1.4 Frameworks, Principles & Delivery Approaches
Key Takeaways
- Risk is managed at four nested levels — enterprise, portfolio, program, and project — and risks too big for the project are escalated upward.
- PMBOK Guide Seventh Edition is principle-based; principles such as optimizing risk responses, embracing adaptability, and stewardship directly shape risk work.
- Predictive projects plan risk responses up front; agile and hybrid projects use a risk-adjusted backlog and reassess risk every iteration.
- Enterprise Environmental Factors (EEFs) are conditions outside the team's control; Organizational Process Assets (OPAs) are the organization's reusable templates, processes, and historical data.
- Risk governance sets the framework, risk appetite, and roles that the project-level risk effort must operate within.
Where Project Risk Sits
Project risk does not exist in a vacuum. It nests inside larger layers of the organization, and the exam expects you to know which level owns which risk.
| Level | Scope of risk |
|---|---|
| Enterprise | Strategic risk to the whole organization |
| Portfolio | Risk across a collection of programs and projects |
| Program | Risk across related projects pursuing a shared benefit |
| Project | Risk to a single project's objectives |
When a project-level risk is outside the project manager's authority — a regulatory change, a strategic threat — the correct response is to escalate it to the program or portfolio level. Escalation is not avoidance: ownership simply moves to whoever can act. This nested view is why "escalate" appears in both the threat and opportunity response sets.
PMBOK Guide Seventh Edition Principles
The seventh edition shifted from a process-heavy model to 12 principles. Several directly govern risk work:
- Optimize risk responses — the dedicated risk principle: maximize positive impacts and minimize threats, proportionate to importance.
- Embrace adaptability and resiliency — build the capacity to absorb and recover from impacts.
- Be a diligent, respectful, and caring steward — manage uncertainty responsibly on others' behalf.
- Effectively engage with stakeholders — surface risk attitudes and reconcile thresholds.
- Tailor based on context — fit the risk approach to project size, complexity, and delivery method.
These principles explain why the exam favors judgment-based, scenario answers over rote process steps. The seventh edition also frames work around performance domains and tailoring, reinforcing that there is no single "correct" amount of risk process — you scale it to the project.
A companion reference, Risk Management in Portfolios, Programs, and Projects: A Practice Guide, supplies the detailed techniques (the risk breakdown structure, or RBS; prompt lists; response strategies) that the principle-based PMBOK Guide intentionally leaves out. On the exam, expect the principle to set the direction and the practice guide techniques to be the concrete tools.
Predictive vs. Agile and Hybrid Risk
The delivery approach changes when and how often you manage risk.
- Predictive (waterfall): plan risk responses up front, hold reserves, and reassess at phase gates. Documentation is heavier and the register is detailed early.
- Agile: uncertainty is managed continuously. Teams use a risk-adjusted backlog, where high-risk or high-value items are pulled forward so risk is "burned down" early. Risk is reassessed every iteration — often in reviews, retrospectives, and daily standups.
- Hybrid: mixes both — predictive reserves and governance with agile reassessment cadence.
Frequent reassessment is the agile hallmark: short feedback loops surface new risks fast and let the team adapt before exposure compounds. In agile, the work itself is a risk response — building the riskiest feature first is mitigation through early validation, and a fast cadence shrinks the window in which an unaddressed risk can grow.
The exam may ask you to tailor the approach. The right answer matches the cadence to the method: phase-gate reviews for predictive, every-iteration reassessment for agile, and a blended rhythm for hybrid. Do not force a heavy, document-driven risk process onto a small agile team, and do not leave a large predictive project without formal reserves and gate reviews.
EEFs and OPAs
Two input categories appear throughout the risk processes:
- Enterprise Environmental Factors (EEFs) — conditions outside the team's control that influence the project: market conditions, regulations, organizational risk appetite, and risk tolerances.
- Organizational Process Assets (OPAs) — the organization's internal, reusable knowledge: risk policies, templates, risk-category lists, and historical data such as past risk registers and lessons learned.
Memory aid: EEFs are the weather (you work within them); OPAs are your toolbox (you pick them up, use them, and improve them). A quick test: if the project team can adopt, adapt, or update it, it is an OPA; if the team must operate within it as a given, it is an EEF. Note that EEFs are not only external to the organization. Organizational culture, infrastructure, and the stated risk appetite are internal EEFs: the organization owns them, but they sit outside the project's control, which is why risk appetite appears in the EEF list above.
Risk Governance
Risk governance is the framework of policies, roles, and oversight that sets the boundaries for project risk. Governance defines the organization's risk appetite, approves the risk management plan, and assigns accountability for monitoring exposure. A project risk professional operates within these boundaries — for example, you cannot accept a risk that breaches the organization's stated appetite without escalation.
Governance also ensures consistency: the same probability-impact definitions, the same reporting cadence, and the same escalation paths across projects. Strong governance is what turns isolated risk registers into organization-wide risk intelligence, feeding lessons learned back into the OPAs for the next project.
Knowing the level of risk also tells you who owns a response. A risk a project manager can manage stays in the project register. A risk that exceeds project authority is escalated to the program or portfolio, where someone with the mandate and budget can act. This connects directly to the response strategies: "escalate" exists precisely because the nested governance structure gives higher levels the authority that a single project lacks.
Putting it together: the delivery approach sets your cadence, the principles set your priorities, EEFs and OPAs supply the context and tools, and governance sets the boundaries. A capable risk professional reads all four before deciding how heavy or light the risk process should be.
An agile team pulls a high-uncertainty feature into an early sprint so the unknowns are resolved sooner. This practice is best described as using a:
Government regulations and the organization's stated risk appetite are examples of which input category?