⚠️ Risk Management
Study Notes — Page 5 | ClearPMPExam.com
1. What is Risk Management?
Risk Management is the process of identifying, analysing, and responding to uncertainties that could affect the project — either negatively (threats) or positively (opportunities).
Most people think of risk as bad news — something going wrong. In PMP, risk includes both threats and opportunities. A vendor delivering early is a risk. A new regulation making your product more valuable is a risk. A flood delaying construction is a risk. Risk = uncertainty, not just danger.
🏥 Real Example — Pharma Campaign Launch
Threat: The regulatory body may delay approval of the campaign materials, pushing the launch date back by 3 weeks.
Opportunity: A competitor withdrawing their product may open up a larger market window if our campaign launches early.
👉 A good PM plans responses for BOTH — not just the bad scenarios. Ignoring opportunities is as much a failure as ignoring threats.
Risk = something that might happen in the future. Issue = something that has already happened. Risk Register tracks future risks. Issue Log tracks current problems. These are two different documents.
2. The 6-Step Risk Management Process — In Order
Plan Risk Management
Decide how risk activities will be conducted, who is responsible, how often risks are reviewed, and what tools will be used. Sets the ground rules.
Output → Risk Management Plan
Identify Risks
Find all possible risks — threats AND opportunities. Use brainstorming, checklists, interviews, SWOT analysis, and the Delphi technique. Document everything in the Risk Register. This is an ongoing activity — new risks can appear at any time.
Output → Risk Register (initial), Risk Report
Perform Qualitative Risk Analysis
Prioritise risks using subjective judgement — assess each risk’s probability and impact on a scale (High / Medium / Low). Uses the Probability & Impact Matrix. Fast, done first, always required.
Output → Updated Risk Register with priority rankings
Perform Quantitative Risk Analysis
Analyse high-priority risks using numbers and data — assign actual probabilities and financial impact values. Uses Monte Carlo Simulation, Decision Tree Analysis, and Expected Monetary Value (EMV). Not always done — only for complex/high-stakes projects.
Output → Quantitative Risk Analysis Report, Updated Risk Register
Plan Risk Responses
Develop specific actions to handle each risk. For threats: Avoid, Transfer, Mitigate, Accept. For opportunities: Exploit, Share, Enhance, Accept. Each response is assigned to a risk owner.
Output → Risk Response Plan, Updated Risk Register, Contingency Reserves
Implement Risk Responses & Monitor Risks
Execute the planned responses when risks occur. Continuously watch for new risks, check if responses are working, and update the risk register throughout the project. Risk monitoring happens in every phase — not just at the start.
Output → Work Performance Information, Change Requests, Updated Risk Register
“Plan → Identify → Qualitative → Quantitative → Respond → Monitor” = “People In Quiet Queues Read Maps”
3. Risk Response Strategies — Threats vs Opportunities
This is the single most tested section in Risk Management. Every strategy has a mirror image — one for threats (bad risks) and one for opportunities (good risks). Know both sides.
Avoid (Threat)
Eliminate the threat entirely. Change the project plan so the risk can no longer occur.
Example: The vendor is unreliable. Drop them entirely and use a different vendor.
Exploit (Opportunity)
Make sure the opportunity definitely happens. Remove uncertainty so the benefit is guaranteed.
Example: Assign your best developer to ensure the early delivery bonus is earned.
Transfer (Threat)
Shift the financial impact of the risk to a third party. You still own the risk but someone else bears the cost.
Example: Buy insurance. Outsource a risky activity to a vendor via a fixed-price contract.
Share (Opportunity)
Partner with another party to capture the opportunity together. Split the benefit.
Example: Joint venture with a partner who has market access you don’t have.
Mitigate (Threat)
Reduce the probability or impact of the threat. You can’t eliminate it — but you can make it smaller.
Example: Run more testing cycles to reduce the probability of a defect reaching production.
Enhance (Opportunity)
Increase the probability or impact of the opportunity. Make the good thing more likely to happen.
Example: Add more marketing resources to increase the chance of early market adoption.
Accept (Threat)
Acknowledge the risk and take no proactive action. Used for low-priority risks. Can be Active (create contingency plan) or Passive (do nothing and deal with it if it happens).
Example: Low-probability, low-impact risk. Document it and monitor.
Accept (Opportunity)
Take advantage of the opportunity if it occurs naturally, but don’t actively pursue it. Used for low-priority opportunities.
Example: If a beneficial market change happens on its own, take advantage — but don’t invest to force it.
4. Probability & Impact Matrix — Prioritising Risks
After identifying risks, you need to decide which ones deserve the most attention. The Probability & Impact Matrix is the tool for this. It plots each risk on two dimensions: how likely it is, and how badly it would affect the project if it happened.
Monitor closely | Priority response needed | Immediate action
Accept or watch | Plan response | Priority response needed
Accept | Accept or watch | Monitor
The Probability & Impact Matrix is part of Qualitative Risk Analysis — not Quantitative. Qualitative = subjective scoring (High/Medium/Low). Quantitative = actual numbers and financial values. Qualitative always comes first and is always done. Quantitative is optional and only for complex projects.
5. The Risk Register — What Goes in It
The Risk Register is a living document that records all identified risks, their analysis results, planned responses, and current status. It is created in Identify Risks and updated throughout the entire project.
