This free full-length PMI-RMP practice exam includes 115 original PM Mastery questions across the exam domains.
The questions are original PM Mastery practice questions aligned to the exam outline. They are not official exam questions and are not copied from any exam sponsor.
Count note: this page uses a 115-question full-length practice format for PMI-RMP preparation. Always confirm final exam-day timing, appointment rules, and candidate instructions directly with PMI before your scheduled exam.
Set a 150-minute timer and answer the 115 questions before reading explanations. Track misses by risk strategy, identification, analysis, response, monitoring, or closure.
Use this page as a diagnostic run, not as the only measure of readiness. The most useful result is not just the percentage score; it is the pattern behind the misses.
| Result pattern | What it usually means | Next step |
|---|---|---|
| Strong score and misses are scattered | Your broad readiness may be close. Review explanations, confirm timing, and avoid over-repeating recognized items. | |
| Strong score but repeated misses in one domain | The total score may hide a domain weakness. Drill that domain before another full-length run. | |
| Many strategy or planning misses | Review risk appetite, thresholds, roles, governance, and escalation rules before another mock. | |
| Many analysis misses | Focus on data quality, assumptions, qualitative and quantitative analysis, and decision-ready exposure information. | |
| Many response or monitoring misses | Review owners, triggers, residual risk, secondary risk, reporting, and closure logic. | |
Use this worksheet immediately after the run, before you read too many explanations.
| Field | Record |
|---|---|
| Overall score | ___ / 115 questions |
| Timing result | Finished early / on time / rushed late |
| Highest-miss domain | Strategy / Identification / Analysis / Response / Monitor and Close |
| Most expensive mistake type | Weak risk statement / ignored threshold / wrong analysis method / weak response owner / missed trigger / other: ___ |
| Next focused page | Strategy / Identification / Analysis / Response / Monitor and Close / another full mixed set |
For concept review before or after this set, use the PMI-RMP guide on PMExams.com.
This static page is useful for one full diagnostic pass. PM Mastery is the better place for repeated practice because it gives you varied attempts and progress history instead of one page you can memorize.
| Need after this diagnostic | Use PM Mastery for… |
|---|---|
| New mixed attempts | Timed mocks and mixed sets that reduce answer-recognition bias. |
| Domain repair | Focused risk strategy, identification, analysis, response, monitoring, and closure drills. |
| Explanation review | Item-level explanations that help you classify mistake patterns. |
| Progress tracking | A single web/mobile account with practice history across sessions. |
| Final readiness checks | Varied timed attempts after weak domains have been repaired. |
For the cleanest diagnostic result, answer the questions under timed conditions before reading the explanations.
| Checkpoint | Approximate time budget | What to do |
|---|---|---|
| Questions 1-40 | 52 minutes | Keep risk statements, thresholds, and analysis cues clear. |
| Questions 41-80 | 104 minutes cumulative | Watch for fatigue in analysis and response-planning items. |
| Questions 81-115 | 150 minutes cumulative | Finish with enough time to resolve marked items deliberately. |
If you retake this free diagnostic, treat the second attempt as a reasoning check, not as a fresh score. Some stems and answers will be familiar, so the percentage can overstate readiness.
For readiness decisions, give more weight to varied timed attempts in PM Mastery than to repeating one static page. Use this page to diagnose; use the app to build durable speed, coverage, and mixed risk-judgment practice.
| Item | Detail |
|---|---|
| Issuer | PMI |
| Exam route | PMI-RMP |
| Official exam name | PMI Risk Management Professional (PMI-RMP) |
| Full-length set on this page | 115 questions |
| Exam time | 150 minutes |
| Topic areas represented | 5 |
| Topic | Approximate official weight | Questions used |
|---|---|---|
| Risk Strategy and Planning | 22% | 25 |
| Risk Identification | 23% | 27 |
| Risk Analysis | 23% | 26 |
| Risk Response | 13% | 15 |
| Monitor and Close Risks | 19% | 22 |
Topic: Risk Analysis
On a hybrid software rollout, the team has identified a risk that a data-conversion vendor may deliver mapping files late. The risk is logged, but the team disagrees on its qualitative rating. Lessons learned from three similar projects show this vendor type caused schedule delays in two projects and rework in one. The project’s probability-impact matrix is already approved, and no delivery date has been missed yet. What should the risk manager do next?
Best answer: A
What this tests: Risk Analysis
Explanation: The risk has already been identified, and the project has approved qualitative criteria. The next step is to use relevant lessons learned to calibrate probability and impact so the team can classify and prioritize the risk before choosing any response.
Historical information is a key input to qualitative risk analysis because it improves consistency and reduces purely subjective ratings. In this scenario, the uncertainty is already recorded, similar-project data is available, and the probability-impact matrix is approved. The best next step is to compare the current vendor situation with that historical evidence and assign an informed qualitative classification for probability and impact. That classification supports prioritization and later response planning. Moving straight to a backup plan skips analysis, treating the uncertainty as an issue is incorrect because the delay has not occurred, and closing the risk would stop monitoring before assessment is complete. Use historical evidence first to strengthen qualitative classification.
Historical information should now be used with the agreed qualitative criteria to classify the risk before response planning.
Topic: Risk Strategy and Planning
A hybrid customer portal project is entering planning. The risk manager has the charter, product roadmap, vendor contract, assumptions log, and lessons learned from a similar release, and the first cross-functional risk workshop is scheduled for next week. To make that workshop efficient and focused, what should the risk manager do first?
Best answer: C
What this tests: Risk Strategy and Planning
Explanation: Preliminary document analysis comes before active risk identification workshops. Reviewing existing artifacts helps the risk manager spot assumptions, dependencies, constraints, and prior lessons so the workshop is better targeted and more complete.
The core concept is sequencing: preliminary document review is a planning activity that prepares the team for active risk identification. In this scenario, the charter, roadmap, contract, assumptions log, and lessons learned can reveal likely sources of uncertainty such as vendor dependency, integration assumptions, schedule constraints, and prior failure patterns. Reviewing them first helps the risk manager build focused prompts and categories for the upcoming workshop, improving both efficiency and completeness. The workshop is still important, but it should build on that preparation rather than replace it. Assigning owners or funding contingencies before risks are identified and analyzed is premature. The key takeaway is that document analysis seeds the workshop; it does not follow it.
Preliminary document analysis should occur before active workshops so participants start with focused risk areas, assumptions, and dependency questions.
Topic: Risk Strategy and Planning
A project risk manager is preparing the risk approach for a hybrid ERP rollout. Before running identification workshops, she wants historical sources from similar completed projects that reveal prior threats, opportunities, assumptions, constraints, and the results of response actions. Which document set should she review first?
Best answer: A
What this tests: Risk Strategy and Planning
Explanation: For preliminary document analysis, the best sources are detailed historical records from similar projects. Archived risk registers show prior threats and opportunities, assumption logs capture assumptions and constraints, and lessons learned show whether past responses were effective.
In preliminary document analysis, the goal is to mine reliable historical evidence before defining or tailoring the project’s risk approach. Detailed records from similar completed projects are most useful because they show what uncertainties existed, what assumptions or constraints shaped them, and what happened after response actions were taken. Archived risk registers provide identified threats, opportunities, owners, triggers, and planned responses. Assumption logs capture assumptions and constraints that influenced exposure. Lessons learned add the missing outcome evidence by showing which responses worked, failed, or created follow-on effects. High-level summaries or current-project operational logs can support planning, but they do not provide the same complete historical view. The key distinction is detailed historical risk artifacts versus summary or current-status documents.
These historical records together show prior risks, underlying assumptions and constraints, and evidence of how well response actions worked.
Topic: Risk Analysis
On a hybrid ERP rollout, the risk manager runs a Monte Carlo schedule model before the first release gate. The sponsor has low appetite for missing the go-live date, but the sensitivity chart shows two new vendor integration tasks drive 68% of finish-date variance and both estimates are based only on expert judgment because no comparable historical data exists. The sponsor asks to use the model’s P80 date as a customer commitment. What is the best action?
Best answer: B
What this tests: Risk Analysis
Explanation: Quantitative outputs cannot be more reliable than the data feeding them. Because the main schedule drivers rely on weak estimates with no comparable history, the best action is to improve those inputs and communicate the result as a probabilistic range, not an exact commitment date.
The key concept is avoiding false precision in quantitative risk analysis. A Monte Carlo result may look exact, but its usefulness depends on the quality of the input assumptions. Here, the sensitivity chart already shows which activities matter most, and those activities have poor-quality estimates based only on expert judgment. The best action is to validate or refine those high-impact inputs first and then present the modeled result as a range or directional forecast.
More simulation iterations can make the model output numerically stable, but they do not correct weak assumptions. Low risk appetite may justify choosing a conservative planning date, yet it does not make an unvalidated P80 date suitable for an external commitment. The takeaway is to improve the highest-impact inputs before overinterpreting the model output.
The model is only decision-grade after the dominant inputs are validated, so its P80 result should be treated as a range rather than a promise.
Topic: Risk Identification
During risk identification for a hybrid customer-portal project, the team notes: “Because the vendor has a reusable, tested automation script, if approval is received next week, system testing may finish 8 days early and launch could move into the current sales window.” The sponsor has high appetite for schedule gains, the data comes from three similar releases, and no approval decision has been made yet. What is the best action for the risk manager?
Best answer: C
What this tests: Risk Identification
Explanation: The entry describes an uncertain future condition that could create a positive schedule outcome, so it belongs in the risk register as an opportunity. Because the event has not happened yet, it is not an issue, and its possible benefit means it is not a threat.
In risk register development, identified uncertainties are classified by their potential effect on project objectives. A threat could harm objectives, while an opportunity could improve them. Here, the reusable script may allow testing to finish 8 days early and improve the launch timing, which is a favorable outcome. The fact that approval has not yet been given means the event is still uncertain, so it should be managed as a risk rather than logged as an issue. Strong supporting data from similar releases makes it reasonable to record now, but data quality does not change the basic classification. An assumption is something accepted as true for planning, not a positive uncertainty that should be tracked and potentially exploited.
The closest distractor is the issue-log option, but nothing has occurred yet.
It is an uncertain future event that could improve a project objective, so it should be classified as an opportunity.
Topic: Monitor and Close Risks
On a hybrid ERP project, a risk was recorded that delayed vendor security approval could postpone the pilot. The trigger was “approval not received by June 10.” Monitoring shows approval was granted on June 3, the pilot started on June 12, the risk owner confirmed all related actions are complete, and no residual exposure remains. Project policy requires closure evidence in the risk register, and the sponsor has low tolerance for stale open risks. What should the project manager do next?
Best answer: A
What this tests: Monitor and Close Risks
Explanation: Monitoring results show the uncertainty is no longer active: the trigger window passed, the owner confirmed completion, and no residual exposure remains. The best next action is to update the risk register to close the risk with supporting evidence, because that is the controlling project document for individual risk status changes.
In risk monitoring and closure, the risk register is the authoritative record for each identified risk. Here, the trigger condition did not occur, the approval was received before the threshold date, the pilot has already started, the owner confirmed related actions are complete, and the stem states that no residual exposure remains. That means the risk is expired and should be closed in the risk register with the monitoring evidence and closure details.
The risk report may later reflect the lower overall exposure, but it does not replace the required update to the register. An issue log is used only when the event has actually occurred and needs active issue management. Keeping an expired risk open would distort current exposure and clutter monitoring.
The uncertainty has expired without occurring, so the risk register should be updated with closure status, evidence, and date.
Topic: Risk Response
A hybrid ERP rollout uses a weekly risk dashboard that tracks response due dates and residual exposure. A vendor-integration delay threat has remained above the agreed schedule-risk threshold for two reviews, but the delay has not occurred. Two approved mitigation actions are overdue because the integration lead and procurement lead each believe the other must execute and report them. The sponsor has low tolerance for schedule slip. What is the BEST action?
Best answer: A
What this tests: Risk Response
Explanation: The main problem is unclear response accountability, not missing analysis. A responsibility matrix is the best tool to separate risk ownership, action ownership, and metric reporting so the approved response can be executed and monitored.
In risk response, a responsibility matrix is useful when approved actions stall because roles are blurred. Here, the threat is still uncertain, so it remains a risk rather than an issue. The dashboard already provides metrics and shows the exposure is staying above threshold; the immediate gap is that no one is clearly assigned to execute and report the response actions.
A good responsibility matrix should clarify:
Once those duties are explicit, the team can execute the response plan and monitor residual exposure. More analysis or more reserve does not fix a response failure caused by unclear ownership.
A responsibility matrix directly removes ambiguous response ownership by clarifying who executes, reports, and escalates each approved action.
Topic: Risk Strategy and Planning
While developing the risk management plan for a hybrid billing-system upgrade, the sponsor states that any risk with a potential go-live delay of more than 5 days must be reported within 24 hours. Product owners want a weekly summary of lower-exposure sprint risks. What should the project manager define in the plan?
Best answer: D
What this tests: Risk Strategy and Planning
Explanation: The need here is to define how risk information will be communicated, not how each risk will be responded to. Because the sponsor and product owners need different information at different thresholds and cadences, the plan should specify audience, format, frequency, and escalation rules.
In the risk management plan, risk communication needs describe who receives risk information, what they receive, when they receive it, and what threshold triggers escalation. In this scenario, the sponsor requires urgent notification when a schedule threat exceeds the agreed threshold, while product owners need routine summaries of lower-level sprint risks. The best planning decision is therefore to document a communication approach or matrix that defines recipients, timing, format, and escalation criteria.
This is different from choosing a contingency, assigning response actions, or escalating every risk regardless of severity.
This documents stakeholder-specific risk communication needs by linking reporting and escalation to defined thresholds and timing.
Topic: Risk Identification
During assumption analysis, a team reviews the assumption that a supplier will deliver a prototype by June 1. The date is not yet confirmed, and a late prototype could delay system testing by three weeks. This result should become which project-risk record first?
Best answer: B
What this tests: Risk Identification
Explanation: Assumption analysis in Risk Identification tests whether key assumptions may fail and what that uncertainty could do to project objectives. When the uncertain condition has not happened yet, the result is an identified risk and should first be captured in the risk register.
The core concept is using assumption analysis to turn uncertain assumptions into explicit risks. Here, the supplier date is not yet confirmed, so the possible late delivery is still a future uncertainty rather than a current problem. That means the team should document it as a threat in the risk register, typically including the cause, risk event, and potential impact on testing.
Assumption analysis helps the team:
The closest distractor is the issue log, but that would apply only after the delay had actually occurred.
A challenged assumption that could affect objectives identifies a future threat, so it should first be documented in the risk register.
Topic: Risk Strategy and Planning
A project sponsor is willing to tolerate up to 5% cost growth, but the finance director wants escalation before cost risk exceeds 2%. The risk manager facilitates an agreement that any forecast above 3% requires a response review and sponsor decision. Which risk concept does this agreed limit represent?
Best answer: B
What this tests: Risk Strategy and Planning
Explanation: The agreed 3% boundary is a measurable limit for acceptable exposure, so it is a risk threshold. Thresholds help resolve stakeholder disagreement by converting broad preferences into a clear decision point for action.
Risk appetite is the general amount of uncertainty a stakeholder or organization is willing to accept, while a risk threshold is the specific point at which that exposure requires action, escalation, or a decision. In this scenario, the conflict is resolved by agreeing on a concrete cost-risk limit: if forecasts go above 3%, the team must review the response and involve the sponsor. That makes the concept a threshold, not a broad attitude toward risk.
The key distinction is that thresholds operationalize appetite. A trigger would be a warning sign that a risk may occur, and absorption capacity is how much impact the project or organization can absorb without unacceptable harm.
A risk threshold is the specific measurable boundary that defines when exposure becomes unacceptable and requires action or escalation.
Topic: Risk Analysis
A hybrid product launch has a fixed regulatory submission date. After quantifying uncertainty, the team already knows there is a 35% chance of missing the date. The sponsor now wants to know whether vendor lead time, defect discovery rate, or approval turnaround has the greatest effect on that objective. Which analysis method should the risk manager use?
Best answer: D
What this tests: Risk Analysis
Explanation: Sensitivity analysis is the right choice when the decision depends on identifying which variable most influences a project objective. In this scenario, the sponsor wants to know which uncertainty drives the submission-date risk the most, not just the overall chance of delay.
Sensitivity analysis is a quantitative risk analysis method used to determine which uncertain inputs have the greatest effect on an outcome such as cost, schedule, or performance. In this case, the key question is not the total probability of missing the regulatory date, because that is already known. The sponsor wants to know which variable most strongly drives that result so the team can focus responses where they matter most.
Sensitivity analysis typically varies one input at a time and compares the effect on the objective, often shown in a tornado diagram. That makes it the best method for ranking influence among variables like vendor lead time, defect discovery rate, and approval turnaround.
The main takeaway is that sensitivity analysis answers “what matters most,” while other methods answer different risk questions.
It shows which uncertain input has the largest effect on the target date by isolating and comparing each variable’s influence.
Topic: Risk Identification
A project manager is performing assumption analysis for a hybrid CRM rollout. The team has documented:
Which statement should be treated as an assumption rather than a confirmed project fact?
Best answer: C
What this tests: Risk Identification
Explanation: An assumption is something the team is currently treating as true for planning but has not yet verified. The statement about key-user availability in July depends on a future commitment, while the approval, signed contract term, and completed test result are already supported by evidence.
In assumption analysis, the team separates verified information from statements that are still uncertain. A confirmed fact is backed by current evidence, such as an approval already given, a contract already signed, or a test result already recorded. An assumption is different: it is a planning basis that may be true, but it still depends on future conditions or validation.
