Risk appetite: the number that ends a project
§1 · START HERE
The 90-second version
A runaway project looks like a planning failure. It is not. The planning is fine; the governance is missing.
- The estimate cannot stop a project. Only the appetite can. An estimate answers how long will this take? A answers how much is this worth before we’d rather stop than keep paying? A project with a sharp estimate and a blank appetite has no condition under which it ends. It runs until it is killed by exhaustion, not by a boundary.
- The thing that piles up while the appetite stays blank has a name — risk debt. Every scope expansion accepted without re-pricing the risk is one unit of . It does not sit in the schedule. It sits in the commitments — the quiet pile of “we already said yes” that no one re-reads.
- Three failures are the same failure. The never-ending project, boiling the ocean, and the executive trojan horse are not three problems. They are three shapes of one missing number. Name the appetite and all three lose their host.
- The force that keeps risk debt alive is mechanical, not moral. Barry Staw measured it in 1976: people commit the most resources to a failing course when they are personally responsible for the losses so far. The person who would have to call the project is the person the sunk cost is wired to. They will not call it. The boundary has to be set before they are that person.
- The counter-case is real. A hard appetite, applied to genuinely open-ended discovery, cuts off the exploration that was the point. Appetite governs bets. It does not govern learning. The difference is where this breaks, and §7 holds the line.
TERMINOLOGY — Risk appetite is the governance term: the amount and type of risk an organization is willing to pursue or retain (ISO Guide 73:2009). Appetite, in Ryan Singer’s Shape Up sense, is the same idea made operational on a single project: a number you start with, that the design has to fit inside. This piece welds the two together and names what leaks out when neither is set.
§2 · THE FALSE BELIEF
We’ll scope it as we go
Start with the sentence that launches most runaway projects. It sounds responsible. We’ll scope it as we go. It is the sound of an appetite never being set.
Here is the confusion underneath it. Teams believe the dangerous number on a project is the estimate — the guess about how long the work will take. So they invest in better estimates. Story points, three-point ranges, reference classes, planning poker. All of it sharpens the same number: how long?
That number cannot end a project. It was never built to.
An estimate starts with a design and ends with a number. You decide what you’re building, then you work out how long it takes. Ryan Singer’s line is exact: estimates start with a design and end with a number; start with a number and end with a design.
An appetite runs the other direction. You start with the number — this is worth three weeks, not three months — and the design has to fit inside it. The number is fixed first, on purpose, before the work can talk you out of it.
The number can be time or money — whichever one runs out first. Six weeks. Two engineers. Fifty thousand dollars. The unit changes with the job. What never changes is that it is set before the work starts, not after the work has started asking for more.
The direction is the whole point. An estimate is a prediction the work can prove wrong — and when it does, the honest move is to revise the estimate upward. So the estimate flexes to fit the work. An appetite is a decision the work is not allowed to revise. The scope flexes to fit the appetite.
You already run this rule when the money is your own. Buying a car, the first question is not which car — it is how much can I afford? You set that number first. Then you write down what the car has to do: seats five, handles the commute, tows the trailer or doesn’t. Only then do you test-drive the ones that fit both the budget and the list. Nobody sane test-drives the car they can’t afford, falls for it, and then works backward to justify the payment. That backward order — pick the thing first, then stretch to pay for it — is every runaway project. The appetite is the price cap you set before you fall in love.
* * *
Take the spine this piece will keep returning to. A composite, but every move in it is one you have seen.
An IT org decides to fix its monitoring. The dashboards lie — green lights over dead services, the watermelon problem this publication has written about before. The plan: stand up a new observability stack in Q1.
Notice what was set and what wasn’t. A target was set — new stack, Q1. That is an estimate dressed as a goal. No one set the appetite. No one wrote down the sentence: this is worth one quarter and two engineers, and if it needs a third quarter we would rather ship what we have and stop than keep going.
That missing sentence is not a formality. It is the only sentence in the room that can ever say stop. Without it, the project has a start and a direction and no stopping point. It is a process with no off-switch.
