ExamsPracticeResourcesBlogGlossaryUpdates

Key Takeaways

  • The Risk Register is the central repository for all identified risks, including descriptions, categories, causes, probability, impact, and response plans
  • Probability-Impact Matrix is a qualitative tool that rates risks on likelihood and severity to prioritize response planning
  • EMV (Expected Monetary Value) = Probability x Impact calculates the weighted average outcome considering uncertainty
  • Decision Trees graphically represent decision points and chance events to calculate EMV for different options
  • Risk responses for threats include Escalate, Avoid, Transfer, Mitigate, and Accept; for opportunities: Escalate, Exploit, Share, Enhance, and Accept
Last updated: January 2026

Risk Management Process

Risk management is the systematic process of identifying, analyzing, and responding to project risks. In predictive projects, risks are identified early and managed proactively throughout the project lifecycle.

Risk Management Processes

ProcessPurposeKey Output
Plan Risk ManagementDefine how risk will be managedRisk Management Plan
Identify RisksDetermine which risks may affect the projectRisk Register
Perform Qualitative Risk AnalysisPrioritize risks based on probability and impactUpdated Risk Register
Perform Quantitative Risk AnalysisNumerically analyze effect on objectivesQuantified risk exposure
Plan Risk ResponsesDevelop options and actions to address risksResponse strategies
Implement Risk ResponsesExecute agreed-upon response plansUpdated Risk Register
Monitor RisksTrack risks and evaluate response effectivenessWork Performance Information

Understanding Project Risk

Risk Definition

A risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.

Risk TypeDefinitionExample
ThreatNegative riskKey team member may resign
OpportunityPositive riskNew technology may reduce costs

Risk Components

  • Uncertainty — May or may not occur
  • Probability — Likelihood of occurrence
  • Impact — Effect on objectives if it occurs

Risk Register

The Risk Register is the central repository for all risk-related information:

Risk Register Contents

FieldDescription
Risk IDUnique identifier
Risk DescriptionClear statement of uncertainty and impact
CategoryTechnical, external, organizational, PM
ProbabilityLikelihood of occurrence (0-100%)
ImpactEffect on objectives if risk occurs
Risk ScoreProbability x Impact
Risk OwnerPerson responsible for monitoring and response
Response StrategyChosen approach to address the risk
Contingency PlanActions if risk occurs
TriggersWarning signs that risk is about to occur
StatusActive, closed, occurred

Qualitative Risk Analysis

Qualitative Risk Analysis prioritizes risks for further action based on their probability and impact.

Probability-Impact Matrix

The Probability-Impact Matrix is the primary tool for qualitative risk analysis:

ProbabilityVery Low ImpactLow ImpactModerate ImpactHigh ImpactVery High Impact
Very High (0.9)0.090.180.360.540.72
High (0.7)0.070.140.280.420.56
Medium (0.5)0.050.100.200.300.40
Low (0.3)0.030.060.120.180.24
Very Low (0.1)0.010.020.040.060.08

Risk Prioritization

Risk LevelScore RangeAction
High (Red)> 0.40Immediate attention, detailed response plan
Medium (Yellow)0.15-0.40Monitor closely, develop contingency
Low (Green)< 0.15Monitor periodically

Quantitative Risk Analysis

Quantitative Risk Analysis numerically analyzes the effect of identified risks on overall project objectives.

