Lee Merkhofer Consulting Priority Systems
Implementing project portfolio management

Risk Tolerance

Part 4 of this paper explained how to construct a project selection decision model that estimates the impact of a project on the organization's objectives and, based on those impacts, estimates the value of the project. The project selection decision model is flexible with regard to the number of objectives that can be accommodated. For many companies and many projects, only one objective is considered; namely profit. In this case the project selection decision model is simply a calculation of net present value (NPV). Other organizations, particularly those with non-financial objectives, will want the project selection decision model to account for impacts on the organization's non-financial objectives.


Project Selection Decision Model

Figure 45:   The project selection decision model computes the value of projects.


This Part 4 of the paper explained the various ways that organizations identify and characterize project risks. Identifying risks helps the project team come up with ways to eliminate and reduce those risks, but some residual risks will likely remain. Because of these risks, at the time the project portfolio is being selected the value to be derived from conducting a risky project is uncertain. What I've not yet explained is how the value of a project can be adjusted based on risk. That question is the topic of this subsection.

Traditional Methods

Before describing the formal method for adjusting project value based on risk, let's review the traditional methods still being used by most organizations. For convenience, I've summarized them in the table below. Use the links to go to other locations on this website that explain the methods in more detail.


Method Description
Sensitivity analysis Systematically vary the inputs to the project selection decision model in order to see the impact on estimated project value. The sensitivity of project value to project uncertainties indicates how much project value could change depending on how uncertainties turn out. Although informative, it’s hard to know how to modify project values or priorities based on results.
Conservatism Rather than use most likely or mean estimates for uncertainties that contribute to risk, assume outcomes that are less favorable for project performance. This approach is especially popular when the concern is health or safety risks, where it reflects the philosophy of erring on the side of prudence. Studies show that conservative estimates can compound to the point that the impact of risk on decisions is far overstated.
Scenario analysis Conduct the valuation with uncertain variables set consistent with pessimistic, expected, and optimistic scenarios. Like single variable sensitivities, it’s hard to know how to modify project values based on results. However, scenario analysis can be more realistic than single variable sensitivity analysis when uncertainties are highly correlated.
Monte Carlo analysis Use Monte Carlo analysis to compute a probability distribution over project value. The results quantify the uncertainty over project value, but don’t answer the question of how project values or priorities should be adjusted. .
Decision tree Build a decision tree to capture the sequence by which decisions must be made and uncertainties resolved. Analyzing the tree provides the probability distribution over project value and shows the choices that maximize the expected value, but a means for adjusting value to account for risk is still needed. .
Risk-adjusted discount rates The discount rate is adjusted upward to compensate for higher than normal risk or downward to adjust for lower than normal risk. The risk-adjusted discount rate allows a risk-adjusted project value to be computed. The problem with the approach is that it is not defensible because it confounds time preference with risk preference and produces biases in estimates of project value.

With the exception of risk-adjusted discount rates, all of the above methods rely on managerial judgment to determine exactly how the results of applying the method should be used to adjust the value or priority of a project. In the case of risk adjusted discount rates, also called hurdle rates, the method does produce a risk-adjusted value, but the logic is not defensible and the results are biased depending on the timing of project costs and benefits. In contrast, what is described below is a formal, logic-based method for determining the impact of risk on value. The method takes into account uncertainty over the project outcomes and the decision maker's willingness to take on risk.

If You Don't Mind Risk, Maximize Expected Value

If decision makers did not care about risk, they would want to "go with the odds;" that is, they would want to make decisions so as to maximize expected value. The expected value is defined as the probability-weighted sum of the possible uncertain outcomes. Decision makers unconcerned about risk would want to maximize expected value because the expected value is the amount that they would obtain on average each time the uncertainty is faced. As an example, the expected value of a coin flip that pays $1 on "heads" and zero on "tails" is 50 cents. If you played this gamble over and over again, you'd earn approximately 50 cents times the number of coin flips, and, the more times you played the closer your earnings would be to the expected value estimate.

The Certain Equivalent

For substantial risks, most organizations (and individuals) are risk averse, meaning that they value uncertainties at less than their expected values. The certain equivalent is defined as the amount of money for which a decision maker would be indifferent between receiving that amount for certain and receiving the uncertain outcomes of the gamble. For example, a risk-averse decision maker might assign a certain equivalent of $500,000 to a risky project with equal chances of yielding $0 and $2,000,000, even though the expected value of the project is $1,000,000. Note that this same logic means that a gamble with negative expected value (large downside risk) has a certain equivalent that is even more negative than its expected value (which is why individuals and organizations are willing to pay more for insurance premiums than the expected loss that they are eliminating). The goal of a risk averse decision maker is to maximize the certain equivalent.

For risks with complex payoff distributions, it is generally difficult for an individual to estimate the certain equivalent directly. However, the certain equivalent can be estimated for a simple gamble and the results used to infer the certain equivalents of more complicated risks. The approach involves constructing a utility function that represents the degree of aversion to taking risks.

