Saturday, April 30, 2022

Risk Attitude and Risk Attitude Spectrum

Risk attitude, risk appetite, risk tolerance, and risk threshold are all separate and distinct terms. Understanding of these terms are foundational in risk management and to conduct proper risk management in the real-world. 

In this article, we will see these terms with examples, figures, explanations and video. The content for this article is taken from my new course, RMP Live Lessons, Guaranteed Pass

Attitude, put simply, is the thinking and approach, which are displayed in behaviors. Attitude is obviously displayed by people or persons involved in any work. Considering projects, attitude will come from the stakeholders of the project.

A project is almost always executed in an uncertain environment. Uncertainties lead to risks, which can positively or negatively impact the project objectives. Hence, we have to address those risks.

Now, attitude is displayed by stakeholders for many aspects of project such as quality (e.g., high quality or high grade), processes to be undertaken (e.g., heavy set of process or "just-enough" processes), life cycle to be selected (e.g. waterfall, agile or hybrid). Similarly, stakeholders will also have attitude towards project risks. Some stakeholders may not like risks at all, while few others may be very comfortable with a large number of risks.

Risk Attitude determines the extent to which individual risks or overall project risk matters. The Foundational Standard for Risk Management in Portfolios, Programs and Projects from the Project Management Institute (PMI®) defines Risk Attitude as follows:

A disposition toward uncertainty, adopted explicitly or implicitly by individuals and groups, driven by perception, and evidenced by observable behavior.

In other words, you can say a risk attitude basically informs how stakeholders behave towards the uncertainties. The risk attitudes of the stakeholders may be influenced by a number of factors such as:

  • Organizational Culture
  • Scale of Project
  • Strength of Public Commitment
  • Environmental Impact 
  • Industrial Relations

Stakeholders in a project will have different risk attitudes and also a stakeholder’s risk attitude varies throughout the project life cycle. Hence, their needs and expectations on risks should be properly managed. But why would you need that?

Because perception forms the attitude. Attitude results in behavior. And behavior will have consequences. 

As shown above, perception drive attitude, which in turn drives behavior resulting in consequences. 

Risk Attitude: Risk Averse and Risk Seeker

The risk attitude of stakeholders can range from risk averse to risk seeker. 

Risk Averse: Stakeholders with very low risk appetite and these stakeholders feel very uncomfortable in the presence of uncertainty. 

Risk Seeker: Stakeholders with high risk appetite and these stakeholders view uncertainty as a welcome challenge. 

Risk attitude is expressed in 3 themes:

  • Risk Appetite: It is the degree of uncertainty a stakeholder is willing to take in expectation of a reward.
  • Risk Tolerance: It is the degree of uncertainty a stakeholder will withstand (typically expressed in range). This is not as frequently used as risk appetite and risk threshold in the latest trends of risk management. It’s deprecated. 
  • Risk Threshold: It is the highest level of risk tolerance. Below the threshold, risk will be accepted. Above the threshold, risk won’t be accepted by stakeholders.

Risk threshold is the measure of acceptable variation around an objective that reflects the risk appetite of the organization and stakeholders. 

Examples: Risk Appetite, Risk Tolerance and Risk Threshold

Let’s take some examples to understand. 

Risk appetite and threshold values are set during risk management planning. This is pre-decided by managers above the project manager. However, these can be customized/set for an individual project with stakeholder analysis.

Risk appetite and threshold values for the individual project risks are calculated as numbers, e.g., 9, 11 or 15, during qualitative analysis. It also can be scaled textuals such as low, high, very high etc.

Risk tolerance is typically expressed in range, e.g., we will accept up-to 10% variation in cost, or we can accept up-to 30-days-delay in the project schedule.

The risk threshold reflects the risk appetite, as we saw earlier. Hence, a risk threshold of +/-10% around a cost objective reflects a higher risk appetite than a risk threshold of +/-5%. Similarly, one can consider other objectives.

There can be other examples of Risk thresholds, some of which are noted below.

  • Consider a risk’s exposure (potential impact). If the potential impact is below a minimum level, then it won’t be included in the Risk Register. In other words, the risk threshold value, related to minimal risk exposure, is not crossed.
  • Qualitative or quantitative definition of risk rating or risk score. The risk score is the multiplication of risk probability and impact. Considering qualitative risk definition, if the risk score is less than 9, then the risk threshold value is not crossed.

You can understand with more examples, you can refer to this PMP Protein Article.