A project without an appetite is not a plan. It is a direction of travel with the brakes left in the box.
§3 · THE PRIMITIVE
The primitive — risk debt
The thing that piles up in that project has a name, and the name is not original to this article. It is borrowed, deliberately, from the same shelf as intent debt.
Risk debt is unpriced risk that has been accepted into a project’s commitments without anyone re-deriving whether it is still worth carrying. Technical debt accumulates in the estate — the unpatched box, the manual runbook, the script only one person understands. Cognitive debt accumulates in the operators. Risk debt accumulates in the pile of yeses — every “while we’re in there,” every “can it also,” every “the VP really wants,” accepted without re-pricing the bet it changed.
The unit is a single accepted expansion. Watch one accrue on the spine.
Week three of the monitoring project. Someone says: while we’re standing up the collector, we should pull in the log aggregation too — it’s right there. It is a reasonable sentence. The extra cost looks small because the collector is already open on the bench.
What just happened, in risk terms: the project’s surface area grew and the failure modes multiplied. The original appetite — if there had been one — was quietly overdrawn. But no one priced that. The expansion was waved through on a little extra effort (it’s right there) while the thing that actually changed was total risk (now two systems have to land, not one, and they have to land together).
That is one unit of risk debt. It does not show up on the schedule that week. It shows up four months later, when the log pipeline is the thing that won’t stabilize and no one can quite remember deciding to take it on.
* * *
Here is why it compounds instead of adding.
Each accepted expansion collides with every one before it. Two systems that must land together have more ways to fail than two systems landing apart — the ways to fail grow faster than the count. n expansions open on the order of n²/2 pairs that can break each other. The expansions arrive one at a time, each looking small. The risk they add to each other grows by the square.
And the rate of re-pricing — someone stopping to ask is the whole bet still worth it? — does not keep pace. It usually drops to zero after kickoff. So the two curves cross. Past the crossover, risk debt compounds at the rate people say yes, not the rate anyone audits the yeses.
Stage-gates and tranche funding are built to catch exactly this — scheduled moments to re-price the bet. They fail the same way. A gate re-prices on the calendar; risk debt accrues per yes, in the weeks between gates. By the review, the pile is already too tall to climb down. Risk debt is not a rival to the gate. It is the primitive underneath it — the thing the gate keeps missing.
This is not a small effect at the tail. Bent Flyvbjerg’s database of large projects is fat-tailed, not bell-shaped: most cluster near plan, but a long tail blows out catastrophically.
FIG 3.2 — The fat tail
| Figure | What it measures | Source |
|---|---|---|
| 18% | IT projects that run more than 50% over budget | Flyvbjerg & Budzier |
| 447% | Average overrun inside that tail — not the worst case, the average | Flyvbjerg & Budzier |
| 0.5% | Projects that hit cost, schedule, and benefits together | Flyvbjerg, How Big Things |
The distribution has no comfortable middle to fall back to. Once you are significantly over, the live question is not whether you’ll land near plan — it is whether you are about to go hundreds of percent over.
Risk debt does not make a project late. Lateness is the symptom you can see. Risk debt makes a project unkillable — because by the time it’s visibly failing, the pile of yeses is too tall for anyone to climb back down.
§4 · THE FAILURES
Three shapes of one missing number
The blank appetite does not fail in one way. It fails in three, depending on which direction the unpriced risk leaks. They share a root, so a reader who sees the root can predict all three.
Never-ending — the leak in time
Leak No appetite was set, so there is no number the duration can violate. The project cannot be “over budget” against a budget that was never written. So it is never over.
Mechanism Every status meeting asks the estimate question — how much longer? — and the honest answer is always a bit more, because the estimate revises to fit the work. The conversation that would end it — is this still worth what’s left to spend? — never has a number to be measured against, so it never happens.