Here, the statement about key users being available in July is forward-looking and could change because of operational priorities, staffing limits, or schedule conflicts. That makes it an assumption and a potential source of risk if it proves false. The other statements describe events or evidence that already exist, so they should be treated as facts, not assumptions.
A useful check is simple: if the team can prove it now, it is a fact; if it still depends on something happening later, it is an assumption.
Key-user availability in July is a future condition not yet verified, so it should be logged as an assumption and monitored for related risk.
Topic: Risk Analysis
A team wants a quantitative cost forecast for a major system rollout. The only inputs are expert estimates based on conflicting assumptions, impact ranges captured in different formats, and no comparable historical data. Which Risk Analysis concept matches the judgment that these inputs are too weak for a reliable numeric conclusion?
Best answer: A
What this tests: Risk Analysis
Explanation: This description points to a risk data quality assessment. Before trusting a quantitative forecast, the team must judge whether the underlying estimates are complete, consistent, and credible enough to support reliable outputs.
In quantitative risk analysis, the quality of the output depends on the quality of the input data. When estimates are based on conflicting assumptions, recorded inconsistently, and unsupported by comparable history, the problem is not which model to run first; it is whether the data are good enough to justify a numeric conclusion at all. A risk data quality assessment checks the credibility, accuracy, completeness, consistency, and traceability of the inputs before the team relies on EMV, simulation, or other quantitative techniques. If the inputs are weak, the right conclusion is to improve or normalize the data, or acknowledge low confidence in the forecast. The closest distractors are analysis methods that use data, not methods for judging whether the data are dependable.
It evaluates whether input data are complete, consistent, and credible enough to support trustworthy quantitative results.
Topic: Risk Strategy and Planning
A hybrid project will hold weekly risk reviews with risk owners. The sponsor wants immediate notice only if total forecast schedule exposure exceeds 10 days, while workstream leads want detailed updates on warning signs for their own risks. Which entry best belongs in the risk management plan’s communication section?
Best answer: A
What this tests: Risk Strategy and Planning
Explanation: Risk communication needs in the risk management plan should specify who gets what information, how often, and when escalation occurs. Here, the 10-day limit is an escalation threshold for the sponsor, while risk owners need more detailed trigger-based updates.
The risk management plan defines how risk information will be communicated, including audience, cadence, content, format, and escalation criteria. In this scenario, the sponsor does not need every early warning sign; the sponsor wants immediate notice only when overall schedule exposure crosses the agreed 10-day limit. That limit is a threshold. Workstream leads, however, need detailed information about triggers for their assigned risks so they can respond early. A good communication entry therefore tailors the message to each stakeholder group and distinguishes thresholds from triggers.
Treating all stakeholders the same or shifting into analysis rules does not define communication needs effectively.
It defines stakeholder-specific risk information and escalation, and correctly treats 10 days as a threshold rather than a trigger.
Topic: Monitor and Close Risks
A hybrid project identified a threat that vendor interface defects could delay Release 3. The response was weekly joint demos and escalation if unresolved interface defects exceeded 10. Trend data over four iterations showed 14, 9, 5, and 2 unresolved defects, and Release 3 finished on time. The interface work is complete, so the risk is expired. Which lesson learned entry best reflects this response outcome?
Best answer: D
What this tests: Monitor and Close Risks
Explanation: Lessons learned should summarize what monitoring data proved about response effectiveness. Because the defect trend improved after weekly joint demos and a defined trigger, the best entry captures that this response reduced exposure and should be considered for similar vendor integrations.
Lessons learned should capture evidence about what a risk response achieved and where it should be reused. Here, trend analysis shows unresolved interface defects dropped each iteration after weekly joint demos and a clear escalation trigger were applied, and the release finished on time before the risk expired. That supports an evidence-based lesson that this response reduced exposure for this type of integration risk.
Simply noting closure or moving the data to another artifact misses the learning value.
It captures an evidence-based finding about response effectiveness and where it can be reused.
Topic: Risk Identification
A hybrid CRM rollout identifies a risk that the external data-cleansing vendor may miss the cutover rehearsal, delaying go-live by up to 10 days. The risk management plan says any risk above the 5-day schedule threshold needs one named owner with authority across internal and vendor workstreams; response actions may be assigned separately. The vendor lead can run recovery testing, and the project manager maintains the register, but only the client integration manager can resequence work and approve contingency use. What is the best action in the risk register?
Best answer: D
What this tests: Risk Identification
Explanation: Risk ownership should be assigned to one person with enough authority to monitor the risk, coordinate responses, and be accountable for the outcome. Because this risk exceeds the schedule threshold and spans vendor and internal work, the integration manager is the right single owner, while the vendor lead can still own response tasks.
In a risk register, the risk owner is the single person accountable for tracking the risk, watching triggers, and ensuring the agreed response is carried out. That owner should be assigned at the level needed to act across the affected scope. Here, the risk exceeds the stated schedule threshold and affects both vendor and internal workstreams, so ownership should sit with the person who can coordinate both sides and approve contingency use. The client integration manager has that authority; the vendor lead can support by owning specific response actions.
The key takeaway is to separate risk ownership from action ownership and avoid shared ownership that weakens accountability.
The integration manager has the required cross-workstream authority for accountability, while the vendor lead can own specific response actions.
Topic: Risk Strategy and Planning
During preliminary risk planning for a hybrid data center migration, the sponsor states that production outage must stay under 4 hours. A similar migration last year exceeded that threshold because the rollback trigger was set too late, and archived records include downtime data, post-project lessons learned, and industry benchmarks. What should the project manager do next?
Best answer: A
What this tests: Risk Strategy and Planning
Explanation: The best next step is to use similar-project lessons learned, historical data, and benchmarks to inform risk planning. Because the migration has not yet occurred, escalation, workaround use, and transfer decisions are premature without first analyzing the available evidence.
Preliminary document analysis should make risk planning evidence-based. In this case, the prior migration already shows a recurring threat, the response result, and why the old trigger failed. Reviewing lessons learned, historical downtime data, and relevant benchmarks helps the project manager define realistic trigger points, contingency actions, and planning assumptions for the 4-hour outage threshold.
Only after using those sources should the team decide whether escalation, transfer, or other response strategies are appropriate.
Those sources provide evidence for realistic outage triggers and contingency planning before selecting a response strategy.
Topic: Risk Analysis
A hybrid ERP rollout has finished initial risk identification. During qualitative analysis of cross-team dependencies, business, vendor, and operations stakeholders keep waiting for the project manager to point out every possible threat or opportunity. The risk management plan already includes risk categories and probability-impact criteria. What should the project manager do next?
Best answer: C
What this tests: Risk Analysis
Explanation: The project is still in risk analysis, and the criteria for evaluating risk are already defined. The best next step is to have stakeholders examine their own dependency areas so they can identify additional threats and opportunities before moving into ownership, issue management, or closure.
Threat and opportunity complexity analysis works best when the people closest to each interface examine how interactions in their own area could affect project objectives. In this scenario, the project already has categories and probability-impact criteria, so the missing step is stakeholder-led analysis, not more planning or response action. Asking stakeholders to review their own dependencies and record added threats and opportunities helps uncover cascading effects, hidden assumptions, and upside possibilities.
Assigning owners, escalating issues, or closing risks should come only after this analysis is completed.
This uses the agreed analysis framework to let stakeholders surface additional threats and opportunities before ownership or response decisions are made.
Topic: Risk Strategy and Planning
A hybrid payroll transformation must go live by January 1 to support a new tax law, and payroll integration cannot finish until the tax authority releases final interface specifications. The sponsor’s schedule threshold is no more than 1 week of slippage. During risk planning, which assumption should most influence the project’s risk strategy?
Assumptions log excerpt
- The tax authority will publish final interface specifications by July 1.
- About 70% of training materials can be reused.
- Department managers will attend monthly demos.
- The current test script template will remain adequate.
Best answer: B
What this tests: Risk Strategy and Planning
Explanation: The external publication of final interface specifications is the assumption that should shape the risk strategy. It is outside the team’s control, directly affects a critical dependency, and threatens a fixed go-live date with very low schedule tolerance.
In Risk Strategy and Planning, the assumptions that should influence the risk strategy are the ones that materially affect overall project exposure and the ability to meet business drivers. Here, the business driver is a January 1 go-live tied to a tax-law change, and the project can tolerate only 1 week of delay. Because integration cannot finish until the tax authority publishes final specifications, that assumption creates a major external dependency on the critical path.
This kind of assumption should shape the risk strategy by prompting actions such as:
The other assumptions may still create risks, but they are more local and less likely to define the overall risk approach.
This is the key external assumption on the critical path, so it should drive monitoring, triggers, escalation, and contingency planning.
Topic: Risk Identification
During risk identification for a hybrid point-of-sale rollout, the team debates how to classify several uncertainties. Which identified risk is best classified as context-dependent uncertainty?
Best answer: C
What this tests: Risk Identification
Explanation: Context-dependent uncertainty applies when the same uncertain event could help or hurt a project objective. Exchange-rate movement can either raise or lower procurement cost, while the other options describe only upside or only downside effects.
Risk classification depends on the direction of the possible effect on project objectives. A threat has only a negative effect, an opportunity has only a positive effect, and context-dependent uncertainty can produce either result depending on how the event unfolds. Here, exchange-rate movement before ordering imported scanners could increase cost or decrease cost, so the same uncertainty may harm or benefit the project’s cost objective.
The resource-availability option is a common distractor because it is uncertain, but its stated impact is only beneficial, so it remains an opportunity.
Because the same uncertainty could either increase or decrease procurement cost, it is not a pure threat or a pure opportunity.
Topic: Monitor and Close Risks
On a hybrid customer-portal project, the risk register includes a threat that vendor API instability could delay integration testing. The planned response is early interface mocks plus weekly vendor defect triage. The risk management plan states that if integration-test rework exceeds 8% of planned effort for two consecutive iterations, the risk owner must recommend further action. Reliable metrics show 9% and 12% rework variance in the last two iterations, and the sponsor has low tolerance for any launch delay. What is the BEST action?
Best answer: D
What this tests: Monitor and Close Risks
Explanation: Variance analysis compares actual results with the agreed trigger or threshold for a risk. Here, the threshold was exceeded in two consecutive iterations using reliable data, so the team should update risk information and adjust the response rather than wait, re-score first, or close the risk.
This is a risk monitoring decision driven by variance analysis. The project already defined a clear threshold: more than 8% rework variance for two consecutive iterations requires further action. Actual results of 9% and 12% show that exposure is trending above the accepted limit, and the sponsor’s low tolerance for launch delay makes passive monitoring inappropriate. The right step is to use that evidence to update the risk register and risk report, then work with the risk owner on an additional response or contingency.
Waiting for a milestone slip is too late because thresholds exist to prompt action before objectives are missed. Re-scoring in a workshop adds delay when high-quality performance data already supports a decision. Closing the risk would confuse completion of mitigation activities with proof that the response is effective. In monitoring, effectiveness matters more than activity completion.
The predefined variance threshold has been breached by reliable trend data, so monitoring should trigger escalation and an adjusted response.
Topic: Risk Strategy and Planning
Before any facilitated discussion, the risk manager reviews the charter, contracts, assumptions log, and prior lessons learned to note possible sources of uncertainty. Which risk management activity is this?
Best answer: D
What this tests: Risk Strategy and Planning
Explanation: This is preliminary document analysis because the risk manager is examining existing project records to prepare for later risk work. It is not a workshop, since no stakeholders are actively generating risks together in the scenario.
Preliminary document analysis is an early planning activity that uses available project information—such as the charter, contracts, assumptions log, and lessons learned—to understand context and spot possible sources of uncertainty. Its purpose is to prepare the risk approach and enter later identification activities with better insight.
A risk identification workshop is different because it is an active, facilitated session where participants collaboratively surface and discuss threats and opportunities. Qualitative analysis happens after risks are identified, and response planning happens after risks are assessed. The key distinction here is passive review of existing documents versus live, collaborative elicitation.
It describes reviewing existing project documents to surface possible uncertainties before collaborative identification begins.
Topic: Risk Response
A hybrid product-launch project has completed three iterations of threat responses. The team tracks total threat exposure in risk points; lower is better. The sponsor asks for the best interpretation of the current summaries to communicate response effectiveness.
Risk burndown
- Iteration 5: 46
- Iteration 6: 33
- Iteration 7: 24
Dot plot summary of remaining threats
- Payment gateway certification: Medium probability / High impact
- Data migration defects: Low probability / Medium impact
- Training attendance shortfall: Low probability / Low impact
Which statement is best?
Best answer: A
What this tests: Risk Response
Explanation: The best interpretation combines trend and current position. The burndown shows the responses are lowering total exposure, but the dot plot shows one significant residual threat still needs attention.
To communicate response effectiveness, use a trend view and a current-state view together. The burndown shows whether total threat exposure is moving down over time, and here it drops from 46 to 24, which is evidence that the response actions are helping overall. The dot plot then shows whether any individual threat still sits in a concerning probability-impact position. In this case, payment gateway certification remains medium probability and high impact, so it is still a material residual risk.
A downward trend alone is not enough to justify closing risks when a significant threat still remains.
The burndown shows aggregate exposure decreasing, while the dot plot still highlights one medium-probability, high-impact residual threat.
Topic: Monitor and Close Risks
During a monthly review on a system rollout, the project manager must decide which threat record can be closed. The risk management plan says a record may be closed only when the planned response is complete, residual schedule exposure is at or below 3 days, and any secondary risk has its own record and owner. Which record is ready to close?
Best answer: D
What this tests: Monitor and Close Risks
Explanation: A risk record is ready to close only when the response is complete, the remaining exposure is acceptable, and any new risk created by the response is being managed separately. The scenario with finished mitigation, a 1-day residual delay, and a logged secondary risk meets all three conditions.
In risk closure, the project manager verifies that the original risk has been treated and that its remaining implications are understood and controlled. Residual risk is the exposure that remains after the response; secondary risk is a new risk caused by the response itself. Before closing the original record, confirm that the response has actually been implemented, the residual exposure is within the agreed threshold or otherwise accepted, and any secondary risk has been entered into the risk register with ownership.
If the residual delay is still above threshold, the original risk remains open. If the response is incomplete, the risk is still under treatment. If a secondary risk is only mentioned informally, it has not been addressed well enough for closure.
The closest distractor is the one with acceptable residual delay but only an informal note about the new risk.
This is the only case where the response is complete, the residual risk is within threshold, and the secondary risk is separately recorded and owned.
Topic: Monitor and Close Risks
Each month, the project manager compares aggregated cost and schedule risk exposure with the low/medium/high criteria and escalation thresholds defined in the risk management plan, then reports the result to the sponsor. Which Monitor and Close Risks action does this describe?
Best answer: B
What this tests: Monitor and Close Risks
Explanation: This describes assessing the current overall project risk level. The key clues are aggregated exposure, agreed low/medium/high criteria, and reporting the result to a sponsor rather than working on one specific risk.
In Monitor and Close Risks, the team periodically evaluates overall project risk exposure by comparing current risk data with agreed criteria such as thresholds, rating bands, or escalation rules defined in the risk management plan. The purpose is to determine the project’s present risk level and communicate that status to stakeholders in a usable form, such as low, medium, or high. This is a project-level view, not a review of one risk entry. Activities like reassessing a single risk, assigning owners, or closing expired risks may happen during monitoring, but they do not answer the bigger question of current project-wide exposure.
This compares aggregated exposure with agreed criteria to judge the project’s current overall risk condition.
Topic: Risk Strategy and Planning
A hybrid customer-data platform project is being planned to deliver cost savings this fiscal year. While drafting the risk management plan, the project manager sees a business-case assumption that a data residency waiver will be approved before integration testing; the request cannot be submitted for three weeks, and missing the waiver would delay benefits by one quarter. What should the project manager do next?
Best answer: D
What this tests: Risk Strategy and Planning
Explanation: The waiver approval is uncertain and directly affects benefit timing, so it is an assumption that should influence risk strategy during planning. The best next step is to validate that assumption with relevant stakeholders and reflect it in the risk management plan before jumping to response execution or issue escalation.
In Risk Strategy and Planning, assumptions from the business case should be examined when they create meaningful uncertainty around project objectives or expected benefits. Here, waiver approval is not guaranteed, it cannot even be requested yet, and a miss would delay benefit realization by a quarter. That makes it a planning assumption that should influence the project’s risk strategy. The project manager should confirm its uncertainty and impact with the appropriate stakeholders, then use that information to shape the risk management plan, such as monitoring approach, escalation thresholds, and ownership expectations. Specific response actions come later, once the risk approach is set and the uncertainty is analyzed more fully. Treating it as an issue or waiting until testing is near would weaken proactive risk planning.
A material, uncertain assumption that could delay benefits should shape the planned risk approach before responses are chosen.
Topic: Risk Identification
A hybrid product rollout will use predictive delivery for hardware installation and agile delivery for mobile app features. The risk management plan is approved, and the sponsor wants one project risk register. The hardware team has a baseline schedule and vendor contracts; the agile team has a prioritized backlog and starts two-week sprints next week. No risks have been identified yet. What is the best next step?
Best answer: B
What this tests: Risk Identification
Explanation: In a hybrid project, risk identification should match how uncertainty appears in each delivery approach. Predictive work is best served by an upfront facilitated review of plans and contracts, while agile work needs recurring iteration-level identification; both outputs can then feed one risk register.