Risk Attitude Spectrum

It is evident that stakeholders of a project will be different - not everyone thinks alike. Hence, the risk attitude will also be different. After all, risk attitude informs how a stakeholder perceives a risky situation – favorably or unfavorably. So, risk attitude may not be stable, or homogenous across the stakeholders. Risk attitudes, as we just came to know, are not homogenous among the stakeholders. It may also change over the life cycle of the project or program or portfolio. 

The same uncertain situation can result in different kinds of behavior from stakeholders depending on how they perceive the uncertainty. An uncertain situation, which is considered to be too risky for one stakeholder, may be accepted easily by another stakeholder. 

Consider the above aspects of stakeholders, many risk management practitioners conclude that risk attitudes actually exist on a spectrum – from very low or low risk-taking ability to high or extreme risk-taking ability. The spectrum of risk attitude for the stakeholders is shown in the below figure. 

As shown in the above figure, the responses to uncertainty and comfort/discomfort level of stakeholders are shown in X and Y axes, respectively. The risk tolerant ones have little/low or no comfort/discomfort level when uncertainty happens or arises. 

Video: Risk Attitude Spectrum

Let's have a relook at the previous graph. With an increase of comfort level reaching “high”, the stakeholder can be considered to be risk seeking or risk seeker. On the other hand, when the discomfort level is high, then the stakeholder can be considered to risk averse. Similarly, when there is an extreme level of comfort with uncertainty, the stakeholder will be termed as risk addicted. On the other hand, with an extreme level of discomfort, the stakeholder will be termed as risk paranoid.  

This is further explained in the below video [duration: 2m:44s], taken from RMP Live Lessons, Guaranteed Pass. You may want to plug-in your earphones to have a better experience. 


While preparing for the RMP Exam, you have to very familiar and conceptually clear about the below terms:

  • Risk Attitude
  • Risk Appetite
  • Risk Threshold
  • Risk Exposure
  • Risk Rating
  • Risk Value
  • Risk Score, among others.

Some the above terms are actually quite the same, but can differ based on the contextual application! 

Coming to the Risk Management Professional (RMP®) exam, questions are rarely direct. They will be mostly situational. With a strong foundational understanding and sufficient practice, you can easily answer them. 


[1] Course: RMP Live Lessons, Guaranteed Pass or Your Money Back, by Satya Narayan Dash

[2] Book: I Want To Be A RMP: The Plain and Simple Way To Be A RMP, 2nd Edition, by Satya Narayan Dash

[3] Course: RMP 30 Contact Hours with Money Back Guarantee, by Satya Narayan Dash

Friday, April 22, 2022

End to End Risk Management with MS Project and Primavera Risk Analysis

Imagine you are managing a large project, which is strategically important and complex. At the outset, you realize there will be a number of risks, which if not managed well, could paralyze the outcome and have negative impacts on the project objectives. You want to proactively identify, analyze, respond, track, and monitor your project’s risks. And, it would be great to have a dedicated risk management tool to use alongside your project management software.

What are your options? Will software tools like Excel help? Will a software tool for only project management meet your needs?

If you have ever managed risks, you know a spreadsheet is not the answer. A spreadsheet is not at all designed for project management–let alone risk management. It’s likely that a project management software tool only meets your need half-way.

One of the most frustrating experiences faced by management practitioners with respect to software tools and one response was related to risk management and tracking, specifically in a scenario where spreadsheets were being used. Another aspect that came to light was the need for an integrated and risk-adjusted schedule-cost management system, which brings up questions like: what are the duration estimates and cost estimates associated with the risks? How can a PM manage risks in with a single, centralized tool?

In this piece, I’d like to present an integrated approach to project management with strong end-to-end risk management capabilities. For this purpose, I’ll be using two software tools:

  • Microsoft Project (MSP) 2019 for project management, and
  • Primavera Risk Analysis (PRA) 8.7.5 for risk management.

The practical examples and samples for this article have been taken from Practical RMP with Primavera Risk Analysis, whereas the theoretical explanations are from RMP Live Lessons.

Let’s start with creating a project plan with MS Project. 

Create the Project Plan

While you can directly use PRA to create your project plan, most project managers use MSP frequently for planning because of its simplicity, ease of use, and user friendliness.  For this reason, we will create the plan first in MS Project. The plan depicted in the below figure.

The statistics of the project are these:

  • Duration: 38 days
  • Cost: $67,680 USD
  • Finish Date: June 30, 2021 (06/30/21)

The project is the creation of a Smart Site and involves multiple resources.

Do note that if you have modified the calendars for the project and/or have added custom calendars, you’ll need to ensure you have the corresponding calendars in PRA.