Fix Shape Up’s circuit breaker. The appetite is fixed time; miss it and continuation has to be argued, not assumed. And the reframe matters — if it didn’t ship, the signal isn’t try harder, it’s the shaping was wrong, re-decide cold.
Boiling the ocean — the leak in scope
Leak No appetite bounded the scope, so no adjacent problem is out of bounds. And
almost everything is adjacent to almost everything — the monitoring project
touches the CMDB, which touches identity, which touches ticketing, which
touches the thing security has wanted for a year.
Mechanism When the boundary is fixed, scope is the variable that flexes to fit — you
cut to the must-haves because the wall won’t move. When nothing is fixed,
scope is free, and ambition is the gas that expands to fill it.
Fix Fix one number first. “Boiling the ocean” is not over-ambition as a
personality flaw. It is what scope does when no wall says no.
The executive trojan horse — the leak in authority
Leak A pet project arrives under an executive’s name. The risk it carries is real — large, vague, unpriced — but it does not get priced, because the sponsor’s authority is the price that was paid at the gate. To question the bet is read as questioning the sponsor.
Mechanism A trojan horse is a container that gets something past the gate by hiding it inside an accepted exterior. The accepted exterior here is status. The horse is inside the walls, and the risk is still in its belly, unpriced.
Fix Hold the pet project to the same appetite as everything else — and set that appetite before the sponsor’s name is attached, by someone who can still say no.
The third shape has a second lock on it. Once the horse is inside, the force that welds the gate shut has a name — . In 1976 Barry Staw ran the study — Knee-deep in the Big Muddy. He found that people commit the greatest resources to a failing course precisely when they are personally responsible for the losses so far. The sponsor who championed the horse is the person most wired to defend it as it fails. Every quarter of sunk cost makes the next quarter’s yes more certain, not less. The project that most needs killing is sponsored by the one person who structurally cannot.
The three failures are one failure seen from three sides. Time, scope, authority — pick the dimension with no number on it, and that is the dimension the project will bleed through.
§5 · THE FORMULA
Risk appetite, written out
The strategists in the room will want this as a formula. Here it is, and it stays at kitchen-table arithmetic — no symbol you can’t say out loud.
Start with the textbook line. Risk is two things multiplied:
Risk = how likely × how bad
Risk appetite draws a line on that product: the most how likely × how bad you will carry on purpose, before you act to cut it down. That is the ISO definition in plain words — the amount of risk you are willing to pursue or hold.
On a live project you cannot fix how likely — the work is already running. What you can fix, in advance, is a ceiling on how bad: the most spend you are willing to lose before you would rather stop. And how likely does not vanish. It moves into the cost to finish, because the odds of overrun are exactly what make that number uncertain. So for a project the appetite collapses to a single ceiling:
A = the most time or money this is worth, set cold, at kickoff
Now the stop rule, which is the only part that does any work. At every check-in, two numbers:
- s — spent so far. Sunk. Gone. The trap is that this number feels like it should count. It must not.
- r — the honest cost to finish from here.
The rule:
Keep going only while s + r ≤ A. The moment s + r > A, stop. Re-decide from zero — as if the money already spent were on someone else’s books.
That is the whole mechanism. The project ends when the spend already gone, plus the spend still needed to finish, runs past the number you set before you started.
There is a trap inside r. It is an estimate. The next section shows estimates rot once you are sunk-cost-deep — the invested self quotes the r it wants to be true. The rule survives this for one reason: A was set cold, before the work could argue. A hopeful r still has to clear a fixed wall. When r keeps sliding just enough to keep s + r under A, that sliding is the tell — the number is being managed, not measured. The fix is not a more honest r. It is a boundary that forces a cold re-decision, argued by someone not yet on the hook.
Now compare it to the formula a runaway project actually runs:
Keep going while s > 0 and someone important still wants it.
That second rule has no stop. s > 0 is true the day after kickoff and stays true forever. “Someone important still wants it” is §4’s trojan horse, restated as a rule. A project on this formula does not end, because the formula has no line to cross. The first formula has A — a wall the running total can hit. The second has no wall, which is why §2’s monitoring project is still “ninety percent done” two years in.
