Risk and change management - Risk response strategies

Learning Outcomes

After studying this article, you will be able to identify, explain, and select the key risk response strategies for both threats and opportunities on the PMP exam. You will know how to assign and monitor risk owners, recognize when to escalate risks, distinguish secondary and residual risks, and understand how risk response planning links to change management and project monitoring.

PMP Syllabus

For PMP, you are required to understand how to manage project risks using appropriate response actions. This article covers key principles for responding to risks, including integrating risk handling with project change management and monitoring. Review the following syllabus points:

  • Identify and distinguish between risk response strategies for negative risks (threats) and positive risks (opportunities).
  • Decide when to escalate, transfer, mitigate, share, exploit, accept, or avoid risks.
  • Assign risk owners who are responsible for response actions.
  • Recognize and manage secondary and residual risks after response.
  • Integrate risk responses with project plans and change management.
  • Monitor and document risk responses and lessons learned.

Test Your Knowledge

Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.

  1. Which risk response strategy is used when a threat is outside the authority or scope of the project manager?
    1. Transfer
    2. Escalate
    3. Accept
    4. Mitigate
  2. Which approach is most appropriate when an opportunity exceeds the project's ability to exploit but aligns with the program's goals?
    1. Share
    2. Accept
    3. Exploit
    4. Escalate
  3. Which statement is correct about residual risks?
    1. They are always ignored after initial response.
    2. They are addressed with secondary plans only.
    3. They remain after response strategies and must be monitored.
    4. They only apply to threats, not opportunities.

Introduction

Project risk management goes beyond just identifying or analyzing risks. To control uncertainty and achieve objectives, you must match each risk with a suitable response strategy, assign responsibility, and plan for ongoing monitoring and change.

Core Risk Response Strategies

PMI differentiates between strategies for threats (negative risks) and opportunities (positive risks). Understanding and correctly applying these strategies is a frequent source of PMP exam questions.

Key Term: Risk Response Strategy
A proactive or reactive action or approach selected to address an identified project risk, aiming to minimize threats and maximize opportunities.

Threat Response Strategies

Negative risks (threats) can derail performance, deadlines, or budget. The following are commonly used responses for threats:

  • Avoid: Adjust the project plan, scope, or approach so the threat cannot occur (e.g., remove a risky activity).
  • Mitigate: Take action to reduce the probability or the negative impact (e.g., use proven methods, add more tests).
  • Transfer: Shift ownership and consequences to a third party (such as through a fixed-price contract or insurance).
  • Accept: Take no proactive action apart from monitoring; may involve setting aside a contingency reserve.
  • Escalate: Refer the risk to program, portfolio, or upper management when it is beyond the project manager’s authority or control.

Key Term: Threat
A risk that could have a negative effect on at least one project objective if it occurs.

Opportunity Response Strategies

Positive risks (opportunities) can create extra benefits. Use the following strategies:

  • Exploit: Alter plans to ensure the opportunity happens (e.g., assign the best resources to a process that may lead to a major win).
  • Improve: Increase the probability or impact (e.g., add features that may improve user adoption).
  • Share: Allocate some or all responsibility for capturing the opportunity to a specialist or partner (joint venture, strategic alliance).
  • Accept: No planned action; take advantage if it arises.
  • Escalate: Refer the opportunity upward if it cannot be realized within project constraints but can benefit a broader business goal.

Key Term: Opportunity
A risk that could have a positive effect on at least one project objective if it occurs.

Assigning Risk Owners

For every major risk requiring a response, a named risk owner must be responsible for implementing and monitoring risk actions.

Key Term: Risk Owner
The person or entity responsible for ensuring the risk response is carried out and for monitoring the risk’s status during the project.

Monitoring for Secondary and Residual Risks

Not all risks end after a response. Implementing a response can create new risks, known as secondary risks. Some risk exposure also remains after the response, known as residual risks.

Key Term: Secondary Risk
A risk that arises as a direct result of implementing a risk response.

Key Term: Residual Risk
A risk that remains after response strategies have been applied.

All active, secondary, and residual risks must be tracked in the risk register and periodically reviewed.

Proactive Versus Reactive Actions

Most risk responses are planned and assigned during project planning, but not all risks can be anticipated. If an unplanned event occurs, a workaround is a reactive, on-the-fly solution. Planned responses are generally more effective and less disruptive than workarounds.

Linking Risk Responses to Change Management

Significant risk responses may require adjustments to schedules, budgets, work packages, contracts, or project scope. Such changes must be managed through the project’s integrated change control process. Good practice is to document all decided-upon changes and lessons learned for future projects.

Worked Example 1.1

A data center migration project identifies that regulatory changes may force additional security requirements, exceeding both the project's budget and authority. What should the project manager do?

Answer: This risk should be escalated to program or portfolio management, as it exceeds project control. The project manager ensures it is documented and communicates the impact to those responsible.

Worked Example 1.2

A mobile app project discovers an external provider may discontinue a critical service. The project can absorb a 2-week delay if it happens.

Which response strategy is most appropriate?

Answer: Accept. Take no specific action, but document and monitor the risk. If the discontinuation occurs, use a contingency plan within the schedule buffer. Assign a risk owner to ensure this is tracked.

Worked Example 1.3

A construction project finds that using an innovative new material could reduce cost by 25%, but the technology is unfamiliar and may delay the schedule if it fails.

Which strategies can address the threat and the opportunity?

Answer: Mitigate the threat by limiting use of the new material to a test section first and exploit the opportunity if results are positive. Alternatively, accept either outcome if the risk is minimal or within tolerances.

Exam Warning

Many candidates mistakenly believe "accept" means to ignore the risk. "Accept" means you recognize the risk but do not proactively act unless a trigger or event occurs. You may still prepare a fallback plan or set aside reserves.

Revision Tip

On the PMP exam, practice quickly matching risk scenarios to the correct strategy: threats (avoid, mitigate, transfer, accept, escalate); opportunities (exploit, improve, share, accept, escalate). Remember that escalation is used when risks fall outside project boundaries.

Summary

Choosing and assigning the right risk response strategies for threats and opportunities improves project predictability and value. Every significant risk must have an assigned owner, proactive monitoring, and documented follow-up. Risk responses may require formal change management. Always monitor for new, secondary, or unresolved risks, and record outcomes for future learning.

Key Point Checklist

This article has covered the following key knowledge points:

  • Response strategies differ for threats and opportunities.
  • Escalate is used when risks fall outside project control or authority.
  • Each key risk must have an assigned owner and monitored response.
  • Planned responses are proactive; reactive workarounds manage unforeseen risks.
  • Risk responses may trigger change control updates and secondary or residual risks.
  • All risk actions and their results must be documented and reviewed.

Key Terms and Concepts

  • Risk Response Strategy
  • Threat
  • Opportunity
  • Risk Owner
  • Secondary Risk
  • Residual Risk
