6.3 Implementing Responses, Reserves & Residual Risk

Key Takeaways

  • The risk owner is accountable for monitoring a risk; the risk action owner executes the assigned response action.
  • A contingency plan (Plan A) fires when a trigger condition occurs; a fallback plan (Plan B) activates only if the contingency plan fails.
  • Residual risk remains after a response is applied; secondary risk is newly created by the response itself.
  • Contingency reserve covers known risks, sits inside the cost baseline, and is controlled by the project manager; management reserve covers unknown risks, sits outside the baseline, and needs management approval.
  • A workaround is an unplanned, improvised response to a risk that was never identified or to a residual risk that has occurred.
Last updated: June 2026

Implementing Risk Responses

Planning a response is not enough — the Implement Risk Responses process executes the agreed-upon plans so that exposure actually changes. A common exam theme is that risks worsen because response plans existed on paper but were never carried out. Implementation requires clear ownership and well-defined triggers.

The outputs of implementation include change requests (when a response alters scope, schedule, or cost baselines) and updates to project documents such as the risk register and lessons-learned register. Implementation is where the chosen strategy from sections 6.1 and 6.2 becomes real action on the project.

Risk Owner vs Risk Action Owner

PMI separates two roles:

  • Risk owner — the person accountable for monitoring a risk and ensuring its response is effective. The owner watches the risk over its life.
  • Risk action owner — the person assigned to carry out a specific response action. One risk may have several action owners for different actions.

Memory hook: the owner oversees, the action owner executes. A single individual can fill both roles, but the exam distinguishes the responsibilities, and the risk owner is not necessarily the project manager.

Contingency Plans, Fallback Plans & Triggers

Trigger conditions are the warning signs or symptoms that indicate a risk is about to occur or has occurred. They are defined in advance so the team knows exactly when to act.

  • Contingency plan (Plan A) — a pre-planned response that executes when the trigger fires. It is prepared ahead of time and tied to a specific risk and trigger.
  • Fallback plan (Plan B) — a backup held in reserve that activates only if the contingency plan fails or the risk exceeds tolerance.

Think of it as layered defense: the trigger fires, the contingency plan runs first, and the fallback plan is the safety net behind it. Both are planned in advance — what distinguishes them from a workaround is precisely that pre-planning.

Well-defined triggers are critical because a contingency plan is useless if no one recognizes when to launch it. The risk register should record each risk's trigger conditions alongside its contingency and fallback plans so the team acts at the right moment rather than after the impact has already landed.

Residual vs Secondary Risk

These two terms are heavily tested and easy to swap.

| Term | Definition | Memory cue |
|---|---|---|
| Residual risk | Exposure that remains after a response is applied | What's still left |
| Secondary risk | A new risk created by implementing the response | What's newly caused |

Example: a project mitigates a data-loss threat by moving to a cloud backup. The residual risk is the small remaining chance of loss the backup does not fully cover. The secondary risk is the new exposure to a cloud-vendor outage that the response introduced. Residual is leftover; secondary is side-effect. Residual risk is normal and expected — a response rarely drives exposure to zero, so the remaining residual is documented and accepted if it sits within tolerance.

Reserves: Contingency vs Management

Reserves fund the consequences of risk, and PMI draws a sharp line between two types.

| Aspect | Contingency reserve | Management reserve |
|---|---|---|
| Covers | Known risks (identified, with responses) | Unknown risks (unforeseen events) |
| Location | Inside the cost/schedule baseline | Outside the baseline, in total budget |
| Controlled by | Project manager | Management / sponsor approval |
| Sized from | EMV of known risks, Monte Carlo | Organizational policy / rule of thumb |

The key relationships: cost baseline = work estimates + contingency reserve, and total budget = cost baseline + management reserve. Because management reserve sits outside the baseline, spending it actually changes the baseline and usually requires a change request.

A frequent trap: contingency handles known-unknowns (risks you identified but cannot predict the timing or size of), while management reserve handles unknown-unknowns (risks no one foresaw). Another exam favorite is who controls each reserve — the project manager can authorize contingency spending without escalation, but tapping management reserve needs management or sponsor approval. Schedule reserves follow the same logic in time rather than money.

Workarounds

Not every risk is identified in advance. A workaround is an unplanned, improvised response to a risk that was never identified, or to a residual risk that has now occurred. Because there was no contingency plan, the team responds reactively during execution.

The distinction the exam wants:

  • Contingency plan — prepared before the risk occurs, for an identified risk with a trigger.
  • Workaround — devised after an unidentified (or residual) risk occurs, on the spot.

Workarounds are typically funded from management reserve, since unidentified risks are unknown-unknowns and fall outside the contingency reserve. After a workaround, the new risk and its response should be added to the risk register so that monitoring continues and lessons are captured.

A subtle exam point: a workaround can also respond to a residual risk that was accepted and then occurred. Either way, the defining feature is that no pre-planned response existed, so the team improvises in the moment. Contrast this once more with the contingency plan, which is deliberately prepared in advance for a specific identified risk and trigger — preparation, not improvisation, is the dividing line.

Test Your Knowledge

After implementing a mitigation response, a small amount of the original threat still remains within tolerance. What is this remaining exposure called?


An unforeseen, previously unidentified risk occurs during execution, and the project manager wants funds to respond. Which reserve is normally used, and what is the response called?