The core concept is tailoring the risk identification exercise to the delivery approach. Because the risk management plan is already approved and no risks have been captured yet, the next step is identification, not ownership assignment, issue escalation, or qualitative analysis. For the predictive hardware stream, an upfront workshop using the schedule, dependencies, and contract information is appropriate because much of the uncertainty can be surfaced early. For the agile app stream, recurring sprint-level risk reviews are better because backlog details, technical uncertainty, and dependencies evolve as the team learns. After identifying risks from both streams, the team can record them in one project risk register, assign owners, and then analyze them.
The closest distractors all act too early or use the wrong flow for uncertainty.
This tailors risk identification to hybrid delivery by using document-driven workshops for predictive work and cadence-based reviews for agile work before ownership and analysis.
Topic: Monitor and Close Risks
On a hybrid product launch project, the vendor manager owns a risk that supplier test-environment instability could delay release integration. The response was nightly health checks, and the risk management plan says to escalate only if outages exceed 2 per week. Monitoring data for the last three weeks shows outages dropped from 5 per week to 1 per week, the schedule baseline remains on track, and release integration starts next month. What should the project manager do next?
Best answer: B
What this tests: Monitor and Close Risks
Explanation: The monitoring data shows the response is working, but the risk window is still open and the escalation threshold is not being exceeded. The next step is to update the risk register and risk report with the current trend, status, and remaining exposure.
In Monitor and Close Risks, performance data is used to compare actual results against thresholds and baseline status, then update risk artifacts accordingly. Here, outages fell from 5 per week to 1 per week, and the schedule baseline is still on track, so the response appears effective. However, the uncertain event can still occur because release integration has not started yet and outages have not dropped to zero. That means the risk is neither an active issue nor ready for closure. The project manager should update the risk register with the latest status, trend, and remaining exposure, and update the risk report so stakeholders see the changed overall risk picture. Closing it, escalating it as an issue, or delaying updates for ownership clarification would not match the current evidence.
Monitoring data shows the response reduced exposure without eliminating it, so the risk stays open and both risk artifacts should be updated.
Topic: Risk Identification
A hybrid billing-platform project must meet a regulatory go-live date in 5 months, and the sponsor will escalate any forecast slip over 10 days. The budget is capped for this quarter, only one approved vendor can perform data conversion, and historical conversion data are weak because this legacy platform has never been migrated before. During risk identification, what is the BEST action for the risk manager?
Best answer: C
What this tests: Risk Identification
Explanation: Constraint analysis is used during risk identification to turn project limits into specific risks. Here, the fixed date, capped budget, sole-source vendor, and weak historical data should trigger targeted identification and risk register entries now.
The core concept is to use analyzed constraints as direct inputs to risk identification. A fixed regulatory date, strict funding cap, and single approved vendor each create uncertainty that can affect schedule and cost objectives, especially when historical conversion data are weak. The best action is to conduct focused identification around those constraints and document each resulting risk in the risk register with a clear cause, event, and impact, plus useful details such as triggers or provisional ownership. Weak data may reduce confidence in later analysis, but it does not justify waiting to identify obvious risks. Jumping straight to response planning or only escalating summary concerns skips the formal identification output the team needs first. Convert the constraints into well-formed risk entries before moving on.
Constraint analysis should be converted into specific documented risks, not delayed or treated as response planning.
Topic: Risk Analysis
During qualitative analysis for a hybrid CRM rollout, different regional leads score the same data-migration risk from 2 to 5. The risk management plan already defines 1-5 probability and impact scales, including that a go-live delay of more than 10 business days is impact 4 or 5. The steering committee has low appetite for schedule delay, and only three pilot migrations provide mixed evidence. What is the best action?
Best answer: B
What this tests: Risk Analysis
Explanation: The best action is to recalibrate the group against the approved probability and impact criteria before finalizing the score. Transparent, shared scoring rules reduce the effect of personal experience and stakeholder pressure in qualitative prioritization.
Qualitative prioritization is reliable only when participants apply the same scoring logic. In this case, the project already has defined 1-5 scales and a stated schedule threshold, but stakeholders are rating the risk based on individual experience rather than common criteria. The risk manager should coach the group back to the approved definitions, use the pilot results as the shared evidence base, and require a brief rationale for the selected rating before rescoring. That approach aligns analysis with the committee’s low appetite for delay without allowing authority, recency bias, or inconsistency to drive priority.
Averaging or executive override can produce a number, but neither makes the prioritization more objective.
Using shared definitions, anchored examples, and explicit evidence makes the qualitative rating transparent and reduces personal bias.
Topic: Risk Analysis
A hospital compliance project identifies two uncertain events before release: new regulator reporting fields may expand scope and delay approval, and a vendor API update may arrive late, reducing test capacity and risking defects. The sponsor wants a fast comparison of likely effects on scope, schedule, cost, resources, quality, and stakeholder confidence. Historical numeric data are limited, but the risk management plan defines impact criteria for each objective. Which analysis approach is most appropriate?
Best answer: B
What this tests: Risk Analysis
Explanation: The team needs to compare uncertain events across several project objectives, but it does not have strong numeric data. That makes qualitative risk analysis the best fit, using predefined probability and impact criteria for scope, schedule, cost, resources, quality, and stakeholder or compliance effects.
This situation calls for qualitative risk analysis because the goal is to compare likely impacts across multiple project objectives, not just calculate a financial value. The events are still uncertain, and the project already has defined impact criteria, which is exactly what qualitative analysis uses to assess probability and effect consistently.
Quantitative methods such as EMV are useful when reliable numeric data exist and a monetary forecast is needed, but that is not the main need here.
Limited numeric data and defined impact scales make qualitative multi-objective assessment the best way to compare likely effects now.
Topic: Risk Identification
A hybrid payments project identifies a threat that an integration vendor may not complete security fixes before release. The team is reviewing project information to see which responses are actually feasible. Which detail is a project constraint that would directly limit the available risk responses?
Best answer: A
What this tests: Risk Identification
Explanation: A constraint is a limiting condition already imposed on the project. Here, the fixed regulatory release date narrows the feasible response set immediately, so the team cannot rely on schedule delay as a response.
In constraint analysis, the team separates facts that restrict choice from facts that describe uncertainty or decision rules. A fixed regulatory deadline is a project constraint because it already exists and reduces the number of feasible responses before the risk occurs. That means the team must choose responses compatible with the date, such as adding qualified support, adjusting scope, or preparing a fallback. By contrast, an expectation that defects will be resolved is an assumption, a defect count that starts fallback testing is a trigger, and a 5% cost-growth escalation point is a threshold. The key distinction is that constraints define what options are possible; they do not forecast the risk or signal when to act.
A fixed regulatory date is a hard constraint, so responses such as delaying the release are not available.
Topic: Risk Identification
During risk identification for a hybrid CRM rollout, the team drafts this risk register entry:
Senior vendor turnover may delay data-migration design and extend user acceptance testing by 3 weeks.
The entry has not yet been analyzed or assigned. What is the best next step?
Best answer: C
What this tests: Risk Identification
Explanation: Before analysis, the risk statement should be clarified. Separating the underlying cause from the uncertain event and resulting impact makes the risk understandable and supports consistent scoring, ownership, and response planning.
In risk identification, a combined sentence can blur what is creating uncertainty, what might happen, and why it matters. Here, vendor turnover is the cause, delay to data-migration design is the risk event, and a 3-week extension to user acceptance testing is the impact. The best next step is to record those elements separately in the risk register, or restate the risk in a clear cause-event-impact format, before any qualitative analysis.
Once the risk is clearly written, the team can assess probability, impact, triggers, and ownership more reliably. Scoring, responding, or escalating too early reduces risk-data quality and can lead to the wrong action.
A risk should be documented with its cause, uncertain event, and impact separated before analysis or response planning.
Topic: Risk Analysis
A hybrid project wants architects, testers, and business leads to independently spot and classify both threats and opportunities during release reviews. The team issues shared probability and impact definitions, with examples for upside and downside events, so each group can rate new uncertainties consistently. This is best described as which artifact?
Best answer: C
What this tests: Risk Analysis
Explanation: The best match is the probability-impact matrix because it provides agreed scoring criteria for likelihood and impact. That lets different stakeholders analyze emerging threats and opportunities on their own in a consistent way.
A probability-impact matrix is a qualitative risk analysis artifact used to rate and prioritize risks with shared definitions for probability and impact. In this scenario, the key clue is that stakeholders receive common scoring guidance and examples for both downside and upside events, allowing them to assess new uncertainties independently and consistently. That is exactly the purpose of a probability-impact matrix in threat and opportunity analysis.
A risk breakdown structure helps categorize sources of risk, but it does not provide the rating rules. A risk register stores identified risks and their analysis results after assessment. A risk report summarizes overall project risk exposure and trends for communication to stakeholders. The decisive point is that the described artifact enables decentralized qualitative analysis, not categorization, recording, or reporting.
It gives stakeholders common qualitative criteria to assess threats and opportunities consistently during risk analysis.
Topic: Risk Identification
During assumption analysis, the team records: “The data-migration vendor will provide complete test files by June 1.” The project manager sees this as uncertain and schedule-sensitive. Which option best rewrites the assumption as a risk statement?
Best answer: B
What this tests: Risk Identification
Explanation: A good risk statement turns an uncertain assumption into a possible future event with an effect on project objectives. The best choice clearly shows the condition and the potential schedule impact without treating it as an existing issue or jumping to a response.
In assumption analysis, a weak assumption becomes a risk when its failure is uncertain and could affect project objectives. A well-written risk statement describes the uncertain condition, the event that may occur, and the likely impact, such as late test files causing delayed integration testing and schedule slippage. This makes the exposure clear enough to record in the risk register and analyze further.
Simply restating the assumption does not identify the threat, and choosing a reserve is response planning rather than risk identification.
It converts the uncertain assumption into a threat statement with a condition, possible event, and schedule impact.
Topic: Monitor and Close Risks
On a hybrid product launch, the risk register shows a threat that vendor API defects may delay release. The sponsor has low appetite for schedule slippage and set a threshold of any forecast delay over 5 days. The latest milestone forecast is still on baseline, but defect-trend and test pass-rate data for the last two iterations are missing after a tool migration; the QA lead says exposure is “down.” What should the project manager do next?
Best answer: C
What this tests: Monitor and Close Risks
Explanation: The key monitoring question is whether there is enough valid performance data to support a conclusion. Even with an on-baseline forecast and a completed response action, missing recent defect and pass-rate data means the team cannot reliably show that exposure has decreased.
In risk monitoring, conclusions about exposure trend or response effectiveness should be based on current, reliable performance data compared with the baseline or stated thresholds. Here, the milestone forecast is still on baseline, but the most relevant evidence for this risk—recent defect trend and test pass rates—is missing. That makes the QA lead’s opinion insufficient for downgrading or closing the risk.
The best action is to restore or validate the missing data, then reassess the risk rating and reporting. Being on baseline today does not prove the defect threat is controlled, and implementing a response does not prove the response worked. When key performance data is incomplete, continue monitoring and avoid claiming reduced exposure without evidence.
A reliable monitoring conclusion requires current, relevant performance evidence, not just opinion or implementation status.
Topic: Monitor and Close Risks
A hybrid ERP project has a mitigation response for data-conversion rework risk. The response should keep the affected work package at a schedule variance of -5% or better after Sprint 2, and the risk management plan says to reassess the response if variance is worse than -5% for two consecutive sprints. Actual schedule variance is Sprint 3: -2%, Sprint 4: -6%, Sprint 5: -7%. What is the best risk monitoring decision?
Best answer: C
What this tests: Monitor and Close Risks
Explanation: Variance analysis compares actual results with the planned tolerance to judge response effectiveness. Here the work package breached the -5% limit in two consecutive sprints, which exactly matches the plan’s condition for reassessing the mitigation.
In risk monitoring, variance analysis is used to see whether a response is reducing exposure as intended. The deciding fact is not the average variance across all three sprints; it is the explicit rule in the risk management plan: if schedule variance is worse than -5% for two consecutive sprints, the response must be reassessed. Sprint 3 was within tolerance at -2%, but Sprint 4 and Sprint 5 were -6% and -7%, creating the required two-period adverse pattern. That is evidence the current mitigation is underperforming and should be reviewed and updated in the risk register and response plan.
A separate trigger or a new analysis method is unnecessary because the agreed monitoring threshold has already been met.
Two consecutive sprints were worse than the stated threshold, so variance analysis shows the mitigation is not performing as planned.
Topic: Monitor and Close Risks
A hybrid product-launch project defined a trigger for supplier-delay risk: if prototype parts arrive more than 3 days late, the team will switch to a qualified local supplier. The trigger occurs, and governance approves the switch. The new supplier raises cost and changes procurement oversight, but preserves the launch date. What should the project manager do next to keep project control aligned?
Best answer: B
What this tests: Monitor and Close Risks
Explanation: Because the approved contingency changes cost and procurement control, the project manager should update controlled project documents, not just risk records. The change log and relevant parts of the project management plan need to reflect the approved decision.
This is a monitoring and control action. Once a risk trigger occurs and an approved response changes how the project will be controlled, the project manager should update the change log and the affected components of the project management plan. In this case, the supplier switch affects cost and procurement oversight, so the control framework for the project has changed and must be documented in the controlled records.
Updating only the risk register is not enough because the risk register tracks the risk and its response, but it does not replace project control documents. Closing the risk immediately is premature because the response may still leave residual or secondary risk to monitor. Escalation is also unnecessary because governance has already approved the response. The key takeaway is that approved risk decisions that alter project control require formal document updates.
The approved risk decision changes project controls, so the change log and affected plan components must be updated promptly.
Topic: Monitor and Close Risks
A hybrid product rollout has completed its first regional release. Three integration risks are now closed, and the closure review shows the same pattern: external API dependency risks were identified late because the checklist missed them, and the triggers were too vague for early action. The sponsor has low tolerance for schedule slippage, and planning for the next release starts next week. What should the risk manager do first?
Best answer: B
What this tests: Monitor and Close Risks
Explanation: Risk closure should feed future risk work, not just finish past documentation. Because the closure findings reveal a repeatable identification and trigger weakness, the best action is to update planning inputs before the next release begins.
Using closure findings for organizational learning means converting what was learned from closed risks into better future risk identification and planning. In this scenario, the review shows two specific weaknesses: the team did not look explicitly for external API dependency risks, and the trigger definitions were not precise enough to prompt early response. Since the next release planning starts soon and the sponsor has low schedule tolerance, the most effective action is to update lessons learned and the artifacts that shape future risk work, such as the identification checklist, relevant RBS entries, and trigger criteria. Archiving the risks only preserves history, monitoring already closed risks confuses closure with ongoing exposure management, and adding contingency treats impact without fixing the upstream identification gap.
It uses closure evidence to improve how similar risks are identified and planned for in the next release.
Topic: Risk Response
A risk register entry states: if a supplier misses two consecutive interface test dates, the team will shift the work to a preapproved backup supplier. The second missed date occurs. Which response principle matches this situation?
Best answer: C
What this tests: Risk Response
Explanation: This describes contingency plan activation. The response and its trigger were defined in advance in the risk register, so when the second missed date occurred, the team should carry out that planned action immediately rather than improvise a new response or keep monitoring only.
A contingency plan is a preplanned risk response that is executed when a defined trigger or threshold is met. In this case, the team already identified both the trigger—two missed interface test dates—and the action—move work to the backup supplier. Once that condition occurs, the correct response action is to implement the contingency plan and update the risk status.
A fallback plan is different: it is used if a chosen response proves ineffective. A workaround is also different: it is an unplanned response to an issue when no predefined action exists. Ongoing residual risk monitoring matters, but not as a substitute for acting when the trigger has already been reached.
A predefined trigger was reached, so the team should implement the preplanned contingent response.
Topic: Monitor and Close Risks
A hybrid ERP project has a fixed regulatory go-live date. The risk management plan states that any critical-path schedule variance above 5% must be reported with its effect on overall risk exposure and recommended action. This month, verified data shows integration work moved from -2% to -6% after a vendor delay trigger occurred, and the sponsor has low appetite for date risk. What is the BEST action?
Best answer: D
What this tests: Monitor and Close Risks
Explanation: Variance is only useful for risk monitoring when its significance is explained. Here, the threshold is breached, the trigger is confirmed, and the sponsor is risk-averse about the date, so the report should connect the variance to increased schedule exposure and the response status.
In Monitor and Close Risks, variance is performance data, not the full risk message. When verified variance crosses a stated threshold, the risk manager should explain what that change means for project objectives, link it to the relevant risk, and show whether the current response is adequate. In this scenario, integration variance moved past the 5% limit, the vendor-delay trigger has occurred, and the sponsor has low tolerance for any threat to the regulatory go-live date. The best action is to update the risk report so stakeholders see the increased schedule exposure, the breached threshold, and the response-owner actions or escalation needed.
Sending variance without significance leaves governance to guess the risk impact.
A verified threshold breach with a known trigger must be reported in terms of changed risk exposure and required owner action, not as raw variance alone.
Topic: Risk Analysis
A hybrid project team uses these risk register fields for analysis: Exposure = probability \(\times\) impact; Urgency = how soon action may be needed; Response cost = estimated cost of the planned response; Priority = final sequencing score after the team’s weighting rules are applied. Which statement best interprets the register excerpt?
| Risk | Exposure | Urgency | Response cost | Priority |
|---|---|---|---|---|
| Vendor API instability | 16 | 4 | \$12,000 | 17 |
| Regulatory review delay | 25 | 1 | \$4,000 | 16 |
| Data migration defect | 9 | 5 | \$2,000 | 14 |
| Test environment outage | 8 | 3 | \$1,000 | 12 |
Best answer: C
What this tests: Risk Analysis
Explanation: Risk priority is the final ranking the team uses to sequence response planning. Vendor API instability should be handled first because its priority score is 17, even though another risk has higher exposure, another is more urgent, and another is cheaper to address.