Here is what a real Risk Register looks like — using a pharma digital campaign as the example:
Risk Register vs Issue Log: Risk Register = future uncertainties that might happen. Issue Log = problems that have already happened and need resolution. When a risk occurs, it becomes an issue and moves to the Issue Log.
6. Qualitative vs Quantitative Risk Analysis
Two types of analysis happen after risks are identified. The exam tests whether you know what each one does, when it is done, and what tools it uses.
🟢 Qualitative Risk Analysis
Uses subjective judgement to prioritise risks based on probability and impact ratings.
Always done. Done first. Fast.
Tools used:
- Probability & Impact Matrix
- Risk Data Quality Assessment
- Risk Categorisation
- Risk Urgency Assessment
Output: Risks ranked as High / Medium / Low priority
🔵 Quantitative Risk Analysis
Uses actual numbers to analyse the financial and schedule impact of high-priority risks.
Optional. Done after Qualitative. Time-consuming.
Tools used:
- Monte Carlo Simulation
- Decision Tree Analysis
- Expected Monetary Value (EMV)
- Tornado Diagram (shows biggest impact risks)
Output: Numerical probability of meeting cost/schedule targets
Qualitative = Qual = Quality of judgment (gut feel, High/Med/Low). Quantitative = Quant = Quantity = actual numbers (₹, %, probabilities). Qual first, Quant second, Quant optional.
7. Types of Risk — Know These Terms
🔵 Known Risk
A risk that has been identified and analysed during planning. Goes into the Risk Register. A contingency reserve is set aside for it. The PM controls the contingency response.
Example: Known vendor delivery risk → contingency plan ready.
🔴 Unknown Risk
A risk that was not anticipated — a complete surprise. Cannot be planned for. Management Reserve covers these. Management approves use of this reserve.
Example: Sudden government regulation change affecting the project.
🟣 Residual Risk
Risk that remains after a response has been applied. You mitigated a risk but couldn’t eliminate it fully — what’s left is residual risk. Must still be monitored.
Example: You ran extra testing (mitigate) but a 5% chance of defect still exists.
🟠 Secondary Risk
A new risk created by your risk response. The act of responding to one risk accidentally creates another risk that must also be managed.
Example: You hired a new vendor to avoid vendor risk — but now there is a risk the new vendor is unfamiliar with your processes.
Secondary risk is a new risk caused by your response. Residual risk is the leftover risk after your response. If the exam says “the PM implemented a response and a new risk appeared” → that is Secondary Risk.
8. Expected Monetary Value (EMV) — Simple Explained
EMV is a technique used in Quantitative Risk Analysis. It calculates the average outcome of a risk by multiplying its probability by its financial impact.
Formula: EMV = Probability × Impact
🧮 Worked Example — Campaign Risk
Threat: 30% chance the campaign is delayed. Financial impact = ₹5,00,000 loss.
EMV (threat) = 0.30 × −₹5,00,000 = −₹1,50,000
Opportunity: 40% chance a competitor withdraws, giving us extra revenue = ₹3,00,000.
EMV (opportunity) = 0.40 × +₹3,00,000 = +₹1,20,000
Net EMV = −₹1,50,000 + ₹1,20,000 = −₹30,000
👉 Net negative — the threats outweigh the opportunities. PM should focus on risk reduction.
Threats always have a negative EMV (money you could lose). Opportunities always have a positive EMV (money you could gain). Sum them up for overall risk exposure.
9. Quick Summary — Everything at a Glance
| Term / Concept | One-line meaning | Exam trigger word |
|---|---|---|
| Risk | Uncertain event that could affect the project (good or bad) | “might happen” / “uncertainty” |
| Issue | A problem that has already happened | “has happened” / “current problem” |
| Risk Register | Document listing all identified risks, analysis, and responses | “track risks” / “risk documentation” |
| Issue Log | Document tracking problems that have already occurred | “problem occurred” / “active issue” |
| Avoid | Eliminate the threat by changing the plan | “change the plan” / “remove the cause” |
| Transfer | Shift risk to a third party (insurance, fixed-price contract) | “insurance” / “outsource” / “fixed-price” |
| Mitigate | Reduce probability or impact of the threat | “reduce” / “decrease probability” |
| Accept | Acknowledge and take no action (low priority risks) | “low probability and low impact” |
| Exploit | Guarantee the opportunity happens | “make sure it happens” / “guarantee” |
| Share | Partner to capture the opportunity together | “joint venture” / “partner” |
| Enhance | Increase probability or impact of the opportunity | “increase chance” / “make more likely” |
| Residual Risk | Risk remaining after response is applied | “still remains after response” |
| Secondary Risk | New risk created by the risk response | “new risk created by our response” |
| Qualitative Analysis | Subjective H/M/L priority ranking — always done first | “prioritise” / “probability and impact” |
| Quantitative Analysis | Numerical analysis — Monte Carlo, EMV, Decision Tree | “numeric” / “Monte Carlo” / “EMV” |
| EMV | Probability × Impact — average financial outcome | “expected value” / “probability × impact” |
| Tornado Diagram | Shows which risks have the biggest impact — ranked bar chart | “biggest effect” / “most impactful risk” |
🎯 Practice Q&A — Test Yourself
Quantitative: Numerical — assigns actual probabilities and financial values. Uses Monte Carlo, EMV, Decision Tree. Optional, only for high-stakes/complex projects. Done after Qualitative.