Expected Monetary Value (EMV)

EMV calculates the average outcome when the future includes scenarios that may or may not happen:

EMV = Probability x Impact

EMV Example

RiskProbabilityImpactEMV
Server failure30%-$50,000-$15,000
Early delivery bonus40%+$20,000+$8,000
Regulatory fine10%-$100,000-$10,000
Total Project EMV-$17,000

Decision Tree Analysis

Decision Trees graphically represent decisions and chance events:

Decision Tree Components

SymbolMeaning
SquareDecision node (choice to be made)
CircleChance node (uncertain event)
TriangleEnd point (outcome)

Decision Tree Example

A company must decide whether to build a new factory ($5M) or upgrade existing ($2M):

Build New Factory ($5M investment):

  • High demand (60%): Profit $10M → EMV = 0.6 x $10M = $6M
  • Low demand (40%): Profit $3M → EMV = 0.4 x $3M = $1.2M
  • Total EMV = $6M + $1.2M - $5M = $2.2M

Upgrade Existing ($2M investment):

  • High demand (60%): Profit $5M → EMV = 0.6 x $5M = $3M
  • Low demand (40%): Profit $2M → EMV = 0.4 x $2M = $0.8M
  • Total EMV = $3M + $0.8M - $2M = $1.8M

Decision: Build New Factory (higher EMV of $2.2M vs. $1.8M)

Monte Carlo Simulation

Monte Carlo Simulation uses computer modeling to run thousands of scenarios:

How It Works

  1. Define probability distributions for uncertain variables
  2. Randomly sample from each distribution
  3. Calculate project outcome
  4. Repeat thousands of times
  5. Analyze probability distribution of results

Interpreting Results

Confidence LevelMeaning
P5050% probability of achieving this outcome or better
P8080% probability of achieving this outcome or better
P9090% probability of achieving this outcome or better

Example Output

"There is an 80% probability (P80) that the project will complete within 18 months and cost less than $2.5M."

Risk Response Strategies

Strategies for Threats (Negative Risks)

StrategyDescriptionExample
EscalateRisk is outside project scope, escalate to appropriate levelOrganization-wide risks to sponsor
AvoidEliminate the threat by eliminating the causeChange scope to remove risky work
TransferShift impact to a third partyPurchase insurance, fixed-price contract
MitigateReduce probability and/or impactAdd redundancy, prototype, train team
AcceptAcknowledge risk without proactive actionDocument risk, monitor for changes

Strategies for Opportunities (Positive Risks)

StrategyDescriptionExample
EscalateOpportunity is outside project scopeStrategic opportunities to executives
ExploitEnsure the opportunity is realizedAssign best resources to capture opportunity
ShareAllocate to third party best able to captureJoint venture, partnership
EnhanceIncrease probability and/or impactInvest in R&D to maximize benefit
AcceptTake advantage if it occurs, but no proactive actionDocument, be ready to capitalize

Contingency Reserves

Contingency Reserves address "known unknowns" — identified risks:

Calculation Methods

MethodFormulaUse
Percentage of BudgetBudget x 10-15%Quick estimate
EMV SummationSum of all risk EMVsQuantitative approach
Expected Value of ProjectFrom Monte Carlo simulationMost accurate

Reserve Types

ReserveForControlled By
Contingency ReserveKnown unknowns (identified risks)Project Manager
Management ReserveUnknown unknownsManagement/Sponsor

Key Takeaways

  • The Risk Register is the central repository for all risk information
  • Probability-Impact Matrix prioritizes risks based on likelihood and severity
  • EMV = Probability x Impact calculates weighted average outcomes
  • Decision Trees help choose between alternatives under uncertainty
  • Monte Carlo Simulation provides probability distributions for project outcomes
  • Threat responses: Escalate, Avoid, Transfer, Mitigate, Accept
  • Opportunity responses: Escalate, Exploit, Share, Enhance, Accept
Loading diagram...
Risk Management Process Flow
Test Your Knowledge

A risk has a 25% probability of occurring and would cost $80,000 if it occurs. What is the Expected Monetary Value (EMV) of this risk?

A
B
C
D
Test Your Knowledge

Which risk response strategy involves shifting the negative impact of a threat to a third party?

A
B
C
D
Test Your Knowledge

A Monte Carlo simulation shows a P80 value of $2.5 million for project cost. What does this mean?

A
B
C
D
Up Next

8.7 Procurement & Contracts

Continue learning