PMI-RMP PMI Risk Management Professional (PMI-RMP) Exam Questions and Answers

Effective communication with sponsors and stakeholders about both primary and secondary risks is crucial. PMBOK® Guide states:

" Secondary risks... should be communicated to stakeholders and sponsors to ensure transparency and allow for appropriate responses. "

— PMBOK® Guide, 6th Edition, Section 11.5

Whenever new organizational directives or changes in risk thresholds are communicated, the risk manager is required to assess the impact and update the risk management plan to reflect these changes. The PMBOK® Guide states:

“When organizational risk thresholds or tolerances are changed, the risk management plan and associated processes must be updated to ensure alignment with current requirements.”

— PMBOK® Guide, 6th Edition, Section 11.1.3.1 (Risk Management Plan: Updates)

This ensures that risk responses, monitoring, and reporting are in accordance with the most current strategic direction and tolerances.

According to the PMBOK® Guide1, the risk management plan is a component of the project management plan that describes how risk management activities will be structured and performed. It provides guidance on how the project team will identify, analyze, respond, monitor, and control risks throughout the project life cycle. The risk management plan should be reviewed and updated whenever there are changes in the project scope, schedule, budget, or objectives, as these changes may introduce new risks or affect the existing ones. In this case, the organization’s decision to accelerate a key project is a significant change that may alter the risk profile of the project. Therefore, the first action for the project risk manager to take is to revise the risk management plan to reflect the new situation and ensure that the risk management processes are aligned with the project objectives and constraints. This is part of the Plan Risk Management process in the PMBOK® Guide1. References: 1: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition

In agile projects, the risk burndown chart is used to monitor the reduction of project risk over time. If risk exposure is found to be increasing, it is essential to act immedi ately by selecting and implementing risk mitigation actions that can reduce exposure in upcoming iterations. The PMI “Agile Practice Guide” and the PMBOK® Guide state:

“In agile projects, risks are identified and managed continuously. When risk exposure is high, mitigation actions (often called ‘risk mitigation stories’) should be prioritized in the next iteration or sprint to bring exposure back to acceptable levels.”

— Agile Practice Guide, PMI, Section 5.7 (Responding to Risks in Agile Projects)

“Project teams may develop risk response actions as work items and prioritize these for execution in the backlog, particularly in iterative and incremental environments.”

— PMBOK® Guide, 6th Edition, Section 11.6.2.3

Therefore, prioritizing risk mitigation stories for the next sprint (Option C) is the most effective and officially recommended response.

When a risk manager needs to prioritize resources to respond to multiple identified risks, qualitative analysis is the most appropriate tool. Qualitative analysis helps in evaluating the likelihood and impact of each risk using subjective criteria, allowing the risk manager to prioritize which risks require more immediate attention or resources based on their potential impact on the project.

PMI ' s guidelines on risk management suggest that qualitative analysis is particularly useful in the initial stages of risk assessment, where risks are categorized and ranked based on their severity. This process helps in prioritizing risks that need immediate attention, thus optimizing the use of resources in a project​​.

Categorizing risks by their impact on project objectives ensures that risk response plans are aligned with project priorities. This helps in focusing on the most critical risks and their potential impact on the project ' s success.

 Categorizing risks by their impact to the project objectives is a way of aligning the risk management process with the project goals and stakeholder expectations. By doing so, the risk management professional can ensure that the risk response plans are focused on the most critical aspects of the project and that the project priorities are being considered in the decision making. This approach can also help to communicate the value of risk management to the project team and the stakeholders, as they can see how the risk management activities are contributing to the project success. Categorizing risks by their impact to the project objectives does not necessarily help to identify the specific causes of risks, determine the level of project leadership and organizational involvement, or assign risks and risk severities to functional disciplines and departments. These are other possible ways of categorizing risks, but they are not the main purpose of using the impact to the project objectives approach. References: PMI-RMP® Certification Handbook1, page 9; PMBOK® Guide, page 415.

Adding the identified risk to the risk register is the best action that the risk manager can take to address this risk. The risk register is a document that records the identified risks, their characteristics, their status, and their responses. By adding the risk to the risk register, the risk manager can ensure that the risk is not overlooked or ignored, and that it will be subjected to further probability and impact analysis to determine its priority and response strategy. Accepting the identified risk because other stakeholders feel that there are higher priority risks to address is not a good practice, as it may lead to overlooking a potentially significant risk that could affect the stakeholder’s team. Mitigating the identified risk in order to reduce the probability of impacting the stakeholder’s team is not advisable, as it may be a premature or unnecessary action without proper analysis of the risk probability and impact. Escalating the identified risk to the project sponsor and allowing them to determine the best course of action is not appropriate, as it may be an overreaction or a sign of lack of competence from the risk manager, who should be able to handle the risk identification and analysis process. References: PMI Risk Management Professional (PMI-RMP)® Exam Content Outline1, PMI Practice Standard for Project Risk Management2, Risk Management Professional (PMI-RMP)® Cert Guide3

sensitivity analysis is a technique that helps to determine which risks have the most potential impact on the project. It examines the extent to which the uncertainty of each project element affects the objective being examined when all other uncertain elements are held at their baseline values. Sensitivity analysis is often used to assess the risk exposure of the project schedule and cost, and to identify the critical risks that need to be managed. In this case, the risk manager needs to understand how the new risk resulting from the delay will affect the project deadline, which is the objective being examined. By performing sensitivity analysis, the risk manager can compare the relative importance and interaction of the new risk with other existing risks, and determine the worst-case scenarios for the project completion date. Sensitivity analysis can also help to prioritize risks for response planning and to develop contingency reserves. This is part of the Perform Quantitative Risk Analysis process in the PMBOK® Guide2. References: 1: PMI Risk Management Professional (PMI-RMP)® Examination Content Outline 2: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition

To effectively inform the identification of resource requirements for individual risk responses, the risk manager should undertake the following actions:

1. Conduct Decision Tree Analysis: Collaborate with the project team to perform decision tree analysis for each risk or related set of risks. This technique involves mapping out different decision paths and their possible outcomes, including associated risks, probabilities, and impacts. By visualizing these scenarios, the team can evaluate the potential consequences of various decisions and choose the most effective risk response strategies.

2. Calculate Expected Monetary Value (EMV): Determine the EMV for each identified risk by multiplying the probability of occurrence by the potential financial impact. This quantitative analysis provides a monetary value representing the average expected loss or gain from a risk. Utilizing EMV calculations aids in justifying and allocating appropriate project reserves to address potential risks, ensuring that sufficient resources are available for effective risk management.

3. Prioritize High-Impact Risks: Allocate attention and resources primarily to risks that pose the highest potential impact on the project. By focusing on high-impact risks, the team ensures that critical threats are addressed promptly and effectively, optimizing the use of limited resources and enhancing the likelihood of project success.

PMI Risk Management Study Guide References:

The PMI-RMP Exam Content Outline emphasizes the importance of performing quantitative risk analysis, including techniques such as decision tree analysis and EMV calculations, to inform risk response planning and resource allocation.

Risks are dynamic and must be continuously monitored and updated throughout the project lifecycle, regardless of project size or duration. The PMBOK® Guide specifies that risk monitoring is an ongoing process:

" Risks are monitored throughout the project. The risk register should be updated as new risks are identified, existing risks change, or as risk responses are implemented. "

— PMBOK® Guide, 6th Edition, Section 11.7 (Monitor Risks)

Continuous review ensures that new risks are captured and previously identified risks are managed appropriately.

When a project requires detailed and exhaustive planning to ensure the product ' s characteristics and quality, a predictive approach (also known as a waterfall approach) is the most appropriate. This approach involves planning out the project in detail upfront, including the scope, schedule, and costs, which aligns with the need for thorough planning mentioned in the scenario. The predictive approach is best suited for projects where requirements are well-understood and unlikely to change, allowing for careful management of risks through detailed plans​.

According to the PMI Risk Management Professional (PMI-RMP)® Examination Content Outline1, one of the tasks in the domain of Risk Response is to recommend risk response strategies based on the risk appetite and tolerance of the organization and stakeholders1. One of the strategies for negative risks or threats is risk acceptance, which involves acknowledging the existence of a threat and making a conscious decision to accept it without taking any action2. In this scenario, the risk manager should recommend risk acceptance for the risk items that would be detrimental to project success, but the associated triggers cannot be managed by the organization and are unlikely to occur. Risk acceptance is appropriate when the risk exposure is low, the cost of other responses is high, or the risk response is outside the scope or influence of the project3. The risk manager should not recommend risk mitigation, which involves reducing the probability and/or impact of a threat2. The risk manager should not recommend risk enhancement, which is a strategy for positive risks or opportunities, not negative risks or threats2. The risk manager should not recommend risk exploitation, which is also a strategy for positive risks or opportunities, not negative risks or threats2. References: 1: PMI Risk Management Professional (PMI-RMP)® Examination Content Outline, page 102: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 4363: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 437.

