PMP Risk Management — Practice Quiz

Explanation — Correct answer: C The PMP philosophy is clear: a good project manager prevents problems rather than managing them after they occur. If the supplier failure could have been anticipated (which it likely could), it should have been on the risk register with a planned response. Recovering quickly is better than not recovering, but the real question is why there was no plan in the first place. Resilience is not a substitute for proper risk management.

Explanation — Correct answer: B A risk is any uncertain event that could positively or negatively affect project objectives. Opportunities are positive risks. They belong in the risk register and deserve planned responses — exploit (ensure it happens), enhance (increase the probability or impact), or share. Ignoring opportunities means missing potential value. The PMP exam tests opportunities as frequently as threats.

Explanation — Correct answer: D Risk appetite is a general description of acceptable risk levels — in this case, the sponsor is broadly comfortable with up to 15% cost overruns. Risk threshold is a specific, defined point beyond which risk becomes unacceptable — 10 days is the hard limit. Both concepts vary by stakeholder, by constraint, and by project context.

Explanation — Correct answer: A The correct order is PIQQRIM: Plan-Identify-Qualitative-Quantitative-Responses-Implement-Monitor. A key rule: qualitative always comes before quantitative (the letter L in quaLitative comes before N in quaNtitative in the alphabet). Plan Risk Management must come first — you cannot identify or analyze risks without defining how risk management will be conducted.

Explanation — Correct answer: C On the PMP exam, when asked who should participate in risk identification, the answer is always 'everyone.' Each stakeholder group — customers, suppliers, team members, sponsors, subject matter experts — sees different aspects of the project and can identify risks others would overlook. Limiting participation guarantees blind spots in the risk register.

Explanation — Correct answer: B The risk register contains different information at different stages. After Identify Risks, it includes identified risks, potential responses, and risk owners. Selected (finalized) response plans are only added after the Plan Risk Responses process. This distinction is deliberately tested on the exam — reading the question carefully to identify where in the process the scenario sits is essential.

Explanation — Correct answer: A Qualitative risk analysis uses subjective, relative scales — ratings like High/Medium/Low or 1-5 that the team defines together. Quantitative risk analysis uses objective, measurable values — actual probabilities (72%) and monetary impacts ($45,000). The key distinction: subjectivity vs. objectivity, relative scale vs. real money and time.

Explanation — Correct answer: C EMV calculations: Risk A = 40% × $30,000 = $12,000 (threat, add). Risk B = 25% × $20,000 = $5,000 (threat, add). Risk C = 30% × $15,000 = $4,500 (opportunity, subtract). Contingency reserve = $12,000 + $5,000 − $4,500 = $12,500. Opportunities reduce the reserve needed because they save time or money if they occur. Never simply add all EMVs — subtract opportunities.

Explanation — Correct answer: B Build: $80,000 + (20% × $100,000) = $80,000 + $20,000 = $100,000. Buy: $50,000 + (60% × $70,000) = $50,000 + $42,000 = $92,000. Buy is the better option at $92,000 total expected cost. This is a classic decision tree analysis: base cost plus expected cost of risk events. The option with the lowest EMV total is preferred.

Explanation — Correct answer: D Securing a backup resource does not eliminate the threat (the key resource may still be reassigned), but it reduces the impact if it occurs. This is mitigation — reducing the probability and/or impact without eliminating the cause. Avoid would mean preventing the reassignment from happening at all (e.g., negotiating to block the reassignment). Accept (active) would involve setting aside a time/cost reserve without preparing a specific response.

Explanation — Correct answer: A Adding a dedicated testing phase designed to eliminate the failure risk before it can occur is avoidance — the threat is being removed, not just reduced. Mitigation would reduce the probability or impact without fully eliminating the cause. On the exam, the distinction between Avoid and Mitigate depends on whether the response eliminates the threat entirely (Avoid) or reduces it (Mitigate).

Explanation — Correct answer: B Exploit means taking deliberate action to ensure the opportunity occurs — it is the opposite of Avoid. Here, hiring the expert is specifically intended to make the early delivery happen. Enhance would increase the probability without guaranteeing it (e.g., providing additional training to existing staff). Exploit is the strongest response to an opportunity.

Explanation — Correct answer: C A secondary risk is a new risk created by the implementation of a risk response. Transferring work to a vendor introduced the risk of vendor failure — this is a secondary risk. A residual risk is what remains of the original risk after the response (e.g., some integration issues may still occur even with the vendor). Secondary risks must be analyzed and may require their own response plans.

Explanation — Correct answer: B Contingency reserves are set aside for identified risks ('known unknowns') and are included in the cost baseline. The project manager can use them at their discretion when the associated risk occurs — no external approval is needed. Management reserves cover unidentified risks ('unknown unknowns') and are NOT part of the cost baseline — they require formal management approval through the change control process.

Explanation — Correct answer: B Equipment failure on a project is a foreseeable risk. A well-prepared project manager would have identified it during risk planning, assessed its probability and impact, and developed a contingency plan. Holding an emergency brainstorming session is a workaround — the response to a risk that was not properly planned for. On the exam, when a major problem occurs with no plan in place, it signals a risk management failure, not normal project management.

Explanation — Correct answer: D After Plan Risk Responses, the risk register contains: selected response strategies (not just potential ones), contingency plans (what to do if the risk occurs), fallback plans (what to do if contingency plans fail), risk owners (who manages each risk), triggers (early warning signals), secondary risks (created by the responses), and residual risks. The register grows richer at each step of the risk process.

Explanation — Correct answer: C The watch list contains risks with low current priority but that could escalate. When a watch-listed risk shows signs of increasing probability, it must be reassessed. If its new ranking puts it above the threshold requiring a response, a response plan must be developed. Risk management is iterative — the project manager continuously reviews, reassesses, and updates. Simply noting the change without acting is insufficient.

Explanation — Correct answer: B A risk spike is a short iteration specifically dedicated to exploring or testing a risky technology or approach before dependent development begins. It is designed to provoke 'fast failure' — discovering problems early when they are cheap to fix. This is the most appropriate tool for managing technology uncertainty in agile environments. Accepting and proceeding (A) delays discovery and increases the cost of failure.

Explanation — Correct answer: C Escalate is the appropriate strategy when a risk is beyond the project's scope or authority. Once escalated, the risk is accepted by a program or portfolio manager and is no longer monitored at the project level. Mitigation (A) and acceptance (B) assume the project manager can handle the risk — but the scenario explicitly states the impact exceeds their authority. Escalation is frequently underused in practice but regularly tested on the exam.

Explanation — Correct answer: A A workaround is an unplanned response developed on the spot when an unanticipated risk occurs. It is the opposite of a contingency plan (which is planned in advance). Frequent workarounds signal that risk identification was incomplete during planning. On the exam, workarounds are not desirable — they indicate reactive management. The goal of risk management is to minimize the need for workarounds by anticipating as many threats as possible.