PMP Certification Study Notes 11 – Project Risk Management


UPDATED for the new PMP Exam in 2023. Happy learning!

Introduction: This part of the PMP exam study notes (already updated/will be updated for the new PMP Exam in 2023) is based on Section 11 of the new PMBOK® Guide 6th Edition. The study notes have been rewritten to reflect the latest changes in the PMBOK® Guide for the new PMP Exam. More information on my PMP certification exam preparation can be found at my PMP exam and certification journey (with free PMP study resources and tips) here.

Please note that the study notes below are intended to include only the most important or easily confused PMP concepts. They are by no means complete in the sense that one can rely on them to be fully prepared for the PMP Exam. Aspirants are advised to make use of these study notes for revision purposes. Wish you PMP success!

Project Risk Management

  • Project Risk Management covers risk identification, management and response strategy, and impacts every area of the project management lifecycle
    • risk = uncertainty
    • risk management = increase the probability of project success by minimizing/eliminating negative risks (threats) and increasing positive events (opportunities)
    • everyone is responsible for identifying risks for the project
  • risk has one or more causes and has one or more impacts
  • risk attitudes (EEF): risk appetite (willingness to take risks for rewards), tolerance for risk (risk tolerant or risk-averse), risk threshold (level beyond which the organization refuses to tolerate risks and may change its response)
  • pure (insurable) risk vs business risk (can be +ve or -ve)
  • known risks that cannot be dealt with proactively should be assigned a contingency reserve (active acceptance); if the known risks cannot be analyzed, just wait for them to happen and implement the workaround (which is considered passive acceptance)

Plan Risk Management

  • Inputs: Project Charter, Project Management Plan, Project Documents, EEF, OPA
  • Tools & Techniques: Expert Judgement, Data Analysis, Meetings
  • Outputs: Risk Management Plan

  • The Plan Risk Management process defines and provides the resources and time needed to perform risk management.
    • including methodology, roles and responsibilities, budget, timing (when and how often), risk categories (e.g. risk breakdown structure RBS), definitions, stakeholder tolerances (an EEF), reporting and tracking
  • performed at project initiation and early in the Planning process
  • failure to address risks early on can ultimately be more costly later on in the project
  • Data Analysis techniques include stakeholder risk profile analysis (using the stakeholder register), strategic risk scoring sheets, etc.
  • a risk breakdown structure (RBS) (included in the PM Plan) – risks grouped by categories and occurring areas
  • key risk categories:
    • scope creep
    • inherent schedule flaws
    • employee turnover
    • specification breakdown (conflicts in deliverable specifications)
    • poor productivity

Identify Risks

  • Inputs: Project Management Plan, Project Documents, Agreements, Procurement Documentation, EEF, OPA
  • Tools & Techniques: Expert Judgement, Data Gathering, Data Analysis, Interpersonal and Team Skills, Prompt Lists, Meetings
  • Outputs: Risk Register, Risk Report, Project Document Updates

  • to find out and document all risks affecting the project from all aspects of the project, including:
    • agreements/contracts within/outside of the organization
    • procurements
    • requirements, schedule, cost, resource, quality, scope, etc. from the project management plan
  • Data Gathering Techniques: brainstorming, checklists, interviews, Delphi technique [a panel of independent experts, maintain anonymity, use questionnaire, encourage open critique]
  • Data Analysis Techniques:
    • root cause analysis [performed after an event to gain understanding to prevent similar events from occurring], SWOT analysis, assumption and constraint analysis
      • root cause analysis: safety-based (prevent accidents), production-based, process-based (include business process), failure-based, systems-based (all above)
      • root cause analysis tools: FMEA, Pareto Analysis, Bayesian Inference (conditional probability), Ishikawa Diagrams, Kepner-Tregoe
    • Monte Carlo analysis can identify points of schedule risks
  • Prompt List
    • The prompt list (newly added in PMBOK® Guide 6th Edition) is a predetermined list of risk categories that are at the lowest level of the risk breakdown structure which is used to assist in identifying risks of the projects
    • examples of prompt lists:
      • PESTLE (political, economic, social, technological, legal, environmental)
      • TECOP (technical, environmental, commercial, operations, political)
      • VUCA (volatility, uncertainty, complexity, ambiguity)
  • Risk Register (typically not including the risk reserve)
    • The Risk Register may include a risk statement
    • any risk with a probability of >70% is an issue (to be dealt with proactively and recorded in the issue log)
  • The Risk Report (new in PMBOK® Guide 6th Edition) is a document used to present information (e.g. no. of identified threats and opportunities, distribution of risks across risk categories, metrics and trends) on overall project risk. It also includes summary information on individual project risks.

Perform Qualitative Risk Analysis

  • Inputs: Project Management Plan, Project Documents, Agreements, Procurement Documentation, EEF, OPA
  • Tools & Techniques: Expert Judgement, Data Gathering, Data Analysis, Interpersonal and Team Skills, Risk Categorization, Data Representation, Meetings
  • Outputs: Project Document Updates (e.g. Risk Register)

  • prioritize risks for further analysis/action and identify high-priority risks
    • risks requiring near-term responses are more urgent to address
    • need to identify bias and correct it (e.g. risk attitude of the stakeholders)
  • Data Analysis Techniques include:
    • Risk data quality assessment
    • Risk probability and impact assessment
    • Assessment of other risk parameters (e.g. urgency, proximity, dormancy, manageability, controllability, detectability, connectivity, strategic impact, propinquity)
  • Data Representation Tools:
    • qualitative risk assessment matrix (format described in the Risk Management Plan)
    • hierarchical-type charts
  • the risk register is updated along the following processes: Perform Qualitative Risk Analysis, Perform Quantitative Risk Analysis, Plan Risk Responses, Implement Risk Responses and Monitor Risks

Perform Quantitative Risk Analysis

  • Inputs: Project Management Plan, Project Documents, Agreements, Procurement Documentation, EEF, OPA
  • Tools & Techniques: Expert Judgement, Data Gathering, Interpersonal and Team Skills, Representation of Uncertainty, Data Analysis
  • Outputs: Project Document Updates

  • the cost, schedule and risk management plans contain guidelines on how to quantitatively analyze risks
    • involves mathematical modelling for forecasts and trend analysis
  • Representation of Uncertainty (probability distribution) reflects the risks as a probability distribution, which can be in the following distribution types:
    • Triangular
    • Normal (bell-shaped curve)
    • Lognormal
    • Beta
    • Uniform
    • Discrete
  • Data Analysis Techniques:
    • sensitivity analysis (using the tornado diagram as presentation) for determining the risks that have the most impact on the project
    • Failure Modes Effects Analysis (FMEA) – for manufactured products or where risk may be undetectable; also a non-proprietary approach for risk management
      • Risk Priority Number (RPN) = severity (1-10) x occurrence (1 [0.07%] to 10 [20%]) x detectability (1 to 10 [undetectable])
    • Expected Value / Expected Monetary Value (EMV) = probability x impact (cost/effort lost); opportunities have +ve values, threats have -ve values
    • Simulations/Monte Carlo Analysis – runs the simulation many times over in order to calculate the probabilities heuristically, just like actually playing and recording your results in a real casino situation; an ‘S’ curve (cumulative distribution) will result; may use PERT/triangular distribution to model data; may use thousands of data points (a random variable); used for budget/schedule analysis
    • Decision Tree Analysis – another form of EMV, branching: decision squares (decision branch – options), circles (uncertainty branch – possible outcomes)
    • Influence Diagram – graphical representations of situations showing causal influences, time ordering of events, and other relationships among variables and outcomes
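The EMV, decision tree and Monte Carlo bullets above can be worked through in a few lines of Python. This is an added example, not part of the original study notes; the activity estimates, the two decision options and all function names are constructed for illustration.

```python
import random

# Constructed three-point estimates in days: (optimistic, most likely, pessimistic).
ACTIVITIES = {"design": (8, 10, 16), "build": (15, 20, 35), "test": (5, 8, 14)}

# Constructed decision tree: each option (decision branch) has a fixed cost and
# chance outcomes (uncertainty branch) as (probability, monetary impact);
# threats carry negative values, opportunities positive values.
DECISION = {
    "build in-house": {"cost": -50_000, "outcomes": [(0.6, 120_000), (0.4, -30_000)]},
    "buy off the shelf": {"cost": -80_000, "outcomes": [(0.9, 120_000), (0.1, -10_000)]},
}


def emv(outcomes):
    """Expected monetary value: sum of probability x impact over all outcomes."""
    if abs(sum(p for p, _ in outcomes) - 1.0) > 1e-9:
        raise ValueError("outcome probabilities must sum to 1")
    return sum(p * impact for p, impact in outcomes)


def best_option(tree):
    """Roll back the tree: decision cost plus EMV of its chance node."""
    values = {name: node["cost"] + emv(node["outcomes"]) for name, node in tree.items()}
    return max(values, key=values.get), values


def simulate_schedule(activities, runs=20_000, seed=11):
    """Monte Carlo: sample each activity from a triangular distribution and
    return the sorted project totals (the data behind the 'S' curve)."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = [
        sum(rng.triangular(low, high, mode) for low, mode, high in activities.values())
        for _ in range(runs)
    ]
    return sorted(totals)


def percentile(sorted_totals, pct):
    """Duration that pct% of the simulated runs finish within."""
    index = min(len(sorted_totals) - 1, int(len(sorted_totals) * pct / 100))
    return sorted_totals[index]


if __name__ == "__main__":
    choice, values = best_option(DECISION)
    print("EMV per option:", values, "-> choose", choice)
    totals = simulate_schedule(ACTIVITIES)
    for pct in (50, 80, 95):
        print(f"P{pct}: {percentile(totals, pct):.1f} days")
```

The gap between the P50 and P80 durations is one way to size a schedule contingency reserve.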

Plan Risk Responses

  • Inputs: Project Management Plan, Project Documents, Agreements, Procurement Documentation, EEF, OPA
  • Tools & Techniques: Expert Judgement, Data Gathering, Interpersonal and Team Skills, Strategies for Threats, Strategies for Opportunities, Contingent Response Strategies, Strategies for Overall Project Risks, Data Analysis, Decision Making
  • Outputs: Change Requests, Project Management Plan Updates, Project Document Updates

  • plan response to enhance opportunities and reduce threats
  • each risk is owned by a responsible person
  • the watch list is the list of low-priority risk items in the risk register
  • a fallback plan will be used if 1) risk response not effective, 2) accepted risk occurs
  • Negative Risk Strategies:
    • eliminate/avoid (not to use, extend the schedule)
    • transfer (outsource, warranty, insurance)
    • mitigate (reduce the risk by more testing/precautionary actions/redundancy)
    • accept (passive – do nothing or active – contingency)
    • escalate (escalates a risk to the appropriate party – can be deleted from the risk register or retained in the risk register with a remark)
  • Positive Risk Strategies:
    • exploit (ensure opportunity by using internal resources e.g. reduce cost/use of top talents/new tech)
    • share (contractor with specialized skills, joint venture)
    • enhance (increase likelihood / impact e.g. fast-tracking, add resources etc.)
    • accept
  • passive risk acceptance to be dealt with when the risk occurs
  • Strategies for Overall Project Risk
    • the PM needs to address the overall project risks with one of the following strategies:
      • Avoid
      • Exploit
      • Mitigate/Enhance
      • Accept
  • Contingency Plan (contingent response strategies) (plan A) is developed for a specific risk (when you have accepted the risk) with certain triggers vs Fallback Plan (plan B)
  • Residual Risks – risks that remain after the risk response strategy was implemented; may be identified in the planning process (may be subject to contingency/fallback planning). They don’t need any further analysis because you have already planned the complete response strategy you know in dealing with the risk that came before them.
  • Secondary Risks – risks that arise when the risk response strategy was implemented
  • Reserve Types
  • The Risk Register is now completed with: risks and descriptions, triggers, response strategy, persons responsible, results from qualitative and quantitative analysis, residual and secondary risks, contingency and fallback, risk budget/time

Implement Risk Responses (new in PMBOK® Guide 6th Edition)

  • Inputs: Project Management Plan, Project Documents, OPA
  • Tools & Techniques: Expert Judgement, Interpersonal and Team Skills, Project Management Information System
  • Outputs: Change Requests, Project Document Updates

  • in the Executing process group
  • implementing risk responses is the responsibility of the risk owners
  • to ensure that agreed upon risk responses (as from the Plan Risk Response process) are executed as planned to
    • address overall project risk exposure
    • minimize individual project threats
    • maximize individual project opportunities
  • the Project Management Information System provides the information to allow agreed-upon risk response plans and associated activities to be executed alongside other project activities

Monitor Risks

  • Inputs: Project Management Plan, Project Documents, Agreements, Work Performance Data, Work Performance Reports
  • Tools & Techniques: Data Analysis, Audits, Meetings
  • Outputs: Work Performance Information, Change Requests, Project Management Plan Updates, Project Document Updates, OPA Updates

  • when all the above risk planning processes have been performed with due diligence, the project is said to have a low-risk profile
  • responsibilities include:
    • to check if assumptions are still valid, procedures are being followed and whether there is any deviance
    • to identify new risks and evaluate effectiveness of risk response plan
    • any need to adjust contingency and management reserves
    • to re-assess the individual risk response strategies to see if they are effective
  • risk audits deal with the effectiveness of risk response and the risk management process
    • risk audits are usually performed by experts outside project team for the whole risk management process
  • Data Analysis Techniques:
    • reserve analysis – apply only to the specific risks of the project for which they were set aside
    • technical performance analysis
  • workaround: when no contingency plan exists, executed on-the-fly to address unplanned events – still need to pass through normal change control if change requests are needed
    • determining the workaround is performed in Monitor Risks


Edward Chung

Edward Chung aspires to become a full-stack web developer and project manager. In the quest to become a more competent professional, Edward studied for and passed the PMP Certification, ITIL v3 Foundation Certification, PMI-ACP Certification and Zend PHP Certification. Edward shares his certification experience and resources here in the hope of helping others who are pursuing these certification exams to achieve exam success.


18 Responses

  1. clark says:

    Edward – Like others I found your blog while doing some studying – it was most helpful to cover the materials and it was very good for study and review. Since the exam changed this year my studying was good for PM but not as directly aligned to the PMP exam.

    Thanks for the efforts! Much appreciation.

  2. Jeff says:

    this was extremely helpful and easy to comprehend. thank-you for putting this together!

  3. Rajiv Singal says:

    Hi Edward, many thanks for putting this blog. The info provided is really precise and thorough. And I also discovered Andy Crowe’s book. Kudos to what you have done and wish you all the success
    P.S. in response to the Q of Rajendra Darshi Prakash, I agree with the response of Neela: the statement says probability is 20% in a given month, so basically at the start of each month during the project, the risk has a 20% chance of happening. e.g., it may be due to team members taking leave and the average risk of that may be 20%

  4. Neela says:

    Response to the question below “If a risk has a 20 percent chance of happening in a given month, and the project is expected to last five months, what is the probability that the risk event will occur during the fourth month of the project?” – The answer is 20 percent. The risk has a 20 percent chance of occurring in a ‘given’ month. Therefore, irrespective of the month the project is in, the chance is the same.


    Hi Edward,
    Thanks for putting together all the resources. Like to know “If a risk has a 20 percent chance of happening in a given month, and the project is expected to last five months, what is the probability that the risk event will occur during the fourth month of the project?”

  6. Ugo Chris-Aluta says:

    Dear Edward, I discovered your blog in the last week before my exam. I have to say it became one of my most helpful resources as I prepared intensively in that last week. Where do I start? From the very helpful list of sites for free practice tests? Or the extensive resources – in-depth, straight to the point study notes, comparisons of confusing terms…your blog is really written from the student’s perspective and was 110% relevant and 200% useful. I referred to your page up to the morning of the exam to clear up some niggling areas.
    I am very happy to say I passed the PMP exam yesterday with “Above Target” rating in all 5 process groups! You are a hero, Edward! Thank you for your wonderful blog, your honesty and transparency in sharing even your test scores which really motivated me. I will be passing along your webpage to all my colleagues!
    God bless!

  7. RA says:

    Thank you for the valuable briefs. However, I believe it’s ‘Monitor Risk’ and not ‘Control Risk’ since we are monitoring the risk with possibility of re-assessment and not controlling them. Please correct me if I’m wrong

  8. Mary says:

    Hi Edward, Study notes 12 link is not working.

  9. Rodrigo Fernandez says:

    Appreciate your notes and tips but recommend to review them to avoid misunderstanding for others. For example, as far as I understand; Agreements is an input in this module of Plan Risk Management ONLY for the process of Identify Risks. According to your above notes it is an input of several RISK processes.

    Also, you wrote: “any risk with a probability of >70% is an issue (to be dealt with proactively and recorded in the issue log)”. Can you confirm me on what page of the PMBOK Guide 6th Edition does this statement appear on? I only found that “70%” appeared on page 407 but it was an EXAMPLE for showing a Very significant impact on overall functionality

    • Edward Chung says:

      Thanks for your comment. Will review the content asap. As for info not found from PMBOK Guide, some of them may be from experience or other project management titles as the PMP Exam is more than the PMBOK Guide.

      Wish you PMP success!

  10. Barry Swayn says:

    The download function is not working for ‘Project Risk Management’.
    Downloading identifies “that there is an error with the file and that it cannot be downloaded. The damaged file could not be repaired”.
    Edward, your image as a PMP web developer and project manager is at risk!
    In reading this email, if you can send the file in acknowledgement would be appreciated?
    Thank you

    • Edward Chung says:

      Hi Barry,

      I have tried downloading the PDF file and it works fine. I’m afraid there is something wrong on your browser or the network connection that resulted in the damaged file which is beyond my control. Please try downloading again. Thanks!