Sensitivity analysis is a quantitative risk analysis technique used to determine how variations in individual project risks affect project objectives, such as cost, schedule, or performance. By analyzing the sensitivity of these variables, the project team can identify which risks have the most significant potential impact on the project. This information is crucial for prioritizing risk responses and allocating resources effectively.

PMI Risk Management Study Guide References:

The PMI-RMP Exam Content Outline includes sensitivity analysis as a key technique in performing quantitative risk analysis, aiding in the identification of high-impact risks that require focused attention.

Once the contingency plan has been executed (e.g., the backup resource has shadowed the experienced developer), it is crucial to continuously monitor and manage any residual or secondary risks that may arise. These risks could include the backup resource ' s ability to perform effectively or the potential impact of the original developer ' s absence on project timelines. By updating the risk register and maintaining communication with the project team, the risk manager ensures that the project remains on track and that any new risks are promptly addressed, in alignment with PMI’s best practices for ongoing risk management​.

When there is confusion among risk action owners about when to initiate risk responses, it suggests that the risk thresholds and triggers may not be well-defined or understood. Revisiting and clarifying these thresholds and triggers can help ensure that everyone involved understands the specific conditions under which a risk response should be initiated. This will reduce confusion and ensure that risk responses are executed consistently and appropriately.

PMI’s risk management practices emphasize the importance of clearly defined risk thresholds and triggers to guide the timely and effective implementation of risk responses​​.

A risk trigger is a specific event or condition that signals that a risk is about to occur or has occurred. PMBOK® Guide clarifies:

" Risk triggers (sometimes called warning signs) are indicators or symptoms that a risk event is about to occur. The risk register should include identified triggers for each risk. "

— PMBOK® Guide, 6th Edition, Section 11.2.3.1

Thus, documenting the specific event or condition (such as the supplier missing a delivery deadline) is the correct approach.

The team is documenting all the checkpoints along the way that might indicate delays on critical deliverables, which is an example of risk triggers. Risk triggers are events or conditions that indicate a risk may be about to occur or has already occurred, helping the project team to monitor and respond to risks effectively.

 Risk triggers are indicators or warning signs that a risk event is about to occur or has occurred. They help to monitor the status of risks and initiate risk responses when needed. Documenting risk triggers is part of the Plan Risk Responses process, which aims to develop options and actions to enhance opportunities and reduce threats to project objectives. References: The Standard for Risk Management in Portfolios, Programs, and Projects, page 78; PMBOK Guide, 6th edition, page 402.

When describing the causes of a risk, it is critical for the risk manager to ensure that the causes represent actual conditions, as this will help in the accurate identification and assessment of the.

According to the PMBOK® Guide, a risk is defined as “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives” (page 720). A risk can be described by its causes, effects, and probability of occurrence. The causes are the factors or circumstances that give rise to the risk, and they should represent the actual conditions that exist or may exist in the project environment. The causes should not be based on assumptions, opinions, or speculations, but on facts, evidence, or data. Therefore, option C is the correct answer.

Option A is incorrect because not every cause has a degree of uncertainty. Some causes may be certain or deterministic, such as contractual obligations, regulatory requirements, or physical laws. Uncertainty is a characteristic of the risk itself, not the cause.

Option B is incorrect because not every cause has a well-defined owner. The owner is the person or entity who is assigned the responsibility and authority to manage the risk, not the cause. The owner should be identified after the risk is analyzed and prioritized, not before.

Option D is incorrect because the causes do not need to be validated by the risk owner. The risk owner is the person or entity who is accountable for the risk response, not the risk identification. The causes should be validated by the risk manager or the risk identification team, who are responsible for collecting and documenting the risk information.

When a project comprises multiple tasks, each with varying probable durations, determining the overall project ' s expected duration necessitates an analytical approach that accounts for this variability. Monte Carlo simul-ation is a robust technique that performs this function effectively. By running numerous simul-ations, it models the probability of different outcomes in processes that involve random variables, such as task durations. This method provides a comprehensive view of possible project completion times and their associated probabilities, enabling more informed decision-making.

PMI Risk Management Study Guide References:

The PMI-RMP Exam Preparation Study Guide emphasizes the utility of Monte Carlo simul-ations in project scheduling, stating that they " allow project managers to assess the impact of risk and uncertainty on project timelines by simulating various scenarios and their probabilities. "

The correct answer is D. Update the project stakeholders and seek their input on the resulting secondary risk.

This question describes a secondary risk , which is a new risk that arises as a direct result of implementing a risk response. The original equipment-failure risk was successfully mitigated, but the use of alternative machinery introduced another issue. In standard risk management practice, once a secondary risk is identified, it must be documented, assessed, communicated, and managed through the normal risk process. Because this new risk can affect project objectives and may require additional response planning, relevant stakeholders should be informed and involved in determining the best course of action.

Option D is the best answer because secondary risks should not be ignored or delayed unnecessarily. Stakeholder input is important to evaluate the impact of the new issue, determine acceptable response options, and align decisions with project priorities and risk thresholds.

Why the other options are incorrect:

A. Assign a risk owner and develop the risk mitigations at the next scheduled risk meeting. Assigning an owner and planning mitigation are valid activities, but waiting until the next scheduled meeting may delay needed action. The question asks what the risk manager should do now after identifying the secondary risk. Immediate stakeholder communication is more appropriate.

B. Continue with the project as the risk identified is inconsequential. The scenario does not support the conclusion that the secondary risk is insignificant. Assuming it is inconsequential without analysis would be poor risk practice.

C. Assign risk responsibility to the project manager to determine how to proceed. Risk responsibility should be assigned to the most appropriate owner, not automatically to the project manager. Also, the correct first step is broader communication and engagement around the newly emerged secondary risk.

Best-practice reasoning:

Secondary risks are a recognized output of risk response actions. They should be captured and processed like any other identified risk. Transparent stakeholder communication is especially important when a response action creates new uncertainty.

Reference-aligned basis:

This answer is consistent with standard risk management guidance that emphasizes:

risk responses can generate secondary risks,

newly identified risks should be communicated and assessed,

stakeholders should be engaged when new risks emerge from implemented responses.

Centralizing the risk management function enables the organization to have a consistent approach to reporting risks and their impacts. This allows for better monitoring of the impact against the overall project risk exposure, which helps in making informed decisions and allocating resources effectively.

According to the PMI-RMP Exam Content Outline1, one of the tasks in the domain of risk governance is to “establish and maintain a centralized risk management function to support the project and organizational objectives”. A centralized risk management function can help resolve the problem of inconsistent risk reporting by providing a common framework, methodology, and standards for risk management across the organization. One of the benefits of centralizing the risk management function is that it allows monitoring the impact of individual project risks against the overall project risk exposure, as well as the organizational risk appetite and tolerance. This can help the CEO and other senior management to make informed decisions and allocate resources accordingly. Therefore, the best answer is B.

If the project manager realizes that some risks have not been updated recently, they should review the risk register to check for new risks and ensure that all risks are accurately documented and updated.

The risk register is a document that contains information about the identified risks, their analysis, and their response plans. It is updated throughout the project life cycle as new risks emerge, existing risks change, or risks are closed. The project manager should review the risk register regularly to ensure that the project data is accurate and reflects the current risk situation. Reviewing the risk register also helps the project manager to identify any new risks that may have occurred since the last update, and to plan appropriate responses for them. References: PMI, Project Risk Management, 2nd edition, 2019, p. 67-681

The overall goal of selecting strategies during the Plan Risk Response activity is to choose those strategies that have the greatest overall positive influence on the project, considering factors such as cost, schedule, and resources.

According to the PMI Risk Management Professional (PMI-RMP)® Examination Content Outline1, one of the tasks in the domain of Risk Response is to select risk response strategies based on the risk appetite and tolerance of the organization and stakeholders1. The overall goal of selecting risk response strategies is to select the strategies with the greatest overall positive influence on the project objectives, such as scope, schedule, cost, quality, etc. The risk response strategies should aim to enhance the opportunities and reduce the threats to the project, while considering the cost-benefit analysis, the feasibility, and the alignment with the project goals and stakeholder expectations2. The risk response strategies should not be selected based on the least overall impact to resources, because that may not be the most effective or efficient way to address the risks, and it may ignore the potential benefits of some strategies that may require more resources but also deliver more value3. The risk response strategies should not be selected based on the least financial impact, because that may not be the most relevant or comprehensive criterion to evaluate the risks, and it may overlook other aspects of the project, such as quality, customer satisfaction, reputation, etc. that may also be affected by the risks4. The risk response strategies should not be selected based on the greatest benefit to stakeholders, because that may not be the most realistic or achievable goal, and it may create conflicts or trade-offs among different stakeholder groups that may have different or competing interests, needs, and expectations5. References: 1: PMI Risk Management Professional (PMI-RMP)® Examination Content Outline, page 102: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 4403: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 4414: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 4425: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 518.

The correct answer is B. Conduct a retrospective meeting with stakeholders and inquire about what went well and what could be improved on future projects.

The question focuses on a completed project and asks what the risk manager should do after the executive sponsor requests a deep review of what went wrong for the benefit of future projects. This is a classic lessons learned and risk closure activity. A retrospective with stakeholders is the most complete and effective approach because it captures multiple perspectives on what happened, what worked, what failed, and what should be improved in future similar initiatives.

