1.2 Core Risk Concepts

What Risk Means to PMI

The most-tested idea on the exam is also the simplest: a risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. The phrase positive or negative is deliberate — PMI treats risk as two-sided.

• A threat is a risk with a negative effect (cost overrun, schedule slip, a key vendor failing).
• An opportunity is a risk with a positive effect (a cheaper material, an early supplier, a chance to reuse code).

Managing risk therefore means minimizing threats and maximizing opportunities at the same time. Exam questions that mention "taking advantage of" or "capitalizing on" an event are almost always opportunity questions.

Two related terms round out the vocabulary. A risk trigger is a warning sign or symptom that a risk is about to occur — not the risk itself, but the early signal that prompts a response. An issue is different again: it is a risk that has already materialized, so it is managed through change control and the issue log, not the risk register. Confusing a trigger, a risk, and an issue is a common exam slip.

Individual vs. Overall Project Risk

These two terms are easy to confuse and frequently tested.

Individual risks live in the risk register; overall risk is summarized in the risk report. You can have many low individual risks yet high overall risk if they interact.

The Sources of Uncertainty

PMI's seventh-edition material breaks uncertainty into related concepts you should be able to tell apart:

• Uncertainty — a general lack of knowledge about an event or outcome.
• Ambiguity — uncertainty about what to do because conditions are unclear or could be interpreted many ways.
• Volatility — rapid, unpredictable change in the project environment.
• Complexity — many interacting components whose combined behavior is hard to predict.

These map to the VUCA lens (volatility, uncertainty, complexity, ambiguity) and to prompt lists such as PESTLE and TECOP used during identification.

Risk Attitude

Risk attitude is the chosen response of a person or group to uncertainty, driven by perception. The three classic positions are:

• Risk-averse — uncomfortable with uncertainty; willing to pay to reduce it.
• Risk-seeking — comfortable with uncertainty; will accept risk for potential reward.
• Risk-neutral — indifferent, deciding purely on expected value.

Attitude is not fixed: the same sponsor may be averse about safety yet seeking about schedule. Surfacing and reconciling differing attitudes is a Stakeholder Engagement task.

Stakeholder risk attitudes

Different stakeholders bring different attitudes to the same project, and a risk professional must reconcile them. A finance director may be averse to cost overruns; a sales leader may be seeking on schedule to win a market window. When attitudes conflict, you do not pick a winner — you make the attitudes explicit, document agreed thresholds, and escalate where they cannot be reconciled. Two related terms support this:

• Risk capacity — the amount of risk the organization can actually absorb (its objective limit).

• Risk culture — the shared values and behaviors that shape how people surface and respond to risk.

Appetite, Tolerance, and Threshold

Three terms describe how much risk is acceptable, and the exam loves to swap them. Keep them distinct:

Tip: tolerance is a band; threshold is a line. Crossing the threshold forces a response.

Utility Theory and EMV

Utility theory explains why two people facing the same numbers decide differently: a dollar of loss often "hurts" more than a dollar of gain feels good, which produces risk-averse behavior. Utility is the satisfaction (or pain) a stakeholder attaches to an outcome, not just its raw value.

Expected Monetary Value (EMV) turns a risk into a number: EMV = probability x impact. Threats carry a negative sign and opportunities a positive one. A threat with 20% probability and a $50,000 impact has an EMV of -$10,000.

EMV becomes powerful when you sum it across many risks: a register with -$10,000, -$4,000, and +$3,000 has a combined EMV of -$11,000, which informs how large a contingency reserve to hold. EMV is also the engine of decision trees and a building block for quantitative analysis covered in later chapters.

Keep one caution in mind: EMV uses a single probability and a single impact, so it assumes you can estimate both. When impact spans a wide range, Monte Carlo simulation — which samples thousands of outcomes — gives a fuller picture than a single EMV figure.