## **Learning Outcomes**

After reading this article, you will be able to explain how project risks are identified, analyzed, prioritized, and managed throughout the project lifecycle. You will understand common risk response strategies, the distinction between threats and opportunities, the process for monitoring risks as projects proceed, and the connection between risk, change, and controlling project baselines—key knowledge for PMP exam questions on risk and change management.

## **PMP Syllabus**

For PMP, you are required to understand the systematic process of risk and change management in projects. This includes recognizing the relationship between change and risk, applying risk identification and assessment techniques, and choosing appropriate responses. Revise:

- The steps involved in project risk management (including planning, identification, qualitative and quantitative analysis, response planning, implementing responses, and risk monitoring).
- The distinction between project threats (negative risks) and opportunities (positive risks).
- Risk identification tools (brainstorming, checklists, prompt lists, etc.).
- Construction and interpretation of probability-impact matrices.
- Strategies for responding to both threats and opportunities.
- The link between risk and project change, including justification and procedures for baseline adjustments.
- Assigning risk ownership and tracking risk status.
- Managing risk and change in both predictive and adaptive project approaches.

## **Test Your Knowledge**

_Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision._

1. What is the purpose of a probability-impact matrix in the qualitative risk analysis process?
2. Which response strategy is best for a threat that cannot be completely eliminated but whose impact can be reduced?
3. If a planned risk does not occur, what happens to the contingency reserve allocated for it?
4. How does a risk become an issue during project execution?

## **Introduction**

Risks are present in every project. Effective risk and change management involves systematically identifying, assessing, and controlling uncertainties that could hinder or improve project objectives. Not all risks are negative; opportunities should also be managed. This article outlines the process for managing both risk and project changes as required for the PMP exam.

### What Is Project Risk?

Project risk is any uncertain event or condition that could impact one or more project objectives if it occurs. Risk is not always negative; it may also relate to opportunities. Risk management ensures that threats are reduced and opportunities are pursued.

> **Key Term: Project Risk**
> An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.

### Risk and Change Link

Risks are frequently the driver for project changes. If a risk event occurs or new risks are identified, the project plan or baselines may need to be updated. Change management processes help control these changes and keep the project aligned with its objectives.

> **Key Term: Change Management**
> The process of evaluating, approving, and implementing modifications to project plans, baselines, or deliverables.

## Steps in Risk Management

Project risk management consists of several iterative steps:

### 1. Plan Risk Management

Define how risk management will be conducted. Set standards for risk identification, analysis, roles and responsibilities, and reporting. This plan guides all risk-related project activities.

### 2. Identify Risks

Gather information about possible threats and opportunities throughout the project. Use team brainstorming, interviews, checklists, and prompt lists.

> **Key Term: Prompt List**
> A standard set of risk categories (e.g., PESTLE, VUCA, TECOP) used to identify risks systematically.
>
> **Key Term: Risk Register**
> A project document containing details of identified risks, their owners, responses, and status.

### 3. Perform Qualitative Risk Analysis

Prioritize identified risks using subjective methods—most commonly, a probability-impact matrix. Probability is assessed on a predefined scale (e.g., 1–5), as is impact, and the scores help distinguish which risks need further analysis or planned responses.

> **Key Term: Probability-Impact Matrix**
> A tool that plots risks based on their likelihood and potential effect on objectives to prioritize which need response planning.

### 4. Perform Quantitative Risk Analysis (If Needed)

Estimate, in numeric terms, the likelihood and impact of the highest-priority risks. Use methods such as simulations (e.g., Monte Carlo), expected monetary value (EMV), and decision tree analysis.

> **Key Term: Expected Monetary Value (EMV)**
> The average outcome when the future includes scenarios that may or may not happen, calculated as probability × impact.

### 5. Plan Risk Responses

Develop response strategies for threats (avoid, mitigate, transfer, accept) and opportunities (exploit, improve, share, accept). Assign a risk owner to be responsible for each risk and its response plan.

> **Key Term: Risk Owner**
> The specific person assigned to monitor, report on, and implement responses to a given risk.

### 6. Implement Risk Responses

Risk owners act as needed—executing planned responses (e.g., using a contingency plan if a risk trigger is detected), and updating risk status.

### 7. Monitor Risks

Review risk status frequently at regular meetings. Reassess old risks, identify new ones, and update the risk register and response plans. Adjust contingencies or escalate unresolved risks.

## Relationship Between Risk and Change

Whenever a risk occurs, or a risk's impact changes significantly, a project change may be required. All significant changes must be assessed for their effect on time, cost, scope, quality, and risk. Change requests—which may cover risk responses, contingency reserve adjustments, or schedule revisions—must follow the formal change control process.

### **Worked Example 1.1**

_During a project to upgrade a clinic's IT infrastructure, the project manager identifies the risk that critical software will not be compatible with the new operating system. The probability-impact assessment gives this risk a high score. The risk response plan is to create a test environment for early compatibility testing (mitigation), and to contract a specialist for troubleshooting if issues are found (transfer)._

_The mitigation response reduces the likelihood of failure. If, despite these steps, incompatibility does severely delay implementation, additional project costs and schedule extensions are likely, and a formal change request is submitted for approval by the change control board._

> **Answer:** The mitigation response proactively reduces the likelihood of the threat. The transfer response shifts responsibility outside the project team. If the risk materializes, its transition to an issue triggers a change request.