A retrospective goes beyond reviewing documents. It helps uncover root causes, process gaps, missed warning signs, ineffective responses, communication failures, and organizational learning opportunities. Because the company plans to develop more web applications, the objective is not only to analyze the past but also to improve future risk management and delivery performance.

Why the other options are incorrect:

A. Gather the project ' s status reports and meeting minutes to determine when issues occurred and how quickly the issues were addressed. These documents may support the review, but they are not enough by themselves for a full deep-dive. They provide historical evidence but not the richer insight gained from stakeholder reflection.

C. Work with the project manager to determine if additional resources could have prevented or mitigated the issues that arose on the project. This is too narrow. The project may have suffered from many causes beyond resource limitations, including planning weaknesses, requirements issues, inadequate risk responses, vendor problems, or governance gaps.

D. Review the project ' s risk register and determine how comprehensive and effective each risk and issue response was. Reviewing the risk register is useful, but it is still narrower than a full retrospective. Some realized issues may never have been captured properly in the register, and the sponsor requested a broader deep-dive into what went wrong overall.

Best-practice reasoning:

At project closure, organizations should capture lessons learned through structured review with relevant stakeholders. This supports continuous improvement, improves future risk identification and response planning, and strengthens organizational process assets.

Reference-aligned basis:

This answer is consistent with standard risk management guidance that emphasizes:

lessons learned and retrospective reviews at project or phase closure,

stakeholder participation in evaluating what worked and what did not,

updating organizational knowledge for future projects.

Adding correlation to the model accounts for the relationship between activities, which can result in increased variability in the model ' s outcomes. This will increase the standard deviation, which is a measure of the uncertainty in the model.

 According to the PMBOK Guide, 6th edition, Chapter 11: Project Risk Management1, an effect of adding the correlation to the Monte Carlo schedule risk analysis model is that it increases the standard deviation of the model. This is because:

Correlation is the statistical relationship between two or more variables. In a schedule risk analysis, correlation can be used to model the dependency between the durations of different activities. For example, if two activities are positively correlated, it means that if one activity takes longer than expected, the other activity is also likely to take longer than expected. Conversely, if two activities are negatively correlated, it means that if one activity takes longer than expected, the other activity is likely to take shorter than expected.

A Monte Carlo schedule risk analysis is a simul-ation technique that uses random values for uncertain variables, such as activity durations, to generate possible outcomes for the project schedule. The simul-ation is repeated many times to produce a probability distribution of the project completion date and duration. The standard deviation is a measure of the variability or dispersion of the distribution. A higher standard deviation means that the distribution is more spread out and less predictable.

Adding correlation to the Monte Carlo schedule risk analysis model increases the standard deviation of the model because it introduces more variability and uncertainty to the simul-ation. Correlated activities can have a cumulative effect on the project schedule, either positively or negatively, depending on the direction and strength of the correlation. This can result in more extreme outcomes for the project completion date and duration, which increase the spread of the distribution and the standard deviation.

PMBOK Guide, 6th edition, Chapter 11: Project Risk Management1

Risk Management Professional (PMI-RMP)® Exam Cert Guide2

Documenting the results of the risk monitoring and controlling process is important for creating lessons learned. This helps future projects by providing a reference for risk management practices and experiences.

The documentation of the results of monitoring and controlling risks is a valuable source of information for lessons learned. Lessons learned are the documented information that reflects both the positive and negative experiences of a project. They represent the organization’s commitment to project management excellence and the project manager’s opportunity to learn from the actual experiences of others. By documenting the results of monitoring and controlling risks, the project team can capture the effectiveness of the risk responses, the changes in the risk exposure, the root causes of the risks, the best practices and the lessons learned for future projects. This documentation can help to improve the risk management process, enhance the project performance, and increase the organizational knowledge base. References: PMI Risk Management Professional (PMI-RMP) Examination Content Outline and Specifications1, page 10; A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 406; Lessons learned - PMI.

The stakeholders should prepare a risk-adjusted backlog when making decisions on how to respond to known and new risks. A risk-adjusted backlog helps prioritize work items based on their risk level and potential impact on the project.

 A risk-adjusted backlog is an artifact that reflects the prioritization of the product backlog items based on their risk exposure. It is used to plan for the execution phase of an agile project, where the stakeholders can decide how to respond to known and new risks by selecting the most valuable and least risky items to deliver. A risk-adjusted backlog can help the stakeholders to optimize the value delivery and reduce the uncertainty of the project outcomes. References: PMI, The Standard for Risk Management in Portfolios, Programs, and Projects, 2019, p. 113; PMI, Agile Practice Guide, 2017, p. 54.

The project manager should escalate this initiative to project decision makers and sponsors, as they have the authority to approve changes in budget and scope. They can evaluate the potential benefits and associated with the new technology and make an informed decision on whether to proceed.

 According to the PMBOK® Guide1, an opportunity is a risk that would have a positive effect on one or more project objectives if it occurs. Opportunities are uncertain events or conditions that can enhance or facilitate the achievement of project goals, such as cost savings, schedule acceleration, quality improvement, or scope expansion. A project manager should take advantage of opportunities by implementing risk responses that seek to maximize their probability and/or positive impact. In this case, the project manager wants to introduce a new technology to improve the project’s performance, which is an opportunity for the project. The project manager should take advantage of this opportunity by planning and executing appropriate risk responses, such as exploiting, enhancing, sharing, or accepting the opportunity. This is part of the Plan Risk Responses and Implement Risk Responses processes in the PMBOK® Guide1. References: 1: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition.

The risk manager should have their team review the scope of work and requirements to ensure they understand the project ' s objectives and deliverables. Additionally, reviewing the risk management plan will help the team understand the risk management process, roles, and responsibilities, and prepare for the risk identification workshop.

According to the PMBOK® Guide – Sixth Edition1, the scope of work and requirements are key inputs for the risk identification process, as they define the project boundaries, deliverables, assumptions, and constraints. The risk management plan is also an essential input, as it provides the guidelines and framework for how risk management will be performed throughout the project. The other options are not relevant for risk identification, as they are either related to other processes (such as Monte Carlo analysis for quantitative risk analysis) or not directly related to the project risks (such as the list of pre-approved contractors or the organization chart for city permit department). References: PMBOK® Guide – Sixth Edition, pages 397-398.

Risk management exercises —such as workshops, brainstorming, or facilitated sessions—are the correct approach to proactively identify and address risks, especially early in the project. The PMBOK® Guide states:

" Risk identification should be performed using systematic exercises and techniques such as facilitated workshops, interviews, and checklists to ensure all potential risks are considered. "

— PMBOK® Guide, 6th Edition, Section 11.2

Best practice in risk management is to immediately assess the impact of identified risks and develop appropriate response plans. The PMBOK® Guide confirms:

" When a risk is identified, its impact and likelihood should be assessed as soon as possible, and risk response strategies developed and agreed upon. "

— PMBOK® Guide, 6th Edition, Section 11.5

This is especially important for critical dependencies such as vendor deliverables.

The project manager should consult or review project contracts, lessons learned registers from analogous projects, and the risk management plan to develop an effective risk planning for the project.

According to the PMBOK® Guide, the risk management plan is one of the key inputs for the plan risk management process, which is the first process in the project risk management knowledge area. The risk management plan describes how risk management activities will be structured and performed throughout the project. It includes information such as the methodology, roles and responsibilities, budget, timing, risk categories, definitions of risk probability and impact, probability and impact matrix, revised stakeholders’ risk tolerances, reporting formats, and tracking (page 409). Therefore, option D is the correct answer.

The project contracts are also an important input for the plan risk management process, as they may contain terms and conditions that can create or affect various project risks. For example, contracts may include clauses related to penalties, incentives, warranties, intellectual property rights, termination, force majeure, arbitration, indemnification, etc. The project manager should review the project contracts to identify any potential sources of risk and plan appropriate responses (page 410). Therefore, option A is the correct answer.

The lessons learned registers from analogous projects are another valuable input for the plan risk management process, as they provide historical information and knowledge that can help the project manager identify and analyze risks, as well as plan risk responses. The lessons learned registers may contain information such as the risks that occurred, the root causes of the risks, the risk triggers, the effectiveness of the risk responses, the residual and secondary risks, the risk owners, the risk ratings, the risk trends, etc. The project manager should consult the lessons learned registers from similar or comparable projects to learn from past experiences and avoid repeating mistakes (page 411). Therefore, option B is the correct answer.

The risk register is not an input for the plan risk management process, but an output. The risk register is a document that contains the list of identified risks, their causes, potential responses, and other relevant information. The risk register is created during the identify risks process, which is the second process in the project risk management knowledge area. The risk register is then updated and refined throughout the project as more information becomes available and new risks emerge (page 414). Therefore, option C is incorrect.