Utility Function

An exponential form is most often chosen for the utility function:

U(x) = 1 - e-x/R

where x is value, R is a positive parameter called risk tolerance, and e ≈ 2.7182 is Euler's constant, the base of the natural logarithm.


Project risk-adjusted value = project expected value - project variance / Risk tolerance × 2


Or, in terms of the risk premium: RP(x+~z ) ? r(x)E[~z 2] = r(x)Var[~z ] (1)Thus, your premium for risks is proportional to the variance of the payoff, where the constant of proportionality is your local risk aversion measure (times one-half). This means that r(x) is the "price per unit of variance" that you are willing to pay to get rid of small risks in the vicinity of an otherwise-constant wealth level x.

By the way, while the exponential utility function jibes smoothly with normal probability distributions, the logarithmic and power utility functions jibe smoothly with lognormal probability distributions, which are often used to model movements in stock prices.

Figure 46 shows a plot of the utility function for several different risk tolerances. The horizontal x-axis shows possible values or certain equivalents expressed in monetary units. The vertical y-axis shows the corresponding "utility," where utility is a numerical rating assigned to every possible x value. With this form of the exponential utility function, utilities are scaled from 0 to 1 when the x values are positive. The utility numbers on the vertical scale do not have specific meanings, except that larger numbers are more preferred.


Exponential utility function

Figure 46:   The exponential utility function is often used to model risk aversion.



The shape of the utility function determines the degree of aversion to taking risks. The more the plot curves or bends over, the more risk aversion is represented. With the exponential utility function, the degree of curvature is determined by R. Thus, risk tolerance is an indicator of a decision maker's or organization's willingness to accept risk. Risk tolerance, as defined here, is not the maximum amount that the decision maker can afford to lose, although decision makers and organizations with greater wealth generally have larger risk tolerances.

Computing the Certain Equivalent

To calculate the certain equivalent for a risky project you must first convert the equivalent dollar values associated with each possible project outcome to utilities, using the utility function. Then, you calculate the expected value of these utilities using the same procedure that you'd use to calculate any other expected value.

  • First, locate each possible outcome value x on the horizontal axis and determine the corresponding utility U(x) on the vertical axis. For example, if risk tolerance is $1 million and the risk is 50% chance of $0 or $2 million, the corresponding utilities (from Figure 46) are 0 [U(0) = 1 - e-0/1 = 0] and 0.86 [U(2) = 1 - e-2/1 = 0.86].
  • Second, compute the expected utility by multiplying each utility by its probability and summing the products. For the example, the expected utility is 0.5×0 + 0.5×0.86 = 0.43.
  • Third, locate the expected utility on the vertical axis and determine the corresponding certain equivalent on the horizontal axis [CE = - 1 * ln(1 - 0.43) = .56.

The result for the example is approximately $560,000. In other words, a 50/50 gamble for $2 million (which has an expected value of $1 million), is worth only $560,000 to a decision maker with a risk tolerance of $1 million.

As we saw in the previous subsection, the output of a Monte Carlo or decision tree analysis of project risk is a probability distribution or frequency plot identifying many possible outcome values for the project. In that case, each of the possible outcome values is converted to a utility. Computing the expected utility and then translating the result back into dollar units gives the certain equivalent for the risky project. With a decision tree, you can replace the monetary values in the tree with their utilities. Rolling back the tree in the usual fashion then provides the certain equivalent and optimal decision policy for the risk averse decision maker.

To understand why applying the utility function produces a certain equivalent less than an expected value, note that the utility function grows less rapidly as the value measure increases, while it drops off rapidly as the value measure becomes goes negative. Intuitively, this is saying that what we lose from each unit of decrease of value becomes increasingly great as the level become more negative. Therefore, if we take an expected value of the utilities of the value measure, projects that have a significant probability of yielding bad outcomes will be penalized more heavily in the calculation procedure than if expected value were used to evaluate the alternatives. Hence, an alternative with a significant chance of yielding bad outcomes will be down rated more using a utility function than from using expected value to evaluate projects.

Utility function for losses

San Bruno Pipeline Explosion

Risk Tolerance and Project Deferral Risk

Occasionally, hazardous facilities, such as gas pipelines, chemical processing plants, oil pumping stations, and electric generating plants experience accidents, sometimes quite serious. To reduce risk, operators of hazardous facilities conduct inspection and maintenance activities and install protections. However, maintenance and inspection aren't perfect and can sometimes be expensive. How much should the organization spend in an attempt to minimize low-probability, high-consequence accidents?

As an example, the 2010 San Bruno explosion of a PG&E gas pipeline leveled 35 homes and killed 8 people. The cause of the accident was eventually determined to be faulty welding. PG&E had been using an inspection method in pipe segments in the vicinity of the segment of pipe that exploded. That method was capable of detecting corrosion problems, but not welding problems. A more expensive test that could have identified the welding problem that caused the explosion would have been to pump the pipe segment full with high-pressurized water.

Suppose a risk assessment conducted for a company operating some hazardous facility concludes that there is one-chance-in-10,000 of an accident that, all told, could cost the company $500 million in losses. The expected value (probability-weighted) cost of this risk is 0.00001 times $500 million, or $50,000. If the company is risk neutral, logic would say that no more than $50,000 should be spent to eliminate this risk. I suspect most organizations would be willing to spend more than this to avoid a risk that could cost the company a half billion dollars.