Risk priority is not the same thing as risk exposure, urgency, or response cost. Exposure estimates the size of a risk based on probability and impact. Urgency shows how quickly the team may need to act. Response cost estimates what it will take to implement a response. Priority is the project’s final weighted ranking for deciding which risk to plan for first.
In this register, the team has already applied its weighting rules, so the correct interpretation is to use the highest Priority value. Vendor API instability ranks first with a priority of 17. Regulatory review delay has the highest exposure, data migration defect has the highest urgency, and test environment outage has the lowest response cost, but none of those fields replaces the stated priority score.
When the project defines a final priority metric, that metric drives sequencing.
The register says response sequencing uses priority, and vendor API instability has the highest priority score at 17.
Topic: Monitor and Close Risks
A hybrid infrastructure project reviews schedule-threat exposure monthly. The risk management plan requires steering committee escalation if either total EMV of open schedule threats exceeds $250,000 or the total rises by more than 15% over any two monthly review cycles.
Month 1 EMV: \$180,000
Month 2 EMV: \$205,000
Month 3 EMV: \$242,000
Note: A key vendor-risk response did not reduce probability.
What is the best interpretation of these monitoring results?
Best answer: C
What this tests: Monitor and Close Risks
Explanation: The correct interpretation uses the exposure trend, not only the current EMV value. Total open-threat EMV rose from $180,000 to $242,000 over two review cycles, so the reporting threshold tied to trend has been breached and overall exposure should be escalated in the risk report.
In Monitor and Close Risks, monitoring data are compared with the thresholds defined in the risk management plan and then communicated through the appropriate artifact. Here, the project has not crossed the absolute EMV ceiling of $250,000, but it has crossed the separate trend threshold: \( (242{,}000 - 180{,}000) / 180{,}000 \approx 34\% \) over two review cycles. That means management reporting is required now because the project’s overall exposure is worsening. The risk register should still be updated with the specific vendor risk and the ineffective response result, but leadership needs the summary view in the risk report. Waiting for an actual schedule delay would confuse a monitored risk trend with an issue that has already occurred.
The two-cycle increase from $180,000 to $242,000 exceeds the 15% threshold, so overall exposure must be reported and escalated now.
Topic: Risk Analysis
A medical-device launch project has an organizational strategic objective to enter a new market this quarter without any regulatory citation that could jeopardize future approvals. Its project compliance objective requires an approved local labeling package before release. The risk management plan says to escalate if that package is under 70% complete two sprints before go-live; today it is 40% complete. What should the project risk manager recommend?
Best answer: A
What this tests: Risk Analysis
Explanation: The trigger in the risk management plan has been met, so the proper action is escalation and reevaluation. The organization’s strategy is not just speed to market; it is compliant market entry without regulatory damage to future approvals.
This tests compliance impact analysis against organizational strategy. When a stated trigger is reached and the potential effect breaches the project’s risk threshold, the team should not treat schedule pressure as the dominant objective. Here, the strategic objective explicitly includes avoiding regulatory citations that could harm future approvals, so the compliance objective directly supports strategy rather than competing with it.
The best response is to escalate and reevaluate release options based on both objectives:
The closest distractors focus on keeping the date, but they ignore that regulatory exposure remains with the organization and already requires escalation.
The trigger has been hit and the risk exceeds the stated threshold, so escalation and reevaluation are required to protect the strategy of compliant market entry.
Topic: Risk Response
A hybrid billing-system release includes a cutover risk: if data conversion fails, rollback may delay customer billing. The sponsor has low tolerance for service interruption and approved a threshold of no more than 30 minutes. The team previously chose risk acceptance because rehearsal data suggested rollback would take 15 minutes, but a new end-to-end rehearsal produced reliable data showing rollback would take 2 hours. The regulatory go-live date cannot move. What is the BEST action?
Best answer: A
What this tests: Risk Response
Explanation: When reliable new information shows a previously accepted threat now exceeds the sponsor’s risk threshold, the response strategy should be reassessed immediately. The team should replace acceptance with a response that fits the current exposure and fixed go-live constraint.
Risk response selection is not permanent; it should be revisited when the assumptions behind a response change. Here, the original acceptance decision depended on a 15-minute rollback, but reliable rehearsal data now indicates a 2-hour interruption, which is above the sponsor’s 30-minute threshold. Because the threat is still uncertain, the right action is to reassess the response and choose a strategy that reduces exposure to an acceptable level before go-live.
Waiting with the old strategy confuses monitoring with response selection.
Reliable new data shows the accepted exposure now exceeds the sponsor’s threshold, so the strategy must be changed.
Topic: Risk Strategy and Planning
A hybrid ERP project is drafting its risk management plan. The business case says approved benefits depend on going live by October 1 and reaching 75% user adoption within 3 months; below 60% adoption, the ROI case fails. The team has already listed several schedule and adoption uncertainties, but no benefit-based risk appetite or thresholds have been set. What should the risk manager do next?
Best answer: B
What this tests: Risk Strategy and Planning
Explanation: When benefit materialization depends on specific timing and adoption results, those conditions must shape risk appetite and thresholds during risk planning. Before the team prioritizes or responds to risks, it needs explicit criteria for what level of benefit shortfall is acceptable and when escalation is required.
The key concept is that risk appetite and thresholds should be derived from the project’s business drivers and expected benefits. In this scenario, the business case already shows which outcomes matter most: timely go-live and sufficient user adoption. Because the project stops meeting its ROI case below 60% adoption, the risk manager should next work with the sponsor to translate that benefit dependency into explicit risk appetite and measurable thresholds in the risk management plan or related criteria. Those thresholds then guide later qualitative analysis, prioritization, escalation, and response planning. Until that is done, using generic criteria may misstate exposure, and treating the uncertainty as an issue would be incorrect because the benefit shortfall has not happened yet. The best next step is to set the decision rules before further risk work proceeds.
Risk planning should first align appetite and thresholds to the benefit case so later analysis and responses use the right decision criteria.
Topic: Risk Response
A software project could reach the market two months earlier if a cloud provider contributes automation capabilities the team lacks. The project manager proposes a partnership agreement so both organizations benefit from the accelerated release. Which opportunity response strategy is this?
Best answer: D
What this tests: Risk Response
Explanation: Sharing is appropriate when a third party is best positioned to help realize an opportunity and both parties will benefit. The proposed partnership agreement is the key clue that ownership of the upside is being allocated jointly.
For positive risks, the response strategy should match how the team intends to capture the benefit. Share is used when an external party is best able to realize the opportunity and a partnership, joint venture, or similar agreement is created so both sides gain from the outcome. That fits this scenario because the project needs the cloud provider’s specialized capability to accelerate release, and the benefit is intentionally mutual. Exploit would mean taking direct action to make the opportunity happen with as much certainty as possible. Enhance would mean increasing the probability or impact of the opportunity. Accept would mean no proactive action beyond acknowledging or monitoring it. The decisive clue here is the formal third-party partnership.
This is sharing because a third party is engaged through a formal arrangement to help realize the upside and benefit from it.
Topic: Risk Analysis
A hybrid payments project has added 16 newly identified risks to the risk register and already rated each one on the agreed probability and impact scales. The risk management plan defines qualitative categories as environment, organization, project management, technical, and other. Before selecting responses, the project manager wants to see where risks are clustering. What should the team do next?
Best answer: B
What this tests: Risk Analysis
Explanation: The risks have already been identified and rated, but they have not yet been grouped by category. The best next step is nominal classification, which shows whether exposure is concentrated in environmental, organizational, project management, or technical areas before response planning continues.
Nominal classification is a qualitative risk analysis technique that groups risks into agreed, nonnumeric categories. In this scenario, the project already has a defined category scheme and has completed basic probability-impact rating, so the next step is to classify each risk accordingly in the risk register. This helps the team detect patterns in exposure, decide where deeper analysis is needed, and involve the right specialists. For example, clustering in technical risks may require architecture review, while clustering in environmental risks may require more external monitoring. Assigning response owners comes after analysis supports a response approach, an issue log is for events that have already occurred, and closing risks without evidence they are no longer relevant is premature.
Nominal classification is the next qualitative analysis step when the team needs to group risks by agreed categories to reveal concentration patterns.
Topic: Risk Strategy and Planning
A hybrid product launch project has a supplier-delay threat with a trigger at a forecasted 5-day slip. The contingency plan starts only if the delay is confirmed to exceed 10 days, but recent reviews show marketing, engineering, and procurement applying those rules differently. What should the project risk manager do next?
Best answer: B
What this tests: Risk Strategy and Planning
Explanation: The main problem is inconsistent stakeholder understanding, not a missing response. Coaching stakeholders on the agreed trigger, threshold, and contingency rules creates the common risk language needed for correct monitoring, escalation, and response use.
In Risk Strategy and Planning, stakeholder-led risk planning includes educating stakeholders so they apply the same risk principles and processes. Here, the supplier-delay threat already has a defined trigger and a defined contingency threshold, but stakeholders are interpreting them differently. The best next step is to coach the affected groups so they share the same understanding of when to monitor, when to escalate, and when to activate contingency.
Once stakeholders use the same rules, response decisions become consistent and risk reporting becomes reliable. Escalating or acting early before the stated criteria are met addresses the symptom, not the cause.
Shared understanding of trigger, threshold, and contingency criteria is needed before stakeholders can respond consistently.
Topic: Risk Strategy and Planning
During planning for a hybrid product launch, the sponsor says the organization has a “moderate appetite” for market-timing risk. The marketing lead says even a one-week delay is unacceptable, while finance says the business case can absorb up to $200,000 in extra cost. The workshop stalls because participants keep using appetite and threshold as if they mean the same thing. What should the risk manager do next?
Best answer: D
What this tests: Risk Strategy and Planning
Explanation: The discussion is stalled because stakeholders are confusing a broad risk appetite statement with project-specific risk thresholds. The best next step is to facilitate agreement on measurable delay and cost limits that fit the project’s stated absorption capacity.
This is a risk appetite versus risk threshold problem. Risk appetite is the organization’s general willingness to accept uncertainty, while a risk threshold is the specific level of exposure that becomes unacceptable or requires action on this project. Absorption capacity adds a practical limit on how much impact the business can absorb. In the scenario, “moderate appetite” is too broad to guide analysis by itself, so the facilitator should help stakeholders translate it into explicit schedule and cost thresholds that everyone can apply consistently.
Triggers and quantitative forecasts can support later monitoring and analysis, but they do not resolve unclear acceptance criteria.
This separates a general willingness to accept uncertainty from the measurable project limits needed for prioritization and escalation.
Topic: Risk Strategy and Planning
A digital enrollment project delivers most of its expected business benefit only if it goes live before the annual renewal window. During planning, stakeholders say they can accept some extra cost to protect that date, but not more than a one-week delay. Which Risk Strategy and Planning action best reflects this benefits context?
Best answer: B
What this tests: Risk Strategy and Planning
Explanation: When benefits depend on hitting a specific date, stakeholder willingness to accept uncertainty must be translated into risk appetite and explicit thresholds during planning. That guidance belongs in the risk management plan, where risk rules are defined before detailed analysis and response work.
Benefit materialization is a key business driver in Risk Strategy and Planning. If most value is lost when the project misses a time window, schedule uncertainty should be treated more conservatively than cost uncertainty. In this case, stakeholders are signaling a relatively low appetite for schedule risk and a specific boundary of no more than one week of delay. Those decisions should be documented in the risk management plan so later identification, analysis, escalation, and response decisions use the same risk rules.
The closest distractor confuses a planning limit with a trigger for an individual risk.
Because the project’s value depends on timing, planning should convert stakeholder benefit sensitivity into explicit schedule appetite and threshold guidance.
Topic: Risk Identification
A hybrid product launch project set the schedule risk threshold during planning: delays of up to 10 days were acceptable. Two months later, a regulator moves its filing window earlier, and business stakeholders say even a 3-day slip could jeopardize market entry. Which analysis approach should the risk manager use first to help stakeholders challenge the current threshold?
Best answer: D
What this tests: Risk Identification
Explanation: The best first step is to revisit the qualitative impact criteria with stakeholders. A probability-impact reassessment lets them challenge whether a 10-day schedule threshold still reflects project reality after the regulatory change.
Risk thresholds express what level of exposure stakeholders consider acceptable, so when the context changes, the first need is to recalibrate those criteria. In this case, the key question is not which risk source is largest or what the exact monetary exposure is; it is whether the existing schedule impact threshold is still valid. A qualitative probability-impact reassessment updates the impact bands and related ratings so stakeholders can compare the new consequences of delay against current tolerance.
Once the threshold is redefined, the team can update the risk register, reprioritize affected risks, and decide whether deeper quantitative analysis is needed. Sensitivity analysis or EMV may be useful later, but they do not directly empower stakeholders to challenge the threshold itself.
This directly tests whether the old delay threshold still matches stakeholder tolerance under the changed context.
Topic: Risk Response
A project avoids a delivery threat by moving all critical work to one strategic supplier. The risk manager asks the PMO to assess whether this response increases supplier-concentration exposure across other projects. Which risk response principle is being applied?
Best answer: D
What this tests: Risk Response
Explanation: The planned response lowers one project risk but may increase exposure elsewhere in the organization. In that situation, the correct principle is to reevaluate organizational risk exposure before treating the response as sufficient.
When a risk response affects exposure beyond the project boundary, PMI-RMP practice is to reassess the broader organizational impact. In the stem, using one strategic supplier may reduce the project’s delivery threat, but it could also increase concentration risk across other projects. That makes this more than a project-only update to the risk register. The key distinction is scope: project-level follow-on risks are secondary or residual risks, while organizational risk reevaluation looks at wider exposure created by the chosen response. This broader check often involves governance or support functions such as the PMO. A project-only action is too narrow here.
Because the response changes exposure beyond the project, the right principle is to reassess organizational-level risk, not just project-level effects.
Topic: Risk Response
A hybrid data-migration project has this analyzed threat:
Probability: 20%
Impact if it occurs: 3-week go-live delay
Schedule threshold: 1 week
Cause: tax authority may publish a new mandatory file layout
Trigger: formal bulletin announcing the new layout
Prepared script can limit delay to 3 days if activated
Building support for all possible layouts now adds 4 weeks
Go-live date cannot move
Which response approach best fits this analysis?
Best answer: B
What this tests: Risk Response
Explanation: A contingency plan is best when a threat is uncertain, a trigger is known, and a planned response can be activated only if the event happens. Here, that approach reduces the possible delay below the threshold without creating the certain 4-week impact of a broader proactive change.
This scenario points to a contingent response rather than pure mitigation, acceptance, or avoidance. The threat is external and cannot be prevented directly, but the team has a clear trigger and a prepared action that can reduce the impact from 3 weeks to 3 days if the event occurs. That makes contingency planning the best fit: define the trigger, assign owners, prepare the script, and execute only if the bulletin is issued.
Acceptance is too weak because the untreated impact exceeds the sponsor’s 1-week threshold. Avoidance is not feasible because go-live cannot move and the mandatory authority file remains part of the scope. Full mitigation by building every possible layout now creates a certain 4-week penalty to address a 20% threat, so it is less appropriate than a trigger-based contingent response.
A contingency plan fits because the threat is uncertain, externally driven, has a clear trigger, and a predefined action can contain impact if it occurs.
Topic: Monitor and Close Risks
A hybrid project uses a 1-5 qualitative scale, where score = probability \(\times\) impact.
A response to a hardware-delay threat added a backup supplier. At the next review, the residual risk score is 8, but the secondary risk “integration defects between suppliers” scores 16 and threatens a fixed regulatory release. What is the best interpretation?
Best answer: A
What this tests: Monitor and Close Risks
Explanation: Residual and secondary risks must be assessed separately against the project’s thresholds. Here, the residual exposure is only 8, but the secondary risk is 16, which falls in the escalation band and requires its own response.
Residual risk is the exposure left after a response, while secondary risk is new exposure created by that response. In monitoring, each current risk is compared to the approved thresholds, not just the original threat. Here, the hardware-delay residual risk scores 8, so it remains under normal monitoring. The secondary risk scores 16, which is already in the escalation range, so it needs formal escalation and a separate response plan.
The key mistake would be focusing on the reduced original threat and ignoring the higher exposure introduced by the response.
The secondary risk exceeds the escalation threshold, so it must be managed as a new active risk with its own response.
Topic: Risk Identification
In a hybrid CRM rollout, a risk identification workshop produced 28 entries. The sponsor has low tolerance for any go-live delay beyond 2 weeks, and qualitative analysis is scheduled for tomorrow. Review of the workshop output shows that 11 entries lack a clear cause or impact, and 3 entries are defects already found in system testing. What is the best action for the risk manager?
Best answer: A
What this tests: Risk Identification
Explanation: Before qualitative analysis, the output of risk identification must contain valid risk statements and enough detail to assess them consistently. Here, the list mixes current issues with uncertain events and has incomplete entries, so it needs validation and cleanup first.
The core concept is validating risk identification results for both correctness and completeness before using them in later risk processes. In this scenario, the defects found in testing are current issues, so they should be managed through the issue log rather than treated as risks. The entries missing cause or impact are also not ready for qualitative analysis because the team cannot assess probability, impact, timing, or ownership reliably.
Schedule pressure and stakeholder risk tolerance do not justify analyzing an invalid or incomplete list.
Risk identification results must be complete and valid, and items that have already occurred are issues, not risks.
Topic: Risk Identification
On a hybrid claims-platform project, a team member logs this risk: “Vendor API documentation may arrive late and delay integration testing, causing the November release to miss the regulatory window.” The sponsor’s schedule threshold is 10 business days, the PMO risk register has separate fields for cause, event, impact, and trigger, and the vendor has not yet missed any committed delivery date. Before qualitative analysis, what is the best action?