The code of regulations is not an input for the plan risk management process, but a type of enterprise environmental factor. Enterprise environmental factors are the conditions, not under the control of the project team, that influence, constrain, or direct the project. The code of regulations refers to the rules and standards that govern the project’s industry, domain, or sector. The code of regulations may affect the project’s scope, schedule, cost, quality, resources, communications, procurement, and risk management. The project manager should consider the code of regulations when planning risk management activities, but it is not an artifact that needs to be reviewed or consulted (page 38). Therefore, option E is incorrect.

 According to the PMBOK Guide, one of the tools and techniques for the identify risks process is data gathering. Data gathering is the process of collecting information from various sources to identify potential risks that may affect the project objectives. One of the data gathering techniques is document analysis, which involves reviewing and analyzing available project documents and other information sources to identify potential risks1.

Two of the artifacts that will help the risk manager conduct the initial risk assessment for a six month initiative are the work breakdown structure (WBS) and the project organizational chart. These are two of the project documents that can be analyzed for potential risks in the project.

The work breakdown structure (WBS) is a hierarchical decomposition of the total scope of work to be carried out by the project team to accomplish the project objectives and create the required deliverables. The WBS represents the work defined in the current approved project scope statement and provides the framework for detailed cost estimating, resource planning, and risk management. By reviewing the WBS, the risk manager can identify potential risks that are associated with each work package, deliverable, or scope element, such as technical complexity, quality requirements, dependencies, assumptions, constraints, and uncertainties1.

The project organizational chart is a graphical representation of the project team members and their reporting relationships. The project organizational chart depicts the roles and responsibilities of the project team, as well as the communication channels and authority levels among the team members and other stakeholders. By reviewing the project organizational chart, the risk manager can identify potential risks that are related to the project team structure, such as resource availability, skill gaps, team dynamics, stakeholder expectations, and conflict resolution1.

Some of the other options are not relevant or appropriate for the question scenario:

The configuration management plan is a component of the project management plan that describes how the project team will manage the configuration of the project’s deliverables and documentation. The configuration management plan defines the processes, tools, and methods for identifying, controlling, tracking, and auditing the changes to the project’s baselines. The configuration management plan is not an artifact that will help the risk manager conduct the initial risk assessment, as it does not provide information on the potential risks that may affect the project objectives or scope1.

Brainstorming is a technique for the identify risks process that involves generating a list of potential risks through a group discussion. Brainstorming is not an artifact, but rather a tool and technique for identifying risks. Brainstorming can help the risk manager conduct the initial risk assessment, but only after reviewing and analyzing the available project documents and information sources1.

Monte Carlo analysis is a technique for the perform quantitative risk analysis process that involves simulating the combined effect of individual project risks and other sources of uncertainty on the project objectives, such as cost or schedule. Monte Carlo analysis is not an artifact, but rather a tool and technique for analyzing risks. Monte Carlo analysis can help the risk manager conduct the initial risk assessment, but only after identifying and prioritizing the individual project risks and their probability and impact1.

PMBOK Guide, 6th edition, pages 397-399, 414-415, 431-432, 441-442, 156-157, 168-169, 89-901; PMI-RMP Exam Content Outline, 2015, page 7.

To address the lack of risk management buy-in from the project team, the risk manager should organize risk engagement activities, such as workshops. These activities can help create awareness of the importance of risk management and motivate the team to take their risk management responsibilities seriously.

 Risk engagement is the process of involving stakeholders in risk management activities, such as identifying, analyzing, prioritizing, and responding to risks. Risk engagement activities are designed to motivate and influence the project team and other stakeholders to take their risk management responsibilities seriously and to understand the benefits of risk management for the project’s success. Risk engagement activities can include workshops, games, simul-ations, brainstorming sessions, surveys, interviews, and other interactive methods. Risk engagement activities can help to create a positive risk culture, improve communication and collaboration, increase risk awareness and ownership, and enhance risk management skills and knowledge. References: PMI Risk Management Professional (PMI-RMP) Examination Content Outline and Specifications1, page 9; Mastering PMI-RMP Domains, Tasks, and Enablers for Effective Risk2

After verifying the effectiveness of the risk responses, the next step is to close out the risk response actions and communicate the results to relevant stakeholders. This ensures that the project team and stakeholders are aware of how risks have been managed and that any lessons learned can be applied to future projects. This aligns with PMI ' s emphasis on communication and documentation in risk management to ensure transparency and continuous improvement​.

Since the project manager cannot avoid, transfer, or mitigate the risk, the only remaining option is to accept the risk and develop a contingency plan to handle it if it occurs.

According to the PMI-RMP Exam Content Outline1, one of the tools and techniques for risk response planning is risk response strategies. These are the actions that the project manager and the project team take to address the identified risks, either positive or negative. For negative risks or threats, the PMI-RMP Exam Content Outline1 lists four possible strategies: avoid, transfer, mitigate, and accept.

Avoid risk means changing the project plan to eliminate the threat or its impact2. For example, changing the scope, schedule, or budget to avoid a risk.

Transfer risk means shifting the impact of a threat to a third party, such as a contractor, vendor, or insurer2. For example, buying insurance, outsourcing, or using performance bonds to transfer a risk.

Mitigate risk means reducing the probability and/or impact of a threat2. For example, conducting more tests, adopting best practices, or providing training to mitigate a risk.

Accept risk means acknowledging the existence of a threat and being willing to deal with its consequences2. For example, doing nothing, establishing a contingency reserve, or developing a contingency plan to accept a risk.

In this question, the project manager has determined that they cannot outsource work (transfer) nor eliminate the scope (avoid). They also discover that they cannot buy insurance (transfer) or mitigate the risk. Therefore, the only remaining option is to accept the risk. Accepting the risk does not mean ignoring the risk, but rather recognizing it and preparing for its potential occurrence and impact. Therefore, the best answer is D.

The project manager should monitor and control secondary and residual risks in the risk register. This will ensure that any new risks identified during the implementation of the risk response plan are captured and managed effectively. Monitoring and controlling risks is a continuous process that helps in identifying, analyzing, and planning for new risks as well as updating the risk register as needed.

 According to the PMI Risk Management Professional (PMI-RMP)® Examination Content Outline, one of the tasks under the domain of Risk Response Planning is to “identify and assess the effectiveness of alternative strategies to reduce threats or enhance opportunities, such as mitigation, transference, avoidance, and acceptance” 1. This implies that the project manager should also consider the potential secondary or residual risks that may arise from implementing the chosen risk response strategy. Secondary risks are new risks that are created as a direct result of implementing a risk response, while residual risks are those that remain after the risk response has been executed 2. Both types of risks should be identified and assessed for their impact and probability, and added to the risk register for further monitoring and control. Therefore, the correct answer is A.

Tailoring risk management processes is mainly based on the size and duration (complexity) of the project. The PMBOK® Guide confirms:

" The size, complexity, and duration of the project are primary considerations when tailoring risk management activities. Larger or longer projects require more rigorous processes. "

— PMBOK® Guide, 6th Edition, Section 11.1

The risk manager is responsible for ensuring that all risks, including secondary risks, are identified and addressed during the risk response planning process. If key secondary risks were missed, the risk manager should be held accountable. (Reference: Project Management Institute. A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, Section 11.5)

The risk manager is responsible for identifying and analyzing risks, as well as planning and implementing risk responses. Secondary risks are those risks that arise as a direct result of implementing a risk response to a specific risk. The risk manager should have considered the potential secondary risks during the risk response planning and updated the risk register accordingly. The project manager should hold the risk manager accountable for missing the secondary risks and ensure that they are properly addressed12

 1: PMI Risk Management Professional (PMI-RMP)® Handbook, page 10 2: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Seventh Edition, page 11.2.2.1

The risk manager should review the agreed-upon risk tolerance to determine the correct limit for continuing construction based on the chance of rain. Risk tolerance is the level of risk an organization is willing to accept and should be established during the risk management planning process.

 Risk tolerance is the degree of uncertainty that a stakeholder is willing to accept in respect to a negative outcome on a project objective. Risk tolerance can be expressed as a percentage, a range, a value, or a qualitative statement. Risk tolerance should be agreed upon by the project team and the stakeholders at the beginning of the project, and documented in the risk management plan. The risk manager should review the agreed-upon risk tolerance to find out the correct limit for the rain probability that would affect the construction activity. This would help to resolve the conflicting opinions of the stakeholders and ensure that the risk management decisions are aligned with the project objectives and expectations. Reviewing the agreed-upon risk tolerance is the best option among the choices given, as it is the most relevant and reliable source of information for the risk manager. Performing a sensitivity analysis, finding out the stakeholders’ risk appetite, or using industry standard risk thresholds are not as effective or appropriate ways of finding out the correct limit, as they do not reflect the specific agreement and context of the project. References: PMI-RMP® Certification Handbook1, page 9; PMBOK® Guide, pages 414-415.

Mitigation involves taking proactive steps to reduce the probability or impact of a risk event. In this scenario, the facilitator anticipates the risk of attendees not receiving the product brochure due to spam filters. By advising participants to check their spam folders, the facilitator addresses the issue before it escalates, thereby reducing the likelihood of miscommunication or information loss. This preemptive action exemplifies a mitigation strategy, aiming to lessen the potential negative impact on the workshop ' s effectiveness.

