
Risk Management

Identify early, respond proactively — never react

Overview

Risk Management is about dealing with uncertainty before it deals with you. The PMBOK defines risk as an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. That last word — positive — is frequently overlooked. Opportunities are risks too, and PMI expects PMs to actively pursue positive risks, not just defend against threats. Treating risk management as purely defensive misses half the discipline.

The risk management process flows from planning (how will we manage risks?) through identification (what could happen?) to analysis (how likely and how severe?) through response planning (what will we do?) to implementation and monitoring. Qualitative risk analysis (probability × impact matrix) is done on every project to prioritize risks. Quantitative risk analysis (EMV, Monte Carlo simulation, decision trees) is optional and done on projects where numerical modeling adds value.

Response strategies differ for threats and opportunities. For threats: Avoid (eliminate the threat entirely), Transfer (shift financial impact via insurance or contracts), Mitigate (reduce probability or impact), Accept (passive = do nothing; active = create contingency reserve). For opportunities: Exploit (ensure the opportunity occurs), Share (allocate ownership to a third party better positioned to capture it), Enhance (increase probability or impact), Accept (passive or active). Knowing these eight strategies and when to use them is essential.

Must Know at a Glance

Term / Concept | Definition
Risk Register | Living document capturing all identified risks, their attributes, analysis results, and planned responses.
Risk Appetite | Degree of uncertainty an organization is willing to accept in pursuit of value.
Risk Threshold | The level of risk exposure at which a stakeholder will take action.
Probability × Impact Matrix | Qualitative tool to prioritize risks by multiplying probability score by impact score.
EMV | Expected Monetary Value = Probability × Impact (in $). Used in quantitative analysis and decision trees.
Threat Responses | Avoid (eliminate), Transfer (insure/outsource), Mitigate (reduce P or I), Accept (passive or active).
Opportunity Responses | Exploit (ensure it happens), Share (partner), Enhance (increase P or I), Accept.
Residual Risk | Risk that remains after a response strategy has been implemented.
Secondary Risk | New risk created as a direct result of implementing a risk response.
Contingency Reserve | Budget set aside for identified risks (known unknowns). Controlled by PM.
Management Reserve | Budget for unknown unknowns. NOT in the cost baseline; controlled by sponsor/management.

Process Sequence

These processes run in order — each one builds on the outputs of the previous.

  1. Plan Risk Management

     Defining how to conduct risk management activities — methodology, roles, timing, and risk categories.

  2. Identify Risks

     Determining which risks may affect the project; documenting their characteristics in the risk register.

  3. Perform Qualitative Risk Analysis

     Prioritizing risks by assessing probability and impact using the P×I matrix.

  4. Perform Quantitative Risk Analysis

     Numerically analyzing the effect of identified risks on overall project objectives (EMV, Monte Carlo).

  5. Plan Risk Responses

     Developing options and actions to address overall project risk and individual risk exposure.

  6. Implement Risk Responses

     Implementing agreed-upon risk response plans and tracking their effectiveness.

  7. Monitor Risks

     Monitoring planned risk responses, identifying new risks, and evaluating overall risk process effectiveness.

Key Formulas

Expected Monetary Value

EMV = Probability × Impact ($)

Negative impact = threat (negative EMV). Positive impact = opportunity (positive EMV). Sum EMVs across branches for decision tree analysis.

Exam Strategy

How to approach these questions

Risk questions frequently test whether you know positive vs. negative risk responses. If asked about an opportunity, the response options are Exploit/Share/Enhance/Accept — not Avoid/Transfer/Mitigate. Also know: Quantitative Risk Analysis (PMBOK process 11.4) is optional — do not assume it always happens. Residual risk is what remains after your response; secondary risk is what your response creates. Management reserves are NOT in the cost baseline; contingency reserves are.

Common Mistakes

  • Forgetting that positive risks (opportunities) exist and require their own response strategies.
  • Confusing contingency reserves (known unknowns, PM controls) with management reserves (unknown unknowns, sponsor controls).
  • Assuming quantitative risk analysis is always performed — it is optional and done on complex projects.
  • Mixing up residual risk (remains after response) with secondary risk (created by the response).

All 30 Topics in This Domain


Plan Risk Management

Plan Risk Management is the process of defining how to conduct risk management activities for a project. It produces the risk management plan, which guides all subsequent risk processes.

Risk Management Plan

The risk management plan is a component of the project management plan that describes how risk management activities will be structured and performed. It is the output of the Plan Risk Management process.

Identify Risks

Identify Risks is the process of determining which risks may affect the project and documenting their characteristics. It is performed iteratively throughout the project.

Risk Register

The risk register is a project document that records the details of individual project risks, including their identification, analysis results, response plans, and current status.

Risk Report

The risk report is a project document that presents information on overall project risk as well as summary information on individual risks. It is progressively developed throughout the risk management processes.

Perform Qualitative Risk Analysis

Perform Qualitative Risk Analysis is the process of prioritizing individual project risks by assessing their probability of occurrence and impact on project objectives.

Probability and Impact Matrix

The probability and impact matrix is a grid that maps the probability of a risk occurring against its potential impact on project objectives, producing a risk score used to prioritize risks.
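The matrix above and the "Probability × Impact Matrix" and "Risk Threshold" entries in the glossary describe the qualitative step in words. The following Python is an added example, not code from the original page: it scores a small risk register against 1-5 ordinal scales, ranks entries by their P×I score, and uses a risk threshold to decide which risks get a planned response and which go on a watch list. The scales, the threshold value of 10, and the five register entries are all constructed for illustration; threats and opportunities are scored the same way, as the matrix does not distinguish them.

```python
"""Qualitative risk analysis: scoring and ranking a risk register with a P x I matrix.

Added example, not from the original page. The 1-5 ordinal scales, the
threshold value and the register entries are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal rating scales (constructed): 1 = very low ... 5 = very high.
PROBABILITY_SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
IMPACT_SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}

# Risk threshold (constructed): a P x I score at or above this value is the level
# at which a stakeholder will act, so the risk gets a planned response; anything
# below goes on a watch list (passive acceptance) and is re-checked as the project runs.
RISK_THRESHOLD = 10


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    description: str
    kind: str          # "threat" or "opportunity"; scoring is identical for both
    probability: str   # key into PROBABILITY_SCALE
    impact: str        # key into IMPACT_SCALE

    def score(self) -> int:
        """Matrix cell value: probability rating multiplied by impact rating."""
        try:
            return PROBABILITY_SCALE[self.probability] * IMPACT_SCALE[self.impact]
        except KeyError as exc:
            # A rating outside the agreed scale is a data-entry error, not a low score.
            raise ValueError(f"{self.risk_id}: unknown rating {exc}") from exc

    def needs_response(self) -> bool:
        return self.score() >= RISK_THRESHOLD


def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest P x I first; ties broken by id so the ordering is stable and reviewable."""
    return sorted(register, key=lambda r: (-r.score(), r.risk_id))


def split_by_threshold(register: List[RiskEntry]) -> Tuple[List[RiskEntry], List[RiskEntry]]:
    """Partition the register into (needs a planned response, watch list), each prioritized."""
    act = [r for r in register if r.needs_response()]
    watch = [r for r in register if not r.needs_response()]
    return prioritize(act), prioritize(watch)


# Constructed register entries.
REGISTER = [
    RiskEntry("R1", "Key supplier becomes insolvent mid-project", "threat", "low", "very high"),
    RiskEntry("R2", "Cloud region outage during the cutover weekend", "threat", "moderate", "high"),
    RiskEntry("R3", "Early regulatory approval allows launch a quarter early", "opportunity", "moderate", "high"),
    RiskEntry("R4", "Minor UI rework after usability review", "threat", "high", "very low"),
    RiskEntry("R5", "Volunteer tester pool larger than planned", "opportunity", "low", "low"),
]

if __name__ == "__main__":
    act, watch = split_by_threshold(REGISTER)
    print("Plan responses for:")
    for r in act:
        print(f"  {r.risk_id} score={r.score():2d} {r.kind:<11} {r.description}")
    print("Watch list:")
    for r in watch:
        print(f"  {r.risk_id} score={r.score():2d} {r.kind:<11} {r.description}")
```

Note that R1 (low probability, very high impact) and R4 (high probability, very low impact) land on opposite sides of the threshold even though both are threats; the matrix is what makes that distinction visible, and the threshold is what turns a score into a decision about whether a response must be planned.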

Risk Categorization

Risk categorization is the grouping of risks by their source, affected area, or other useful criteria to identify concentrations of risk exposure and common root causes.

Risk Breakdown Structure (RBS)

A risk breakdown structure (RBS) is a hierarchical representation of potential sources of risk, organized by category and subcategory, used to structure and guide the risk identification process.

Perform Quantitative Risk Analysis

Perform Quantitative Risk Analysis is the process of numerically analyzing the combined effect of identified individual risks and other sources of uncertainty on overall project objectives.

Monte Carlo Simulation

Monte Carlo simulation is a quantitative risk analysis technique that uses random sampling of probability distributions for cost and schedule estimates to model possible project outcomes and calculate the probability of achieving targets.
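To make the sampling concrete, here is an added example (not code from the original page) of a schedule Monte Carlo in Python using only the standard library. Each task has a three-point estimate sampled from a triangular distribution, each discrete risk event is rolled against its probability on every trial (a negative delay models an opportunity), and the run reports the mean, P50, P80 and the probability of finishing within a target. The tasks, risk events, target of 50 days, seed and iteration count are constructed; the tasks are assumed to run sequentially on a single critical path.

```python
"""Monte Carlo simulation of total project duration with discrete risk events.

Added example, not from the original page. The three-point task estimates,
the risk events, the target and the iteration count are constructed for
illustration. Standard library only, so it runs offline.
"""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Task:
    """Three-point estimate in working days; tasks are assumed sequential."""
    name: str
    optimistic: float
    most_likely: float
    pessimistic: float


@dataclass(frozen=True)
class RiskEvent:
    """Discrete risk: occurs with `probability`; a negative delay models an opportunity."""
    name: str
    probability: float
    delay_days: float


def simulate_once(tasks: List[Task], risks: List[RiskEvent], rng: random.Random) -> float:
    """One trial: sample every task duration, then roll each risk event."""
    total = 0.0
    for t in tasks:
        # random.triangular(low, high, mode) matches a three-point estimate directly.
        total += rng.triangular(t.optimistic, t.pessimistic, t.most_likely)
    for r in risks:
        if rng.random() < r.probability:
            total += r.delay_days
    return total


def simulate(tasks: List[Task], risks: List[RiskEvent],
             iterations: int = 10_000, seed: int = 42) -> List[float]:
    """Run the trial many times; a fixed seed keeps the result reproducible for review."""
    rng = random.Random(seed)
    return [simulate_once(tasks, risks, rng) for _ in range(iterations)]


def probability_of_meeting(samples: List[float], target_days: float) -> float:
    """Share of trials that finish on or before the target."""
    return sum(1 for s in samples if s <= target_days) / len(samples)


def percentile(samples: List[float], p: float) -> float:
    """Duration that a fraction p (0..1) of trials finish within, e.g. p=0.8 gives P80."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be between 0 and 1")
    ordered = sorted(samples)
    return ordered[round(p * (len(ordered) - 1))]


def summarize(samples: List[float], target_days: float) -> Dict[str, float]:
    return {
        "mean": sum(samples) / len(samples),
        "p50": percentile(samples, 0.5),
        "p80": percentile(samples, 0.8),
        "prob_meet_target": probability_of_meeting(samples, target_days),
    }


# Constructed inputs.
TASKS = [
    Task("Design", 8, 10, 15),
    Task("Build", 20, 25, 40),
    Task("Test", 10, 12, 20),
]
RISKS = [
    RiskEvent("Lead engineer unavailable for two weeks", 0.20, +10),
    RiskEvent("Existing library can be reused (opportunity)", 0.30, -5),
]
TARGET_DAYS = 50  # the date committed to the sponsor (constructed)

if __name__ == "__main__":
    result = summarize(simulate(TASKS, RISKS), TARGET_DAYS)
    print(f"Mean duration:           {result['mean']:.1f} days")
    print(f"P50 / P80:               {result['p50']:.1f} / {result['p80']:.1f} days")
    print(f"P(finish <= {TARGET_DAYS} days): {result['prob_meet_target']:.1%}")
```

The sum of the most-likely estimates is 47 days, but the simulated mean comes out near 54 because the pessimistic tails and the delay risk pull the distribution to the right; that gap between the single-point plan and the simulated P50/P80 is exactly what quantitative analysis is meant to surface, and the P80 minus the planned duration is one common basis for sizing a contingency reserve.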

Sensitivity Analysis (Tornado Diagram)

Sensitivity analysis is a quantitative technique that determines which individual risks or uncertainties have the greatest potential impact on project outcomes. The tornado diagram is its primary visual output.

Expected Monetary Value (EMV)

Expected monetary value (EMV) is a quantitative risk analysis technique that calculates the average outcome of a risk event by multiplying the probability of occurrence by the monetary impact. EMV for threats is negative; for opportunities, it is positive.

Decision Tree Analysis

Decision tree analysis is a diagramming and quantitative technique used to evaluate multiple decision alternatives, each with associated costs, probabilities, and outcomes, to select the option with the best expected monetary value.
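The Key Formulas section states EMV = Probability × Impact, with threats carrying a negative impact and opportunities a positive one, and says to sum EMVs across branches for decision tree analysis; this entry describes the decision tree itself. The following Python is an added example serving both passages, not code from the original page. It models a build-or-buy decision where each alternative has an up-front cost and a chance node whose branches hold threats, an opportunity, and one nested chance node; EMV is computed recursively, branch probabilities are validated, and the alternative with the highest net EMV is selected. All dollar figures and probabilities are constructed for illustration.

```python
"""Decision tree analysis with Expected Monetary Value (EMV).

Added example, not from the original page. The build-or-buy scenario, all
probabilities and all dollar figures are constructed for illustration.
Sign convention follows the page: threats have negative impact, opportunities positive.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Outcome:
    """Leaf of the tree: the net monetary result of one branch (negative = loss)."""
    label: str
    value: float


@dataclass(frozen=True)
class ChanceNode:
    """A chance event whose branches carry (probability, child) and must sum to 1.0."""
    label: str
    branches: Tuple[Tuple[float, "Node"], ...]


Node = Union[Outcome, ChanceNode]


def risk_emv(probability: float, impact: float) -> float:
    """Single-risk EMV = P x I. Negative impact for a threat, positive for an opportunity."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * impact


def emv(node: Node) -> float:
    """Sum P x EMV(child) over every branch; nested chance nodes are folded in recursively."""
    if isinstance(node, Outcome):
        return node.value
    total_p = sum(p for p, _ in node.branches)
    if abs(total_p - 1.0) > 1e-9:
        # Branches that do not cover the whole probability space make the EMV meaningless.
        raise ValueError(f"{node.label}: branch probabilities sum to {total_p}, not 1.0")
    return sum(risk_emv(p, emv(child)) for p, child in node.branches)


@dataclass(frozen=True)
class Decision:
    label: str
    cost: float          # up-front cost of this alternative, as a positive number
    chance: ChanceNode   # what can happen after choosing it

    def net_emv(self) -> float:
        """EMV of the alternative's chance node minus its up-front cost."""
        return emv(self.chance) - self.cost


def best_decision(options: List[Decision]) -> Decision:
    """Pick the alternative with the highest net EMV (least negative when all are costs)."""
    return max(options, key=lambda d: d.net_emv())


# Constructed scenario figures (dollars).
BUILD = Decision(
    "Build in-house", cost=120_000,
    chance=ChanceNode("Build outcome", (
        (0.60, Outcome("Delivered on plan", 0)),
        (0.30, ChanceNode("Threat: two-month overrun", (
            (0.50, Outcome("Overrun absorbed by schedule float", -20_000)),
            (0.50, Outcome("Overrun triggers late-delivery penalty", -80_000)),
        ))),
        (0.10, Outcome("Opportunity: module reused by another project", +30_000)),
    )),
)
BUY = Decision(
    "Buy from vendor", cost=150_000,
    chance=ChanceNode("Buy outcome", (
        (0.85, Outcome("Delivered on plan", 0)),
        (0.15, Outcome("Threat: vendor late, penalty clause recovers part of the loss", -20_000)),
    )),
)

if __name__ == "__main__":
    for d in (BUILD, BUY):
        print(f"{d.label:<16} chance EMV = {emv(d.chance):>10,.0f}   net EMV = {d.net_emv():>10,.0f}")
    print("Choose:", best_decision([BUILD, BUY]).label)
```

Working it by hand: the nested overrun node is worth 0.5 × (−20,000) + 0.5 × (−80,000) = −50,000, so the build chance node is 0.6 × 0 + 0.3 × (−50,000) + 0.1 × 30,000 = −12,000 and the net EMV is −132,000; buying has a chance EMV of 0.15 × (−20,000) = −3,000 and a net EMV of −153,000. Build wins on EMV despite carrying the larger threat, which is the kind of result a decision tree makes explicit rather than leaving to intuition.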

Plan Risk Responses

Plan Risk Responses is the process of developing options, selecting strategies, and agreeing on actions to address overall project risk exposure and to treat individual project risks.

Risk Response Strategies for Threats

Risk response strategies for threats are the five approaches available to address negative risks: avoid, mitigate, transfer, accept, and escalate. Each strategy aims to reduce the probability, impact, or exposure of a threat.

Avoid (Risk Strategy)

Avoid is a threat response strategy that eliminates the threat by changing the project management plan to remove the risk entirely, protect the project objectives, or relax the objective that is at risk.

Mitigate (Risk Strategy)

Mitigate is a threat response strategy that reduces the probability of occurrence and/or the impact of a threat to within acceptable limits. The risk is not eliminated but brought to a manageable level.

Transfer (Risk Strategy)

Transfer is a threat response strategy that shifts the negative impact and ownership of a threat to a third party. The risk is not eliminated but the responsibility for managing it moves to another entity.

Accept (Risk Strategy)

Accept is a risk response strategy where the project team acknowledges a risk but takes no proactive action to address it. Acceptance can be passive (do nothing) or active (establish a contingency reserve or plan).

Escalate (Risk Strategy)

Escalate is a risk response strategy used when a risk is outside the scope or authority of the project team. The risk is transferred upward to a program, portfolio, or organizational level where it can be effectively managed.

Risk Response Strategies for Opportunities

Risk response strategies for opportunities are the five approaches used to address positive risks: exploit, enhance, share, accept, and escalate. Each strategy aims to increase the probability, impact, or both of a beneficial risk event.

Exploit (Opportunity Strategy)

Exploit is an opportunity response strategy that ensures the positive risk is realized by eliminating the uncertainty associated with the opportunity. It is the most aggressive opportunity strategy.

Enhance (Opportunity Strategy)

Enhance is an opportunity response strategy that increases the probability and/or positive impact of an opportunity. Unlike exploit, it does not guarantee the opportunity will occur.

Share (Opportunity Strategy)

Share is an opportunity response strategy that allocates ownership of an opportunity to a third party who is best able to capture the benefit for the project. It is the opportunity equivalent of the threat strategy "transfer."

Implement Risk Responses

Implement Risk Responses is the process of executing the agreed-upon risk response plans. It ensures that risk responses are carried out as planned, with the goal of minimizing threats and maximizing opportunities.

Monitor Risks

Monitor Risks is the process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project.

Risk Triggers

Risk triggers (also called risk symptoms or warning signs) are events or conditions that indicate a risk is about to occur or has already occurred. They signal the need to activate a risk response.

Workarounds

Workarounds are unplanned responses to risks that were not previously identified or to risks for which no planned response was adequate. They are developed in the moment when a risk event occurs without a contingency plan.

Secondary Risks and Residual Risks

Secondary risks are new risks that arise as a direct result of implementing a risk response. Residual risks are risks that remain after planned responses have been implemented, including minor risks that were deliberately accepted.