Best answer: C
What this tests: Risk Identification
Explanation: The best action is to improve the risk statement before scoring it. In PMI-RMP risk identification, the cause, uncertain event, impact, and trigger should be documented separately so analysis and later responses are based on clear information.
A well-formed risk statement separates what creates the uncertainty from what might happen and what effect it could have. In this scenario, late vendor documentation is the cause, delayed integration testing is the risk event, and missing the regulatory release window is the impact. Because the vendor has not yet missed a commitment, this is still a risk rather than an issue. The sponsor’s 10-day threshold matters later for prioritization and escalation, but it does not replace proper documentation. Recording the trigger separately, such as a missed documentation milestone, also improves monitoring. Clear separation in the risk register supports better qualitative analysis, ownership, and response planning.
A usable risk entry separates the underlying cause, the uncertain event, and the effect on objectives so later analysis and response planning are accurate.
Topic: Risk Response
To reduce the threat of a single-supplier delay, a hybrid project splits a critical package between two vendors. After this response is implemented, the team identifies a new uncertainty: interface mismatches between vendor outputs could cause rework during integration. The project has no historical data for this setup, but the risk management plan requires newly identified risks to be prioritized on a 1-5 matrix before more actions are chosen. Which analysis approach is best now?
Best answer: B
What this tests: Risk Response
Explanation: This is a secondary risk because it was created by implementing the original response. With no historical data and a defined 1-5 scoring method in the risk management plan, a qualitative probability-impact assessment is the most appropriate way to evaluate and prioritize it now.
A secondary risk is a new risk caused by a response action. In this case, splitting work across two vendors reduced one threat but introduced another: integration mismatch and rework. Because the team lacks historical data for the new setup, the most suitable evaluation method is the qualitative probability-impact matrix already defined in the risk management plan. That approach lets the team estimate likelihood and impact consistently, compare the new secondary risk with other risks, and decide whether additional response is needed.
RBS classification only tells where the risk belongs, not how significant it is. Monte Carlo is better for aggregate quantitative uncertainty when a modeled data set exists. Variance review comes later, after performance data exist, and is used to monitor actual results rather than evaluate a newly identified uncertainty.
This is the best immediate way to evaluate a newly introduced secondary risk when the plan already defines a qualitative 1-5 prioritization method and detailed quantitative data are unavailable.
Topic: Monitor and Close Risks
A predictive hospital-lab upgrade project has a risk that delayed regulator approval may postpone equipment installation. The risk management plan states that any single risk forecasting more than 10 days of schedule variance, or worsening for two consecutive reviews after response implementation, must be escalated to the sponsor; the sponsor has no tolerance for missing the mandated go-live date. The regulatory liaison completed the planned response actions, but the forecast impact has worsened from 6 to 9 to 12 days over the last three weekly reviews. What is the best action?
Best answer: C
What this tests: Monitor and Close Risks
Explanation: The risk has crossed the defined escalation threshold and its exposure trend is worsening even after planned responses were carried out. That is the point where monitoring should trigger formal escalation and a check on whether the current response is still effective.
In risk monitoring, variance data are not just for reporting; they are used to decide when governance action is needed. Here, the project has two clear signals: the forecast schedule impact exceeded the stated 10-day threshold, and the exposure worsened over consecutive reviews after the response was implemented. That means the current response is not adequately containing the risk.
The best action is to follow the risk management plan by escalating to the sponsor and reevaluating the response with the risk owner. Low sponsor tolerance for missing the mandated go-live date makes prompt escalation even more important. Simply documenting the change or waiting for the next routine review would ignore agreed escalation criteria and evidence of declining response effectiveness.
The agreed threshold is breached and exposure is still worsening after responses, so escalation and response reevaluation are required.
Topic: Risk Response
During a hybrid CRM rollout, the team identifies a threat that the vendor API may not be stable by final release testing. Data from the last three releases show a 30% chance of late defects, and any launch-weekend outage would exceed the sponsor’s threshold; the sponsor has very low tolerance for customer-facing disruption. A contract change would take a month, so the project team must own the immediate response. Which action best addresses both the risk’s probability and impact?
Best answer: B
What this tests: Risk Response
Explanation: The best choice is the only response that reduces the likelihood of the threat and limits damage if it still happens. That fits the low risk tolerance, the threshold breach, and the fact that the team must act now without waiting for a contract change.
A threat response can target probability, impact, or both. In this scenario, the risk is credible because recent release data shows a repeat pattern, and the sponsor’s threshold would be breached by a launch outage. An early API spike is a probability-focused mitigation action because it exposes integration problems sooner and increases the chance they are fixed before final testing. A manual fallback is an impact-focused action because it reduces customer disruption if the API is still unstable at launch. Using both together is the strongest response because it lowers the chance of occurrence and softens the consequence. Options that only add contingency, transfer cost, or delay review fail to address the full exposure under the stated constraints.
This combines probability reduction through early validation with impact reduction through a planned fallback if the threat still occurs.
Topic: Risk Identification
A hybrid project will run risk identification during release planning, before major procurements, and at each monthly governance review. Which artifact should define this timing so it aligns with the project’s overall risk approach?
Best answer: C
What this tests: Risk Identification
Explanation: The risk management plan sets the approach, timing, and cadence for risk work across the project. Because the question asks where identification timing is defined in alignment with the overall risk approach, the planning artifact is the correct match.
Timing for risk identification is a planning decision. In PMI-RMP terms, the risk management plan describes how risk management will be conducted, including methods, roles, and when key activities such as identification will occur. If a team wants identification at release planning, procurement gates, and governance reviews, that cadence should be defined there so everyone uses a consistent approach.
The other artifacts serve later or different purposes. The risk register captures specific identified risks, the risk report summarizes overall exposure and trends, and lessons learned capture improvement insights. The key point is that identification timing is designed as part of the overall risk management approach, not documented as an outcome of identification.
It defines how and when risk management activities, including identification exercises, will be performed.
Topic: Risk Analysis
During a risk workshop, team members rate the same vendor delay differently. The facilitator refers to the risk management plan, which defines high probability as above 70% and medium schedule impact as a 3-10 day delay. What practice is the facilitator using?
Best answer: A
What this tests: Risk Analysis
Explanation: The facilitator is using agreed rating criteria to standardize how probability and impact are interpreted. This is a core qualitative risk analysis practice because it makes risk scoring more consistent across participants before prioritization.
In qualitative risk analysis, teams need common definitions for probability and impact so that ratings mean the same thing to everyone. When the risk management plan defines ranges such as above 70% for high probability or 3-10 days for medium schedule impact, it is providing calibration rules for qualitative assessment. Those agreed criteria reduce personal bias, improve comparability across risks, and make the probability-impact matrix more reliable.
This is different from monitoring triggers, assigning owners, or running quantitative models. The key idea is consistency in how risks are rated, not what response will be used later or how aggregate exposure will be calculated.
Predefined probability and impact criteria calibrate judgments so different participants rate risks consistently during qualitative analysis.
Topic: Risk Strategy and Planning
An organization uses a lightweight risk template for small internal projects. A new hybrid program involves three vendors, novel technology, and uncertain regulatory changes, so the risk manager adds detailed categories, review cadences, escalation rules, and criteria for quantitative analysis. Which Risk Strategy and Planning principle does this illustrate?
Best answer: A
What this tests: Risk Strategy and Planning
Explanation: The description is about tailoring the risk management approach before detailed risk work begins. When project complexity and uncertainty increase, PMI-RMP practice calls for deeper planning, clearer governance, and more robust analysis criteria.
The core concept is tailoring the risk management plan to the project environment. A simple, low-uncertainty project may need a lighter approach, but a hybrid effort with multiple vendors, new technology, and changing external conditions requires more planning rigor. That added rigor can include more detailed risk categories, more frequent reviews, clearer escalation paths, stronger communication rules, and defined criteria for when deeper analysis is needed. Those decisions belong to Risk Strategy and Planning because they determine how risk management will be performed. By contrast, documenting specific risks, assigning response action owners, and tracking residual exposure are later activities. The key takeaway is that risk planning depth should scale with the project’s complexity, uncertainty, and delivery context.
Higher complexity and uncertainty justify a more detailed risk management plan with stronger review, escalation, and analysis rules.
Topic: Risk Analysis
During qualitative risk analysis for a hybrid ERP rollout, the same vendor-integration risk is rated high by operations and low by the development lead. The approved probability-impact matrix was used, but the team did not explain the basis for the scores. What should the project manager do next?
Best answer: C
What this tests: Risk Analysis
Explanation: When stakeholders rate the same risk differently, the next step is calibration. Asking them to explain their assumptions reveals whether they are judging different triggers, timeframes, or impact bases, which is necessary before the team finalizes the rating.
In risk analysis, differing scores often come from different assumptions rather than from careless scoring. The project manager should coach stakeholders to explain what conditions they assumed when judging probability and impact, such as timing, dependencies, trigger conditions, and affected objectives. That creates a common basis for comparison and allows the team to apply the matrix consistently.
If the team skips that discussion, the final rating may look precise but still be unreliable. Response planning should follow a calibrated rating, not replace it. And the item remains a risk unless the uncertain event has already happened. The key takeaway is to improve rating quality by making stakeholder assumptions explicit before moving forward.
Different scores should be reconciled by surfacing their underlying assumptions before finalizing the risk rating.
Topic: Risk Analysis
During a qualitative risk analysis workshop for a hybrid project, the team reviews a supplier-delay threat. The risk management plan states that any threat with probability above 50% and schedule impact above 10 days is rated high and sent for quantitative analysis. Historical data shows a 60% chance of a 15-day delay, but the procurement manager wants to rate it medium to avoid alarming the steering committee. What should the project risk lead do?
Best answer: D
What this tests: Risk Analysis
Explanation: The best action is to coach the stakeholder through the agreed probability-impact criteria and supporting data, then keep the rating produced by that standard. This preserves engagement without weakening analysis quality or bypassing the threshold for quantitative analysis.
In risk analysis, stakeholder calibration means helping participants apply the agreed scoring rules consistently, not changing the rules to fit a preferred outcome. Here, the risk management plan already defines what qualifies as a high threat, and the evidence places the supplier-delay risk above that threshold. The project risk lead should review the criteria and data with the procurement manager, document the rationale, and retain the threshold-based result. If the recalibrated score remains high, the risk should proceed to quantitative analysis as planned. Lowering the rating to avoid attention weakens analysis integrity, while excluding the stakeholder damages future participation and trust. Reopening thresholds is unnecessary unless project governance formally changes them.
This keeps the stakeholder involved while applying the approved analysis standard and threshold correctly.
Topic: Risk Identification
During identification input analysis for a hybrid CRM project, the team reviews an assumption that a vendor will deliver final API specifications by May 10. A vendor note says the specifications are still in draft and may slip by up to 3 weeks. Integration testing cannot begin until the final specifications are received, and the procurement lead manages vendor commitments. Which risk register entry is best refined from this evidence?
Best answer: A
What this tests: Risk Identification
Explanation: The evidence shows a future threat, not a current issue. The best entry uses the draft vendor specifications as the cause, the possible miss of the May 10 delivery as the event, the testing and release delay as the impact, and assigns the procurement lead because that role manages vendor commitments.
Risk identification evidence should refine a risk into a clear cause-event-impact statement and assign a risk owner who can monitor and manage the exposure. Here, the vendor note does not prove the deadline has already been missed, so this remains a risk rather than an issue. The strongest entry is:
The weaker choices either reverse cause and impact, misclassify the uncertainty as an issue, or misuse an assumption as if it were the risk statement itself.
This option correctly states a future threat with a clear cause, event, impact, and accountable risk owner.
Topic: Monitor and Close Risks
A hybrid CRM rollout uses these agreed monthly reporting criteria for overall project risk:
Last month the overall exposure score was 17. This month it is 22 after two vendor dependency risks increased in urgency. What risk level should be reported to the steering committee?
Best answer: B
What this tests: Monitor and Close Risks
Explanation: The agreed criteria use both current exposure and trend. Because the score rose from 17 to 22, the project is in the 15-24 range with a worsening trend, which maps to high risk.
In Monitor and Close Risks, the current project risk level should be assessed using the predefined reporting rules, not ad hoc judgment. Here, the exposure score is 22, which falls in the 15-24 range. That range is only moderate when the trend is stable or improving. The score increased from 17 last month to 22 this month, and the stem states that two dependency risks became more urgent, so the trend is clearly worsening. Under the agreed criteria, that makes the current overall project risk level high.
A common mistake is to rate only by the current score and ignore the trend rule. Another is to delay reporting even though the agreed thresholds already provide enough information for a current assessment.
A score of 22 is in the 15-24 band, and the increase from 17 to 22 makes the trend worsening under the agreed criteria.
Topic: Risk Strategy and Planning
A project manager is preparing stakeholders for a risk workshop on a hybrid CRM implementation. Preliminary review of the business case, draft vendor contract, lessons learned, and assumption log shows recurring uncertainty around vendor interfaces, data conversion, regulatory approvals, and training readiness. Which analysis approach would best use these findings to prepare stakeholders for a more complete risk identification effort?
Best answer: A
What this tests: Risk Strategy and Planning
Explanation: The goal here is to prepare stakeholders for fuller risk identification, not to quantify exposure yet. Building an initial RBS is the best qualitative approach because it organizes early document clues into categories that guide workshop discussion.
In preliminary document analysis, the main purpose is to turn early signals from project documents into a structure that helps stakeholders identify risks thoroughly. An initial risk breakdown structure (RBS) is well suited to this stage because it groups findings such as vendor, technical, regulatory, and organizational uncertainties into categories that can be used as prompts during the workshop.
By contrast, ranking, EMV, and Monte Carlo are better after specific risks or modeled uncertainty data are available.
An initial RBS turns scattered document findings into clear risk categories that help stakeholders identify risks more completely and consistently.
Topic: Risk Identification
A hybrid implementation project depends on a vendor-built test environment due in six weeks. The sponsor has low appetite for schedule slippage, and the risk management plan states that any delay greater than 5 working days must be escalated. Vendor milestone data is updated twice a week, and the procurement lead owns this risk. What is the best action to support later monitoring decisions?
Best answer: C
What this tests: Risk Identification
Explanation: The best action is to document both observable triggers and the stated threshold now. Because reliable vendor milestone data exists and escalation is required beyond 5 working days, capturing that information in the risk register makes later monitoring objective and timely.
Triggers are early warning signs, while thresholds define the point at which a monitoring decision changes, such as escalation or response activation. In this scenario, the project already has three things needed for effective later monitoring: reliable vendor milestone data, a named risk owner, and a defined escalation threshold of more than 5 working days. The strongest action is therefore to record specific trigger information and the threshold in the risk register during risk identification.
Simply labeling the risk as important or delaying trigger definition makes later monitoring less consistent and less actionable.
This creates objective early-warning indicators and a clear action point for the owner during later monitoring.
Topic: Monitor and Close Risks
A hybrid product rollout is tracking risk R-31: vendor API changes might cause interface defects during launch. The risk register says this risk can be closed after two consecutive release cycles with zero unresolved interface defects and after the product owner confirms any residual manual rework is within tolerance. The last two cycles met that defect condition, and the product owner has given that confirmation. Which approach best supports closing this risk?
Best answer: B
What this tests: Monitor and Close Risks
Explanation: Risk closure should be based on evidence, not assumption. Here, the monitored defect trend meets the predefined closure rule, and the product owner confirms the remaining exposure is within tolerance, so trend-based interpretation plus stakeholder context is the best support for closure.
The key concept is that a risk should be closed only when monitoring data show the closure criteria have been met and relevant stakeholders agree that any remaining exposure is acceptable. In this scenario, the risk register already defines the closure rule: two consecutive release cycles with zero unresolved interface defects, plus product owner confirmation about residual manual rework. The recent monitoring results satisfy the data requirement, and the product owner provides the stakeholder context needed to confirm closure.
Methods such as Monte Carlo, EMV, or RBS review may be useful in other situations, but they do not provide stronger closure evidence for this specific risk.
It directly compares monitored defect results to the defined closure criteria and includes stakeholder confirmation that residual exposure is acceptable.
Topic: Risk Strategy and Planning
A newly authorized hybrid implementation project is preparing its first risk planning workshop. During preliminary document analysis, the risk manager wants to retain only records that directly inform how project risk should be planned and framed. Which document set is most relevant to keep as planning inputs?
Best answer: D
What this tests: Risk Strategy and Planning
Explanation: The best planning inputs are the documents that define the project context before detailed risk work starts. The project charter, stakeholder register, assumptions log, and prior lessons learned help establish objectives, constraints, stakeholder perspectives, and likely sources of uncertainty.
In preliminary document analysis, the goal is to retain documents that help shape the project risk process, not documents that mainly report execution results or operational details. The most useful planning inputs are records that clarify project objectives, high-level constraints, assumptions, stakeholder interests, and historical risk patterns. That is why the combination of the project charter, stakeholder register, assumptions log, and prior lessons learned is strongest: it supports tailoring the risk management approach and prepares the team for effective risk identification.
Documents such as defect logs, variance reports, burn charts, and support manuals can be useful later for issue management, monitoring, or transition work, but they are not the best primary inputs for establishing the risk process at the start. The key distinction is whether the document helps frame risk planning versus report ongoing performance.
These documents provide objectives, constraints, stakeholder context, assumptions, and historical risk information needed to shape the risk approach.