PMI Risk Management Study Guide References:

The PMI-RMP Exam Preparation Study Guide defines risk mitigation as " the process of implementing actions to reduce the likelihood or impact of a risk to acceptable levels, " highlighting the importance of proactive measures in risk management.

According to the PMI Risk Management Professional (PMI-RMP)® Examination Content Outline1, one of the tasks in the domain of Risk Response is to call for a project team meeting to review risk strategies and make required adjustments, as needed, based on risk monitoring and reporting1. In this scenario, the risk manager should do this to address the situation of the availability of experts, which is a key risk for the project. The project team meeting will help the risk manager and the project team to evaluate the effectiveness of the current risk response plan, identify any new risks or changes in existing risks, and develop alternative risk strategies and actions to deal with the staffing issue. The project team meeting will also facilitate the communication and collaboration among the project team members and other stakeholders, and ensure that the project objectives and expectations are aligned. The risk manager should not implement a disciplined tracking method and report to stakeholders accordingly, because that is not a proactive risk response strategy, but rather a passive risk monitoring and reporting technique2. The risk manager should not escalate the staffing topic to the sponsor and request more budget for contingencies, because that is not a feasible or appropriate risk response strategy, as it does not address the root cause of the risk or provide a solution to the problem3. The risk manager should not revisit the project charter for scope adjustments and sign them off with the customer, because that is not a risk response strategy, but rather a scope management process that may have negative impacts on the project quality, cost, and schedule, and may violate the contractual agreement with the customer4. References: 1: PMI Risk Management Professional (PMI-RMP)® Examination Content Outline, page 102: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 4563: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 4364: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 133.

The correct answer is D. Use a qualitative or quantitative analysis to analyze identified risks.

An influence diagram is useful for showing relationships among decisions, uncertainties, and outcomes, but it is not usually sufficient by itself for a complete risk analysis on a critical and complex project. Once risks are identified and their relationships are understood, the risk manager should perform qualitative and, where needed, quantitative analysis to assess probability, impact, priority, and potential effect on project objectives.

This makes option D the best answer because it directly strengthens the depth and rigor of the project’s risk analysis. Qualitative analysis helps prioritize risks based on relative importance, while quantitative analysis can estimate numeric effects on cost, schedule, or performance for the most significant risks.

Why the other options are incorrect:

A. Use brainstorming to identify more possible risks. Brainstorming is mainly a risk identification technique, not the best answer for improving the quality of analysis after risks and relationships are already being examined.

B. Use a Monte Carlo simulation to identify risks. Monte Carlo simulation is not used to identify risks. It is a quantitative analysis technique used after risks and uncertainty inputs have already been identified.

C. Use a work breakdown structure (WBS) to help analyze risks. A WBS can help organize project work and may support identification by revealing areas of uncertainty, but it is not the strongest answer for enhancing the actual quality of risk analysis.

Best-practice reasoning:

For important and complex projects, risk analysis should move beyond simple diagramming techniques and include formal qualitative and quantitative methods. This creates a more reliable basis for prioritization, response planning, and decision-making.

Reference-aligned basis:

This answer is consistent with standard risk management guidance that emphasizes:

qualitative and quantitative techniques for deeper risk assessment,

the use of analytical methods after risk identification,

improved decision quality through structured analysis of uncertainty.

In a company undergoing significant cultural and organizational change, it ' s essential for the risk manager to engage with the appropriate stakeholders when planning risk management activities. Leveraging the project manager ' s stakeholder analysis provides a comprehensive understanding of individuals and groups affected by or capable of influencing the project. This analysis identifies stakeholders ' interests, influence, and potential impact on project success, enabling the risk manager to tailor risk management activities effectively. Collaborating with the project manager ensures alignment in stakeholder engagement strategies, fostering a cohesive approach to managing risks associated with organizational changes.

PMI Risk Management Study Guide References:

The PMI-RMP Exam Preparation Study Guide emphasizes the importance of stakeholder analysis in risk management, highlighting how understanding stakeholder interests and influences is crucial for effective risk planning and response.

Once a risk has been successfully managed, residual risks addressed, and there are no secondary risks, the next step according to risk management best practices is to formally close the expired risk and update all relevant project documentation. The PMBOK® Guide states:

" Once the risk responses have been implemented, and the risk is no longer a threat or opportunity, the risk should be closed out in the risk register and the results should be documented as part of project records and lessons learned. "

— PMBOK® Guide, 6th Edition, Section 11.7.3.2

Closing the risk ensures transparency and supports organizational learning through updated project records.

The correct answer is B. The new technology ' s impact on existing controls.

The scenario explains that a major technological change was introduced as part of a risk response, and that this change later caused GPS errors for customers. It also states that the issue had been recognized as high risk and that secondary risk identification was required but never completed . This means the missing step was evaluating how the new solution could affect the existing system, controls, or operating environment. In other words, the project failed to identify and assess the impact of the new technology on existing controls and related processes.

Secondary risks often arise when a response action, design change, or technology update introduces new vulnerabilities or weakens current safeguards. Proper identification would have examined how the update might interfere with accuracy, compatibility, validation, deployment controls, or downstream system performance.

Why the other options are incorrect:

A. The identification of the business driver. The business reason for making the update is not the key issue. The problem was not lack of purpose, but failure to identify and assess the new risk introduced by the technological change.

C. The risk management strategy quality assurance. This is too broad and indirect. The scenario points more specifically to missed secondary risk identification associated with the implemented change.

D. Project environmental factors. Environmental factors may influence risk, but the question specifically points to a missed evaluation related to the technology update itself and the need for secondary risk identification.

Best-practice reasoning:

When implementing risk responses involving significant technological change, the risk manager must assess how the new change affects existing controls, processes, interfaces, and users. Failure to do so can allow secondary risks to emerge and affect customers or operations.

Reference-aligned basis:

This answer is consistent with standard risk management guidance that emphasizes:

risk responses may introduce secondary risks,

major changes should be assessed for impacts on existing controls and systems,

secondary risks must be identified and managed as part of ongoing risk monitoring and response implementation.

The risk manager should recommend that the project manager review the plans for the key activity, as this will help identify potential issues and opportunities to improve the activity ' s performance and reduce its impact on the critical path.

The risk manager should recommend the project manager to review the plans for the key activity, which is now on the critical path according to the Monte Carlo simul-ation. The critical path is the sequence of activities that determines the minimum possible duration of the project. Any delay on the critical path will affect the project completion date. Therefore, it is important to review the plans for the key activity and identify any potential risks, issues, or opportunities that may affect its performance. The risk manager and the project manager should also evaluate the feasibility and effectiveness of any risk response strategies for the key activity, such as fast-tracking, crashing, or resource optimization. The other options are not appropriate recommendations for the risk manager to make. Adding more float to the key activity is not possible, since the critical path has zero float by definition. Adding more contingency to the project may not address the specific risks or issues related to the key activity. Increasing the budget for the key activity may not improve its duration or quality, and may also increase the project cost baseline unnecessarily. References: PMI Risk Management Professional (PMI-RMP) Examination Content Outline and Specifications, page 91. A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, pages 215-2162. Project Critical Path Analysis Using Monte Carlo simul-ation3.

In a complex program, it is crucial for team members to assume ownership of risks before these are delegated. Encouraging the program team to assume risk ownership ensures that they are fully engaged and responsible for managing the risks assigned to them. This approach promotes accountability and helps ensure that risks are actively managed throughout the program’s lifecycle.

PMI’s guidelines on risk management emphasize the importance of assigning clear ownership of risks to ensure that they are effectively managed and that responsibilities are clearly understood by all team members​​.

Contingency plans are predefined actions that the project team will take if an identified risk event occurs. They are designed to reduce the impact or probability of the risk, or to restore the project to its original objectives. Contingency plans are part of the risk response planning process, and they should be documented in the risk register. In this case, the risk manager should execute the contingency plans to deal with the delays caused by the weather, as they cannot be avoided or mitigated. Performing time recovery actions, executing prevention plans, or performing change management are not appropriate responses for this risk, as they are either reactive, proactive, or corrective measures that do not address the risk directly. References: = PMBOK Guide, 6th edition, page 443; The Standard for Risk Management in Portfolios, Programs, and Projects, page 75.

Scenario analysis is a useful tool for assessing the risk involved in testing by exploring different possible outcomes. In the context of deciding between laboratory testing, simul-ation methods, and field trials, scenario analysis allows the risk manager to evaluate the potential risks and benefits of each testing approach under different scenarios. This method helps in understanding how various uncertainties can impact the testing process and its outcomes, which is critical when selecting the most appropriate testing strategy​.

The process of assessing the likelihood and impact of each identified risk is part of the Perform Qualitative Risk Analysis process. This process helps prioritize risks based on their probability and impact, allowing the project team to focus on the most significant risks. By doing so, the project manager and team can allocate resources and effort to address the risks that pose the greatest threat or opportunity to the project.

