4.3 Risk Management Fundamentals
Key Takeaways
- A risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives
- Threats are negative risks that could harm the project; opportunities are positive risks that could benefit it
- Risk responses for threats include Avoid, Mitigate, Transfer, Accept, and Escalate
- Risk responses for opportunities include Exploit, Enhance, Share, Accept, and Escalate
- The risk register documents identified risks, their probability and impact, response strategies, and risk owners
Risk Management Fundamentals
Risk management is one of the most important knowledge areas tested on the CAPM exam. Effective risk management helps project teams anticipate and address uncertainties that could affect project objectives.
Key Risk Definitions
| Term | Definition |
|---|---|
| Risk | An uncertain event or condition that, if it occurs, has a positive or negative effect on project objectives |
| Threat | A negative risk that could harm the project |
| Opportunity | A positive risk that could benefit the project |
| Risk Owner | The person responsible for monitoring and implementing the risk response |
| Risk Trigger | An indicator that a risk event is about to occur |
| Residual Risk | Risk remaining after risk responses have been implemented |
| Secondary Risk | A new risk that arises as a direct result of implementing a risk response |
| Workaround | An unplanned response to a risk that has occurred and for which no response was planned |
Risk Management Processes
| Process | Process Group | Purpose |
|---|---|---|
| Plan Risk Management | Planning | Establish how risk activities will be structured |
| Identify Risks | Planning | Determine which risks may affect the project |
| Perform Qualitative Risk Analysis | Planning | Prioritize risks by probability and impact |
| Perform Quantitative Risk Analysis | Planning | Numerically analyze combined risk effects |
| Plan Risk Responses | Planning | Develop strategies for addressing risks |
| Implement Risk Responses | Executing | Execute agreed-upon risk responses |
| Monitor Risks | Monitoring & Controlling | Track risks and evaluate response effectiveness |
Risk Identification Tools
| Tool | Description |
|---|---|
| Brainstorming | Group session to generate a comprehensive list of risks |
| Interviews | One-on-one discussions with experienced stakeholders |
| Checklists | Pre-made lists from historical data and organizational knowledge |
| SWOT Analysis | Examines Strengths, Weaknesses, Opportunities, and Threats |
| Assumption Analysis | Explores assumptions for validity and potential risks |
| Root Cause Analysis | Identifies underlying causes that could generate multiple risks |
| Prompt Lists | Categories to stimulate risk identification (e.g., PESTLE: Political, Economic, Social, Technological, Legal, Environmental) |
Qualitative Risk Analysis
Qualitative analysis prioritizes risks using subjective probability and impact assessments.
Probability and Impact Matrix
| | Low Impact (1) | Medium Impact (2) | High Impact (3) |
|---|---|---|---|
| High Probability (3) | 3 (Medium) | 6 (High) | 9 (Very High) |
| Medium Probability (2) | 2 (Low) | 4 (Medium) | 6 (High) |
| Low Probability (1) | 1 (Very Low) | 2 (Low) | 3 (Medium) |
Risks in the high-priority zone require immediate attention and robust response strategies.
Risk Response Strategies
For Threats (Negative Risks)
| Strategy | Action | Example |
|---|---|---|
| Avoid | Eliminate the threat entirely | Change project plan to remove the risk source |
| Mitigate | Reduce probability and/or impact | Add testing cycles to reduce defect risk |
| Transfer | Shift the impact to a third party | Purchase insurance, use fixed-price contracts |
| Accept | Acknowledge the risk without action | Set aside contingency reserves for potential impact |
| Escalate | Move to a higher authority level | Risk is outside the project's scope to manage |
For Opportunities (Positive Risks)
| Strategy | Action | Example |
|---|---|---|
| Exploit | Ensure the opportunity is realized | Assign best resources to capitalize on opportunity |
| Enhance | Increase probability and/or impact | Increase investment in promising technology |
| Share | Allocate ownership to a third party best positioned to capture the opportunity | Joint ventures, partnerships |
| Accept | Recognize without actively pursuing | Be ready to take advantage if it occurs |
| Escalate | Move to a higher authority level | Opportunity is beyond project scope |
The Risk Register
The risk register is the central document for tracking all identified risks. It typically includes:
- Risk ID and description
- Risk category
- Probability and impact ratings
- Priority ranking
- Response strategy
- Risk owner
- Risk triggers
- Status and updates
Exam Tip: The risk register is a living document that is updated throughout the project. New risks are added, resolved risks are closed, and risk responses are monitored and adjusted as needed.
Purchasing insurance to cover potential project losses is an example of which threat response strategy?
A new risk that arises as a direct result of implementing a risk response is called a:
Which risk response strategy for opportunities involves assigning the best resources to ensure the opportunity is realized?
Which of the following are risk response strategies for THREATS? (Select THREE)