The appetite is the wall. The formula is how you know you have hit it.
§6 · THE TIMING
Why the number has to come first
If the cure is “set an appetite,” the objection lands fast: fine, we’ll set one once we can see the project — a few weeks in, when we understand it. That is the trap. The timing is the entire mechanism.
An appetite set after the work begins is not an appetite. It is an estimate with a confident face. By then the design exists, the team is invested, the first yeses are already in the pile — and any number you write down will be worked backward to fit what you’ve already started. The work sets the number instead of the number bounding the work.
Watch what the sunk cost does to the call, quarter by quarter, when no appetite was set to stop it.
State
Two engineers, one quarter spent. The honest read: behind, but recoverable.
The call
Cheap to stop here. Almost no one is personally on the hook yet, so almost no one fights it.
State
Scope has grown twice. The sponsor has defended the project in two reviews.
The call
Stopping now means the sponsor eats two quarters in public. The pull is to push.
State
It still doesn’t work. The sunk cost has flipped from a cost into an argument for continuing.
The call
“We’ve come too far to stop.” The person who must call it is the person the loss is wired to. The call does not come.
The appetite has to be set before, while you are coldest, for one reason: it is a against your own future judgment.
The mechanical analogy maps cleanly, so use it. Ulysses had himself tied to the mast before the ship reached the sirens — not because he was weak, but because he knew the version of himself that would hear the song could not be trusted to steer. The binding is made by the cold self, to constrain the hot self, at the one moment the cold self is in charge.
The appetite is the mast. You write the kill condition at kickoff — worth one quarter and two engineers; a third quarter means we ship what we have and stop — because the you at kickoff is the only version not yet sunk-cost-deep, not yet personally responsible for the losses, not yet hearing the song. Staw’s finding is the siren. The pre-commitment is the rope. Set the number after you can hear the song, and you’ll untie yourself every time.
This is also why the appetite cannot be a tripwire that fires automatically. A number that hard-kills a project the week before it would have worked is its own failure mode. The appetite does not pull the trigger. It forces the re-decision — at the boundary, the default flips and continuation has to be argued cold, by someone who can say no. The rope doesn’t sink the ship. It makes you decide about the sirens with your hands tied, which is the only honest time to decide.
§7 · THE COUNTER
Where this breaks — discovery is not a bet
Every directional claim on this site carries the conditions under which it flips. Here is this one’s.
Appetite governs bets — work where you can name, at the start, what “worth it” means: a deliverable, a capability, a fixed outcome. The monitoring stack is a bet. Most internal IT projects are bets. For bets, a blank appetite is pure risk debt and the argument above holds without exception.
Appetite does not govern discovery — genuine research, security threat-hunting, the early exploration where the point is that you don’t yet know what “done” looks like. Put a hard deliverable-appetite on real discovery and you cut off the exploration that was the entire point. The team learns to stop at the first answer that fits the box, which is exactly the answer discovery exists to get past.
The resolution is not to drop the appetite. It is to move it. On discovery work you set an appetite on the learning, not the deliverable: two weeks to find out whether it can even be done, then we decide with what we learned. The boundary still exists — it still forces a cold re-decision — but it is priced in knowledge gained, not features shipped.
The stop rule reshapes to match. Not s + r ≤ A against a deliverable, but a question at the boundary: can we now name what “done” looks like? If yes, the discovery is over — re-shape it as a bet and set a real appetite. If no, you re-decide cold whether more learning is worth buying, with only what you have in hand. The wall is paid in knowledge, not features, but the cold re-decision at the wall is the same move.
Confuse the two and you get opposite failures. A deliverable-appetite on discovery kills the thing too early. A learning-appetite on a bet is a blank appetite with a research-shaped excuse — and the ocean boils on schedule.