Set-up PRA for Risk Management

Before importing the plan, ensure that the settings for MS Project in PRA are correct. This can be opened by going to PRA tool’s File à Microsoft Project à Edit Default Import Mapping… menu.

Keep the “Show this dialog…” checkbox enabled so that when you open the MSP Plan in PRA, you can have a quick look at the settings before actual import happens.

Import the MSP Plan into PRA

Now that we have set the MSP related settings in PRA, we will import the project plan created in MSP into PRA. It will happen in a few seconds. Post import, in PRA, the plan will be shown as below.

The imported project plan in PRA has the following statistics:

  • Remaining Duration: 38 days
  • Remaining Cost: $67,680 USD
  • Finish Date: June 30, 2021 (06/30/21)

This is perfectly in sync with the statistics of our project plan created earlier in MSP. It’s also a good idea to check a few of the tasks in the project to see that the import has happened properly. In our case, the task/activity “PRD Preparation” has been considered. It matches perfectly with the MSP Plan considering Dates, Resources, and Cost, among other fields.

Important Notes

At this stage, I’ll recommend that you read this Risk Management Framework for Projects article to understand how risks are managed and monitored over various Risk Management processes. Here, I’ll be using only the Risk Register, not the Risk Report.

In addition, I’ll explain some key points with respect to risk management, which will help you to understand why I’ve taken the following steps and performed the associated activities. Take a look at the video [Duration: 4m:12s] below—it’s been taken from RMP Live Lessons. For a better experience, you may want to go full-screen with HD mode and plug-in your earphones.

Risk Identification and Risk Register

Now, we are going to prepare the Risk Register. Preparation of this key project artifact happens during the Risk Identification process.

To create the Risk Register with PRA software, go to Risk à Register… menu, or click on the Risk Register icon on the Risk Toolbar of PRA. The Risk Register creation dialog box will pop up, and we will use the standard risk register option.


When the standard Risk Register first opens, of course, it will be empty as shown below.

You can enter new risks easily by adding details for the identified individual project risks.

As you can enter the risks, provide all the needed information such as Risk ID, Threat or Opportunity, Risk Title, the Pre-mitigation information such as Probability scales, Impact Scales, etc. You can also add the Risk Details such as Cause, Effect, and Risk Category, among others.

As shown, we have four identified risks (threats) for this project with their respective details entered. The cause, effect, description, owner, RBS type, and status values have been entered for each of the risks.

Do not worry about the risk responses now. We will address them in the step for risk response planning as I explained in the earlier video. The risk score is calculated by taking the risk parameter values from the Risk Probability and Impact (PI) Matrix. For the sake of this example, I’ve used the following matrix.

The probability and impact scales notations in the Risk Register are these:

  • Very Low (VL)
  • Low (L)
  • Medium (M)
  • High (H)
  • Very High (VH)

As you multiply the probability and impact values, you will get the Risk Score. For more depth, refer to this detailed article on Risk Matrix Reporting.

Risk Qualification

Our next step is to qualify these individual risks. We will determine the probability and impact values of these risks. You can have other risk assessment parameters, as well, such as Risk Manageability or Risk Proximity, among many others.

Considering the probability and impact values of these risks, as we qualify them, the Risk Register will be updated as shown below.

As you can see, the current Risk Register has seen a number of updates. Considering Risk ID – 001, some of the key updates are:

  • Risk Score is now 21. (change from 72 to 21)
  • Risk Owner is confirmed. (John R is the confirmed owner)
  • Risk Status has been modified. (Status is “open” now; earlier “proposed”)

Similarly, we have also qualified other individual project risks: Risk 002, Risk 003, and Risk 004.

Risk Quantification

This step of risk quantification is optional, as we have seen in the RMP video. Though our project is a simple one, let’s do risk quantification for one individual risk (Risk 001: Poor understanding of design specification). After quantification of this risk, the pre-mitigated Quantified Risk Register will show as follows:

Note that Risk 001 has now been quantified from a schedule perspective by associating it with two tasks in the Project Plan, i.e. Task ID 000009 and Task ID 000010, from “Phase – 1” under the WBS element of “Design and Development Phase” at Level – 2 of the work breakdown structure (WBS).

I’ve used BetaPert probability distribution for the tasks mentioned and have entered the minimum, mostly likely, and maximum duration estimates. Similarly, you can also quantify with respect to cost estimates.

Post quantification, you can do a variety of analyzing such as:

Risk Response Planning and Response Integration

Next, we will do the risk response planning for the individual risks to bring down the probability and/or impact values of these risks. With this, we can keep the risk score within the risk threshold.

For this purpose, we again have to go to the Risk Register and modify the risk response strategies along with the associated risk response actions. The modified risk register is shown below.