The process of assessing the likelihood and impact of each risk is part of the Perform Qualitative Risk Analysis process, which is the process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics. This process helps the project manager and the team to focus on the high-priority risks that have the most influence on achieving the project objectives. The other processes are not relevant to the question scenario. Plan Risk Management is the process of defining how to conduct risk management activities for a project. Perform Quantitative Risk Analysis is the process of numerically analyzing the effect of identified risks on overall project objectives. Monitor and Control Risk is the process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project. References: PMI Risk Management Professional (PMI-RMP) Examination Content Outline and Specifications, page 71. A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, pages 397-3982.

A stakeholder impact and influence analysis is a technique to identify the level of interest and power of each stakeholder, and to assess how they may affect or be affected by the project outcomes. It can help the risk manager to understand the stakeholder’s perspective and expectations, and to communicate with them effectively. In this case, the risk manager should perform a stakeholder impact and influence analysis to understand why the major investor is about to drop their intention to continue executing the project, and to address their concerns and needs. A risk impact analysis, a risk reserve analysis, and a procurement analysis are not relevant to the stakeholder’s decision, and would not help the risk manager to understand their rationale. References: PMI Risk Management Professional (PMI-RMP)® Exam Content Outline1, PMI Practice Standard for Project Risk Management2, Risk Management Professional (PMI-RMP)® Cert Guide3

The correct answer is B. Perform sensitivity analysis.

Sensitivity analysis is used to determine which individual risks or uncertainties have the greatest effect on overall project outcomes . It helps the risk manager understand which variables or risks matter most and therefore where response efforts are most critical. In this question, the risk manager wants to know which risk will have an impact on the project outcome and to assess the effectiveness of response planning by understanding impact drivers. Sensitivity analysis is the best fit for that purpose.

This technique is commonly used in quantitative risk analysis to identify which uncertainties most influence objectives such as cost, schedule, or performance. It often supports prioritization of risk responses by showing where management attention will produce the greatest benefit.

Why the other options are incorrect:

A. Perform Pareto analysis. Pareto analysis helps identify the most significant contributors among a group of causes or issues, but it is not the primary risk analysis technique used to determine which uncertainties most affect project outcomes in a structured risk context.

C. Perform contingency analysis. Contingency analysis is not the standard technique for identifying which risks most influence project outcomes. Contingency reserves may be determined from risk analysis results, but this option does not directly answer the question.

D. Perform qualitative analysis. Qualitative analysis assesses probability, impact, urgency, and other relative characteristics, but it does not specifically show how much each risk affects the final project outcome compared with others. Sensitivity analysis provides that deeper insight.

Best-practice reasoning:

When a project team needs to identify the risks with the greatest influence on outcomes, sensitivity analysis is the preferred method because it isolates the variables that drive uncertainty and highlights where response plans matter most.

Reference-aligned basis:

This answer is consistent with standard risk management guidance that emphasizes:

sensitivity analysis as a method to determine which risks have the greatest potential effect on project results,

use of analysis outputs to focus response planning and management attention,

support for quantitative understanding of outcome drivers.

When a project is delayed, and all contingency reserves have been exhausted, the next step is to escalate the situation to upper management. This escalation allows for additional resources or support to be considered and for strategic decisions to be made at a higher level. According to PMI’s risk management practices, escalation is a key strategy when risks exceed the project ' s control, requiring input or intervention from senior management to resolve​.

Top of Form

Bottom of Form

The Delphi technique allows the project risk manager to gather opinions from all stakeholders anonymously. This method would enable stakeholders to express their concerns without feeling uncomfortable in front of the influential stakeholder.

 The Delphi technique is a tool used to make quick decisions with consensus. This technique consists of sending several sets of anonymous questions to each expert. This is followed by a group discussion after every round. The Delphi technique can help the project risk manager to identify risks by soliciting the opinions of all stakeholders without revealing their identities. This way, the stakeholders can express their views freely and honestly, without being influenced or intimidated by the influential stakeholder. The Delphi technique can also reduce personal bias, ego, or emotional conflict among the participants. The project risk manager can use the results of the Delphi technique to create a list of potential risks and their causes, effects, and probabilities. References: 3, 2, 5

The analysis currently being used is qualitative risk analysis. Qualitative risk analysis involves assessing risks based on their likelihood of occurrence and their potential impact on the project. This type of analysis can help identify biases that may be impacting how team members perceive risks.

Qualitative risk analysis is the process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics. Qualitative risk analysis helps to identify the most significant risks that require attention and response planning. One of the tools and techniques used in qualitative risk analysis is risk data quality assessment, which evaluates the degree to which the data about individual project risks is useful for risk management. Risk data quality assessment considers various aspects of data quality, such as reliability, accuracy, integrity, precision, and bias. Bias is the tendency of human judgment to be influenced by personal or organizational preferences, assumptions, beliefs, or emotions, rather than by objective facts or evidence. Bias can affect how project team members perceive and assess risks, leading to inaccurate or incomplete risk analysis results. Therefore, the risk manager who realizes the project team members have biases impacting how they perceive risks is currently using qualitative risk analysis to prioritize the risks and assess the quality of risk data. References: PMI, Practice Standard for Project Risk Management, 2009, p. 37-38, 41-42.

The project manager should reassess the risks and analyze the reserve to determine if any adjustments can be made to accommodate the expected additional work. This will help in identifying potential budget-saving measures and making informed decisions on how to proceed.

According to the PMI Risk Management Professional (PMI-RMP) Reference Materials, risk reassessment is the process of reanalyzing existing project risks and identifying new risks throughout the project life cycle1. Reserve analysis is the process of estimating the amount of contingency reserve and management reserve needed to account for the uncertainty and variability of the project2. In this case, the project manager should conduct a risk reassessment and reserve analysis as the next step, because the budget overruns during execution have changed the risk profile of the project and reduced the available funds to handle future risks. By conducting a risk reassessment, the project manager can update the risk register and the risk response plan with the current status of the project risks and the effectiveness of the risk responses. By conducting a reserve analysis, the project manager can determine if the remaining contingency reserve and management reserve are sufficient to cover the potential impact of the project risks, and request additional funds if needed.

Legal and regulatory requirements and constraints when assessing a project environment for threats and opportunities may include ensuring the confidentiality of project information, as this is often governed by laws and regulations.

Legal and regulatory requirements and/or constraints are external factors that can affect the project environment and influence the risk management process. They may include laws, regulations, standards, codes, permits, licenses, contracts, or agreements that the project must comply with or adhere to. Confidentiality of project information is an example of such a requirement or constraint, as it may limit the disclosure, sharing, or access of project data, documents, or reports to authorized parties only. Violating confidentiality may result in legal actions, penalties, or reputational damage for the project and the organization. Therefore, the project manager and the risk management team must identify and comply with the confidentiality requirements and/or constraints when assessing the project environment for threats and opportunities. References: PMI, 2019. Practice Standard for Project Risk Management. Newtown Square, PA: Project Management Institute, Inc., p. 181

 According to the PMBOK® Guide1, risk identification is the process of determining which risks may affect the project and documenting their characteristics. It involves the use of various techniques to gather information from different sources and perspectives, such as stakeholders, experts, historical data, assumptions, and environmental factors. Some of the common techniques for risk identification are meetings, facilitated workshops, interviews, brainstorming, checklists, questionnaires, SWOT analysis, and root cause analysis. These techniques help to elicit the knowledge and opinions of the participants, and to generate a comprehensive list of potential risks that can be further analyzed and prioritized. In this case, the risk management expert should recommend the agency to conduct meetings, facilitated workshops, and interviews with stakeholders to identify potential risks and develop the handbook. This will help to understand the context and objectives of the agency, the expectations and concerns of the farmers and landlords, the challenges and opportunities in the agriculture sector, and the possible sources and impacts of uncertainty. The risk management expert can then use the information gathered from these techniques to create a risk register and a risk management plan, which can form the basis of the handbook. This is part of the Identify Risks process in the PMBOK® Guide1. References: 1: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition

Engaging stakeholders through meetings, workshops, and interviews is crucial for risk identification, as it allows the agency to gather diverse perspectives and insights on potential risks. This approach is more effective than relying solely on standard tools or hiring an expert.

The best practice is to log the risk and the associated response strategies in the risk register to ensure it is monitored, analyzed, and managed throughout the project. The PMBOK® Guide states:

" All identified risks and their planned responses should be recorded in the risk register to facilitate ongoing monitoring and management. "

— PMBOK® Guide, 6th Edition, Section 11.2.3.1

Ignoring or treating these as mere assumptions could result in unmanaged risks and potential project failure.

Comprehensive and Detailed In-Depth Explanation:

When there is confusion among stakeholders regarding agile concepts, the best course of action is to provide training to ensure all stakeholders have a common understanding of agile principles and terminology.

Option A: Organize training sessions to create awareness around the agile values for stakeholders (Correct Answer).

Training sessions help bridge knowledge gaps by ensuring that stakeholders understand agile principles, frameworks (Scrum, Kanban, XP), and terminology.

The PMI-RMP Guide highlights that effective stakeholder engagement requires education and alignment on risk management strategies, which applies here as well (PMI Risk Management in Portfolios, Programs, and Projects – A Practice Guide, 2022, p. 78).

