Task 17: Assess and Manage Risks
Every project operates in an environment of uncertainty. Risks — uncertain events or conditions that, if they occur, affect project objectives — are present from initiation through closing. The PMP Exam Content Outline addresses this reality in ECO Task 17: Assess and Manage Risks. This task demands that project managers not only identify risks but continuously evaluate them, determine appropriate management options, and iteratively prioritize which risks deserve the most attention as the project evolves.
Risk management is not a one-time planning exercise. Effective risk management is a continuous, iterative process that runs parallel to every other project activity. PMI's message is clear: risks that are identified early and managed proactively rarely become problems, while risks that are ignored almost always do. This study guide covers the three ECO enablers for Task 17, the full risk management framework as reflected in PMBOK, and how to answer risk-related questions on the PMP exam.
ECO Enablers for Task 17
The PMP Exam Content Outline defines three enablers for assessing and managing risks. Each one represents a critical capability that the project manager must demonstrate throughout the project lifecycle:
- Determine risk management options. Once risks are identified, the PM must evaluate the full range of possible responses. This includes understanding risk strategies for both threats (negative risks) and opportunities (positive risks), as well as the trade-offs between different response approaches.
- Iteratively assess and prioritize risks. Risk assessment is not a one-time event. As the project progresses, new risks emerge, known risks change in probability or impact, and the relative priority of risks shifts. The PM must continuously reassess the risk landscape and adjust priorities accordingly.
- Determine and manage risks throughout the project lifecycle. Risk management spans all project phases. The specific risks, the appropriate responses, and the ownership of risk management activities evolve as the project moves from initiation through planning, execution, monitoring, and closing.
These enablers map directly to PMBOK 7's Risk principle: "Continually evaluate exposure to risk, both opportunities and threats, to maximize positive impacts and minimize negative impacts to the project and its outcomes." They also connect to the Uncertainty performance domain, which addresses how projects navigate ambiguity and volatility.
The PMP exam frequently tests whether you understand the difference between a risk and an issue. A risk is an uncertain event that may happen in the future — it has not occurred yet. An issue is an event that has already occurred and is now affecting the project. Risks are managed proactively through risk responses and contingency plans. Issues are managed reactively through problem-solving and corrective actions. If an exam scenario says "a key vendor might go out of business," that's a risk. If it says "a key vendor has gone out of business," that's an issue — the response changes from prevention to mitigation of consequences. A risk that materializes becomes an issue and should be logged in the issue log, not the risk register.
Risk Management Options: Strategies for Threats and Opportunities
The first enabler — determining risk management options — requires the PM to understand the complete toolkit of risk response strategies. PMI provides five strategies for negative risks (threats) and five for positive risks (opportunities). The exam expects you to know each strategy, when it is appropriate, and how to distinguish between them in situational scenarios.
Response Strategies for Threats (Negative Risks)
| Strategy | Description | When to Use | Example |
|---|---|---|---|
| Escalate | The risk is outside the project's scope or authority; it is transferred to the program, portfolio, or organizational level. | The PM lacks the authority or resources to address the risk. The risk affects multiple projects or the entire organization. | A regulatory change that will affect all projects in the portfolio — the PM escalates to the PMO for a coordinated response. |
| Avoid | Eliminate the threat entirely by changing the project plan, scope, or approach so that the risk can no longer occur. | The risk has high probability and high impact, and avoidance is feasible without undermining project objectives. | Choosing a proven technology over an experimental one to eliminate the risk of technical failure. |
| Transfer | Shift the ownership and impact of the risk to a third party, typically through insurance, warranties, guarantees, or contractual arrangements. | The risk is financial or contractual in nature, and a third party is better positioned to manage it. Transfer does not eliminate the risk — it shifts responsibility. | Purchasing performance bonds, outsourcing high-risk work to a specialized contractor, buying insurance for natural disasters. |
| Mitigate | Reduce the probability and/or impact of the risk to an acceptable level. Mitigation takes action before the risk occurs. | The risk cannot be avoided or transferred, but its severity can be reduced through proactive measures. | Adding redundant servers to reduce the impact of a single server failure; conducting more testing to reduce the probability of defects reaching production. |
| Accept | Acknowledge the risk and take no proactive action, either because the cost of response exceeds the potential impact or because no viable response exists. Acceptance can be passive (do nothing) or active (establish a contingency reserve). | The risk has low probability and/or low impact, or the cost of any response is disproportionate to the potential loss. | Accepting the risk of minor weather delays on an outdoor construction project, with a small schedule contingency reserve. |
Response Strategies for Opportunities (Positive Risks)
| Strategy | Description | Example |
|---|---|---|
| Escalate | The opportunity exceeds the project's scope; it is elevated to the program or portfolio level for pursuit. | A technology breakthrough discovered during the project that could benefit the entire organization — escalated to the PMO. |
| Exploit | Take aggressive action to ensure the opportunity is realized. This is the positive counterpart to "avoid" — you actively make it happen. | Assigning the organization's best experts to a project when a competitor exits the market, to capture market share as quickly as possible. |
| Share | Partner with another organization or team to increase the probability of capturing the opportunity. Both parties benefit. | Forming a joint venture with a local company to pursue a project in a new geographic market where the local partner provides market access. |
| Enhance | Increase the probability and/or impact of the opportunity. This is the positive counterpart to "mitigate" — you make the opportunity more likely or more valuable. | Adding resources to an activity that is ahead of schedule to finish even earlier, capturing early-delivery incentives. |
| Accept | Acknowledge the opportunity but take no proactive action to pursue it. If it happens, it happens — but you are not investing resources to make it happen. | A vendor announces a discount on materials the project uses; the PM takes advantage of the savings if procurement timing aligns, but does not alter the schedule to chase it. |
Three of the threat strategies, avoid, transfer, and mitigate, are frequently confused on the exam. Remember the critical distinctions: Avoid eliminates the risk entirely by changing the plan — the risk can no longer happen. Transfer moves the risk to a third party — the risk can still happen, but someone else bears the consequences. Mitigate reduces probability or impact — the risk can still happen, and you still own it, but it will hurt less. A question about buying insurance is transfer (the insurance company bears the financial loss). A question about using a proven technology instead of a new one is avoid (the risk of new-tech failure is eliminated). A question about adding more testing is mitigate (you're reducing the probability of defects).
Iterative Risk Assessment and Prioritization
The second enabler — iteratively assessing and prioritizing risks — reflects the reality that risk management is a continuous cycle, not a linear process. The risk landscape changes with every sprint, every phase, and every external event. PMI describes two complementary approaches to risk assessment:
Qualitative Risk Analysis
Qualitative analysis is subjective and rapid. It prioritizes risks for further analysis or action by assessing their probability and impact, usually on a defined scale (Low/Medium/High or 1–5). The output is a probability and impact matrix (sometimes called a risk matrix or heat map) that categorizes each risk:
- High probability, High impact (Red zone) — These risks demand immediate attention. They require detailed quantitative analysis and robust response plans.
- Medium probability/impact (Yellow zone) — These risks require monitoring and may warrant response plans depending on project context and risk appetite.
- Low probability, Low impact (Green zone) — These risks are typically accepted and placed on a watch list for periodic review.
Qualitative analysis is typically performed first because it is faster and helps focus limited resources on the risks that matter most. Every identified risk should undergo qualitative analysis.
Quantitative Risk Analysis
Quantitative analysis is objective and numerically rigorous. It models the combined effect of risks on project objectives, typically using techniques such as:
- Monte Carlo simulation — Runs thousands of iterations with varying risk inputs to produce a probability distribution for project cost, schedule, or other objectives. Outputs include confidence levels (e.g., "There is an 80% probability of completing within $2.1M").
- Decision tree analysis — Evaluates choices under uncertainty by calculating the expected monetary value (EMV) of each path. EMV = Probability × Impact (in dollars).
- Sensitivity analysis (Tornado diagram) — Identifies which individual risks have the greatest influence on project outcomes by showing how much the outcome varies when each risk input is adjusted.
- Expected Monetary Value (EMV) — Calculates the average outcome when the future includes scenarios that may or may not happen. EMV is used in the analysis of both threats and opportunities: a threat contributes a negative EMV, an opportunity a positive one.
Not every project requires quantitative analysis. It is typically reserved for large, complex, or strategically critical projects where the cost of analysis is justified by the value of the insight it provides. On the PMP exam, questions about EMV and Monte Carlo simulation appear regularly in the Process domain.
| Aspect | Qualitative Risk Analysis | Quantitative Risk Analysis |
|---|---|---|
| Approach | Subjective, based on expert judgment and rating scales | Objective, based on numerical data and statistical modeling |
| Speed | Fast — can be done in a workshop or meeting | Slow — requires data collection, modeling, and specialized tools |
| Output | Risk ranking (High/Medium/Low), probability-impact matrix | Probability distributions, EMV, confidence intervals, tornado diagrams |
| When Used | On all identified risks, early and often | On high-priority risks from qualitative analysis; on large/complex projects |
| Key Exam Concept | Performed first, used to prioritize | Performed on prioritized risks, used for detailed contingency planning |
Risk Management Across the Project Lifecycle
The third enabler emphasizes that risk management is not confined to a single phase. The specific activities evolve as the project progresses:
- Initiation — High-level risk identification during the project charter development. The project's feasibility and strategic alignment are assessed. Major risks may influence the go/no-go decision.
- Planning — Comprehensive risk identification (brainstorming, Delphi technique, SWOT analysis, assumption analysis, document reviews). The risk management plan is created. Qualitative and quantitative analysis are performed. Risk responses are developed and assigned to risk owners. Contingency and management reserves are established.
- Execution — Risk responses are implemented. Risk owners monitor their assigned risks. The team identifies new risks as work progresses. The risk register is actively maintained. Risk audits may be conducted to evaluate the effectiveness of the risk management process.
- Monitoring & Controlling — Ongoing risk reassessment (iterative, per the second enabler). Tracking of risk triggers and early warning signs. Evaluating the effectiveness of implemented responses. Reassessing residual risks and identifying secondary risks. Updating the risk register and reporting risk status to stakeholders.
- Closing — Ensuring that all risk-related activities are concluded. Documenting lessons learned about risk management effectiveness. Transitioning any ongoing risks to operations or the benefits realization team.
A critical concept: contingency reserve (for known risks — the "known unknowns") versus management reserve (for unidentified risks — the "unknown unknowns"). The PM controls the contingency reserve; the sponsor or management controls the management reserve. Using management reserve typically requires a change request.
How Risk Questions Appear on the PMP Exam
Risk questions are among the most common on the PMP exam, and they span all three domains (People, Process, Business Environment). Here are the patterns to recognize:
Pattern 1: "A risk has been identified. What should the PM do first?"
Enter it into the risk register. The risk register is the central repository for all risk information. Before analyzing, prioritizing, or responding, the risk must be documented. The risk register includes: risk ID, description, category, probability, impact, risk score, response strategy, risk owner, contingency plans, and status.
Pattern 2: "A risk has occurred. What should the PM do?"
When a risk materializes, it becomes an issue. The PM should implement the contingency plan (or fallback plan if the contingency plan fails), update the issue log, and assess whether any reserves need to be drawn upon. Avoid answers that suggest going back to identify new risks — address the current issue first, then update the risk register for any secondary or residual risks.
Pattern 3: "The project has a risk with 30% probability and $100,000 impact..."
Calculate the Expected Monetary Value: EMV = 0.30 × $100,000 = $30,000. This represents the statistical expected cost of this risk over many similar projects. On the PMP exam, EMV questions may ask you to calculate the total EMV of multiple risks, or use EMV in a decision tree to choose between alternatives.
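As an added worked example (not from the study guide itself), the EMV arithmetic of Pattern 3 and the decision-tree technique from the quantitative analysis section above, carried out in Python over a constructed risk register and a constructed build-versus-upgrade decision; the `Risk` and `ChanceNode` classes and every probability and dollar figure are assumptions made for illustration.

```python
"""EMV and decision-tree analysis for Task 17 (added worked example, not from
the study guide; every probability and dollar figure below is constructed)."""
from dataclasses import dataclass
from typing import List, Tuple, Union

@dataclass
class Risk:
    """Register entry: a threat carries a negative impact, an opportunity a positive one."""
    name: str
    probability: float  # 0.0 .. 1.0
    impact: float       # dollars, signed

    def emv(self) -> float:
        # EMV = Probability x Impact
        return self.probability * self.impact

def total_emv(risks: List[Risk]) -> float:
    """Net EMV of a register: threats pull it down, opportunities lift it."""
    return sum(r.emv() for r in risks)

@dataclass
class ChanceNode:
    """Chance node: mutually exclusive branches whose probabilities must sum to 1."""
    branches: List[Tuple[float, "Node"]]  # (probability, payoff or sub-tree)

Node = Union[float, ChanceNode]

def node_emv(node: Node) -> float:
    """Fold a (sub)tree down to its EMV; a leaf is simply its payoff."""
    if not isinstance(node, ChanceNode):
        return float(node)
    if abs(sum(p for p, _ in node.branches) - 1.0) > 1e-9:
        raise ValueError("branch probabilities must sum to 1")
    return sum(p * node_emv(child) for p, child in node.branches)

def best_alternative(alternatives: List[Tuple[str, float, Node]]) -> Tuple[str, float]:
    """Choose the alternative with the highest net EMV (outcome EMV minus upfront cost)."""
    scored = [(name, node_emv(tree) - cost) for name, cost, tree in alternatives]
    return max(scored, key=lambda s: s[1])

# Pattern 3 from the guide, with a constructed opportunity placed next to it.
REGISTER = [Risk("vendor delay", 0.30, -100_000), Risk("early-delivery bonus", 0.20, 50_000)]
# Constructed decision: build a new line vs. upgrade the old one under one demand forecast.
ALTERNATIVES = [("build", 120_000, ChanceNode([(0.6, 200_000), (0.4, 90_000)])),
                ("upgrade", 50_000, ChanceNode([(0.6, 120_000), (0.4, 60_000)]))]
```

The register nets to an EMV of -$20,000 (the $30,000 threat partly offset by a $10,000 opportunity), and the decision tree favours the cheaper upgrade at a net EMV of $46,000 over building at $36,000, even though building has the larger gross payoff.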
Pattern 4: "A team member identifies a risk during a sprint retrospective..."
Agile environments manage risks continuously, not just at planning milestones. The risk should be added to the risk-adjusted backlog (or the risk register), discussed with the team, and responded to within the sprint cadence. Agile risk management is embedded in daily standups, sprint reviews, and retrospectives rather than being a separate process.
Study Checklist for Task 17
- ✅ Can you name all five threat response strategies and all five opportunity response strategies?
- ✅ Can you clearly distinguish between escalate, avoid, transfer, mitigate, and accept for threats?
- ✅ Do you understand the difference between qualitative and quantitative risk analysis?
- ✅ Can you calculate Expected Monetary Value (EMV) from probability and impact?
- ✅ Do you know the difference between contingency reserve and management reserve — and who controls each?
- ✅ Can you distinguish between a risk (future) and an issue (present) in exam scenarios?
- ✅ Do you understand how risk management activities differ across the project lifecycle?
- ✅ Are you familiar with risk identification techniques: brainstorming, Delphi technique, SWOT analysis, assumption analysis, and document reviews?
Risk management is one of the most heavily tested topics on the PMP exam because it touches every aspect of project management. Mastering Task 17 will serve you well not only on the exam but in every real project you lead. Continue to the ECO Study Guide Index to explore other Process domain tasks and build a comprehensive understanding of the PMP exam content.