Considering “Risk 004: Key resources unavailable,” the Risk Score has been reduced from 56 to 1, and similarly for certain other risks.

For Risk 004, the associated actions are noted under the highlighted “Mitigation” tab. There are two mitigation response actions:

  • Risk Response Action – 1: Get the resources from other functional departments.
  • Risk Response Action – 2: Prioritize project resources.

The assigned risk response owners and associated cost are noted. The associated cost also reflects on the top panel for Risk 004.

Risk Monitoring and Tracking

Our final step relates to risk monitoring and tracking. During risk monitoring, new risks may be identified, an existing risk status can change, an existing risk can become obsolete, or an existing risk may not occur.

Let’s say a new positive risk (opportunity) is identified, and we need to add this risk into the register. As we have seen earlier, risk management is both iterative and integrative in nature. 

As shown, we now have a new risk—“Risk 008: Reuse of previous design module.” As this risk is freshly detected, default values have been populated. The blue letter “O” represents an opportunity.

Subsequently, we have to determine the initial characteristics of this risk, followed by qualification and quantification (optional), and have the needed risk response strategies with associated risk response actions. Finally, we have to monitor this new adjusted risk with response and associated actions.

As we reach the end of this article, some of you may be thinking can this risk register be exported to MS Excel? After all, not all stakeholders will have MS Project 2019 and Primavera Risk Analysis software installed.

The answer is yes! You can export the Risk Register to MS Excel by going to Risk Register’s File à Export Risk Register As… menu. From there, while saving, choose “Microsoft Office Excel (.xls)” option to save.

With this process in mind, I believe you will have a sound understanding of end-to-end risk identification, analysis, response planning, and implementation, followed with risk monitoring and tracking.



This article was first published by on 18th May, 2021.


[1] Online Course: Practical RMP with Primavera Risk Analysis, by Satya Narayan Dash

[2] Online Course: RMP Live Lessons, Guaranteed Pass, by Satya Narayan Dash

[3] Online Course: MS Project Live Lessons, by Satya Narayan Dash

Friday, April 15, 2022

Using Probabilistic Linking in Risk Management

Probabilistic branching and probabilistic linking are two completely different concepts in risk management. Many risk management practitioners confuse these two and use them interchangeably. This is not correct. To understand probabilistic linking, first you need to understand probabilistic branching. You can refer to this detailed article to understand probabilistic branching.

I hope you have gone through the linked article. Probabilistic branching informs the probability of an activity existing or not. On the other hand, probabilistic linking allow you to model the probability of a link between two tasks existing or not existing. 

In this article, we will use a simple example and will follow some steps to understand how probabilistic linking can be there in a schedule. The content of this article is taken from my new course and book on Risk Management Professional (RMP) exam: 

RMP Live Lessons, Guaranteed Pass or Your Money Back

Now, let’s see the steps to perform a probabilistic linking and analysis.

Step – 1: Create the tasks and Link the tasks

Let’s create two tasks: 

  • Task A. It’s of 3 days duration.
  • Task B. It’s of 6 days duration.

I’m going to use the Primavera Risk Analysis (PRA) to build this simple plan. Next, we are going to select both these tasks and right click, which will give us the option to link. We are going to use the finish-to-start (FS) link. This is depicted below. 

The linked tasks will come as shown below. 

Step – 2: Add probability values to the links

Next, we are going to select Task B and go to the Risk and Uncertainty tab under the Task Details pane. Under this tab, we will select the “Probabilistic Links” sub-tab. As shown below, for Task B, the link is with respect to Task A. It’s mentioned as the preceding link. 

Here, we will add linking probability with Task A as 75%. In other words, the probability or chance of Task A being linked with Task B is 75%. Obviously, we will have 25% left to allocate. This is shown below.

Do note that there is another tab called Probabilistic Branch tab, just left of the Probabilistic Links tab. As noted in the beginning of the article, these two are completely different concepts.

Step – 3: Add another probabilistic link

Next, we are going to add another task of Task C. For Task C, we have the following operations:

  • Task C is of 5 days duration. 
  • Task C is linked to Task B and it’ll be the predecessor to Task B. The dependency will be again finish-to-start (FS). 
  • In other words, Task B has two predecessors now: Task A and Task C.

This is represented in the below figure.

Next, select Task B (not Task C) and click on the Probabilistic Links tab. Here, give the probability or chance of link between Task B and Task C as 25%. The linked values given are shown below.

As shown above:

  • Task B now has two preceding links: Task A and Task C.
  • Task A’s linking chance is 75%, whereas Task B’s linking chance is 25%.
  • Together it equals 100% or as noted in the above figure, total % left to allocate for probabilistic linking is now 0%.