Educating stakeholders reduces resistance to change and promotes informed decision-making.

PMI’s Agile Practice Guide emphasizes that “a shared understanding of agile principles across all levels of an organization increases agility and reduces friction during decision-making” (PMI & Agile Alliance, 2017, p. 44).

Option B: Facilitate a face-to-face discussion and have stakeholders agree to shift to agile for future projects (Incorrect).

Forcing a decision before stakeholders fully understand agile methodologies could lead to resistance and ineffective implementation.

The decision should be based on business needs rather than prematurely committing to agile.

Option C: Recommend an external facilitator as no one in the organization is able to eliminate this roadblock (Incorrect).

While an external facilitator can help in some situations, the Scrum Master is already responsible for coaching the organization on Scrum and Agile methodologies (Scrum Guide, 2020).

The Scrum Master should take the lead in educating stakeholders before escalating the issue externally.

Option D: Allow stakeholders to discuss without the Scrum Master’s intervention (Incorrect).

Without proper guidance, discussions could lead to further misinterpretations and delays.

The Scrum Master is responsible for educating and guiding stakeholders in understanding agile (Scrum Guide, 2020).

Final Verdict:

The correct answer is A (Organize training sessions to create awareness around agile values for stakeholders) because training ensures a common understanding, reduces resistance, and promotes effective decision-making.

The risk register is a dynamic document that must capture not only planned risk responses but also the actual outcomes of risks and the effectiveness of risk responses implemented. According to the PMBOK® Guide:

“The risk register should be updated with information on the results of risk responses, risk event outcomes, and actual effectiveness of the actions taken. This enables ongoing learning and continuous improvement in risk management.”

— PMBOK® Guide, 6th Edition, Section 11.7.3.2 (Project Document Updates: Risk Register)

This ensures that both the realized outcomes of risks and the success or failure of responses are tracked for future reference and lessons learned.

In this scenario, the risk manager is considering a response that could lead to a significant residual risk—excessive additional costs due to overtime. Before proceeding, it is crucial to confirm that the project sponsor is comfortable with the risk appetite for this potential outcome. This step is essential to ensure that the decision to allow overtime aligns with the sponsor ' s tolerance for additional costs and the overall project risk management strategy. According to the Risk Management Procedure, understanding and aligning with the sponsor ' s risk appetite is a critical step before implementing risk responses that could impact the project ' s financials​. This approach ensures that all stakeholders are aware of and agree to the potential consequences of the chosen risk response strategy.

Assumptions made during planning need to be reviewed to understand deviations in actual results. PMBOK® Guide states:

" Reviewing project assumptions is key to understanding variances between planned and actual performance, as invalid or changed assumptions often cause project deviations. "

— PMBOK® Guide, 6th Edition, Section 11.2

The risk management plan is a document that describes how risk management activities will be structured and performed on a project. It defines the roles and responsibilities, risk categories, risk appetite and thresholds, risk identification and analysis methods, risk response strategies, risk monitoring and reporting mechanisms, and risk governance mechanisms1. The risk management plan should be aligned with the project management plan, which defines the project scope, schedule, cost, quality, and other aspects2. When an organization decides to accelerate a key project, it means that the project objectives, assumptions, constraints, and environment have changed. This will affect the risk exposure and profile of the project, as well as the risk management approach and resources. Therefore, the first action for the project risk manager to take is to revise the risk management plan to reflect the new situation and ensure that the risk management process is still effective and efficient. Revising the risk management plan may involve updating the risk categories, risk appetite and thresholds, risk identification and analysis methods, risk response strategies, risk monitoring and reporting mechanisms, and risk governance mechanisms to suit the accelerated project. The project risk manager should also communicate the revised risk management plan to the relevant stakeholders and obtain their approval and support1. Ensuring sufficient resources are available, updating the risk register, and meeting with the project’s stakeholders are all important actions to take when accelerating a project, but they are not the first action. These actions should be done after revising the risk management plan, as they depend on the updated risk management approach and process. For example, the project risk manager may need to allocate more resources to risk management activities, identify and analyze new or changed risks, implement new or modified risk responses, and report the risk status and performance to the stakeholders based on the revised risk management plan1. References: 2, 1.

When a project is accelerated, the risk landscape changes. The project risk manager should first revise the risk management plan to address the new timeline and its potential impacts on the project. This will help in identifying new risks, reassessing existing risks, and updating risk responses.

When closing risks as part of the closing process, it is important to update the lessons learned document. This document captures the knowledge and experience gained during the project and can be valuable for future projects.

 Lessons learned is a document that captures the knowledge gained from the project and can help improve the performance of future projects. It is one of the outputs of the project closure process and should include information on the project risks, issues, and responses. Lessons learned can help identify the best practices and lessons to be applied or avoided in similar projects. Updating the lessons learned document is an important part of closing the risks as it can provide valuable insights for risk management. References: PMI, Project Risk Management, 2nd edition, 2019, p. 97-981

The correct answer is B. Analyze the risks and add them to the risk register to continue the process.

In project risk management, risks include both threats and opportunities . Positive risks are legitimate project risks because they can create beneficial outcomes if properly understood and managed. Once these positive risks are identified, the next step is not to isolate them from the normal process, but to document them in the risk register and continue analysis and management activities just as with negative risks.

This answer is correct because it reflects the normal risk management flow:

identify risks, including opportunities and threats,

document them in the risk register,

analyze and prioritize them,

develop suitable response strategies.

Why the other options are incorrect:

A. Prioritize opportunities as they are likely to bring benefits to the project. Opportunities should certainly be evaluated and prioritized, but first they must be formally captured and analyzed within the project’s risk management process. The broader and more correct next step is to analyze and record them in the risk register.

C. Create a separate project to exclusively manage positive risks and threats. This is unnecessary and contrary to normal practice. Positive and negative risks are managed within the same project risk framework.

D. Assign separate stakeholder groups for positive risks and negative risks. Separate stakeholder groups are not required simply because risks are positive or negative. Risk ownership should be based on relevance, authority, and capability, not on whether the risk is an opportunity or a threat.

Best-practice reasoning:

A mature risk management process treats opportunities and threats as part of the same structured system. Both should be identified, documented, analyzed, monitored, and responded to in alignment with project objectives.

Reference-aligned basis:

This answer is consistent with standard risk management guidance that emphasizes:

risks may be positive or negative,

all identified risks should be recorded in the risk register,

analysis continues after identification for both opportunities and threats.

Risks are dynamic and their priorities change throughout the project lifecycle. The PMBOK® Guide and ISO 31000 emphasize continuous risk monitoring and updating the risk register to reflect changing risk priorities:

" Monitoring risks is an ongoing process... Risks, their status, and their priorities must be reassessed regularly, and the risk register updated accordingly. "

— PMBOK® Guide, 6th Edition, Section 11.7

" Risk management should be a continual process of risk identification, assessment, and review. "

— ISO 31000:2018, Section 6.7

Quantitative risk analysis helps determine the minimum acceptable level of exposure and impact for each risk. It also helps to understand if the maximum level of exposure has been reached before escalating the risk. (Reference: PMBOK Guide, 6th Edition, p. 423)

The team should perform quantitative risk analysis, which is the process of numerically analyzing the effect of identified risks on overall project objectives. Quantitative risk analysis can help the team to establish the minimum acceptable level of exposure and impact for each risk, as well as the maximum level of exposure before escalation. Quantitative risk analysis can also provide probabilistic estimates of project outcomes, such as cost and schedule, and support risk prioritization and decision making. References: PMI, A Guide to the Project Management Body of Knowledge (PMBOK® Guide), Sixth Edition, 2017, p. 399; PMI, The Standard for Risk Management in Portfolios, Programs, and Projects, 2019, p. 69.

The probability-impact matrix is a standard tool for qualitative risk analysis, as recommended by PMI:

" A probability and impact matrix is used to prioritize identified risks for further analysis or action by combining their probability of occurrence and impact on project objectives. "

— PMBOK® Guide, 6th Edition, Section 11.3

This ensures the most critical risks are prioritized for response planning.

Risk handling strategies should be reviewed and revised periodically to ensure they remain effective and relevant as the project progresses. This allows the project manager to adapt to changing circumstances and minimize the impact of risks on the project.

According to the PMBOK® Guide, risk handling strategies are the specific actions that are taken to implement the risk response plan. The risk response plan is the output of the Plan Risk Responses process, which describes how the project team intends to address the identified risks. The risk handling strategies should be aligned with the risk response strategies, which are the general approaches to deal with the risks, such as avoid, transfer, mitigate, accept, exploit, share, enhance, or accept.

The project manager should work with the risk handling strategies by reviewing and revising them periodically. This is because the project risks are not static, but dynamic and uncertain. They may change over time due to various factors, such as changes in the project scope, schedule, cost, quality, resources, stakeholder expectations, assumptions, constraints, etc. Therefore, the project manager should monitor and control the risk handling strategies to ensure that they are still effective and appropriate for the current risk situation. The project manager should also update the risk register and the risk report with the results of the risk handling strategies, such as the residual risks, secondary risks, and risk triggers.

