6.4 Monitor Risks & Reporting

The Monitor Risks Process

Monitor Risks runs continuously through execution to track identified risks, watch for triggers, implement responses, evaluate response effectiveness, and surface new risks. The exam frames monitoring as an ongoing loop, not a one-time event — risk exposure changes as the project progresses, so the register and report must stay current.

Key inputs to the process include the risk register, the risk report, work performance data, and performance reports; key outputs include change requests and updates to the register, report, and other project documents. The aim is simple: confirm responses are working, decide whether the project's exposure is still acceptable, and act before risks turn into problems.

Risk Reassessment

Risk reassessment is the recurring activity that identifies new risks, reassesses the probability and impact of existing risks, and closes risks that are no longer relevant. It is the engine that keeps the risk register accurate as conditions shift, and is typically scheduled into regular project reviews.

Reassessment matters because risk is dynamic: a low-priority risk early in the project may become critical as deadlines approach, and brand-new risks appear as scope and environment evolve. In agile and hybrid projects, reassessment happens every iteration through backlog reprioritization and short feedback loops, reducing exposure as work proceeds.

Audits, Reviews & Reserve Analysis

Three monitoring tools are constantly confused on the exam:

A risk audit examines whether the risk management process and the chosen responses are effective — it evaluates method, not individual risks. A risk review (or reassessment meeting) revisits the risks: closing outdated ones and finding new ones. Reserve analysis compares remaining contingency and management reserves against the remaining risk exposure to confirm reserves are still adequate; a shrinking reserve against rising exposure is a warning sign.

Memory cue: audit the process, review the risks. If a question describes evaluating whether your risk method is working, the answer is risk audit; if it describes re-examining the risks themselves, the answer is risk review. The two are easy to swap under exam pressure, so anchor on what each one targets.

Technical Performance & Indicators

Technical performance measurement (TPM) compares actual technical achievements against the plan — for example, measured weight, throughput, or defect rates versus targets. A negative variance can signal emerging technical risk before it becomes a schedule or cost problem.

KRIs vs Triggers

• Key Risk Indicators (KRIs) are leading metrics tracked over time that signal changing risk exposure — a trend you watch. Rising defect counts or slipping velocity are KRIs.
• Triggers are the specific point at which a particular risk is occurring or about to occur — a line that, once crossed, prompts the planned response.

Memory cue: KRIs trend; triggers fire. Monitoring both gives early warning (KRI) and a clear action signal (trigger). A well-chosen KRI lets the team intervene before a trigger is reached, while the trigger marks the point where the planned contingency response must launch.

The Risk Register, Risk Report & Status Reporting

Two artifacts carry risk information to stakeholders, and the exam expects you to keep them straight.

• Risk register — individual-risk detail: description, owner, response strategy, action owner, status, residual and secondary risks. Continuously updated as monitoring produces new information.
• Risk report — the overall project risk summary: sources of overall exposure, key individual risks, and trends. It is the primary vehicle for communicating big-picture risk to sponsors and stakeholders.

Register = detail; report = summary. Status reporting delivers risk information to stakeholders at the agreed cadence, using the risk report to manage expectations and prevent surprises. Both artifacts are updated through the Monitor Risks process as risks are reassessed, responses are implemented, and exposure changes.

Closing Risks, Lessons Learned & Trend Analysis

Closing Risks

A risk is closed when it can no longer occur (its window has passed) or its response is fully complete (it occurred and was handled). Closed risks are removed from the active register and archived with notes, freeing the team to focus monitoring on live exposure. Premature closure is a trap — close a risk only when it genuinely can no longer affect objectives.

Lessons Learned

Lessons learned are captured throughout the project and at closure: which risks occurred, how effective each response was, and what to repeat or avoid. They feed organizational process assets so future projects start with better checklists, prompt lists, and reserve estimates.

Variance and Trend Analysis

Variance and trend analysis reviews cost and schedule performance — often through earned value variances such as cost variance (CV) and schedule variance (SV) — to forecast emerging risk exposure. Worsening trends warn that overall project risk is rising, prompting reassessment, reserve checks, and possible new responses before the situation deteriorates. A steadily negative CV, for instance, can be an early signal that contingency reserve is being consumed faster than planned and that overall risk needs re-evaluation.