Step – 4: Run a risk analysis

Next, we are going to run a risk analysis with the PRA tool. This can be done by simply using the command Run Risk Analysis from Risk menu list in the toolbar.

As you step through the analysis you will see the links disappearing and the effect on the plan. The below figure shows Iteration 1 out of 1000 and with it the link between Task B and Task C is not considered. 

As shown above, while Task B is actually connected to both Task A and Task C, in Iteration 1, only the link between Task A and Task B are considered! 

As you proceed with the Risk Analysis step after step, the links will keep on changing, i.e., one link will disappear and another one will appear. 

The above figure shows for Iteration 3, the link between Task B and Task C is considered, whereas the link between Task A and Task B has been removed. 

Step – 5: Complete the risk analysis

As your plan moves through multiple iterations, the probabilistic linking and its value will keep on changing for the tasks in the schedule. If you have applied probabilistic distribution for the activities or tasks in your project, then you run a complete Monte Carlo or Latin Hypercube simulation. You can learn a brief on probability distribution for tasks in this article

I’ve intended to keep the example very simple to make you understand the difference between Probabilistic Branching and Probabilistic Linking with a real-world software tool. 


In probabilistic linking, the preceding links for a concerned task can have a probability of 100%. When two or more preceding links are there for a task with less than 100% probability, then all of those probabilities must add up to 100%.

If you are preparing for your Risk Management Professional (RMP) exam, you need to understand all these:

  • Probability Distribution
  • Probabilistic Branching
  • Probabilistic Linking

Predominantly, your questions will be on probability distributions. However, you can expect a few questions on probabilistic branching and linking as well.


[1] New Course: RMP Live Lessons, Guaranteed Pass, by Satya Narayan Dash

[2] New Course: RMP 30 Contact Hours Online, by Satya Narayan Dash

[3] Book: I Want To Be A RMP, The Plain and Simple Way, Second Edition, by Satya Narayan Dash

Thursday, April 07, 2022

Risk Management: Possible Types of Risks

I receive many questions on Risk Management - particularly from the customers of my new risk management courses and readers of risk management book. Many times, there is a lack of clarity on possible type of risks.

Hence, I decided to write the possible types of risks that came to my mind and referenced my new course: RMP Live Lessons, Guaranteed Pass.

Note: This was posted earlier with a few risks. A new set of risks have been added to the list recently with the availability of new Risk Management Professional (RMP) courses. 

This list, by no means is exhaustive. There can be other types. Do note that these are types of risks, not categories or classifications of risks.

1# Individual project risk: An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more objectives.

2 # Overall project risk: A risk that has an effect of uncertainty on the project as a whole.

3 # Positive risk (Opportunity): A risk that would have positive effect on one or more objectives.

4 # Negative risk (Threat): A risk that would have negative effect on one or more objectives.

5 # Known risk (Identified risk): A risk that is identified.

6 # Unknown risk (Unindentified risk): A risk that is not identified.

7 # Secondary risk: A risk that occurs because you took a risk response on a (primary) risk.

8 # Emergent risk: An arising risk that could not have been identified earlier.

9 # Residual risk: A risk that remains after you have taken a risk response.

10 # Outdated risk: A risk that didn't occur - either based on event or condition.

11 # Correlated risk: A risk that is correlated to one or more other risks.

12 # Connected risk: A risk that is connected to one or more other risks.

13 # Undifferentiated risk: A risk that has not been qualified.

14 # Differentiated risk (Qualified risk): A risk that has been qualified.

15 # Quantified risk: A risk that has been quantified, usually in terms of time and/or money.

16 # Aggregated risks: Risks that are aggregated with one or more other risks and pose a bigger threat or opportunity.

17 # Event based risk: A risk that occurs based on an event.

18 # Non-event risk: A risk that occurs, but not based on an event, e.g., variability risks, ambiguity risks. We have seen these in an earlier post:
Risk Classification: Known-Knowns, Known-Unknowns, Unknown-knowns and Unknown-unknowns

19 # Prioritized risk (High-priority risk)A risk that has been prioritized based on the risk score, which crosses the risk threshold. 

20 # Low-priority risk: A risk that has been prioritized based on the risk score, which is below the risk threshold. This risk will be on a watch-list.

21 # Enterprise risk: A risk of an entire enterprise or organization. It’s also known as Business risk..

If you know any other types, I welcome your comments. They will be added to this list.


[2] New Course - RMP 30 Contact Hours Online, by Satya Narayan Dash