PMP Exam Flashcards: Risk Management, Identification, Analysis, Response Strategies

The risk management process follows six steps. Plan Risk Management establishes how risk activities will be conducted. Identify Risks determines which risks may affect the project through brainstorming, checklists, interviews, and SWOT analysis. Perform Qualitative Risk Analysis prioritizes risks by probability and impact using a probability-impact matrix. Perform Quantitative Risk Analysis numerically estimates the effect of risks on project objectives using techniques like Monte Carlo simulation. Plan Risk Responses develops strategies to reduce threats and exploit opportunities.

The four strategies for negative risks are avoid, transfer, mitigate, and accept. Avoid eliminates the threat by changing the project plan, such as removing a risky feature from scope. Transfer shifts the impact to a third party, most commonly through insurance, warranties, or outsourcing. Mitigate reduces the probability or impact of the risk, such as adding testing to catch defects early. Accept acknowledges the risk without proactive action, either passively by doing nothing or actively by establishing a contingency reserve.

The four strategies for positive risks or opportunities are exploit, share, enhance, and accept. Exploit ensures the opportunity is realized, such as assigning the best team members to capitalize on a new technology advantage. Share allocates ownership to a third party best positioned to capture the opportunity, such as forming a joint venture. Enhance increases the probability or impact of the opportunity, such as adding resources to accelerate a feature that would provide competitive advantage. Accept takes no proactive action but acknowledges the opportunity if it occurs.

A probability-impact matrix is a grid that maps each identified risk by its probability of occurring on one axis and its impact on project objectives on the other axis. Each cell represents a combined risk score, typically calculated by multiplying probability times impact. Risks falling in the high-probability, high-impact zone are prioritized for response planning. Risks in low-probability, low-impact zones may only require monitoring. The matrix enables consistent, objective risk prioritization across the team rather than relying on subjective judgment.

A risk register is the document that records all identified risks and their related information throughout the project. For each risk, it includes a unique identifier, description, category, probability rating, impact rating, overall risk score, risk owner responsible for monitoring and response, planned response strategy, triggers or warning signs, contingency plan, fallback plan if the primary response fails, current status, and residual risk remaining after response implementation.

A contingency reserve is time or budget set aside for identified risks that have been analyzed and have planned responses, also called known unknowns. The project manager controls contingency reserves, and they are included in the cost baseline. A management reserve is time or budget set aside for unidentified risks, also called unknown unknowns, and for unforeseen work within the project scope. Management reserves are controlled by senior management or the sponsor and are not included in the cost baseline but are part of the project budget.

A Monte Carlo simulation is a quantitative risk analysis technique that runs thousands of project simulations using random values within defined ranges for uncertain variables like activity durations and costs. Each simulation produces a different possible outcome, and the aggregate results create a probability distribution showing the likelihood of various project completion dates or total costs. For example, a Monte Carlo analysis might show an 80 percent probability of completing the project by a certain date.

A risk trigger, also called a risk symptom or warning sign, is an event or condition that indicates a risk is about to occur or has already occurred. Identifying triggers is important because they serve as early warning signals that activate the planned risk response. For example, a vendor consistently missing minor milestones might be a trigger that the vendor will miss the critical delivery date. Triggers are documented in the risk register alongside the associated risk and response plan. ---