Topic: Risk Analysis
During a hybrid EHR rollout, the clinical sponsor asks the risk lead to run Monte Carlo analysis on a newly identified vendor interface risk because steering committee members are worried about the go-live date. The risk management plan says new risks must first be calibrated with the agreed probability-impact matrix, and quantitative analysis is reserved for top risks with reliable data; only rough estimates exist so far. What should the risk lead do?
Best answer: B
What this tests: Risk Analysis
Explanation: The key distinction is qualitative versus quantitative analysis. Because this is a newly identified risk with only rough estimates, the team should first use the agreed qualitative criteria with stakeholders, then decide whether deeper quantitative analysis is justified.
In PMI-RMP practice, stakeholder engagement should support analysis discipline, not replace it. Here, the risk management plan already defines the standard: newly identified risks are first assessed qualitatively with the agreed probability-impact matrix, and quantitative analysis is used only for selected high-priority risks with reliable inputs. The best action is to involve the sponsor and relevant stakeholders in that calibration so their concern is heard while the project keeps comparable, defensible risk ratings. If the calibrated result shows high exposure and better data becomes available, quantitative analysis can follow. Jumping straight to Monte Carlo would create false precision and bypass the agreed analysis approach.
This keeps stakeholders involved while following the agreed standard that qualitative analysis comes before quantitative modeling.
Topic: Risk Strategy and Planning
During risk planning for a hybrid billing-system rollout, stakeholder analysis shows the sponsor is willing to accept moderate budget uncertainty to protect the regulatory deadline. The operations manager states that any cutover outage longer than 30 minutes is unacceptable and must be escalated. Which interpretation should the project manager use when planning stakeholder risk engagement?
Best answer: A
What this tests: Risk Strategy and Planning
Explanation: Stakeholder analysis helps the team plan risk engagement by identifying both stakeholder attitudes and stakeholder limits. Here, the sponsor expresses a general willingness to accept uncertainty, while the operations manager sets a specific unacceptable limit.
The core concept is distinguishing risk appetite from risk threshold when using stakeholder analysis to plan risk engagement. Risk appetite is a stakeholder’s overall willingness to accept uncertainty in pursuit of objectives. In this scenario, the sponsor accepts some budget uncertainty to protect the regulatory date, which reflects appetite. A risk threshold is the specific level of risk exposure or impact that becomes unacceptable or requires action. The operations manager’s 30-minute outage limit is a threshold because it defines a clear escalation boundary.
Using this distinction improves the risk engagement approach by tailoring communication, escalation rules, and risk reviews to each stakeholder’s needs. A trigger would be a warning sign that a risk response should start, and an assumption would be an uncertain planning premise, so neither fits these statements. The key takeaway is that stakeholder analysis should capture both tolerance patterns and explicit escalation limits.
It correctly separates a stakeholder’s general willingness to accept uncertainty from a specific limit that requires attention or escalation.
Topic: Risk Analysis
During qualitative risk analysis for a hybrid claims-platform project, the team agreed to classify risks by source as environment, organization, project management, or technical. Which risk-category match is correct?
Best answer: A
What this tests: Risk Analysis
Explanation: Nominal classification groups risks by their source, not by the objective they might affect. A delay caused by an enterprise approval board comes from organizational governance, so it belongs in the organization category.
In qualitative risk classification, the key question is where the uncertainty originates. Internal governance structures, shared services, reporting lines, or decision forums are organizational sources. External factors such as regulation, market conditions, or weather are environmental. Planning, estimating, scheduling, coordination, and control weaknesses are project management sources. Requirements, design, integration, performance, or technology uncertainty are technical sources.
Here, the approval cadence of the enterprise architecture board is an internal governance condition, so organization is the best fit. The common trap is to classify by impact and choose project management because the schedule may slip, but nominal categories follow the source of the risk, not the affected objective.
This risk originates in internal governance outside the project team, so it is classified as organizational.
Topic: Monitor and Close Risks
A risk review shows a threat has moved beyond the project’s approved tolerance, and only the steering committee can approve the extra reserve needed. Which Monitor and Close Risks action best matches this situation?
Best answer: B
What this tests: Monitor and Close Risks
Explanation: This situation calls for risk escalation, not routine reporting. The threat has exceeded tolerance and the needed response requires authority held by the steering committee, so the risk information must be elevated for decision.
In Monitor and Close Risks, escalation is the correct action when a risk exceeds agreed thresholds or when the response requires approval from someone outside the project team’s authority. Here, the project already knows the threat is beyond tolerance, and only the steering committee can authorize the additional reserve. That means the key need is not just visibility, but a decision from stakeholders who hold the right authority. Updating the risk report or register may still happen, but those are supporting communications and records. Reassigning ownership does not create approval authority, and lessons learned are captured after resolution or closure. The key distinction is between informing stakeholders and escalating to them for a required decision.
When the required response approval sits outside project authority, the correct action is to escalate the risk through governance.
Topic: Risk Identification
During a risk identification workshop for a hybrid ERP rollout, the project manager reviews four proposed entries before updating the risk register. Which proposal is the most valid risk statement to record?
Best answer: A
What this tests: Risk Identification
Explanation: A valid risk register entry must describe a future uncertainty clearly enough to analyze and monitor. The statement about a possible API change causing rework and release delay is the only option that states an uncertain event with a specific impact.
Before adding or updating a risk register entry, confirm that the item is actually a risk: an uncertain future event or condition that could affect objectives. A strong risk statement is specific enough to support ownership, qualitative analysis, triggers, and response planning. Here, the possible API change is still uncertain and the effect on the release schedule is clear, so it is a valid risk entry.
Useful validity checks are:
If the event already happened, it belongs in issue management; if it is just a vague concern, it is not ready for meaningful analysis.
It describes an uncertain future event and a concrete project impact, making it suitable for risk analysis and entry in the risk register.
Topic: Monitor and Close Risks
On a hybrid ERP project, the response to vendor API instability was to build a test simulator. After two sprints, failed interface calls dropped from 18% to 6%. The risk management plan says any residual technical risk above 3% must stay open with a named owner, and the sponsor has low schedule-risk appetite before regulatory go-live. What is the best action?
Best answer: A
What this tests: Monitor and Close Risks
Explanation: The response reduced exposure, but it did not reduce it enough. Because the residual risk is still above the stated 3% threshold, it must remain open and be documented in the risk register with updated monitoring details.
Residual risk is the exposure that remains after a response has been implemented. Monitoring response results means using actual performance data to judge response effectiveness and then updating risk documentation based on what remains. Here, failed calls improved from 18% to 6%, so the response helped, but the remaining exposure still exceeds the 3% threshold and sits poorly with the sponsor’s low schedule-risk appetite before go-live. The correct action is to keep the risk open and update the risk register with the revised residual exposure, owner, triggers or metrics, and next review plan. The risk report may summarize the trend for management, but it does not replace the detailed register entry for an active residual risk. Improvement is not the same as closure.
The remaining 6% failure rate exceeds the 3% threshold, so the risk stays open and its residual exposure must be documented in the risk register.
Topic: Risk Response
A predictive data-center project needs an imported network switch for cutover. The team has identified the threat that customs delays could hold the switch for up to 20 days; qualitative analysis rates it high, the schedule threshold is 10 days, and the procurement lead is the assigned risk owner. An in-country backup supplier can be secured now, which would make late delivery less likely and limit any delay to 5 days if customs still slows the primary shipment. What should the project manager do next?
Best answer: C
What this tests: Risk Response
Explanation: The next step is to select and document the mitigation response that best reduces exposure. Securing the backup supplier acts before the threat occurs, lowers the chance that customs delay affects cutover, and limits any remaining delay to 5 days, which fits the 10-day threshold.
In response strategy selection, the project manager should use the analyzed exposure and threshold to choose a response that changes the threat before it occurs. Here, the risk is still uncertain, the owner is already assigned, and securing the backup supplier can be done now. That makes it a mitigation response, not issue management. It addresses both dimensions of exposure because it lowers the probability that customs delay will affect cutover and reduces the impact by capping any remaining delay at 5 days, within the 10-day threshold.
The key takeaway is to select and document the proactive response when it can reduce both likelihood and consequence.
This is the best next step because it proactively reduces both the probability of delay and the schedule impact if the threat occurs.
Topic: Risk Identification
In a hybrid product launch, the team identifies a threat that a specialized vendor may deliver test hardware too late for system integration. The risk owner agrees to prepare the fallback plan if the shipment slips beyond the agreed threshold of 5 business days. Which statement should be documented in the risk register as the trigger for this risk?
Best answer: D
What this tests: Risk Identification
Explanation: A risk trigger is a specific, observable condition that indicates a risk may be happening. Here, the shipment exceeding the 5-business-day threshold is the measurable signal that tells the risk owner when to act.
A risk trigger is an early warning sign recorded in the risk register so the risk owner knows when a risk may be occurring or is about to occur. The best trigger is specific, observable, and tied to an agreed threshold. In this scenario, the shipment being more than 5 business days late directly signals that the vendor-delay threat is materializing.
The statement about a launch delay is tempting, but it describes a consequence, not the warning sign that should be monitored.
This is the observable, measurable condition that signals the identified vendor-delay risk may be occurring.
Topic: Risk Identification
Before a risk identification workshop for a hospital system rollout, the project manager invites the clinical lead, data migration architect, procurement specialist, and service desk manager to join the core team because each understands a major source of uncertainty. Which Risk Identification task does this planning action best represent?
Best answer: D
What this tests: Risk Identification
Explanation: This scenario is about designing a risk identification exercise with the right people in the room. Selecting relevant stakeholders and SMEs is a core Risk Identification practice because it improves the completeness and quality of identified risks.
In Risk Identification, the quality of the output depends heavily on who participates. When planning a workshop, interview, or review session, the project manager should include stakeholders and SMEs whose knowledge matches the main uncertainty sources in the work. Here, the invited participants cover clinical use, data migration, vendor/procurement dependency, and operational support, so the exercise is being tailored to uncover risks across those areas.
This is different from assigning risk or action owners, which happens after specific risks and responses exist. It is also different from setting probability-impact scales for analysis or summarizing exposure in a risk report. The key idea is that good identification starts with deliberate participant selection.
The participants were chosen for their domain knowledge so the identification exercise can surface risks across key uncertainty areas.
Topic: Risk Analysis
A hybrid ERP rollout team completes a SWOT workshop and wants to add the next item to the risk register for opportunity analysis. Which finding should the team treat as an opportunity?
Best answer: B
What this tests: Risk Analysis
Explanation: SWOT separates internal factors from external uncertainties. The possible free cutover support is external, uncertain, and beneficial to project objectives, so it belongs in opportunity analysis. The other findings are a strength, a weakness, and a threat.
In SWOT-based risk analysis, strengths and weaknesses are internal conditions, while opportunities and threats are external uncertainties that can affect project objectives. For risk-register analysis, an opportunity is a future event or condition with a potentially beneficial impact. Possible free cutover support from the vendor is external to the project, not guaranteed, and could reduce implementation effort or schedule pressure, so it should be analyzed as an opportunity. Strong migration skill is simply a current strength. Having only one knowledgeable tester is a weakness and a source of exposure, but it is not a positive uncertainty. A possible finance approval delay is a threat because the likely impact is negative. The deciding distinction is positive uncertain external benefit versus internal factor or negative risk.
It is an uncertain external condition that could positively affect project objectives, so it is an opportunity.
Topic: Monitor and Close Risks
After a testing risk was triggered, the team used a workaround that limited schedule impact. When the risk is closed, they document the trigger, the response outcome, and recommendations for future projects. Which artifact should be updated?
Best answer: B
What this tests: Monitor and Close Risks
Explanation: This description matches a lessons learned update. The team is recording risk-management findings and response outcomes for future reuse, not just tracking the risk’s current status or summarizing overall exposure.
The key concept is updating project knowledge during risk closure. A lessons learned register is used to capture what was observed from the risk event, including triggers, response actions, effectiveness, residual effects, and recommendations for future work. In the scenario, the team wants to preserve experience from an actual triggered risk so future projects or later phases can benefit from it.
A risk register would still be updated to reflect status and closure, but its main purpose is to track identified risks and their current details. A risk report summarizes overall risk exposure and major trends for stakeholders. A risk management plan defines how risk management will be performed, so it is not the main place for recording outcomes from a closed risk.
When the focus is “what happened and what should we do next time,” think lessons learned.
It captures what happened, how the response performed, and recommendations for improving future risk practice.
Topic: Risk Strategy and Planning
A project manager is compiling the risk management plan for a hybrid ERP rollout. The sponsor says any schedule slip over 10 days must be escalated, but operations will accept extra cost if it protects the go-live date. Which artifact or resource is most important to use now to document risk thresholds and escalation rules?
Best answer: D
What this tests: Risk Strategy and Planning
Explanation: The risk management plan defines how risk will be managed, including thresholds and escalation rules. Those elements should come from current stakeholder risk appetite and threshold information, not from issue tracking or from records of individual risks.
This question tests which input is needed to compile a risk management plan. When the team needs to define risk thresholds, tolerances, and escalation rules, the most important source is current stakeholder information about risk appetite and thresholds. Those inputs shape how much variation is acceptable, when escalation is required, and how risks will be governed.
The other artifacts serve different purposes:
A good check is simple: if the question is about how risk will be managed, think risk management plan inputs, especially stakeholder thresholds and governance expectations.
Thresholds and escalation rules in the risk management plan should be based on current stakeholders’ risk appetite and tolerance information.
Topic: Risk Analysis
A project risk analyst has a schedule model with uncertain inputs such as vendor lead time, team productivity, and defect rework. The team wants to know which input has the greatest effect on the planned release date so it can focus responses on the main driver. Which method best fits this need?
Best answer: A
What this tests: Risk Analysis
Explanation: Sensitivity analysis is used to determine which uncertain variables have the largest influence on a project objective such as cost or schedule. Here, the team is not asking for the full range of possible release dates; it wants to identify the main driver.
Sensitivity analysis is the quantitative risk analysis method used when the goal is to identify the inputs that most affect an objective. In this case, the schedule model already exists, and the team needs to know whether vendor lead time, productivity, or defect rework drives the release date the most. By varying inputs and observing the change in the outcome, sensitivity analysis highlights the strongest drivers and helps prioritize response planning, data refinement, and management attention. Results are often displayed in a tornado diagram. The key distinction is that the team wants variable influence, not just a forecast of possible outcomes.
Sensitivity analysis identifies which uncertain input variable has the strongest effect on the objective, often shown with a tornado diagram.
Topic: Risk Analysis
On a hybrid product launch project, identified threats have been assessed for probability, impact, and urgency, but the risk register has not yet assigned overall priority. The risk management plan says priority must be derived from the project’s approved weighting criteria before any response is selected. Some stakeholders want to act first on the highest-exposure risk, the most urgent risk, or the cheapest response. What should the risk manager do next?
Best answer: C
What this tests: Risk Analysis
Explanation: The next step is to determine overall risk priority using the method defined in the risk management plan. Risk exposure and urgency can inform that ranking, but they do not replace it, and response cost belongs to later response selection.
In risk analysis, the team should now convert the assessed attributes into an overall priority ranking using the method defined in the risk management plan. Risk exposure may be derived from probability and impact, and urgency may affect how quickly attention is needed, but neither one automatically becomes the final priority unless the approved weighting rules say so. Response cost is a response-selection consideration, not the basis for risk priority.
The closest trap is jumping directly to the highest-exposure risk, which skips the required prioritization step.
Priority must be assigned first using the approved weighting criteria; exposure, urgency, and response cost are not substitutes for the project’s priority ranking.
Topic: Risk Identification
A hybrid project’s risk workshops are led by the sponsor and lead architect. In recent sessions, junior team members stayed silent and the same risks were repeated, even though several dependencies changed. The risk manager wants an identification approach that reduces social pressure and surfaces dissenting views before group discussion. Which approach is best?
Best answer: A
What this tests: Risk Identification
Explanation: When hierarchy and repeated consensus are silencing stakeholders, the main design goal is to separate idea generation from social pressure. Anonymous Delphi rounds do this by collecting independent risk inputs first and only then bringing the group together to compare themes.
In risk identification, the key design concern here is groupthink caused by dominant voices and power distance. A structured anonymous technique such as Delphi is most appropriate because participants submit risks independently, the facilitator summarizes the results, and later rounds refine differences without forcing early conformity.
Methods that start with a senior leader’s list, require managers to pre-filter views, or push immediate public voting encourage early convergence. Those approaches may feel efficient, but they reduce challenge and can miss important risks. When suppressed dissent is the problem, independence before consensus is the best exercise design.
Anonymous Delphi rounds gather independent input without hierarchy pressure, then allow controlled convergence on the risk list.
Topic: Risk Analysis
During qualitative risk analysis for a hybrid billing-platform project, the sponsor rates a vendor-integration threat as high impact because she assumes only one release window remains. The technical lead rates it medium impact because he assumes one interface can move to the next increment. The project already has an approved probability-impact matrix. What should the risk manager do next?
Best answer: C
What this tests: Risk Analysis
Explanation: This is a qualitative calibration problem, not a categorization or quantitative modeling problem. The best next step is to use the approved probability-impact matrix and have stakeholders explain the assumptions driving their ratings so the team can agree on a defensible score.
When stakeholders give different risk ratings, the difference often comes from hidden assumptions rather than from the risk itself. Here, one person assumes a fixed release window and another assumes scope can shift to a later increment. The right analysis approach is a facilitated qualitative calibration using the approved probability-impact matrix, with stakeholders stating the basis for their ratings before the team finalizes the score.
A good calibration step is to:
Averaging scores hides disagreement. RBS classification organizes risks by source, but it does not resolve conflicting impact assumptions. EMV is premature when the immediate problem is inconsistent qualitative judgment.
