept — it describes the general degree of uncertainty the organisation is willing to pursue in exchange for potential reward. It is set at the organisational or programme level and applies broadly. Risk tolerance is more specific — it describes how much risk exposure a particular stakeholder or team is willing to accept for a specific project objective (cost, schedule, scope, quality). An organisation may have moderate risk appetite overall while a specific project sponsor has zero tolerance for schedule slippage due to a contractual penalty clause. Both terms are tested on the PMP exam and the distinction is frequently examined in scenario questions.
Risk tolerance is documented in the Risk Management Plan — the output of the Plan Risk Management process. The Risk Management Plan includes the probability and impact scales, risk categories, reporting formats, risk thresholds (the quantitative expression of tolerance), roles and responsibilities, and stakeholder risk tolerance levels. It is not documented in the risk register (which records individual risks) or the project charter (which records high-level project constraints). On the PMP exam, if a question asks where risk tolerance thresholds are formally captured, the answer is the Risk Management Plan.
Risk tolerance directly determines the confidence level at which contingency reserve is sized. Expected Monetary Value (EMV) analysis gives the statistically expected cost of the risk portfolio — but how much above that expected value to hold in reserve depends on tolerance. A low-tolerance organisation typically sets contingency at the 85th–90th percentile confidence level (meaning the reserve covers all but the most extreme scenarios). A high-tolerance organisation may accept the 70th percentile. Same risk data, different reserve size, because their tolerance for running out of contingency differs. This is why contingency reserve decisions require stakeholder input, not just quantitative modelling.
Yes — risk tolerance frequently changes during a project and must be re-assessed at key milestones. As a project approaches its delivery date, schedule tolerance typically decreases even if it was high in early phases. After a significant cost overrun, cost tolerance drops. Following a change in organisational leadership or market conditions, the overall risk appetite may shift, changing tolerance across all dimensions. Best practice is to review and re-document stakeholder tolerance at each phase gate and update the Risk Management Plan accordingly. Treating tolerance as a fixed parameter set at initiation is one of the most common risk management errors on long or complex projects.
When stakeholders have conflicting risk tolerances, the Risk Management Plan should document a clear hierarchy for resolving conflicts: regulatory and contractual constraints override stakeholder preferences; sponsor tolerance is the default project-level threshold where no contractual constraint applies; conflicts between stakeholders of equal standing should be escalated and resolved explicitly rather than by the PM unilaterally. Document each key stakeholder's tolerance separately in the Risk Management Plan and identify in advance whose tolerance is binding when they conflict. The Stakeholder Management guide on this site covers the full stakeholder engagement process, including managing conflicting expectations.
For the PMP exam, risk management requires both conceptual understanding and scenario-application practice. Start with the PMBOK Guide's Uncertainty Performance Domain and the Risk Management knowledge area chapters for conceptual grounding. Then read a structured study text — Verzuh's Fast Forward MBA in Project Management or Rita Mulcahy's PMP Exam Prep are both strong — for worked examples. Practice with at least 200–300 risk-specific scenario questions before the exam; the PMP heavily tests application, not definition recall. For a full recommended reading list covering PMP preparation and beyond, see the Best Books for Aspiring Project Managers guide. For exam-focused scenario practice, the 200 free PMP practice questions on this site include a strong representation of risk management scenarios.