Let's see what an analysis based on risk tolerance says. Suppose the company has a risk tolerance of $50 million. Applying the risk transform to the $500 million loss gives a utility of:

U(-500) = 1 - e(-500/50) = -22,025.

The expected utility is then -22,025/10,000 = -.22025. The certain equivalent is:

CE = -50 * ln(1 -.22025) = 12.43.

Accounting for risk tolerance, the company should reasonably spend up to $12.43 million to eliminate the risk!

Risk tolerance provides a logical way to determine how much to spend to manage risks, including low-probability, high-consequence risks. Adopting the risk tolerance approach can ensure that risk management decisions are made consistently throughout the organization. If each such decision is made based on judgment, the organization is certain to spend more in some cases to reduce risk and less in others.

Determining Risk Tolerance

There are several ways to determine the risk tolerance for an organization. One is to ask senior decision makers (ideally, the CEO) to answer the following hypothetical question. Suppose you have an opportunity to make a risky, but potentially profitable investment. The required investment is an amount R that, for the moment, is unspecified. The investment has a 50-50 chance of success. If it succeeds, it will generate the full amount invested, including the cost of capital, plus that amount again. In other words, the return will be R if the investment is successful. If the investment fails, half the investment will be lost, so the return is minus R/2. Figure 47 illustrates the opportunity. Note that the expected value of the investment is R/4.


Assessing risk tolerance

Figure 47:   What is the maximum amount R you would accept in this gamble?



If R were very low, most CEOs would want to make the investment. If R were very large, for example, close to the market value of the enterprise, most CEOs would not take the investment. The risk tolerance is the amount R for which decision makers would just be indifferent between making and not making the investment. In other words, the risk tolerance is the value of R for which the certain equivalent of the investment is zero.

Empirical studies have been conducted to measure organizational risk tolerances. The results show that risk tolerances obtained from different executives within the same organization vary tremendously. Generally, those lower in the organization have lower risk tolerances. Howard [9] reports that assessments from CEO's in the oil and chemicals industry concluded that risk tolerance is roughly six per cent of sales, one to one and a half times net income, or one-sixth of equity. McNamee and Celona [10] add to this list a ratio of market value to risk tolerance of one-fifth. They also comment that the ratio of risk tolerance to equity or market value [usually translates best between companies in different industries.

Once risk tolerance has been established, the certain equivalent for any risky project or project portfolio can be obtained via the utility function. The effect, as illustrated in Figure 44, is to subtract a risk adjustment factor from the expected value (if projects allow you to avoid risks, the effect is to add, rather than subtract, adjustment factors). The risk adjustment depends on the risk tolerance and the amount of risk. If the projects are independent (i.e., their risks are uncorrelated), then the certain equivalent of the project portfolio will be the sum of the certain equivalents of the individual projects. If project risks are correlated, the certain equivalent for the portfolio can be obtained once the distribution of payoffs for the portfolio are computed (accounting for correlations as described above).


Calculating the certain equivalent

Figure 48:   Adjusting project value for risk



An advantage of this approach is that a single risk tolerance can be established for the organization. Use of the common risk tolerance ensures that risks are treated consistently, thus avoiding the common bias in which greater levels of risk aversion tend to be applied by lower-level managers.

Note that the method presented in this paper do not guarantee that the outcome of a particular risky decision will be optimal or "good," but only that the decision will be rational in the face of uncertainty and that repeated application of these methods will maximize the decision maker's welfare over the long run.

For a demonstration of the importance in the context of project prioritization of addressing risk and risk tolerance, see the Risk Demo.

References for Part 5

  1. L. Kahaner and A. Greenspan, The Quotations of Chairman Greenspan, Adams Media Corporation, 2000.
  2. S. Labarge, "Valuing the Risk Management Function," Presentation at the Risk Management Association's Capital Management Conference, Washington DC. April 10, 2003.
  3. M Boucher, "Project Portfolio Management: Selecting the Right Projects for Optimal Investment Opportunity," Aberdeen Group, p. 9, March 2011.
  4. "Project Risk Mitigation: A Holistic Approach to Project Risk Management," Assurance & Advisory Business Services, Ernst & Young, 2002.
  5. D. Aswath, Strategic Risk Taking: A Framework For Risk Management
  6. Pearson Prentice Hall, 2008.
  7. S. Savage, S Scholtes and D. Zweidler, "Probability Management," ORMS Today, February 2006, 20-4.
  8. M. R. Durrenberger, "True Estimates Reduce Project Risk," Oak Associates, Inc., 1999.
  9. "Behind AIG's Fall, Risk Models Failed to Pass Real-World Test," The Wall Street Journal, p.1, November 3, 2008.
  10. J. R. Meredith and S. J. Mantel, Jr., "Project Selection," in Project Portfolio Management, L. D. Dye and J. S. Pennypacker, eds., Center for Business Practices, p. 157, 1999.