Calibration using the approved matrix works only when stakeholders explain and reconcile the assumptions behind their different ratings.
Topic: Risk Response
In a hybrid product launch, the risk register shows a threat that an external API may not be ready for final integration. The response plan is to build a mock service, secure an early vendor test slot, and add focused defect reviews. The trigger has occurred twice, the release is four weeks away, the sponsor’s schedule threshold is no more than one sprint slip, and the integration manager is already the risk owner. No action owners are assigned. What should the project manager do next?
Best answer: B
What this tests: Risk Response
Explanation: When a response plan includes several distinct tasks, each task needs an action owner with authority to perform it. Here the trigger has already recurred and schedule tolerance is tight, so the project manager should assign specific action owners now while the integration manager stays accountable for the overall risk.
PMI-RMP distinguishes the risk owner from action owners. The risk owner monitors the threat, tracks triggers, and ensures the response remains appropriate. Action owners carry out the specific response tasks.
In this scenario, the planned responses span different work areas: development, vendor coordination, and quality review. Because the trigger has already occurred twice and only four weeks remain before release, delaying assignment or placing every task under one person weakens execution. The best action is to assign each response activity to the role that controls the required work, resources, and timing, and capture those assignments in the risk register.
Low schedule tolerance supports prompt, clear execution responsibility; it does not mean the sponsor should perform operational response work.
Response actions should be owned by the people who can directly execute them, while the integration manager remains the overall risk owner.
Topic: Monitor and Close Risks
After a mitigation response is implemented, some schedule uncertainty still remains and is above the project’s approved risk threshold. The team keeps the risk open and continues tracking that remaining exposure. What is this monitoring action?
Best answer: D
What this tests: Monitor and Close Risks
Explanation: This describes residual risk monitoring. A response was implemented, but material exposure still remains above threshold, so the risk should stay open and be monitored rather than closed.
This situation is residual risk monitoring. Residual risk is the part of the original uncertainty that remains after a response is planned or implemented. If that remaining exposure is still material or above the project’s agreed threshold, PMI-RMP practice is to keep the risk active in monitoring and update its status, ownership, and next actions in the risk register. Implementing a response does not by itself justify closure.
The key distinction is that closure is appropriate only when the risk has expired or the remaining exposure is acceptable and managed.
Remaining exposure after a response is residual risk, so it stays open until that exposure is acceptable or otherwise managed.
Topic: Risk Strategy and Planning
A company is delivering a hybrid project: site equipment installation follows a predictive schedule, while customer-facing software is built in two-week sprints. The sponsor's risk threshold is that any threat that could delay regulatory go-live by more than 10 business days must be escalated within 24 hours. Which risk process should the project manager establish?
Best answer: D
What this tests: Risk Strategy and Planning
Explanation: The best choice tailors risk activities to the hybrid environment while keeping common governance rules. Agile and predictive work need different review cadences, but the escalation threshold must stay consistent so major exposure is visible quickly.
The core concept is tailoring the risk management process to the project environment and delivery approach. In a hybrid project, software teams need frequent risk reviews that fit sprint planning and reviews, while installation work often fits a weekly or milestone-based cadence. Using one shared escalation threshold and common risk register keeps risk information comparable and ensures threats to the regulatory go-live date are raised within the sponsor’s tolerance.
A good fit usually includes:
A single monthly review is too slow for fast-moving sprint risks, while separate unmanaged methods reduce consistency and delay escalation.
This tailors risk work to each delivery approach while preserving a common threshold and escalation path for project-level governance.
Topic: Risk Identification
A hybrid customer portal project has an approved risk management plan and is holding its first risk identification workshop. Two senior architects dominate the discussion, and the team lists only technical threats. Before moving to qualitative analysis, the sponsor asks the risk manager to ensure both threats and opportunities are surfaced. What should the risk manager do next?
Best answer: A
What this tests: Risk Identification
Explanation: The team is still in risk identification, and the current workshop method is producing a biased, incomplete list. The best next step is to change the facilitation technique so participants can surface both threats and opportunities before moving into analysis or response work.
This item tests risk identification exercise design. When a workshop is dominated by a few voices and produces only threat-focused output, the facilitator should adjust the method, not move ahead in the process. A structured technique such as silent brainstorming followed by round-robin sharing helps broaden participation, while separate prompts for downside and upside uncertainty help uncover both threats and opportunities tied to project objectives.
After the fuller set of risks is identified, the team can document them in the risk register, assign ownership as appropriate, and then perform qualitative analysis. Moving directly to scoring or response planning would skip an incomplete identification step. Waiting until monitoring would also be too late, because monitoring is for tracking known risks and emerging changes, not for compensating for a poorly run identification exercise.
This resets the facilitation approach so the team can identify a balanced set of downside and upside risks before analysis begins.
Topic: Risk Response
A hybrid product launch project has three triggered threat risks, but the team can execute only one approved response this week. The risk management plan states: “When capacity is limited, prioritize triggered risks by urgency. The assigned action owner executes the approved response.”
Exhibit:
1) Regulatory review delay
PI score: 12/25
Urgency: Submission update due in 2 days
Risk owner: Project manager
Action owner: Compliance lead
2) Supplier packaging defect
PI score: 16/25
Urgency: Safety stock covers 3 weeks
Risk owner: Procurement manager
Action owner: Supplier quality engineer
3) User training shortfall
PI score: 10/25
Urgency: Next training wave starts in 4 weeks
Risk owner: Change manager
Action owner: Training lead
Which action should the project manager take now?
Best answer: B
What this tests: Risk Response
Explanation: The plan already defines how to execute triggered responses: use urgency to decide which approved action starts first, and have the named action owner perform it. The regulatory review delay is most urgent because action is needed within 2 days, so that response should start now with the compliance lead.
This item is about executing a response plan according to the agreed decision rules and ownership model. When multiple triggered risks compete for limited capacity, the risk management plan says urgency is the deciding qualitative analysis factor. That makes the regulatory review delay the priority, because its response must be implemented within 2 days, while the supplier issue has 3 weeks of safety stock and the training risk has 4 weeks before impact.
The project manager should coordinate implementation, but the assigned action owner carries out the response. Here, that is the compliance lead, not the project manager as risk owner. Repeating analysis is unnecessary because the triggers have already occurred and the prioritization rule is explicit.
The key takeaway is to follow the predefined urgency rule and the action-owner assignment during response execution.
Urgency is the stated prioritization method, and the action owner—not the risk owner—executes the approved response.
Topic: Risk Identification
During constraint analysis for a hybrid claims-platform project, the team identifies a threat that a vendor may deliver a payment API late and delay integration testing. Constraints are a regulator-mandated launch date, no additional budget, and a contract that prohibits adding another supplier. Any testing delay over 3 days exceeds the sponsor’s risk threshold. Which response is most appropriate?
Best answer: D
What this tests: Risk Identification
Explanation: Constraint analysis helps rule out responses that are not actually available. With a fixed launch date, no extra budget, and no option to add another supplier, the practical choice is to mitigate the threat using internal means before the 3-day threshold is breached.
Constraints identified during risk identification shape which responses remain realistic. Here, the launch date cannot move, the budget cannot increase, and the contract prevents bringing in a second supplier. Those facts rule out avoidance through schedule delay and transfer through a backup vendor. The 3-day threshold also makes passive acceptance weak, because the team already knows that a delay of that size is outside tolerance. A mitigation response that reduces reliance on the late deliverable, such as using an internal simulator for early integration testing, fits the constraints and lowers the probability or impact of the threat. The best response must be both appropriate in theory and executable within actual project limits.
Mitigation is feasible within the fixed date, budget, and contract constraints while reducing the threat before it exceeds threshold.
Topic: Risk Strategy and Planning
A project manager is preparing the first risk identification workshop for a hybrid product launch. Before meeting the team, she reviews the charter, draft vendor agreement, assumptions log, lessons learned, and release roadmap. A team lead asks why this preliminary document analysis is done before risk identification begins.
What is the best answer?
Best answer: B
What this tests: Risk Strategy and Planning
Explanation: Preliminary document analysis is performed first to understand the project context before the team starts naming risks. Reviewing key documents helps uncover assumptions, constraints, dependencies, objectives, and historical trouble spots so risk identification is more complete and relevant.
The core concept is preparation for effective risk identification. Before the team can identify meaningful threats and opportunities, it needs a grounded view of the project environment, including objectives, assumptions, constraints, dependencies, contractual conditions, and lessons from similar work. Preliminary document analysis provides that context and highlights where uncertainty is most likely to exist.
This step improves the quality of the first identification session by helping the team:
Options about contingency use, issue handling, and residual risk belong later, after specific risks have been identified and usually analyzed. The key takeaway is that preliminary document analysis prepares the team to identify risks well; it does not manage already-defined risks.
Preliminary document analysis provides project context and reveals potential sources of uncertainty so risk identification starts focused and complete.
Topic: Risk Analysis
A hybrid payroll implementation can perform detailed analysis on only one newly identified threat this week. The risk management plan defines weighted priority as Score = (Probability × 4) + (Impact × 3) + 2 if the trigger is within the next two sprints; otherwise +0.
Risk 1: Data migration script may fail; Probability 3, Impact 5, trigger next sprint
Risk 2: Vendor may delay interface specs; Probability 4, Impact 4, trigger in 3 months
Risk 3: Compliance reviewer may request rework; Probability 2, Impact 5, trigger this sprint
What should the risk manager do next?
Best answer: A
What this tests: Risk Analysis
Explanation: Applying the weighting rule gives scores of 29, 28, and 25. The data migration script risk is therefore the highest priority, so it is the best candidate for the team’s next detailed analysis step.
Risk weighting combines multiple factors into one comparable priority score so limited analysis effort goes to the most significant exposure. Here, calculate each score before deciding the next step:
3 × 4 + 5 × 3 + 2 = 29
4 × 4 + 4 × 3 + 0 = 28
2 × 4 + 5 × 3 + 2 = 25
Because 29 is the highest score, the data migration script risk should move forward first for detailed analysis. A near trigger increases urgency, but it does not make a risk an issue unless the event has already occurred. Likewise, lower priority does not justify automatic closure; the risk remains in the register and continues to be monitored.
Its weighted score is highest at 29, so it should receive the next analysis effort first.
Topic: Risk Strategy and Planning
A public-sector project will replace a permit system using a hybrid approach: predictive work for infrastructure and agile sprints for citizen-facing features. Eight agencies must approve interfaces, policy rules are still changing, the sponsor has low risk appetite for service interruption, and historical data is limited because the cloud platform is new to the organization. The project manager suggests using the standard one-page risk plan from routine upgrades. What is the best action?
Best answer: C
What this tests: Risk Strategy and Planning
Explanation: This project has both high complexity and high uncertainty: hybrid delivery, many dependencies, changing rules, low tolerance for disruption, and weak historical data. Those conditions call for a deeper, tailored risk management plan upfront rather than a routine lightweight approach.
The key concept is tailoring the depth of risk planning to the project environment. When a project has multiple dependencies, mixed delivery approaches, changing requirements, and a low stakeholder tolerance for failure, the risk management plan should be more detailed. That means defining clear risk thresholds, review cadence, roles, escalation paths, and methods appropriate to the available data.
Limited historical data does not justify shallow planning. It means the team should strengthen planning discipline and rely on fit-for-purpose methods, such as structured qualitative assessment and frequent reassessment, until better data emerges. In this scenario, a routine upgrade template is too thin because it would not adequately support coordination across agencies, predictive and agile work, and strict service-continuity expectations.
The closest distractor is reusing the lightweight plan for now, but waiting reduces clarity at the point when uncertainty is already high.
High complexity, high uncertainty, hybrid delivery, and low risk appetite require deeper, tailored risk planning from the start.
Topic: Risk Analysis
On a hybrid ERP project, the risk management plan says a threat is ranked High if its probability-impact score is 12 or more, or if its trigger could occur within 10 days. In a risk review, the team confirms these ratings: data migration risk probability 2, impact 4, trigger in 30 days; interface vendor delay risk probability 3, impact 4, trigger in 5 days. The sponsor still wants the data migration risk ranked highest because it “feels more dangerous.” What should the project manager do?
Best answer: D
What this tests: Risk Analysis
Explanation: The project manager should apply the approved probability-impact and urgency criteria exactly as defined in the risk management plan. The interface vendor delay risk meets the High threshold, while the data migration risk does not, so preference should not change the ranking.
Risk ranking should follow the criteria defined in the risk management plan, not a stakeholder’s personal preference. Here, the interface vendor delay risk has a score of 12 and a trigger within 5 days, so it meets the project’s High-priority criteria. The data migration risk scores 8 and has no near-term trigger, so it should rank lower unless new evidence changes its assessed probability, impact, or urgency. A sponsor can request a reassessment if facts were missed, but cannot simply override the agreed matrix because a risk feels worse. Quantitative analysis or contingency activation is unnecessary at this point because the approved qualitative criteria already support the ranking. The key is consistent use of established thresholds so priorities are comparable and defensible.
It meets the approved High criteria through both score and near-term trigger, so ranking should follow the plan.
Topic: Risk Response
On a hybrid ERP rollout, the team identified a risk that a key vendor interface may not be ready before integration testing. The risk register includes the cause, event, impact, trigger, and assigned risk owner, and the vendor still says delivery is on track. The risk management plan defines probability-impact criteria and escalation thresholds, but this risk has not yet been analyzed. The sponsor asks which response strategy should be chosen next. What should the project manager do?
Best answer: A
What this tests: Risk Response
Explanation: The risk has been identified and assigned, but it has not yet been analyzed against the project’s criteria. The best next step is to assess its probability and impact before selecting avoid, mitigate, transfer, or accept.
In PMI-RMP practice, response strategy selection comes after enough risk analysis to support a sound decision. In this scenario, the event is still uncertain, so it remains a risk rather than an issue. Because the project already has defined probability-impact criteria and thresholds, the next step is to apply those criteria, document the result in the risk register, and then decide whether a response strategy or deeper analysis is warranted. Choosing transfer immediately would skip the evidence needed to justify that strategy, and vendor confidence alone is not proof that the uncertainty is gone. The key takeaway is simple: analyze first, then select the response that matches the assessed exposure.
Response strategy selection should follow analysis so the team chooses a treatment based on assessed exposure, not assumption.
Topic: Risk Response
A hybrid payments project is 4 weeks from the end of Sprint 5. The risk register shows:
Risk: Vendor API certification may be delayed
Strategy: Mitigate
Trigger: >5 critical sandbox defects open 10 business days before Sprint 5 ends
Owner: Integration lead
The next steering review is in 3 weeks. Which response action best fits this strategy?
Best answer: D
What this tests: Risk Response
Explanation: The selected strategy is mitigate, so the response should be a scheduled preventive action that lowers the chance of delayed certification before the trigger is reached. A defect workshop next week directly targets the defect indicator and uses the named risk owner.
A time-bound response action turns a chosen strategy into a specific plan: who will act, what they will do, and when they will do it. Because the strategy is mitigate, the action should reduce the probability or impact of the threat before exposure increases. Here, the trigger is defect count 10 business days before Sprint 5 ends, and the next steering review is later than that. The best response is therefore an immediate action by the integration lead to drive the defect count down before the trigger date.
The other choices either wait too long or switch to a different response strategy.
This is a preventive, time-bound mitigation action owned by the risk owner and scheduled before the trigger.
Topic: Risk Analysis
In a hybrid ERP rollout, the risk manager runs a Monte Carlo schedule simulation. The three-point estimates for several vendor tasks are based on rough expert judgment because the organization has no comparable historical data. The model shows a 78.4% chance of meeting the November 1 go-live and identifies interface testing as the largest schedule driver. Which interpretation is BEST?
Best answer: B
What this tests: Risk Analysis
Explanation: Quantitative model outputs are only as reliable as their inputs. Here, rough expert-based estimates with no historical calibration make the 78.4% forecast too precise for a firm commitment, but the model still provides useful directional insight about the main schedule driver.
In sensitivity and modeling methods, the key principle is that precision in the output does not overcome poor input quality. A Monte Carlo result such as 78.4% looks exact, but when duration ranges come from rough judgment and there is no comparable historical data, that probability should be treated as approximate rather than commitment-grade evidence. The useful part of the analysis is the directional insight: interface testing appears to be a major source of schedule exposure and deserves deeper estimating, response planning, or contingency review.
The closest trap is rejecting quantitative analysis entirely; the real problem is overinterpreting weak-input results, not using modeling itself.
The model can highlight the main driver, but rough uncalibrated inputs do not support a firm commitment from an exact-looking probability.
Topic: Risk Strategy and Planning
Before the first risk identification workshop for a hospital system upgrade, the risk manager reviews the project charter, vendor contract, assumptions log, stakeholder register, and lessons learned from similar projects. A team lead asks why this preliminary document analysis is done before the workshop begins. What is the best explanation?
Best answer: B
What this tests: Risk Strategy and Planning
Explanation: Preliminary document analysis prepares the team for risk identification; it does not perform later risk work. By reviewing key artifacts and prior lessons, the team can spot assumptions, constraints, dependencies, and recurring uncertainty sources before the workshop starts.
Preliminary document analysis is performed before risk identification so the team understands the project context and has better prompts for finding risks. Reviewing items such as the charter, contracts, assumptions log, stakeholder information, and lessons learned can reveal likely sources of uncertainty: external dependencies, restrictive terms, requirement gaps, stakeholder sensitivities, and historical patterns. That improves the completeness and quality of the upcoming identification session and helps build a stronger risk register. This step is still preparation for identification, not qualitative analysis, quantitative analysis, or response planning. The key distinction is that the team is looking for potential sources and areas of uncertainty, not yet scoring risks, choosing responses, or managing issues that have already happened.
