All projects have some risks. They may only have low-level risks, but they have some risks nonetheless. The purpose of risk management is to identify risks that are important enough for you to manage—and then manage them!
You evaluate risks based on two factors—the likelihood of occurrence and the impact to your project. As a project manager, you need to decide if these risks are important enough for you to worry about. Your answer says something about your risk tolerance.
For example, let's say we have a project that will cost $50,000 and take six months. Early in the project you identify a risk that is very likely to occur, but has an impact of $100 and one-half day of duration. You may choose to ignore this risk since the impact is small, rather than incur the effort and cost of managing the risk.
In that example, the numbers were fairly trivial and the risk was easy to ignore. But ratchet the impact up a little higher. Let's say the risk now has an impact of $2,500 and one week of duration. What about $5,000 and two weeks of duration? Would you manage either of those risks now? Your answer provides a sense of the level of risk you are willing to tolerate.
When you are performing risk identification, you need to determine your tolerance level for risks. This will help you focus on the risks that are important, while ignoring risks where the impact falls below your tolerance level.
Risk tolerance can be unique to the project manager, but it can also be cultural in your organization. Some organizations will generally accept riskier projects. They will also tend to have a higher threshold before they choose to manage a risk on specific projects. This doesn't mean they don't do risk management. In fact, they might perform rigorous risk management. However, the project managers in these organizations tend to accept a higher threshold for risk probability and risk impact before they will put a specific risk plan in place to manage the risk.
On the other hand, some organizations tend to accept less risky projects and tend to have a lower threshold to manage risks on projects. In other words, let's say you have a similar project in both organizations. The project managers in these risk-averse organizations will tend to manage risks that a project manager in the other organization might choose to leave.
What does risk tolerance mean to you? First, understand that you don't need to manage every risk, only the important ones. You should have a model to help you determine which ones are important. This may be a way to classify risks as high, medium or low, and then manage the high risks. It might mean that you will manage every risk that has more than 50% likelihood of occurrence and a risk impact of over 5% of schedule and budget.
These are just examples. You need to come up with the tolerance level on your project and then map your identified risks against it. Those that fall under your risk tolerance will be the ones you will ignore, while those over your risk tolerance will be managed.