The other options are not valid for how the project manager should work with the risk handling strategies:

Implement the strategies after completing the risk analysis: This is not a valid option because the risk analysis is not the final step in the risk management process. The risk analysis is part of the Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis processes, which come after the Identify Risks process and before the Plan Risk Responses process. The risk analysis helps the project manager to prioritize and evaluate the risks, but it does not provide the specific actions to address them. The risk handling strategies are developed in the Plan Risk Responses process, which comes after the risk analysis.

Implement the strategies immediately: This is not a valid option because the risk handling strategies should not be implemented without proper planning and approval. The risk handling strategies should be documented in the risk response plan, which should be communicated and approved by the project sponsor, customer, and other relevant stakeholders. The risk handling strategies should also be integrated with the other project management plans, such as the scope, schedule, cost, quality, resource, communication, procurement, and stakeholder management plans. The risk handling strategies should be implemented only when the risk triggers or conditions occur, or when the project manager decides to do so based on the risk analysis and evaluation.

Ensure the strategies are approved by the stakeholders: This is not a valid option because the approval of the risk handling strategies is not the only thing that the project manager should do with them. The approval of the risk handling strategies is part of the Plan Risk Responses process, which comes before the Implement Risk Responses and Monitor Risks processes. The project manager should also implement, monitor, and control the risk handling strategies to ensure that they are effective and appropriate for the current risk situation.

PMBOK® Guide1, Risk Management Professional (PMI-RMP)® Cert Guide1

The Project Evaluation and Review Technique (PERT) is a statistical tool used in project management to estimate the duration of tasks by considering uncertainty and variability. PERT employs a weighted average of three time estimates:

Optimistic (O): The shortest time in which the task can be completed (3 hours).

Most Likely (M): The best estimate of the time required under normal conditions (5 hours).

Pessimistic (P): The longest time the task might take, assuming potential issues (7 hours).

PMI Risk Management Study Guide References:

The PMI-RMP Exam Preparation Study Guide outlines the PERT formula and its application in estimating task durations, highlighting its effectiveness in incorporating uncertainty into project schedules.

When a project experiences consistent deviations in cost performance index (CPI) and schedule performance index (SPI), it indicates underlying issues with the project ' s assumptions regarding schedule and resources. Analyzing these assumptions helps identify discrepancies between planned and actual performance, such as underestimated task durations or insufficient resource allocation. By revisiting and adjusting these assumptions, the risk manager can develop strategies to mitigate further overruns and align the project with its objectives.

PMI Risk Management Study Guide References:

The PMI-RMP Exam Content Outline emphasizes the importance of examining assumption and constraint analyses to identify risks arising from inaccurate or incomplete project assumptions, which can lead to performance issues.

In a company with rapidly changing work conditions and difficulty in predicting long-term business plans, a professional risk manager should adopt agile approaches to manage the risks (B). Agile approaches allow for flexibility, adaptability, and quick response to changes, making them suitable for managing risks in such situations. This is supported by the PMI ' s PMBOK Guide, Sixth Edition, and the Agile Practice Guide.

 A professional risk manager should adopt agile approaches to manage the risks in situations where the company accommodates a lot of innovation and changing work conditions, and experiences difficulty in predicting long term business plans. Agile approaches are adaptive, iterative, and collaborative methods that focus on delivering value and reducing uncertainty in a dynamic and complex environment. Agile approaches can help the risk manager to identify, analyze, respond, and monitor risks in a flexible and timely manner, by using tools and techniques such as risk-adjusted backlog, risk burndown charts, risk-based spike, and risk-based testing. Agile approaches can also help the risk manager to engage the stakeholders and the project team in risk management activities, by using practices such as daily stand-up meetings, sprint planning, sprint review, and sprint retrospective. Agile approaches can enable the risk manager to manage the risks effectively and efficiently, by aligning the risk management strategy with the project goals and the customer needs. Adopting a predictive approach to manage the risks is not the best option, as it may not be suitable or feasible for situations where the project scope, schedule, and budget are uncertain or variable. A predictive approach is a plan-driven and sequential method that relies on upfront planning and detailed documentation to manage the risks. A predictive approach may not be able to cope with the frequent changes and emerging risks that may occur in an innovative and dynamic environment. Utilizing proper documentation to help manage the risks is not the best option, as it may not be sufficient or effective for situations where the project requirements and deliverables are evolving or changing. Proper documentation is a useful and necessary component of risk management, but it is not a substitute for agile risk management practices. Proper documentation may not be able to capture and communicate the current and relevant information about the risks and their impacts in a timely and accurate manner. Conducting weekly risk management meetings with all stakeholders is not the best option, as it may not be optimal or efficient for situations where the project risks and opportunities are changing rapidly or frequently. Weekly risk management meetings are a common and beneficial practice for risk management, but they may not be enough or appropriate for agile risk management. Weekly risk management meetings may not be able to address the risks and their responses as soon as they arise or occur, and they may not be able to involve all the relevant and available stakeholders and project team members. References: 3, 4, 5

If client ' s experts express discomfort with some activities at a critical stage, the first step for the risk manager is to conduct a risk assessment process for that stage. This assessment will help identify the specific risks associated with the activities in question, evaluate their potential impact, and develop appropriate mitigation strategies. This ensures that the project plan is robust and that all stakeholders are confident in its execution​.

To avoid overspending due to the unanticipated increase in material costs, the project team should have properly documented the triggers and actions for the risk. By identifying and documenting triggers—such as market conditions that could lead to price increases—the team could have monitored these triggers more closely and taken preemptive action, such as locking in prices or adjusting the budget accordingly.

PMI recommends that triggers for risks be identified and documented during the planning phase so that appropriate monitoring and responses can be implemented as part of the risk management plan​​.

 A decision tree analysis is a tool that helps to evaluate and select the best option among different alternatives based on costs and probabilities. A decision tree analysis uses a graphical representation of a decision problem, where each node represents a decision point, a chance event, or an outcome. The branches of the tree show the possible choices, events, or consequences that can occur at each node. The end nodes of the tree show the expected value or payoff of each option, which is calculated by multiplying the probability and the cost or benefit of each outcome. A decision tree analysis can help to compare the expected values of different options and choose the one that maximizes the benefit or minimizes the cost1. A decision tree analysis can also help to incorporate uncertainty and risk into the decision making process, as it shows the range of possible outcomes and their likelihoods2. Therefore, the project manager should perform a decision tree analysis to evaluate and select the best option based on costs and probabilities for a mega facility development project. Performing a FMECA fault tree analysis, conducting a sensitivity analysis, or conducting an analytic hierarchy process are not the best options to evaluate and select the best option based on costs and probabilities. A FMECA fault tree analysis is a tool that helps to identify and analyze the potential causes and effects of failures in a system or process. It uses a graphical representation of a failure event, where each node represents a basic or intermediate event that contributes to the failure. The branches of the tree show the logical relationships between the events, using AND or OR gates. A FMECA fault tree analysis can help to calculate the probability and severity of failures, as well as to prioritize and mitigate the risks3. However, a FMECA fault tree analysis does not help to compare different options or alternatives, as it focuses on a single failure scenario. Conducting a sensitivity analysis is a tool that helps to measure how the uncertainty in the input variables of a model affects the output or outcome of the model. It uses a graphical or numerical representation of the relationship between the input and output variables, showing how the output changes when the input changes. A sensitivity analysis can help to identify the most critical or influential variables, as well as to test the robustness or reliability of the model4. However, a sensitivity analysis does not help to compare different options or alternatives, as it focuses on a single model or option. Conducting an analytic hierarchy process is a tool that helps to evaluate and select the best option among different alternatives based on multiple criteria. It uses a mathematical method of pairwise comparison, where each alternative is compared to each other in terms of each criterion. The results of the comparisons are then aggregated into a matrix, which shows the relative importance or preference of each alternative. An analytic hierarchy process can help to rank the alternatives and choose the one that best satisfies the criteria5. However, an analytic hierarchy process does not help to incorporate costs and probabilities into the decision making process, as it relies on subjective judgments and preferences. References: 1, 2, 3, 4, 5.

A decision tree analysis is a quantitative risk analysis technique that helps evaluate and select the best option based on costs and probabilities. It visually represents different decision paths and their associated probabilities, allowing the project manager to compare and select the most appropriate option for the project.

When a potential change request arises that could impact the project, the first step should be to document it as a risk in the risk register. This ensures that the risk is formally recognized and tracked. Gathering information about the probability and impact allows the project team to assess the risk thoroughly and develop an appropriate response. This approach follows PMI’s risk management process, which emphasizes the importance of systematically identifying, documenting, and analyzing risks​.

Top of Form

Bottom of Form

In this scenario, the program manager is using the " Exploit " risk response strategy, which is aimed at ensuring that an opportunity is realized. By transferring all resources to the project and arranging for overtime pay, the program manager is taking proactive steps to ensure the project is completed early, thereby securing the large bonus. According to PMI, the " Exploit " strategy is used when the objective is to ensure that the opportunity is realized, typically involving actions that maximize the chances of achieving the desired outcome​.