4.3 Risk Management Fundamentals

Key Takeaways

  • A risk is an uncertain event with a positive or negative effect on objectives — opportunities are risks too, not just threats
  • Threat responses are Avoid, Mitigate, Transfer, Accept, Escalate; opportunity responses are Exploit, Enhance, Share, Accept, Escalate
  • Qualitative analysis prioritizes risks subjectively (probability x impact); quantitative analysis assigns numbers (EMV, Monte Carlo, decision trees)
  • Expected Monetary Value (EMV) = probability x impact; negative EMV for threats, positive for opportunities
  • The risk register is a living document; contingency reserves cover known risks, management reserves cover unknown ones
Last updated: June 2026

Key Risk Definitions

A risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on project objectives. Beginners assume risk means "bad" — the CAPM tests whether you remember that opportunities (positive risks) are managed too.

Term           | Definition
Threat         | A negative risk that could harm the project
Opportunity    | A positive risk that could benefit the project
Risk owner     | Person assigned to monitor a risk and execute its response
Risk trigger   | An early-warning sign that a risk is about to occur
Residual risk  | Risk remaining after responses are implemented
Secondary risk | A new risk created by a response (e.g., outsourcing creates a vendor-communication risk)
Workaround     | An unplanned response to a risk that occurred without a planned response

The Risk Management Processes

Seven processes run across the project life cycle:

  1. Plan Risk Management (Planning) — how risk work will be done
  2. Identify Risks (Planning) — find risks; output is the risk register
  3. Perform Qualitative Risk Analysis (Planning) — prioritize subjectively
  4. Perform Quantitative Risk Analysis (Planning) — model risks numerically
  5. Plan Risk Responses (Planning) — choose strategies
  6. Implement Risk Responses (Executing) — carry them out
  7. Monitor Risks (Monitoring & Controlling) — track and adjust

Identification tools include brainstorming, interviews, checklists, SWOT analysis, assumption and constraint analysis, root cause analysis, and prompt lists such as PESTLE (Political, Economic, Social, Technological, Legal, Environmental).

Qualitative vs. Quantitative Analysis

Qualitative analysis ranks risks subjectively using a probability-and-impact matrix. Score = probability x impact:

                       | Low impact (1) | Medium impact (2) | High impact (3)
High probability (3)   | 3 (Medium)     | 6 (High)          | 9 (Very High)
Medium probability (2) | 2 (Low)        | 4 (Medium)        | 6 (High)
Low probability (1)    | 1 (Very Low)   | 2 (Low)           | 3 (Medium)

Quantitative analysis assigns real numbers. The most-tested tool is Expected Monetary Value (EMV) = probability x impact, where threats are negative and opportunities positive.

Worked example: A risk has a 30% chance of causing a $50,000 overrun. EMV = 0.30 x (-$50,000) = -$15,000. If the same project has a 20% chance of a $40,000 savings, EMV = 0.20 x (+$40,000) = +$8,000. The net EMV across both is -$7,000, which becomes input to a contingency reserve. Other quantitative tools include decision-tree analysis, Monte Carlo simulation, and sensitivity analysis (tornado diagrams).
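The scoring grid and the EMV arithmetic above, carried through in code as an added example (not part of the original study guide). The risk register below is constructed for illustration; entries R1 and R2 reuse the guide's own figures (a 30% chance of a $50,000 overrun and a 20% chance of a $40,000 saving), R3 and the qualitative ratings are assumptions. The band labels come from the guide's 3x3 matrix.

```python
"""Qualitative scoring and EMV for a small risk register.

Added example, not part of the original study guide. The register is
constructed; R1 and R2 carry the guide's worked-example numbers.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Probability-and-impact bands from the guide's 3x3 grid.
# Score = probability rating (1-3) x impact rating (1-3).
BANDS = {1: "Very Low", 2: "Low", 3: "Medium", 4: "Medium",
         6: "High", 9: "Very High"}


@dataclass
class Risk:
    risk_id: str
    description: str
    kind: str            # "threat" or "opportunity"
    probability: float   # 0.0 - 1.0, used for EMV
    impact_usd: float    # magnitude in dollars, always positive
    p_rating: int        # 1-3 qualitative probability rating
    i_rating: int        # 1-3 qualitative impact rating


def qualitative_score(p_rating: int, i_rating: int) -> Tuple[int, str]:
    """Return (score, band) from the probability-and-impact matrix."""
    if not (1 <= p_rating <= 3 and 1 <= i_rating <= 3):
        raise ValueError("ratings must be 1, 2 or 3")
    score = p_rating * i_rating
    return score, BANDS[score]


def emv(risk: Risk) -> float:
    """Expected Monetary Value: probability x impact, negative for threats."""
    if risk.kind == "threat":
        return -risk.probability * risk.impact_usd
    if risk.kind == "opportunity":
        return risk.probability * risk.impact_usd
    raise ValueError(f"unknown risk kind: {risk.kind}")


def net_emv(register: List[Risk]) -> float:
    """Sum of signed EMVs; a negative net feeds the contingency reserve."""
    return sum(emv(r) for r in register)


def prioritize(register: List[Risk]) -> List[Tuple[str, int, str]]:
    """Rank register entries by qualitative score, highest first."""
    scored = [(r.risk_id, *qualitative_score(r.p_rating, r.i_rating))
              for r in register]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed register (assumption): R1/R2 use the guide's numbers.
REGISTER = [
    Risk("R1", "Subcontractor overrun", "threat", 0.30, 50_000, 2, 3),
    Risk("R2", "Early licence discount", "opportunity", 0.20, 40_000, 1, 2),
    Risk("R3", "Key engineer leaves", "threat", 0.10, 80_000, 1, 3),
]

if __name__ == "__main__":
    for risk_id, score, band in prioritize(REGISTER):
        print(f"{risk_id}: score {score} ({band})")
    for r in REGISTER:
        print(f"{r.risk_id}: EMV {emv(r):+,.0f}")
    print(f"Net EMV: {net_emv(REGISTER):+,.0f}")
```

Running it ranks R1 first (2 x 3 = 6, High) and reproduces the guide's figures: R1 at -$15,000, R2 at +$8,000, and a net of -$7,000 across the two before R3 is added.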

Risk Response Strategies

Memorize the two parallel lists — mixing them up is the most common error.

Threats (negative):

Strategy | Action                              | Example
Avoid    | Eliminate the threat                | Drop the risky feature from scope
Mitigate | Reduce probability/impact           | Add testing cycles
Transfer | Shift impact to a third party       | Insurance, fixed-price contract
Accept   | Take no action (set contingency)    | Acknowledge a minor risk
Escalate | Raise above the project's authority | Risk affects the whole portfolio

Opportunities (positive):

Strategy | Action                                 | Example
Exploit  | Make sure it happens                   | Assign your best people to capture it
Enhance  | Increase probability/impact            | Add funding to a promising option
Share    | Partner with someone better positioned | Joint venture
Accept   | Be ready but don't pursue              | Take the gain if it arrives
Escalate | Raise above the project                | Benefit is beyond project scope

Reserves and the Risk Register

Contingency reserves cover identified (known) risks and are part of the cost/schedule baseline; the PM can spend them. Management reserves cover unknown risks ("unknown unknowns"), sit outside the baseline, and require management approval to release.

The risk register is the living home for risk IDs, descriptions, categories, probability/impact, priority, chosen response, owner, triggers, and status.

Exam tip: "Buying insurance" = Transfer. "Adding contingency money and doing nothing else" = Accept (active acceptance). "Removing the feature that causes the risk" = Avoid. When the answer involves a third party absorbing the downside, it's Transfer, not Mitigate.

Acceptance, Attitude, and a Decision-Tree Example

Acceptance comes in two flavors that the CAPM likes to separate. Active acceptance means you acknowledge the risk and set up a contingency reserve or plan in case it occurs but take no action now to change it. Passive acceptance means you do nothing at all — no reserve, no plan — and simply deal with the consequences if they arrive. Whether an answer choice mentions a reserve tells you which one applies.

Risk appetite also appears. Risk appetite is the general level of uncertainty an organization is willing to take on; risk tolerance is the measurable amount it will accept on a specific objective; and the risk threshold is the point at which a risk becomes unacceptable and triggers a response. A risk-averse stakeholder wants more buffers and avoidance; a risk-seeking stakeholder will pursue opportunities others decline.

Decision-tree worked example: Suppose you must choose between two suppliers. Supplier A costs $100,000 and has a 70% chance of on-time delivery (no penalty) and a 30% chance of a $50,000 late penalty. Supplier B costs $120,000 with a 95% chance of no penalty and a 5% chance of a $50,000 penalty. The EMV of A's penalty is 0.30 x $50,000 = $15,000, so A's total expected cost is $115,000. B's penalty EMV is 0.05 x $50,000 = $2,500, so B's total expected cost is $122,500.

Despite B's higher sticker price, the lower expected cost belongs to Supplier A ($115,000), illustrating how decision-tree analysis combines fixed costs with probability-weighted outcomes to guide the choice. The CAPM may give you the numbers and ask for the option with the lowest expected cost — always fold in both the base cost and the EMV of each branch.
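The supplier comparison above, written out as an added example (not code from the original study guide). The supplier figures are the guide's own; the option/branch structure is an assumption that generalises the same calculation so an option can have any number of chance-node branches, and it rejects a branch set whose probabilities do not sum to 1.

```python
"""Decision-tree expected-cost comparison.

Added example, not part of the original study guide. Each option has a
fixed base cost and a chance node whose branches carry a probability and
an extra cost; expected cost = base cost + sum(probability x cost).
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Branch:
    label: str
    probability: float
    cost: float            # extra cost on this branch (0 for "no penalty")


@dataclass
class Option:
    name: str
    base_cost: float
    branches: List[Branch] = field(default_factory=list)


def branch_emv(option: Option) -> float:
    """Probability-weighted sum of the option's chance-node outcomes."""
    total_p = sum(b.probability for b in option.branches)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(
            f"{option.name}: branch probabilities sum to {total_p}, not 1")
    return sum(b.probability * b.cost for b in option.branches)


def expected_cost(option: Option) -> float:
    """Fixed cost plus the EMV of the chance node below it."""
    return option.base_cost + branch_emv(option)


def best_option(options: List[Option]) -> Tuple[str, float]:
    """Return (name, expected cost) of the lowest-expected-cost option."""
    if not options:
        raise ValueError("no options to compare")
    best = min(options, key=expected_cost)
    return best.name, expected_cost(best)


# The guide's two suppliers.
SUPPLIER_A = Option("Supplier A", 100_000, [
    Branch("on time", 0.70, 0),
    Branch("late penalty", 0.30, 50_000),
])
SUPPLIER_B = Option("Supplier B", 120_000, [
    Branch("on time", 0.95, 0),
    Branch("late penalty", 0.05, 50_000),
])

if __name__ == "__main__":
    for opt in (SUPPLIER_A, SUPPLIER_B):
        print(f"{opt.name}: base {opt.base_cost:,.0f} + penalty EMV "
              f"{branch_emv(opt):,.0f} = {expected_cost(opt):,.0f}")
    name, cost = best_option([SUPPLIER_A, SUPPLIER_B])
    print(f"Lowest expected cost: {name} at ${cost:,.0f}")
```

The probability check matters in practice: a tree whose branches sum to less or more than 1 silently under- or over-weights a penalty, and the resulting "expected cost" is not an expectation at all.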

Process reminder: You identify and analyze risks before you can respond to them, and you keep monitoring throughout. A question that asks "what comes next" after a risk is identified is pointing to qualitative analysis to prioritize it, not jumping straight to a response.

Test Your Knowledge

  1. A risk has a 40% probability of causing a $25,000 cost overrun. What is its Expected Monetary Value (EMV)?
  2. A new risk arises as a direct result of implementing a planned risk response. This is called a:
  3. Purchasing insurance to cover potential project losses is an example of which threat-response strategy?
  4. Which reserve covers UNKNOWN risks, sits outside the cost baseline, and requires management approval to use?