The other honest caveat is the data. The Standish CHAOS figures — large projects succeeding under 10% of the time, small ones near 90% — point the same direction as everything here, and they are contested. The methodology has been criticized for years for unstable definitions of “success.” Treat them as a weather vane, not a measurement. Flyvbjerg’s fat-tail numbers are the firmer ground. The argument does not lean on Standish; it survives if you delete that sentence.
§8 · WHAT TO DO
The test you can run Monday
No framework, no permission needed. One question, asked of your three longest-running projects:
What was the appetite — the number — and who set it, and when?
If the answer comes back as a number set at kickoff by someone who can still say stop, the project is governed. It may be late; lateness is survivable. It is not running on risk debt.
If the answer is an estimate (“it was supposed to be done in Q1”), or a target with no terminal condition, or — the trojan-horse tell — “it’s a priority for [name]” offered as though that were a number, then you have found unpriced risk. The amount you are carrying is everything waved through since kickoff — each yes small, the total never re-priced.
You cannot pay that debt down by working harder. Working harder is more yeses on the pile. You pay it down the only way risk debt is ever paid down: someone stops, re-prices the whole bet cold, and writes the appetite that should have been written at the start — the one sentence that is allowed to say stop.
Most people reading this cannot write that sentence themselves. You run the team; you do not own the capital. The move is still yours. Name the missing number out loud: no one set the price at which we’d stop. Put it in front of whoever owns the capital — as a decision they have to make, not a status you have to defend. You cannot pull the brake. You can refuse to let its absence stay invisible. Risk debt is unpriced until someone says so out loud, and saying so is the part that needs no authority.
§9 · LAST WORD
Close
The estimate and the appetite look like the same number. They are opposites — one the work may revise, one it may not. Only the kind it may not can end anything.
Risk debt is what fills the gap where the appetite should be. It accumulates in the yeses, compounds in the interactions, and goes uncollected because the one who would collect it is the one the loss already owns. The never-ending project, the boiled ocean, the trojan horse: one missing number, leaking through whichever dimension you forgot to price.
The fix is not a better estimate. It is a number set cold, before the song starts, by someone with their hands tied — and the discipline to re-decide at the boundary instead of untying the rope.
* * *
If you cannot say how your project ends, you do not understand how it works. You only understand which direction it’s heading, and that it has no brakes.
Citations
§1, §2 — Appetite, estimate
- International Organization for Standardization. ISO Guide 73:2009, Risk management — Vocabulary. Risk appetite: “amount and type of risk that an organization is willing to pursue or retain.”
- Singer, R. (2019). Shape Up: Stop Running in Circles and Ship Work that Matters. Basecamp. Appetite vs. estimate; fixed time, variable scope; the circuit breaker. basecamp.com/shapeup
§3 — Risk debt / fat-tailed overruns
- Flyvbjerg, B., & Gardner, D. (2023). How Big Things Get Done. Currency. (8.5% of projects hit cost and time; 0.5% hit cost, time, and benefits.)
- Flyvbjerg, B., Budzier, A., et al. (2022). The Empirical Reality of IT Project Cost Overruns: Discovering a Power-Law Distribution. Journal of Management Information Systems, 39(3). — 18% of IT projects overrun >50%, with an in-tail average of 447%.
§4, §6 — Escalation of commitment
- Staw, B. M. (1976). Knee-deep in the Big Muddy: A study of escalating commitment to a chosen course of action. Organizational Behavior and Human Performance, 16(1), 27–44.
§7 — Contested data
- The Standish Group. CHAOS Report 2020. Large-project vs. small-project success rates. Cited as contested.
- Eveleens, J. L., & Verhoef, C. (2010). The Rise and Fall of the Chaos Report Figures. IEEE Software, 27(1), 30–36. The methodological critique.
Continue
If this changed how you see the problem
The diagnosis names the gap. These packs are where you close it — and where a topic ships an audit, you can measure your exposure first.
Start here — The Experience Outcome Layer6 self-paced segments · OrchestratorOr take it from another angle