## **Learning Outcomes**

After reading this article, you will be able to identify, explain, and select the key risk response strategies for both threats and opportunities on the PMP exam. You will know how to assign and monitor risk owners, recognize when to escalate risks, distinguish secondary and residual risks, and understand how risk response planning links to change management and project monitoring.

## **PMP Syllabus**

For PMP, you are required to understand how to manage project risks using appropriate response actions. This article covers key principles for responding to risks, including integrating risk handling with project change management and monitoring. Review the following syllabus points:

- Identify and distinguish between risk response strategies for negative risks (threats) and positive risks (opportunities).
- Decide when to escalate, transfer, mitigate, share, exploit, accept, or avoid risks.
- Assign risk owners who are responsible for response actions.
- Recognize and manage secondary and residual risks after response.
- Integrate risk responses with project plans and change management.
- Monitor and document risk responses and lessons learned.

## **Test Your Knowledge**

_Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision._

1. Which risk response strategy is used when a threat is outside the authority or scope of the project manager?
   a) Transfer
   b) Escalate
   c) Accept
   d) Mitigate

2. Which approach is most appropriate when an opportunity exceeds the project's ability to exploit but aligns with the program's goals?
   a) Share
   b) Accept
   c) Exploit
   d) Escalate

3. Which statement is correct about residual risks?
   a) They are always ignored after initial response.
   b) They are addressed with secondary plans only.
   c) They remain after response strategies and must be monitored.
   d) They only apply to threats, not opportunities.

## **Introduction**

Project risk management goes beyond just identifying or analyzing risks. To control uncertainty and achieve objectives, you must match each risk with a suitable response strategy, assign responsibility, and plan for ongoing monitoring and change.

### Core Risk Response Strategies

PMI differentiates between strategies for threats (negative risks) and opportunities (positive risks). Understanding and correctly applying these strategies is a frequent source of PMP exam questions.

> **Key Term: Risk Response Strategy**
> A proactive or reactive action or approach selected to address an identified project risk, aiming to minimize threats and maximize opportunities.

### Threat Response Strategies

Negative risks (threats) can derail performance, deadlines, or budget. The following are commonly used responses for threats:

- **Avoid:** Adjust the project plan, scope, or approach so the threat cannot occur (e.g., remove a risky activity).
- **Mitigate:** Take action to reduce the probability or the negative impact (e.g., use proven methods, add more tests).
- **Transfer:** Shift ownership and consequences to a third party (such as through a fixed-price contract or insurance).
- **Accept:** Take no proactive action apart from monitoring; may involve setting aside a contingency reserve.
- **Escalate:** Refer the risk to program, portfolio, or upper management when it is beyond the project manager’s authority or control.

> **Key Term: Threat**
> A risk that could have a negative effect on at least one project objective if it occurs.

### Opportunity Response Strategies

Positive risks (opportunities) can create extra benefits. Use the following strategies:

- **Exploit:** Alter plans to ensure the opportunity happens (e.g., assign the best resources to a process that may lead to a major win).
- **Improve:** Increase the probability or impact (e.g., add features that may improve user adoption).
- **Share:** Allocate some or all responsibility for capturing the opportunity to a specialist or partner (joint venture, strategic alliance).
- **Accept:** No planned action; take advantage if it arises.
- **Escalate:** Refer the opportunity upward if it cannot be realized within project constraints but can benefit a broader business goal.

> **Key Term: Opportunity**
> A risk that could have a positive effect on at least one project objective if it occurs.

### Assigning Risk Owners

For every major risk requiring a response, a named risk owner must be responsible for implementing and monitoring risk actions.

> **Key Term: Risk Owner**
> The person or entity responsible for ensuring the risk response is carried out and for monitoring the risk’s status during the project.

### Monitoring for Secondary and Residual Risks

Not all risks end after response. Implemented responses can create new risks—secondary risks. Some risk exposure remains—residual risks.

> **Key Term: Secondary Risk**
> A risk that arises as a direct result of implementing a risk response.
>
> **Key Term: Residual Risk**
> A risk that remains after response strategies have been applied.

All active, secondary, and residual risks must be tracked in the risk register and periodically reviewed.

### Proactive Versus Reactive Actions

Most risk responses are planned and assigned during project planning, but not all risks can be anticipated. If an unplanned event occurs, a workaround is a reactive, on-the-fly solution. Planned responses are generally more effective and less disruptive than workarounds.

### Linking Risk Responses to Change Management

Significant risk responses may require adjustments to schedules, budgets, work packages, contracts, or project scope. Such changes must be managed through the project’s integrated change control process. Good practice is to document all decided-upon changes and lessons learned for future projects.

### **Worked Example 1.1**

A data center migration project identifies that regulatory changes may force additional security requirements, exceeding both the project's budget and authority. What should the project manager do?

> **Answer:** This risk should be escalated to program or portfolio management, as it exceeds project control. The project manager ensures it is documented and communicates the impact to those responsible.

### **Worked Example 1.2**

A mobile app project discovers an external provider may discontinue a critical service. The project can absorb a 2-week delay if it happens.

**Which response strategy is most appropriate?**

> **Answer:** Accept. Take no specific action, but document and monitor the risk. If the discontinuation occurs, use a contingency plan within the schedule buffer. Assign a risk owner to ensure this is tracked.

### **Worked Example 1.3**

A construction project finds that using an innovative new material could reduce cost by 25%, but the technology is unfamiliar and may delay the schedule if it fails.

**Which strategies can address the threat and the opportunity?**

> **Answer:** Mitigate the threat by limiting use of the new material to a test section first and exploit the opportunity if results are positive. Alternatively, accept either outcome if the risk is minimal or within tolerances.

### **Exam Warning**

> Many candidates mistakenly believe "accept" means to ignore the risk. "Accept" means you recognize the risk but do not proactively act unless a trigger or event occurs. You may still prepare a fallback plan or set aside reserves.

### **Revision Tip**

> On the PMP exam, practice quickly matching risk scenarios to the correct strategy: threats (avoid, mitigate, transfer, accept, escalate); opportunities (exploit, improve, share, accept, escalate). Remember that escalation is used when risks fall outside project boundaries.

## **Summary**

Choosing and assigning the right risk response strategies for threats and opportunities improves project predictability and value. Every significant risk must have an assigned owner, proactive monitoring, and documented follow-up. Risk responses may require formal change management. Always monitor for new, secondary, or unresolved risks, and record outcomes for future learning.

## **Key Point Checklist**

_This article has covered the following key knowledge points:_

- Response strategies differ for threats and opportunities.
- Escalate is used when risks fall outside project control or authority.
- Each key risk must have an assigned owner and monitored response.
- Planned responses are proactive; reactive workarounds manage unforeseen risks.
- Risk responses may trigger change control updates and secondary or residual risks.
- All risk actions and their results must be documented and reviewed.

## **Key Terms and Concepts**

- Risk Response Strategy
- Threat
- Opportunity
- Risk Owner
- Secondary Risk
- Residual Risk


Risk and change management - Risk response strategies