## Types of Risks

### Threats and Opportunities

Most project risks are threats, but opportunities—uncertain events that could help achieve objectives—should also be managed using the same process.

> **Key Term: Threat**
> An uncertain event with a potential negative effect on objectives.
>
> **Key Term: Opportunity**
> An uncertain event that could have a beneficial effect on objectives.

### Individual and Overall Project Risk

Risks can be at the individual (event) or overall project level. Both must be considered.

> **Key Term: Residual Risk**
> A risk that remains after response strategies have been implemented.
>
> **Key Term: Secondary Risk**
> New risks that emerge as a direct result of implementing a risk response.

## Risk Response Strategies

### For Threats

- Avoid: Change plans to eliminate the threat.
- Mitigate: Reduce probability and/or impact.
- Transfer: Shift responsibility elsewhere (e.g., insurance, contracts).
- Accept: Do nothing proactively except monitor; prepare a contingent plan if needed.

### For Opportunities

- Exploit: Ensure the opportunity occurs (e.g., assign best resources).
- Improve: Increase likelihood or impact.
- Share: Allocate ownership to a party better able to realize the opportunity.
- Accept: Take advantage if it arises without proactive action.

> **Key Term: Contingency Plan**
> A predefined set of actions to implement if a risk event occurs.
>
> **Key Term: Risk Trigger**
> An indicator that a risk is about to occur, prompting planned response.

### **Worked Example 1.2**

_You are managing a bridge construction project. One risk is that supply chain disruptions could delay steel deliveries. You rate this risk as high-probability, high-impact. You choose to mitigate the risk by arranging multiple suppliers. You also create a contingency plan to use substitute materials if delivery is delayed beyond 10 days. The project schedule and budget allow for up to a 2-week delay without impacting the overall project objectives._

> **Answer:** The risk response reduces the likelihood of supply problems (mitigation) and ensures the team is ready if the risk occurs (contingency plan). The contingency reserve is set according to the risk impact.

### **Exam Warning**

> Project change management and risk management questions may overlap. Always check if the scenario describes a risk (uncertain event) or an issue (event that has already happened). Only issues, not risks, can necessitate immediate change requests.

## Risk Monitoring and Control

Regularly review risks at meetings. Watch for "risk triggers" and changes that impact the risk profile. Risks that occur become issues and are then managed as such, possibly with new change requests or workarounds.

- Close risks that are no longer a threat or opportunity.
- Monitor contingency reserves; unused reserves for risks that did **not** occur can be returned to the business.
- Reassess project risk on a scheduled basis as well as after major changes.

### **Worked Example 1.3**

_On a software rollout, the team identified a high-probability risk that remote installation could fail due to bandwidth issues. They developed a mitigation plan (testing the process at off-peak hours). Shortly after rollout, the risk materializes: many installations fail. The risk owner follows the contingency plan: delay installations until bandwidth increases. A change request is raised to extend the rollout deadline. The risk is now closed as an issue, and the contingency reserve is reallocated._

> **Answer:** When risk becomes issue, the planned contingency is implemented. Formal change control is followed for project baseline adjustments.

## Risk Management in Agile and Predictive Projects

- In predictive projects, risks are identified up front and monitored throughout defined stages using risk registers and scheduled reviews.
- In agile projects, new risks can emerge each cycle. The risk register and backlog are updated frequently. Daily meetings and iterations enable quick identification and action.

### **Revision Tip**

> For the PMP exam, ensure you can distinguish between threats and opportunities, and can select appropriate responses for both. In scenario questions, focus on the impact to project objectives and whether the risk is specific (individual) or affects the whole project.

## **Summary**

Effective risk and change management means anticipating, prioritizing, and preparing for uncertainties—responding proactively to threats and capitalizing on opportunities. Systematic procedures (risk register; probability-impact assessment; contingency planning) reduce negative impacts and maximize benefits. Regular reviews, formal change controls, and risk ownership keep your project aligned with PMP best practice.

## **Key Point Checklist**

_This article has covered the following key knowledge points:_

- Project risk means uncertainty with potential positive or negative effects on objectives.
- Risk management involves planning, identification, analysis, response, monitoring, and control.
- Risk responses are chosen depending on whether the risk is a threat or opportunity.
- Probability-impact matrices are used in qualitative analysis to prioritize risks.
- Contingency reserves are budgeted for known risks; unused reserves can be released if risks don't occur.
- A risk becomes an issue once it materializes; issues require immediate action and may prompt change requests.
- Formal change control must be followed for approval of risk responses that affect project plans or baselines.
- Regular review of risks is necessary to respond to changes and evolving project environments.

## **Key Terms and Concepts**

- Project Risk
- Change Management
- Prompt List
- Risk Register
- Probability-Impact Matrix
- Expected Monetary Value (EMV)
- Risk Owner
- Threat
- Opportunity
- Residual Risk
- Secondary Risk
- Contingency Plan
- Risk Trigger


Risk and change management - Assessing and managing risks