Preliminary document analysis gives the team context and likely sources of uncertainty so risk identification is more complete and focused.
Topic: Risk Strategy and Planning
A hybrid project is defining its qualitative risk analysis rules. The sponsor states that the organization has very low appetite for missing the regulatory go-live date: any delay beyond 2 days must be escalated. The organization can absorb up to a 3% cost overrun without escalation. Which approach best aligns the project’s risk thresholds with this appetite?
Best answer: B
What this tests: Risk Strategy and Planning
Explanation: Risk thresholds should operationalize organizational risk appetite. Because the organization has much lower tolerance for schedule slippage than for cost growth, the qualitative analysis criteria should use different threshold levels for each objective rather than one uniform scale.
The key concept is that risk appetite is translated into project-level risk thresholds. In this scenario, the organization will tolerate some cost variance but has almost no tolerance for delay to the regulatory date, so the qualitative analysis approach should use objective-specific thresholds in the probability-impact matrix or related escalation rules. That allows a relatively small schedule impact to be rated and escalated sooner than a similar cost impact. RBS classification helps group risks, and EMV helps compare monetary exposure, but neither method sets thresholds that reflect differing appetite by objective. A single common impact scale would blur the difference between low schedule appetite and higher cost absorption capacity. Align thresholds by objective, not by convenience.
Different objective-specific thresholds translate the organization’s low schedule appetite and higher cost absorption into usable risk criteria.
Topic: Risk Identification
On a hybrid medical-device project, risk planning is complete. The project manager receives sprint retrospective transcripts showing repeated interface rework, endurance-test telemetry showing battery drain above forecast, and a supplier call transcript noting a possible chip allocation delay. None has yet affected scope, schedule, or cost. What should the project manager do next?
Best answer: A
What this tests: Risk Identification
Explanation: Once risk planning is complete, project data such as transcripts and telemetry should be used as identification inputs. Because these are still uncertain future conditions, the next step is to identify and document risks in the risk register before assigning responses or treating them as issues.
This is a risk identification input analysis decision. After the risk management plan is in place, the team should examine available project data, including transcripts, test telemetry, and supplier discussions, for signals of uncertain future events or conditions. Those signals should then be converted into clear risk statements and recorded in the risk register so they can later receive owners, qualitative analysis, and response planning.
The weaker choices either jump ahead to response work, misclassify risks as issues, or delay identification until the threat has already materialized.
These transcripts and telemetry are valid risk identification inputs, so they should be analyzed and translated into risk register entries before analysis or response planning.
Topic: Monitor and Close Risks
A project risk manager compares six weekly overall risk exposure scores. Week 4 shows a spike, but Weeks 5 and 6 return to the earlier range. The manager is using the pattern over time to judge whether the spike was temporary or the start of worsening exposure. Which monitoring method best matches this activity?
Best answer: D
What this tests: Monitor and Close Risks
Explanation: This describes trend analysis. The key clue is the use of multiple reporting periods to decide whether a spike is just noise or evidence that project risk exposure is deteriorating.
In Monitor and Close Risks, a single high exposure value does not by itself show worsening risk conditions. Trend analysis looks at direction and persistence across several periods to determine whether exposure is stabilizing, improving, or getting worse. Here, the manager compares six weekly exposure scores and uses the return to the earlier range to judge that the spike may be temporary rather than a sustained deterioration.
The closest distractor is variance analysis, which compares current results with a baseline or expected value at a point in time. That can show deviation, but trend analysis is what helps distinguish a one-time exception from a worsening pattern over time.
Trend analysis reviews exposure data over multiple periods to tell whether a deviation is temporary or part of a sustained worsening pattern.
Topic: Risk Identification
A hybrid hospital e-prescribing project is preparing for a pilot release. The sponsor will not accept more than a 3% cost overrun, the pilot date is fixed by a board commitment, and the lead integration architect is available only 8 hours per week. During risk identification, the team learns that a new state rule must be met before any patient data can be used. What is the best action?
Best answer: A
What this tests: Risk Identification
Explanation: Constraint analysis classifies a constraint by its source, not by every objective it may influence. Because the requirement comes from a state rule, it should be captured as a regulatory constraint and used to identify related compliance risks.
In constraint analysis, the key question is where the limitation comes from. An externally imposed law, rule, or mandated standard is a regulatory constraint, even when it creates technical work, consumes scarce resources, or threatens a fixed date. Recording it by source improves risk identification because similar compliance-driven risks can be grouped, assigned owners, and monitored with the right triggers.
The fixed pilot date is a separate schedule constraint, and the architect’s limited availability is a separate resource constraint. Those effects matter, but they do not change the origin of the new requirement. Classifying the rule by impact instead of source weakens the quality of the risk register.
The rule originates from an external legal requirement, so its source is regulatory even if it also affects schedule, design, or staffing.
Topic: Risk Identification
During risk identification for a hybrid CRM rollout, the team records: “Interfaces may delay go-live.” Review of prior project logs shows delays were caused by late changes to a vendor pricing API, and if repeated, system integration testing would start 2 weeks late. The team is unsure whether the integration lead or procurement lead should own the risk. Which analysis approach should the risk manager use first to refine the risk’s cause, event, impact, and ownership in the risk register?
Best answer: C
What this tests: Risk Identification
Explanation: The best first step is to classify the identified risk by source so the team can rewrite it clearly and assign ownership appropriately. An RBS helps turn a vague statement into a specific vendor-dependency risk with a defined cause, event, impact, and likely owner.
This item is about improving identification quality before deeper analysis. The evidence already points to a likely source: late changes from an external vendor API. Using an RBS helps classify the risk by origin, such as external dependency or supplier risk, which supports rewriting the entry into a proper cause-event-impact format and assigning ownership to the role best positioned to monitor that source and its triggers.
Probability-impact scoring, EMV, and Monte Carlo are useful later, but they mainly measure exposure or uncertainty after the risk has been clearly identified. Here, the immediate gap is not the size of the risk; it is the quality of the risk statement and the clarity of ownership.
First refine and classify the risk, then analyze how large it is.
RBS classification organizes the evidence by risk source, which helps sharpen the cause-event-impact statement and identify the owner closest to that source.
Topic: Risk Identification
In a hybrid implementation project, the risk management plan states that newly identified risks must be entered in the risk register before qualitative analysis and response planning. During release planning, the team notes that the cloud vendor may retire a required API next quarter, which could delay integration testing by 3 weeks if no replacement is ready. What is the best next step?
Best answer: B
What this tests: Risk Identification
Explanation: This is still a risk because the vendor change has not happened yet. The best next step is to update the risk register with enough detail to support later analysis, ownership, response planning, and monitoring.
The core concept is proper sequencing for a newly identified risk. Because the vendor may retire the API in the future, this is an uncertain threat, not an active issue. The risk register is the living artifact that should first capture the risk statement and key details such as cause, impact, trigger, and an initial risk owner. Once entered, the team can perform qualitative analysis, decide on an appropriate response, and continue updating the same record during monitoring as status, actions, residual risk, and outcomes change.
Acting before the risk is registered and analyzed can create wasted effort, unclear accountability, and poor use of reserves. Treating it as an issue or closing it now breaks the risk flow and weakens traceability.
A newly identified uncertain event should first be documented in the risk register so it can be analyzed, assigned, and managed.
Topic: Risk Analysis
A risk analyst must compare two delivery approaches. Each approach has several possible outcomes with stated probabilities and cost impacts, and management wants a visual model to evaluate the best overall choice under uncertainty. Which risk analysis method best fits this need?
Best answer: C
What this tests: Risk Analysis
Explanation: Decision tree analysis is used when a team must compare discrete alternatives that lead to different uncertain outcomes. It visually lays out choices, chance events, and associated impacts so the team can judge which option is preferable.
The key clue is the need to compare alternative courses of action under uncertainty using a visual model with probabilities and impacts. Decision tree analysis is designed for exactly that purpose: it shows each decision path, the possible chance outcomes on each path, and the resulting values so alternatives can be compared consistently.
Sensitivity analysis is used to identify which variables most affect project outcomes, not to map branching choices. Monte Carlo simulation models the range and likelihood of overall outcomes across many iterations, but it is not primarily a branch-by-branch comparison of discrete options. A probability-impact matrix is a qualitative prioritization tool, not a quantitative choice model.
When the question is about choosing among alternatives with uncertain branches, decision tree analysis is the best match.
It compares alternatives by mapping decision branches, uncertain outcomes, and their probabilities to support the best choice under uncertainty.
Topic: Risk Identification
A hybrid electronic health record rollout is entering release planning. The sponsor’s risk appetite for clinical-service disruption is very low, and the approved risk threshold for unplanned downtime is 15 minutes. The initial risk workshop included only the vendor and IT team; the operations lead and nurse supervisor were absent, and the draft risk register assumes a 2-hour cutover outage. What should the project manager do next?
Best answer: D
What this tests: Risk Identification
Explanation: The identification inputs are incomplete because critical operational stakeholders were absent and the current outage assumption conflicts with the project’s downtime threshold. With very low appetite for disruption, the team should get those stakeholders’ input and update the risk register before moving on.
This is a risk identification input-quality problem, not yet an analysis or approval decision. The vendor and IT team produced a draft risk list, but the absent operations lead and nurse supervisor are the stakeholders most likely to know the real workflow constraints and service tolerance. Their missing input is material because the draft assumption of a 2-hour cutover outage directly conflicts with the approved 15-minute threshold and the sponsor’s very low appetite for disruption. The best action is to hold a focused stakeholder review, validate assumptions and constraints, identify any missing threats or opportunities, and then update the risk register. Only after the identification inputs are complete should the team score, prioritize, or seek approval for the identified risks. Scoring early would create false confidence in an incomplete risk picture.
Key operational stakeholders are missing, so risk identification inputs must be completed before further analysis or approval.
Topic: Risk Analysis
A hospital is deploying a new patient-records platform. The risk owner and analyst have completed analysis of a pending privacy-rule change: 40% probability, possible 4-week delay, and a compliance breach if unmanaged. The sponsor has zero tolerance for avoidable violations. What should the risk manager do next?
Best answer: D
What this tests: Risk Analysis
Explanation: Once a risk has been analyzed, stakeholders need the impact information in a form that supports a defensible decision. Because the exposure threatens compliance and exceeds the sponsor’s tolerance, the next step is to communicate the analyzed impact through formal risk reporting and briefing.
In risk analysis, the purpose of the work is not just to score a risk but to provide decision-quality information about its effect on project objectives. Here, probability and impact are already analyzed, the exposure affects schedule and compliance, and the sponsor’s threshold is effectively zero for avoidable violations. That means the next step is to communicate the analyzed impact to the appropriate stakeholders so they can decide on escalation, funding, and response direction.
Treating the item as an issue, implementing a response immediately, or closing it would bypass proper risk-governance flow.
Analysis is complete, so the next step is to communicate the objective impact to decision makers before response selection or funding.
Topic: Risk Strategy and Planning
During planning for a bank’s weekend billing-system cutover, the sponsor says the organization has a very low appetite for incorrect customer charges. In the workshop, a team lead writes, “If mock-conversion reconciliation errors exceed 0.5%, initiate rollback,” and labels that statement as the project’s risk appetite. Before finalizing the risk management plan, what should the risk manager do next?
Best answer: C
What this tests: Risk Strategy and Planning
Explanation: Risk appetite is the stakeholder’s overall willingness to accept uncertainty, while a threshold or trigger is a specific measurable point that prompts action. Here, the sponsor’s low tolerance for billing errors is the appetite, and the 0.5% error rate is the threshold/trigger for the conversion risk.
This item tests the distinction between a broad risk attitude and a specific monitoring limit. Risk appetite expresses how much uncertainty a stakeholder or organization is willing to accept in pursuit of objectives. A threshold or trigger is a defined condition for a particular risk that tells the team when to escalate or implement a planned response.
In this scenario, “very low appetite for incorrect customer charges” is the governing attitude that should inform planning. The statement about reconciliation errors exceeding 0.5% is not appetite; it is a project-level threshold/trigger tied to the conversion risk and the rollback response. The best next step is to document these separately in the proper risk artifacts so the team can plan and monitor consistently. Defining a trigger does not mean the risk has already occurred, and it certainly does not justify closing it.
The sponsor’s statement is risk appetite, while 0.5% is a measurable threshold/trigger for one specific risk.
Topic: Monitor and Close Risks
On a hybrid ERP rollout, the risk register lists: “Data migration defects may delay cutover.” The approved mitigation is extra mock-load testing, owned by the migration lead. The risk management plan says to escalate and reevaluate the response if forecast delay from this risk exceeds 10 days or response effectiveness is rated below 3/5 in two consecutive reviews; use the contingency plan only if a mock cutover fails. In the last two weekly reviews, forecast delay rose to 12 days, effectiveness was 2/5 both times, and the latest mock cutover passed. What should the project manager do next?
Best answer: A
What this tests: Monitor and Close Risks
Explanation: The risk has crossed the predefined escalation and reevaluation criteria, so the project manager should follow the risk management plan. Because the contingency trigger has not occurred and the event remains uncertain, this is still a risk-monitoring and response-reevaluation decision, not issue handling or closure.
In risk monitoring, predefined thresholds tell the team when normal tracking is no longer enough. Here, both escalation conditions were met: the forecast delay exceeded 10 days, and response effectiveness stayed below 3/5 for two reviews. That means the current mitigation is no longer performing within tolerance, so the next step is to escalate through the agreed governance path and reassess the response with the named risk owner. The contingency plan should not be activated yet because its specific trigger, a failed mock cutover, has not happened. The item also should not be moved to issue management because the uncertain event has not occurred, and it should not be closed while exposure is rising. The key point is that variance beyond threshold drives escalation and response reevaluation.
The variance and effectiveness thresholds were breached, so the next step is escalation and response reevaluation with the current risk owner.
Topic: Risk Analysis
A hybrid product launch project has 12 significant uncertainties across five interdependent work packages. Several threats and opportunities may affect the same schedule path, and each affected activity already has three-point duration estimates. The sponsor wants to know the probability of meeting the committed release date and the main drivers of schedule exposure. Which analysis approach is most appropriate?
Best answer: A
What this tests: Risk Analysis
Explanation: Monte Carlo simulation is the best fit when risk complexity comes from multiple interdependent uncertainties affecting the schedule at the same time. It uses the existing three-point estimates to quantify the likelihood of meeting the target date and can identify the biggest contributors to schedule variation.
The key is to match the analysis method to the complexity of the uncertainty. This scenario is not just about ranking individual risks; it involves several interacting uncertainties across an integrated schedule, plus a need to estimate confidence in a specific release date. Monte Carlo simulation is designed for that level of complexity because it uses three-point estimates to model many possible schedule outcomes and reports the probability of finishing by the target date. It also supports sensitivity-style output that highlights which activities or uncertainties drive most of the schedule exposure. Simpler qualitative tools help prioritize risks, but they do not quantify overall date confidence. For complex, combined schedule uncertainty, use a method that models the full range of outcomes.
It models combined uncertainty across interdependent activities and can show both target-date probability and the main schedule drivers.
Topic: Risk Strategy and Planning
A program manager is tailoring risk management for two business units in a hybrid transformation. Unit A has no shared risk vocabulary, managers treat raised risks as blame, and there is no reliable historical data. Unit B routinely discusses uncertainty, uses common probability-impact criteria, and has reliable schedule and cost risk data. Which tailoring decision is most appropriate?
Best answer: D
What this tests: Risk Strategy and Planning
Explanation: Risk-management practices should match the organization’s risk culture maturity and available data. Unit A needs simple, psychologically safe qualitative methods to build participation, while Unit B can credibly support selective quantitative analysis because it already has common criteria and reliable data.
Risk culture maturity is a key environmental factor when tailoring risk-management practices. A low-maturity culture usually shows weak shared vocabulary, fear of blame, and poor data quality, so the best approach is to start with lightweight, structured qualitative practices that encourage participation and consistency. A higher-maturity culture can support more advanced analysis because people discuss uncertainty openly and the inputs are credible.
The main takeaway is to scale rigor to culture and capability, not to force one method on unlike environments.
This matches the sophistication of the practice to each unit’s risk culture maturity and data quality.
Topic: Risk Response
On a hybrid ERP project, a threat has been analyzed: the vendor may deliver migration scripts late, delaying the first release by 3 weeks. The team proposes weekly vendor checkpoints and an internal fallback script for critical tables, and both the risk owner and response action owner are assigned. Before approving the response budget, the sponsor asks whether this plan reduces probability, impact, or both. What should the project manager do next?
Best answer: C
What this tests: Risk Response
Explanation: The risk is still uncertain, and ownership is already assigned, so the next step is to evaluate the proposed response’s expected effect on exposure. Reassessing probability and impact separately shows whether the response lowers likelihood, consequence, or both, and provides a sound basis for approval and communication.
In PMI-RMP practice, a proposed response should be evaluated against the specific dimensions of the risk before it is treated as effective. The project manager should work with the risk owner to estimate residual probability and residual impact after the planned actions. Preventive actions, such as tighter vendor checkpoints, often reduce the chance that the event occurs, while fallback or contingency actions, such as an internal backup script, often reduce the effect if it does occur. Some response packages reduce both. Documenting that reassessment in the risk register and summarizing it in the risk report supports approval, communication, and later monitoring of residual exposure. Implementing first skips this decision point, moving the item to the issue log is incorrect because the event has not happened, and approval of funding does not justify closing the risk.
This determines whether the checkpoints reduce likelihood, the fallback reduces consequence, or the combined response reduces both.