Risk and change management - Assessing and managing risks

Learning Outcomes

After reading this article, you will be able to explain how project risks are identified, analyzed, prioritized, and managed throughout the project lifecycle. You will understand common risk response strategies, the distinction between threats and opportunities, the process for monitoring risks as projects proceed, and the connection between risk, change, and controlling project baselines—key knowledge for PMP exam questions on risk and change management.

PMP Syllabus

For PMP, you are required to understand the systematic process of risk and change management in projects. This includes recognizing the relationship between change and risk, applying risk identification and assessment techniques, and choosing appropriate responses. Revise:

  • The steps involved in project risk management (including planning, identification, qualitative and quantitative analysis, response planning, implementing responses, and risk monitoring).
  • The distinction between project threats (negative risks) and opportunities (positive risks).
  • Risk identification tools (brainstorming, checklists, prompt lists, etc.).
  • Construction and interpretation of probability-impact matrices.
  • Strategies for responding to both threats and opportunities.
  • The link between risk and project change, including justification and procedures for baseline adjustments.
  • Assigning risk ownership and tracking risk status.
  • Managing risk and change in both predictive and adaptive project approaches.

Test Your Knowledge

Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.

  1. What is the purpose of a probability-impact matrix in the qualitative risk analysis process?
  2. Which response strategy is best for a threat that cannot be completely eliminated but whose impact can be reduced?
  3. If an identified risk does not occur, what happens to the contingency reserve allocated to it?
  4. How does a risk become an issue during project execution?

Introduction

Risks are present in every project. Effective risk and change management involves systematically identifying, assessing, and controlling uncertainties that could hinder or improve project objectives. Not all risks are negative; opportunities should also be managed. This article outlines the process for managing both risk and project changes as required for the PMP exam.

What Is Project Risk?

Project risk is any uncertain event or condition that could impact one or more project objectives if it occurs. Risk is not always negative; it may also relate to opportunities. Risk management ensures that threats are reduced and opportunities are pursued.

Key Term: Project Risk An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.

Risk and Change Link

Risks are frequently the driver for project changes. If a risk event occurs or new risks are identified, the project plan or baselines may need to be updated. Change management processes help control these changes and keep the project aligned with its objectives.

Key Term: Change Management The process of evaluating, approving, and implementing modifications to project plans, baselines, or deliverables.

Steps in Risk Management

Project risk management consists of several iterative steps:

1. Plan Risk Management

Define how risk management will be conducted. Set standards for risk identification, analysis, roles and responsibilities, and reporting. This plan guides all risk-related project activities.

2. Identify Risks

Gather information about possible threats and opportunities throughout the project. Use team brainstorming, interviews, checklists, and prompt lists.

Key Term: Prompt List A standard set of risk categories (e.g., PESTLE, VUCA, TECOP) used to identify risks systematically.

Key Term: Risk Register A project document containing details of identified risks, their owners, responses, and status.

3. Perform Qualitative Risk Analysis

Prioritize identified risks using subjective methods, most commonly a probability-impact matrix. Probability and impact are each rated on a predefined scale (e.g., 1–5) set out in the risk management plan; the product of the two ratings places the risk in a cell of the matrix, and the band that cell falls in (high, medium, low) decides which risks need quantitative analysis or a planned response and which are simply kept on a watch list.

Key Term: Probability-Impact Matrix A tool that plots risks based on their likelihood and potential effect on objectives to prioritize which need response planning.
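The scoring step above, as an added worked example (not code from the original article): a small risk register is rated on 1–5 scales, scored as probability × impact, placed in high/medium/low bands, ranked, and drawn as the 5×5 grid. The scale wording, the band thresholds (12 and 6) and the four risks are constructed for the clinic IT upgrade in Worked Example 1.1; a real project takes all of them from its risk management plan.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed 1-5 scales. A real project defines the wording of each level in its risk management plan.
SCALE = range(1, 6)
PROBABILITY_LEVELS = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}
IMPACT_LEVELS = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed score bands for the matrix: 12-25 high, 6-11 medium, 1-5 low.
HIGH_THRESHOLD = 12
MEDIUM_THRESHOLD = 6


@dataclass
class Risk:
    risk_id: str
    description: str
    kind: str          # "threat" or "opportunity"; both are rated on the same matrix here
    probability: int   # 1-5
    impact: int        # 1-5
    owner: str


def score(risk: Risk) -> int:
    """Qualitative score = probability level x impact level (1..25)."""
    for name, value in (("probability", risk.probability), ("impact", risk.impact)):
        if value not in SCALE:
            raise ValueError(f"{risk.risk_id}: {name} must be on the 1-5 scale, got {value!r}")
    return risk.probability * risk.impact


def band(risk: Risk) -> str:
    """Place a risk in the matrix's high / medium / low band using the assumed thresholds."""
    s = score(risk)
    if s >= HIGH_THRESHOLD:
        return "high"
    if s >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def prioritize(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Rank the register highest score first. sorted() is stable, so equal scores keep register order."""
    ranked = sorted(register, key=score, reverse=True)
    return [(r.risk_id, score(r), band(r)) for r in ranked]


def render_matrix(register: list[Risk]) -> str:
    """Text rendering of the 5x5 grid: rows are probability (5 at the top), columns are impact."""
    cells: dict[tuple[int, int], list[str]] = {(p, i): [] for p in SCALE for i in SCALE}
    for r in register:
        score(r)  # validates the scale values before they are used as grid coordinates
        cells[(r.probability, r.impact)].append(r.risk_id)
    rows = []
    for p in range(5, 0, -1):
        row = [",".join(cells[(p, i)]) or "-" for i in SCALE]
        rows.append(f"P{p} | " + " | ".join(f"{c:^7}" for c in row))
    rows.append("     " + "   ".join(f"  I{i}   " for i in SCALE))
    return "\n".join(rows)


# Constructed register for the clinic IT upgrade in Worked Example 1.1; ids, owners and ratings are illustrative.
REGISTER = [
    Risk("R1", "critical clinical software incompatible with the new OS", "threat", 4, 5, "infrastructure lead"),
    Risk("R2", "vendor ships a compatible release before cutover", "opportunity", 2, 4, "project manager"),
    Risk("R3", "replacement server hardware delivered late", "threat", 3, 3, "procurement"),
    Risk("R4", "printer driver glitches on a few workstations", "threat", 5, 1, "helpdesk"),
]

if __name__ == "__main__":
    for rid, s, b in prioritize(REGISTER):
        print(f"{rid}: score={s:2d} band={b}")
    print(render_matrix(REGISTER))
```

Note that R4 has the highest probability in the register but lands in the low band: the matrix exists precisely so that a near-certain nuisance does not crowd out an unlikely but severe threat such as R1.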

4. Perform Quantitative Risk Analysis (If Needed)

Estimate, in numeric terms, the likelihood and impact of the highest-priority risks and their combined effect on project objectives. Use methods such as simulations (e.g., Monte Carlo), expected monetary value (EMV), and decision tree analysis.

Key Term: Expected Monetary Value (EMV) The average outcome when the future includes scenarios that may or may not happen, calculated by multiplying each scenario's probability by its monetary impact and summing the results. Threats give negative values and opportunities positive ones; in a decision tree the net EMV of each branch is compared to choose between alternatives.
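The two quantitative techniques named above, as an added worked example (not code from the original article): a one-level decision tree that compares the net EMV of accepting versus mitigating the compatibility threat from Worked Example 1.1, and a Monte Carlo schedule simulation that turns three-point estimates into P50 and P80 finish dates. All figures (the 15,000 cost of the test environment, the 0.6 → 0.2 probability change, the 80,000 loss, the task estimates) are constructed for the illustration, and the tasks are assumed to run in series.

```python
from __future__ import annotations
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    probability: float
    impact: float   # monetary effect if this outcome occurs: negative for a threat, positive for an opportunity


def emv(outcomes: list[Outcome]) -> float:
    """Expected monetary value of one uncertain event: sum of probability x impact over its
    mutually exclusive outcomes, whose probabilities must therefore sum to 1."""
    total = sum(o.probability for o in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"outcome probabilities must sum to 1, got {total}")
    return sum(o.probability * o.impact for o in outcomes)


def decision_tree(options: dict[str, tuple[float, list[Outcome]]]) -> tuple[str, dict[str, float]]:
    """One-level decision tree. options maps a choice name to (up-front cost, chance-node outcomes).
    Net EMV of a branch = -cost + EMV(outcomes); the best choice is the branch with the highest net EMV."""
    nets = {name: -cost + emv(outs) for name, (cost, outs) in options.items()}
    best = max(nets, key=nets.__getitem__)
    return best, nets


def monte_carlo_finish(tasks: list[tuple[float, float, float]], n: int = 20_000, seed: int = 1) -> tuple[float, float]:
    """Schedule simulation. Each task is (optimistic, most likely, pessimistic) days; each run draws a
    triangular duration per task and sums them along an assumed serial path. Returns the P50 and P80
    finish in days; P80 minus the deterministic estimate is one common basis for schedule contingency."""
    rng = random.Random(seed)   # fixed seed so the result is reproducible
    finishes = sorted(sum(rng.triangular(lo, hi, mode) for lo, mode, hi in tasks) for _ in range(n))
    return finishes[int(0.50 * n)], finishes[int(0.80 * n)]


# Constructed figures for Worked Example 1.1: the test environment (mitigation) costs 15,000 up front
# and cuts the probability of a damaging incompatibility from 0.6 to 0.2; the loss if it occurs is 80,000.
COMPATIBILITY_OPTIONS = {
    "accept":   (0.0,      [Outcome(0.6, -80_000), Outcome(0.4, 0.0)]),
    "mitigate": (15_000.0, [Outcome(0.2, -80_000), Outcome(0.8, 0.0)]),
}

# Constructed three-point estimates (days) for the cutover tasks.
CUTOVER_TASKS = [(5, 8, 15), (3, 4, 10), (2, 3, 5)]

if __name__ == "__main__":
    best, nets = decision_tree(COMPATIBILITY_OPTIONS)
    for name, net in nets.items():
        print(f"{name:>8}: net EMV {net:,.0f}")
    print("choose:", best)
    p50, p80 = monte_carlo_finish(CUTOVER_TASKS)
    print(f"finish P50 {p50:.1f} days, P80 {p80:.1f} days; sum of most-likely estimates "
          f"{sum(t[1] for t in CUTOVER_TASKS)} days")
```

Accepting the threat has a net EMV of -48,000 while mitigating it costs 15,000 and has a net EMV of -31,000, so the test environment is worth funding even though it does not remove the risk. The simulation typically puts the P50 finish above the 15-day sum of most-likely estimates because each three-point estimate is skewed toward its pessimistic value; the gap between P80 and the deterministic plan is the schedule reserve the exam questions on contingency are pointing at.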

5. Plan Risk Responses

Develop response strategies for threats (avoid, mitigate, transfer, accept, or escalate when the threat lies outside the project's authority) and opportunities (exploit, enhance, share, accept, or escalate). Assign a risk owner to be responsible for each risk and its response plan, and record the residual risk that the chosen response leaves behind and any secondary risk it creates.

Key Term: Risk Owner The specific person assigned to monitor, report on, and implement responses to a given risk.

6. Implement Risk Responses

Risk owners act as needed—executing planned responses (e.g., using a contingency plan if a risk trigger is detected), and updating risk status.

7. Monitor Risks

Review risk status frequently at regular meetings. Reassess old risks, identify new ones, and update the risk register and response plans. Adjust contingencies or escalate unresolved risks.

Relationship Between Risk and Change

Whenever a risk occurs, or a risk's impact changes significantly, a project change may be required. All significant changes must be assessed for their effect on time, cost, scope, quality, and risk. Change requests—which may cover risk responses, contingency reserve adjustments, or schedule revisions—must follow the formal change control process.

Worked Example 1.1

During a project to upgrade a clinic's IT infrastructure, the project manager identifies the risk that critical software will not be compatible with the new operating system. The probability-impact assessment gives this risk a high score. The risk response plan is to create a test environment for early compatibility testing (mitigation), and to contract a specialist for troubleshooting if issues are found (transfer).

The mitigation response reduces the likelihood of failure. If, despite these steps, incompatibility does severely delay implementation, additional project costs and schedule extensions are likely, and a formal change request is submitted for approval by the change control board.

Answer: The mitigation response proactively reduces the likelihood of the threat. The transfer response shifts responsibility outside the project team. If the risk materializes, its transition to an issue triggers a change request.

Types of Risks

Threats and Opportunities

Most project risks are threats, but opportunities—uncertain events that could help achieve objectives—should also be managed using the same process.

Key Term: Threat An uncertain event with a potential negative effect on objectives.

Key Term: Opportunity An uncertain event that could have a beneficial effect on objectives.

Individual and Overall Project Risk

Risks exist at the individual (event) level and at the overall project level. Overall project risk is the effect of uncertainty on the project as a whole, arising from all sources including the individual risks; it is more than their sum, and a project can carry high overall risk even when no single risk scores high. Both levels must be considered.

Key Term: Residual Risk A risk that remains after response strategies have been implemented.

Key Term: Secondary Risk New risks that emerge as a direct result of implementing a risk response.

Risk Response Strategies

For Threats

  • Avoid: Change the plan to eliminate the threat or protect objectives from its impact.
  • Mitigate: Reduce its probability and/or impact.
  • Transfer: Shift ownership and impact to a third party (e.g., insurance, warranties, fixed-price contracts); the risk itself does not disappear.
  • Accept: Acknowledge the threat and take no proactive action beyond periodic review (passive acceptance), or set aside a contingency reserve of time or money and a contingency plan to use if it occurs (active acceptance).
  • Escalate: Hand the threat to program or portfolio management when it is outside the project's scope or authority.

For Opportunities

  • Exploit: Ensure the opportunity occurs (e.g., assign the best resources).
  • Enhance: Increase its probability and/or impact.
  • Share: Allocate ownership to a third party better able to capture the benefit (e.g., partnership, joint venture).
  • Accept: Take advantage of the opportunity if it arises, without proactive action.
  • Escalate: Hand the opportunity to program or portfolio management when it is outside the project's authority.

Key Term: Contingency Plan A predefined set of actions to implement if a risk event occurs.

Key Term: Risk Trigger An indicator that a risk is about to occur, prompting planned response.

Worked Example 1.2

You are managing a bridge construction project. One risk is that supply chain disruptions could delay steel deliveries. You rate this risk as high-probability, high-impact. You choose to mitigate the risk by arranging multiple suppliers. You also create a contingency plan to use substitute materials if delivery is delayed beyond 10 days. The project schedule and budget allow for up to a 2-week delay without impacting the overall project objectives.

Answer: The risk response reduces the likelihood of supply problems (mitigation) and prepares the team to act if the risk occurs anyway (contingency plan, triggered at 10 days of delay). The 2-week schedule allowance is the contingency reserve for this risk; it is sized to the residual impact that remains after mitigation.

Exam Warning

Project change management and risk management questions may overlap. Always check whether the scenario describes a risk (an uncertain future event) or an issue (an event that has already happened). An issue needs immediate action, and that action, or a workaround, is what produces an urgent change request. A risk that has not occurred is handled through planned responses; where a planned response itself alters a baseline (for example, adding schedule reserve), the change still goes through change control, but at planning time rather than as an emergency.

Risk Monitoring and Control

Regularly review risks at meetings. Watch for "risk triggers" and changes that impact the risk profile. Risks that occur become issues and are then managed as such, possibly with new change requests or workarounds.

  • Close risks that are no longer a threat or opportunity.
  • Monitor contingency reserves; unused reserves for risks that did not occur can be returned to the business.
  • Reassess project risk on a scheduled basis as well as after major changes.
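The monitoring cycle above, as an added worked example (not code from the original article): a register tracks each risk's owner, trigger and contingency reserve; a reading that reaches the trigger converts the risk to an issue, executes the contingency plan and raises a change request; a risk that can no longer occur is closed and its reserve released; and a summary shows reserve held, drawn and returned. The three risks, their metrics, trigger values, reserves and the sequence of review-meeting observations are constructed for the bridge project in Worked Example 1.2.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    OPEN = "open"      # still uncertain; the owner watches the trigger
    ISSUE = "issue"    # the risk event occurred; now managed as an issue
    CLOSED = "closed"  # can no longer occur; its reserve is released


@dataclass
class TrackedRisk:
    risk_id: str
    owner: str
    metric: str          # the observable indicator the owner watches
    trigger: float       # risk trigger: at or above this value the event is treated as having occurred
    contingency: str     # predefined contingency plan
    reserve: float       # contingency reserve (money) allocated to this risk
    status: Status = Status.OPEN
    history: list[str] = field(default_factory=list)


class RiskRegister:
    def __init__(self) -> None:
        self.risks: dict[str, TrackedRisk] = {}
        self.change_requests: list[str] = []
        self.released: float = 0.0    # reserve returned to the business from closed risks

    def add(self, risk: TrackedRisk) -> None:
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks[risk.risk_id] = risk

    def _open(self, risk_id: str) -> TrackedRisk:
        risk = self.risks[risk_id]
        if risk.status is not Status.OPEN:
            raise ValueError(f"{risk_id} is {risk.status.value}; only open risks are monitored")
        return risk

    def observe(self, risk_id: str, value: float) -> bool:
        """Record a reading of the risk's indicator. Reaching the trigger turns the risk into an issue:
        the contingency plan is executed and a change request is raised for the affected baselines.
        Returns True when the trigger fired."""
        risk = self._open(risk_id)
        risk.history.append(f"{risk.metric}={value}")
        if value < risk.trigger:
            return False
        risk.status = Status.ISSUE
        self.change_requests.append(
            f"{risk_id}: {risk.owner} executes '{risk.contingency}'; "
            f"draw up to {risk.reserve:,.0f} from contingency reserve"
        )
        return True

    def close(self, risk_id: str, reason: str) -> float:
        """Close a risk that can no longer occur and release its unused reserve."""
        risk = self._open(risk_id)
        risk.status = Status.CLOSED
        risk.history.append(f"closed: {reason}")
        self.released += risk.reserve
        return risk.reserve

    def reserve_summary(self) -> dict[str, float]:
        held = sum(r.reserve for r in self.risks.values() if r.status is Status.OPEN)
        drawn = sum(r.reserve for r in self.risks.values() if r.status is Status.ISSUE)
        return {"held": held, "drawn": drawn, "released": self.released}


def build_register() -> RiskRegister:
    """Constructed register for the bridge project in Worked Example 1.2; all figures are illustrative."""
    reg = RiskRegister()
    reg.add(TrackedRisk("R1", "procurement lead", "steel_delivery_delay_days", 10,
                        "switch to approved substitute steel section", 40_000))
    reg.add(TrackedRisk("R2", "site engineer", "soil_contaminant_ppm", 500,
                        "remove and dispose of contaminated spoil", 120_000))
    reg.add(TrackedRisk("R3", "construction manager", "crane_lead_time_days", 21,
                        "hire crane from second supplier", 15_000))
    return reg


def run_monitoring(reg: RiskRegister) -> RiskRegister:
    """Constructed sequence of observations from successive risk review meetings."""
    reg.observe("R1", 4)    # week 1: minor slippage, below the 10-day trigger
    reg.observe("R2", 30)   # survey result far below the threshold
    reg.close("R2", "site survey complete, no contamination found")
    reg.observe("R1", 12)   # week 3: trigger reached, risk becomes an issue
    reg.observe("R3", 7)    # still open
    return reg


if __name__ == "__main__":
    reg = run_monitoring(build_register())
    for r in reg.risks.values():
        print(r.risk_id, r.status.value, r.history)
    print(reg.change_requests)
    print(reg.reserve_summary())
```

The register refuses further observations on a risk that is already an issue or closed; once the event has happened it belongs in the issue log and the change request, not the risk register, which is the distinction the exam warning above turns on.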

Worked Example 1.3

On a software rollout, the team identified a high-probability risk that remote installation could fail due to bandwidth issues. They developed a mitigation plan (testing the process at off-peak hours). Shortly after rollout, the risk materializes: many installations fail. The risk owner follows the contingency plan: delay installations until bandwidth increases. A change request is raised to extend the rollout deadline. The risk is closed in the register, the event is recorded and managed as an issue, and the contingency reserve set aside for it is drawn down as the plan is executed.

Answer: When a risk becomes an issue, the planned contingency is implemented. Formal change control is followed for project baseline adjustments.

Risk Management in Agile and Predictive Projects

  • In predictive projects, risks are identified up front and monitored throughout defined stages using risk registers and scheduled reviews.
  • In agile projects, new risks can emerge each cycle. The risk register and backlog are updated frequently. Daily meetings and iterations enable quick identification and action.

Revision Tip

For the PMP exam, ensure you can distinguish between threats and opportunities, and can select appropriate responses for both. In scenario questions, focus on the impact to project objectives and whether the risk is specific (individual) or affects the whole project.

Summary

Effective risk and change management means anticipating, prioritizing, and preparing for uncertainties—responding proactively to threats and capitalizing on opportunities. Systematic procedures (risk register; probability-impact assessment; contingency planning) reduce negative impacts and maximize benefits. Regular reviews, formal change controls, and risk ownership keep your project aligned with PMP best practice.

Key Point Checklist

This article has covered the following key knowledge points:

  • Project risk means uncertainty with potential positive or negative effects on objectives.
  • Risk management involves planning, identification, qualitative and quantitative analysis, response planning and implementation, and ongoing monitoring.
  • Risk responses are chosen depending on whether the risk is a threat or opportunity.
  • Probability-impact matrices are used in qualitative analysis to prioritize risks.
  • Contingency reserves are budgeted for known risks; unused reserves can be released if risks don't occur.
  • A risk becomes an issue once it materializes; issues require immediate action and may prompt change requests.
  • Formal change control must be followed for approval of risk responses that affect project plans or baselines.
  • Regular review of risks is necessary to respond to changes and evolving project environments.

Key Terms and Concepts

  • Project Risk
  • Change Management
  • Prompt List
  • Risk Register
  • Probability-Impact Matrix
  • Expected Monetary Value (EMV)
  • Risk Owner
  • Threat
  • Opportunity
  • Residual Risk
  • Secondary Risk
  • Contingency Plan
  • Risk Trigger