
PMP Project Management Professional Exam Study Guide

Key concepts, definitions, and exam tips organized by topic.

30 cards covered

# PMP Risk Management: Comprehensive Study Guide

## Overview

Risk management is one of the most heavily tested domains on the PMP exam, covering the systematic processes of identifying, analyzing, responding to, and monitoring project risks. Risks can be threats (negative) or opportunities (positive), and effective risk management requires both proactive planning and adaptive response. This guide is organized around five of the seven Project Risk Management processes defined in the PMBOK® Guide, Sixth Edition (Plan Risk Management, Identify Risks, Perform Qualitative Risk Analysis, Perform Quantitative Risk Analysis, Plan Risk Responses, Implement Risk Responses, Monitor Risks). Plan Risk Management, which produces the risk management plan, is not given its own section; Implement Risk Responses appears in the Process Flow Summary at the end.


---


## 1. Risk Identification

### Core Concept

Risk identification is the process of finding, recognizing, and documenting risks that could affect project objectives. The goal is comprehensive coverage: no risk can be managed if it hasn't been identified first.

### Primary Output

- **Risk Register**: the foundational document containing:
  - List of identified risks
  - Potential risk owners
  - Potential risk responses
  - (Updated and refined throughout all subsequent risk processes)

### Key Techniques

| Technique | Description |
|---|---|
| Brainstorming | Structured group discussion using "what if" scenarios; facilitator-guided; open idea generation |
| Document Analysis | Reviews plans, assumptions, contracts, and prior project artifacts to uncover embedded risks |
| Delphi Technique | Anonymous expert consensus through multiple rounds; reduces groupthink and bias |
| Risk Breakdown Structure (RBS) | Hierarchical chart of risk categories ensuring systematic, comprehensive coverage by source |

### Key Definitions

- **Risk**: an uncertain future event that may have positive or negative effects on project objectives
- **Issue**: a risk that has already occurred and requires immediate action
- **Residual Risk**: risk remaining after risk responses have been implemented; the leftover exposure

### Key Terms

- Risk Register
- Risk Breakdown Structure (RBS)
- Document Analysis
- Residual Risk
- Assumptions
- Constraints

### ⚠️ Watch Out For

> Risk vs. Issue confusion is a frequent trap. If an exam question describes something that has already happened, it's an issue, not a risk. Risks are always future-oriented and uncertain.

> The Delphi Technique appears in both identification and qualitative analysis questions. Know that its defining feature is anonymity and multiple rounds of input.

---

    ---


## 2. Qualitative Risk Analysis

### Core Concept

Qualitative Risk Analysis prioritizes risks by assessing each one's probability and impact on descriptive (ordinal) scales. It acts as a filter, determining which risks deserve further quantitative analysis or immediate response planning.

### Primary Tool: Probability and Impact Matrix

- Plots each risk on two axes: Probability of Occurrence × Impact on Objectives
- Produces a High / Medium / Low priority rating
- Thresholds between the ratings are set based on organizational risk appetite

### Key Concepts

- **Risk Appetite**: the degree of uncertainty an organization is willing to accept in anticipation of a reward; directly influences priority thresholds and response triggers
- **Risk Threshold**: the measurable expression of that appetite; the level of risk exposure above which a risk is addressed and below which it may be accepted. Appetite is the attitude, threshold is the number
- **Risk Urgency Assessment**: evaluates how soon a response must be implemented; high-urgency risks receive elevated priority even if impact/probability scores are moderate
- **Secondary Risk**: a new risk created by implementing a risk response; must be analyzed and planned for like any original risk

### Delphi Technique (Revisited)

Used here for expert elicitation during analysis: anonymous inputs reduce bias when assessing probability and impact of complex risks.

### Key Terms

- Probability and Impact Matrix
- Risk Appetite
- Risk Urgency
- Risk Threshold
- Secondary Risk
- Risk Categorization

### ⚠️ Watch Out For

> Secondary risks are one of the most tested concepts. When you implement a response, always ask: "Did this create a new risk?" Secondary risks must go back into the Risk Register.

> Qualitative ≠ Quantitative. Qualitative rates risks on descriptive scales (High/Medium/Low), even when those scales are labelled with numbers. Once the question computes a monetary or schedule result (an EMV, a simulation output, a contingency amount), you've moved to quantitative territory.

---

    ---


## 3. Quantitative Risk Analysis

### Core Concept

Quantitative Risk Analysis assigns numerical values to risk probability and impact to model the overall effect on project objectives. It is typically performed only on high-priority risks identified during qualitative analysis and is not always required on every project.
### Key Techniques

#### Expected Monetary Value (EMV)

> Formula: EMV = Probability (as a decimal, e.g. 0.30 for 30%) × Monetary Impact ($)

- Used in Decision Tree Analysis
- Negative EMV = threat (impact recorded as a cost); Positive EMV = opportunity (impact recorded as a gain)
- Helps select the option with the best expected value across decision branches

#### Monte Carlo Simulation

- Runs thousands of iterations, each time sampling every uncertain input (activity duration, cost item) from its probability distribution, usually derived from a three-point estimate
- Produces a probability distribution of possible project outcomes
- Answers: "What is the probability of finishing by Date X or within Budget Y?"
- Output: S-curve (cumulative distribution) or histogram of cost/schedule outcomes

#### Sensitivity Analysis & Tornado Diagram

- Identifies which individual risks or uncertain inputs have the greatest impact on overall project outcomes
- **Tornado Diagram**: a bar chart where each bar shows the swing in the project outcome when one input is varied across its range while the others are held fixed; bars are sorted so the longest (highest sensitivity/influence) sit at the top
- Helps focus management attention on the most critical risks
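The Monte Carlo and sensitivity techniques above, carried through in Python as an added worked example (this is not code from the original study guide). The four activities and their three-point estimates are constructed assumptions for illustration; each activity is sampled from a triangular distribution and summed along one critical path, which is the simplest schedule model that still produces a distribution rather than a point estimate. The tornado ranking goes slightly beyond the text by showing how each bar is computed: hold everything else at its most-likely value and swing one input from optimistic to pessimistic.

```python
import random
import statistics

# Constructed three-point estimates (optimistic, most likely, pessimistic),
# in working days, for four activities on one critical path. The names and
# numbers are illustrative assumptions, not data from any real project.
ACTIVITIES = {
    "requirements": (8, 10, 15),
    "build": (20, 25, 45),
    "test": (10, 12, 30),
    "deploy": (2, 3, 5),
}


def simulate_schedule(activities, iterations=10_000, seed=1):
    """Monte Carlo: on every iteration sample each activity's duration from a
    triangular distribution built from its three-point estimate, add the
    samples along the path, and collect the total. The result is not one
    number but a list of outcomes, i.e. an empirical probability distribution."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    totals = []
    for _ in range(iterations):
        total = 0.0
        for optimistic, most_likely, pessimistic in activities.values():
            total += rng.triangular(optimistic, pessimistic, most_likely)
        totals.append(total)
    return totals


def probability_of_finishing_by(totals, target_days):
    """Answers the exam question 'what is the probability of finishing by day X?'"""
    return sum(1 for t in totals if t <= target_days) / len(totals)


def percentile(totals, pct):
    """Duration by which `pct` percent of simulated runs finish (P50, P80, ...);
    reading these off the sorted outcomes is what the S-curve shows graphically."""
    ordered = sorted(totals)
    index = int(round(pct / 100 * (len(ordered) - 1)))
    return ordered[index]


def tornado(activities):
    """Sensitivity analysis: hold every activity at its most-likely value, swing
    one activity at a time from optimistic to pessimistic, and rank activities by
    the resulting swing in the total. Sorted longest swing first, the order in
    which bars are drawn on a tornado diagram."""
    base = sum(most_likely for _, most_likely, _ in activities.values())
    swings = []
    for name, (optimistic, most_likely, pessimistic) in activities.items():
        low_total = base - most_likely + optimistic
        high_total = base - most_likely + pessimistic
        swings.append((name, low_total, high_total, high_total - low_total))
    return sorted(swings, key=lambda s: s[3], reverse=True)


if __name__ == "__main__":
    totals = simulate_schedule(ACTIVITIES)
    deterministic = sum(m for _, m, _ in ACTIVITIES.values())
    print(f"single-point (most likely) total: {deterministic} days")
    print(f"mean of simulated totals:         {statistics.mean(totals):.1f} days")
    for pct in (10, 50, 80, 90):
        print(f"P{pct}: {percentile(totals, pct):.1f} days")
    print(f"P(finish by {deterministic} days) = "
          f"{probability_of_finishing_by(totals, deterministic):.0%}")
    for name, low, high, swing in tornado(ACTIVITIES):
        print(f"{name:<13} {low:5.1f} .. {high:5.1f}  swing {swing:5.1f}")
```

Note what the run shows that a single-point plan hides: the sum of most-likely durations (50 days) is finished on time in only a small fraction of iterations, because every three-point estimate is skewed toward the pessimistic side. That gap between the deterministic total and the P50/P80 figures is the argument for sizing the contingency reserve from the distribution rather than from the plan.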

#### Decision Tree Analysis

- Each branch = a possible decision or chance event outcome
- Calculates EMV at each node
- Selects the path with the optimal expected value
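The EMV formula and the Decision Tree Analysis technique above, worked through together in Python as an added example (not code from the original study guide). The build-versus-buy decision, its costs, probabilities and outcome values, and the three register entries are constructed assumptions for illustration. Costs and threat impacts are entered as negative numbers so that "negative EMV = threat" holds arithmetically, and a chance node whose probabilities do not sum to 1 is rejected rather than silently producing a wrong EMV.

```python
# Constructed build-versus-buy decision for a reporting component. Option names,
# costs, probabilities and outcome values are illustrative assumptions, not data
# from any real project. Costs and threat impacts are negative numbers; gains
# would be positive.
DECISION_TREE = {
    "kind": "decision",
    "options": [
        {
            "name": "Build in-house",
            "cost": 120_000,
            "then": {
                "kind": "chance",
                "outcomes": [
                    {"label": "on schedule", "probability": 0.60, "value": 0},
                    {"label": "schedule overrun", "probability": 0.40, "value": -80_000},
                ],
            },
        },
        {
            "name": "Buy vendor package",
            "cost": 140_000,
            "then": {
                "kind": "chance",
                "outcomes": [
                    {"label": "fits requirements", "probability": 0.90, "value": 0},
                    {"label": "needs customization", "probability": 0.10, "value": -30_000},
                ],
            },
        },
    ],
}

# Constructed register entries: (risk, probability as a decimal, monetary impact).
RISK_REGISTER = [
    ("Key supplier delivers late", 0.30, -50_000),
    ("Regulatory change forces rework", 0.10, -200_000),
    ("Early-payment vendor discount", 0.50, 15_000),
]


def emv(probability, impact):
    """EMV of a single risk: probability as a decimal (0.40, not 40%) times the
    monetary impact. Threats carry a negative impact, opportunities a positive one."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be a decimal in [0, 1], got {probability}")
    return probability * impact


def total_exposure(risks):
    """Overall project EMV exposure: compute each risk separately, then sum."""
    return sum(emv(probability, impact) for _, probability, impact in risks)


def evaluate(node):
    """Expected value of a tree node. Chance node: probability-weighted sum of its
    branches (each branch may continue into another node). Decision node: value
    of the best option, since the decision maker will pick it."""
    if node["kind"] == "chance":
        total_probability = sum(o["probability"] for o in node["outcomes"])
        if abs(total_probability - 1.0) > 1e-9:
            raise ValueError(f"chance-node probabilities sum to {total_probability}, not 1")
        value = 0.0
        for outcome in node["outcomes"]:
            branch = outcome["value"]
            if "then" in outcome:  # nested decision or chance node further down
                branch += evaluate(outcome["then"])
            value += outcome["probability"] * branch
        return value
    if node["kind"] == "decision":
        return max(option_value(option) for option in node["options"])
    raise ValueError(f"unknown node kind {node['kind']!r}")


def option_value(option):
    """Net expected value of one decision branch: pay its cost, then take the
    expected value of whatever follows."""
    return -option["cost"] + evaluate(option["then"])


def best_option(decision):
    """Name and net EMV of the branch with the highest expected value."""
    scored = [(option_value(option), option["name"]) for option in decision["options"]]
    value, name = max(scored)
    return name, value


if __name__ == "__main__":
    for option in DECISION_TREE["options"]:
        print(f"{option['name']:<20} net EMV = {option_value(option):>12,.0f}")
    name, value = best_option(DECISION_TREE)
    print(f"choose: {name} ({value:,.0f})")
    for risk, probability, impact in RISK_REGISTER:
        print(f"{risk:<32} EMV = {emv(probability, impact):>10,.0f}")
    print(f"total project EMV exposure = {total_exposure(RISK_REGISTER):,.0f}")
```

The cheaper option on paper (build, 120,000) loses once its 40% chance of an 80,000 overrun is priced in (net EMV -152,000 against -143,000 for the vendor package), which is exactly the comparison an exam decision-tree question is asking you to make. The register total (-27,500) illustrates the "calculate each separately, then sum" tip from the Watch Out list.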

### Key Terms

- Expected Monetary Value (EMV)
- Monte Carlo Simulation
- Sensitivity Analysis
- Tornado Diagram
- Decision Tree
- Probability Distribution
- Confidence Level

### ⚠️ Watch Out For

> EMV calculation questions on the exam often include multiple risks: calculate each separately, then sum them for total project EMV exposure.

> Monte Carlo does NOT give a single answer. It gives a range of possibilities with associated probabilities. If a question asks what Monte Carlo produces, the answer involves probability distributions, not a single point estimate.

> Quantitative analysis is not required on every project. The exam may ask when it's appropriate to skip it.


    ---


## 4. Risk Response Planning

### Core Concept

Risk Response Planning develops options and actions to address individual risks. Responses must be appropriate, timely, cost-effective, and agreed upon by relevant stakeholders. Every response strategy is categorized by whether it addresses a threat or an opportunity.

### Response Strategies for THREATS (Negative Risks)

| Strategy | Description | Example |
|---|---|---|
| Avoid | Eliminate the risk entirely by changing the plan | Remove a risky feature from scope |
| Transfer | Shift financial impact to a third party | Purchase insurance; use fixed-price contracts |
| Mitigate | Reduce probability and/or impact | Add testing phases; hire more experienced staff |
| Accept | Acknowledge the risk; take no proactive action to change it. Passive acceptance only documents it; active acceptance sets aside a reserve | Passive: document it and review periodically. Active: set aside a contingency reserve of time or money |

### Response Strategies for OPPORTUNITIES (Positive Risks)

| Strategy | Description | Example |
|---|---|---|
| Exploit | Ensure the opportunity definitely occurs | Assign best resources to guarantee early delivery |
| Enhance | Increase probability or impact of the opportunity | Add resources to accelerate a promising activity |
| Share | Partner with a third party to capture the opportunity | Form a joint venture to leverage shared expertise |
| Accept | Take advantage of it if it occurs, but don't actively pursue | No special action taken |

### The Special Strategy: Escalate

- Used for both threats AND opportunities
- Applied when a risk is outside the project manager's authority to address
- Ownership transfers to program manager, portfolio manager, or organizational leadership
- The PM no longer owns the risk once escalated

### Reserve Types

| Reserve | Covers | Controlled By | In Baseline? |
|---|---|---|---|
| Contingency Reserve | Known-unknown risks (identified risks) | Project Manager | ✅ Yes (part of the cost baseline) |
| Management Reserve | Unknown-unknown risks (unforeseen events) | Senior Management/Sponsor | ❌ No (part of the project budget, outside the baseline) |

### Additional Key Concepts

- **Risk Response Owner**: responsible for implementing the response, monitoring trigger conditions, and reporting status to the PM
- **Fallback Plan**: a predefined secondary response activated when the primary contingency plan fails
- **Contingency Plan**: the primary planned response activated when a trigger condition is met

### Key Terms

- Avoid, Transfer, Mitigate, Accept (threats)
- Exploit, Enhance, Share, Accept (opportunities)
- Escalate
- Contingency Reserve
- Management Reserve
- Fallback Plan
- Risk Response Owner
- Trigger Condition

### ⚠️ Watch Out For

> Accept appears in BOTH threat and opportunity strategies. Don't assume "accept" only applies to threats; context determines which category it falls under.

> Transfer does NOT eliminate the risk. It shifts the financial consequence to another party (e.g., an insurance company), but the risk event can still occur.

> Contingency vs. Management Reserve is heavily tested. Remember: contingency = PM controls it; management reserve = requires formal authorization and is outside the baseline.

> Fallback plan ≠ contingency plan. The fallback is triggered only when the primary contingency plan fails.

---

    ---


## 5. Risk Monitoring & Control

### Core Concept

Monitor Risks ensures that risk management activities are executed as planned, risk responses are effective, and new risks are identified as the project evolves. Risk management is continuous, not a one-time event.

### Primary Purpose of Monitor Risks

1. Track identified risks and their status
2. Monitor residual risks
3. Identify new risks
4. Evaluate risk response effectiveness
5. Ensure risk management plans are executed correctly

### Key Tools & Outputs

#### Risk Register (Continued Updates)

- Continuously updated with new risks, closed risks, response effectiveness, and trigger status

#### Risk Report

- Summary-level communication document for stakeholders
- Contains: overall project risk exposure, trends in risk assessments, status of agreed responses
- Distinction: Risk Register = detailed individual risks; Risk Report = executive summary of overall risk health

#### Risk Audit

- Examines effectiveness of risk responses and the overall risk management process
- Can occur during routine project reviews OR dedicated audit sessions
- Documents lessons learned about what worked and what didn't

### Key Definitions

- **Risk Trigger (Warning Sign/Symptom)**: an indicator that a risk event is about to occur or has occurred; activates the contingency plan
- **Workaround**: an unplanned, reactive response to a threat that has occurred and for which no response was prepared, because it was never identified or was passively accepted
- **Residual Risk**: risk remaining after responses are implemented (monitored continuously)

### Agile vs. Predictive Risk Management

| Aspect | Predictive (Waterfall) | Agile |
|---|---|---|
| Timing | Discrete planning phases | Continuous; every iteration |
| Forum | Risk management plan, formal reviews | Iteration reviews, retrospectives, daily standups |
| Artifact | Risk register | Risk-adjusted backlog (risk work prioritized alongside feature stories) |
| Response | Pre-planned contingency responses | Short feedback cycles; incremental resolution |

### Key Terms

- Monitor Risks
- Risk Trigger / Warning Sign
- Workaround
- Risk Audit
- Risk Report
- Risk Register (updates)
- Technical Performance Measurements
- Reserve Analysis

### ⚠️ Watch Out For

> Workaround vs. Contingency Plan: a contingency plan is pre-planned for identified risks; a workaround is reactive to unidentified or previously accepted risks. The exam will test whether you know which is appropriate.

> The Risk Report and Risk Register are different documents. The Risk Report is for stakeholder communication; the Risk Register is the detailed working document for the team.

> In agile contexts, the exam may ask how risks are managed. The answer involves continuous review and the product backlog, not formal discrete risk phases.

---

    ---


## Process Flow Summary

```
Identify Risks
    ↓
Qualitative Risk Analysis (prioritize)
    ↓
Quantitative Risk Analysis (numerically model; only if needed)
    ↓
Plan Risk Responses (develop strategies)
    ↓
Implement Risk Responses (execute strategies)
    ↓
Monitor Risks (track, reassess, identify new risks) → loops back to Identify Risks continuously
```


    ---


## Risk Document Reference Guide

| Document | Purpose | Owner |
|---|---|---|
| Risk Register | Detailed log of all individual risks, owners, responses, status | Project Manager |
| Risk Report | Summary of overall risk exposure for stakeholders | Project Manager |
| Risk Management Plan | Defines HOW risk management will be conducted | Project Manager |
| Contingency Reserve | Budget/time for known-unknown risks | Project Manager |
| Management Reserve | Budget for unknown-unknown risks | Senior Management |


    ---


## Quick Review Checklist

Use this checklist before your exam to confirm mastery of the most critical concepts:

- [ ] I can define the difference between a risk and an issue
- [ ] I know the primary output of Identify Risks is the Risk Register
- [ ] I can distinguish Document Analysis, Brainstorming, and Delphi Technique by their defining characteristics
- [ ] I understand that Delphi = anonymous + multiple rounds
- [ ] I can name all four threat strategies: Avoid, Transfer, Mitigate, Accept
- [ ] I can name all four opportunity strategies: Exploit, Enhance, Share, Accept
- [ ] I know when to use Escalate (outside PM's authority)
- [ ] I can calculate EMV = Probability × Impact
- [ ] I know Monte Carlo produces a probability distribution, not a single answer
- [ ] I can identify a Tornado Diagram as the output of sensitivity analysis
- [ ] I understand the difference between contingency reserve (PM-controlled, in baseline) and management reserve (senior management, outside baseline)
- [ ] I know a secondary risk is created by implementing a risk response
- [ ] I know a residual risk is what remains after a response is applied
- [ ] I can distinguish a contingency plan (pre-planned) from a workaround (reactive)
- [ ] I can distinguish a contingency plan (primary response) from a fallback plan (secondary, when primary fails)
- [ ] I know a risk trigger signals that a risk event is imminent or has occurred
- [ ] I understand that in agile projects, risk is managed continuously via iteration reviews and the backlog
- [ ] I can differentiate the Risk Register (detailed) from the Risk Report (summary for stakeholders)
- [ ] I know risk appetite influences how risks are prioritized in qualitative analysis
- [ ] I understand the Monitor Risks process is continuous throughout the entire project lifecycle

---

**Study Tip:** For scenario-based PMP questions on risk, always identify: (1) Is this a threat or opportunity? (2) Has it occurred yet? (3) Who has authority to act? These three questions will guide you to the correct answer strategy.
