Exam Identity and How to Use This Page
This Quick Reference supports candidates preparing for PMI’s PMI Risk Management Professional (PMI-RMP) exam, exam code PMI-RMP. It is independent review support and is not affiliated with PMI.
Use it to quickly reinforce:
- Risk process flow and decision logic
- Risk artifacts and ownership distinctions
- Qualitative and quantitative analysis tools
- Threat and opportunity response choices
- Common PMI-RMP exam traps around governance, escalation, reserves, and monitoring
PMI-RMP Risk Management Lens
| Concept | Exam-use meaning | Common trap |
|---|
| Project risk | Uncertain event or condition that can affect objectives | Treating every problem as a risk; an occurred risk is usually an issue |
| Threat | Negative risk | Only mitigating threats and ignoring avoidance, transfer, acceptance, escalation |
| Opportunity | Positive risk | Forgetting positive risk responses: exploit, enhance, share, accept, escalate |
| Overall project risk | Effect of uncertainty on the project as a whole | Confusing it with the sum of individual risks only |
| Individual project risk | A discrete uncertain event or condition | Managing only high-scoring individual risks while ignoring cumulative exposure |
| Risk appetite | General willingness to accept risk | Using it as a numeric trigger without tailoring |
| Risk tolerance | Degree of acceptable variation around objectives | Confusing tolerance with threshold |
| Risk threshold | Specific point at which action or escalation is required | Ignoring thresholds when deciding whether to escalate |
| Risk attitude | Stakeholder or organizational view of uncertainty | Assuming all stakeholders perceive risk the same way |
| Risk governance | Structures, roles, thresholds, reporting, escalation, and decision rights | Treating risk as only a project manager task |
| Tailoring | Adjusting risk processes to project context | Skipping tailoring on adaptive, regulated, complex, or high-uncertainty work |
Risk Management Process Flow
flowchart LR
A[Plan Risk Management] --> B[Identify Risks]
B --> C[Perform Qualitative Risk Analysis]
C --> D{Quantitative analysis needed?}
D -- Yes --> E[Perform Quantitative Risk Analysis]
D -- No --> F[Plan Risk Responses]
E --> F
F --> G[Implement Risk Responses]
G --> H[Monitor Risks]
H --> B
H --> C
H --> F
High-Yield Process Logic
| If the question says… | Think first |
|---|
| “How will risk be managed?” | Plan Risk Management |
| “New uncertain event discovered” | Identify and document the risk |
| “Which risks deserve attention first?” | Qualitative risk analysis |
| “What is the probabilistic cost or schedule exposure?” | Quantitative risk analysis |
| “What should be done about the risk?” | Plan risk responses |
| “The response owner has not acted” | Implement risk responses / follow up |
| “Risk indicators changed” | Monitor risks and reassess |
| “The risk occurred” | Manage as an issue; execute contingency or workaround as appropriate |
| “Risk exceeds authority or threshold” | Escalate using the risk management plan |
| “Baseline impact is required” | Follow integrated change control or applicable governance |
Core Artifacts
| Artifact | Purpose | Key contents | Exam distinction |
|---|
| Risk management plan | Defines how risk management will be performed | Methodology, roles, funding, timing, categories, probability/impact definitions, matrix, reporting, thresholds | It is a plan for the process, not the list of risks |
| Risk register | Detailed repository for individual risks | Risk statement, causes, impacts, owner, analysis results, responses, triggers, residual/secondary risks | Usually the primary artifact for tracking individual risks |
| Risk report | Summary view for stakeholders and governance | Overall project risk, major threats/opportunities, trends, response status, exposure | More executive and aggregate than the risk register |
| Issue log | Tracks current problems | Issue owner, due date, status, actions | Once a risk occurs, it may become an issue |
| Assumption log | Tracks assumptions and constraints | Assumption validity, risk implications | Invalid assumptions often become risks |
| Lessons learned register | Captures reusable learning | What worked, what failed, risk patterns | Update throughout the project, not only at the end |
| Stakeholder register | Identifies stakeholders and risk attitudes | Interest, influence, expectations, risk appetite | Supports risk communication and escalation planning |
| Change log | Tracks approved/declined changes | Change status, decision, implementation | Needed when risk responses change baselines |
| Risk breakdown structure | Hierarchical risk categories | Technical, external, organizational, management, commercial, etc. | Helps systematic identification |
| Probability and impact matrix | Defines qualitative scoring | Probability levels, impact scales, priority zones | Must be tailored and understood before scoring |
| Risk response plan | Selected strategies and actions | Response owner, action owner, budget, timing, triggers | Must be implementable and monitored |
| Contingency plan | Preplanned action if trigger/event occurs | Trigger, action, owner, reserve use | Different from fallback plan |
| Fallback plan | Backup if primary response fails | Secondary action path | Used when contingency is ineffective |
| Watchlist | Low-priority risks for monitoring | Owner or review cadence | Low priority does not mean ignored |
Roles and Ownership
| Role | Risk responsibility | Exam emphasis |
|---|
| Project manager | Ensures risk processes are planned, integrated, and monitored | Does not personally own every risk |
| Risk manager / PMI-RMP-type role | Facilitates risk strategy, analysis, governance, reporting, and response effectiveness | Helps decision quality; coordinates across stakeholders |
| Sponsor | Provides authority, escalation path, funding decisions, and tolerance guidance | Escalate when risk exceeds project authority |
| Risk owner | Accountable for managing an assigned risk | Owns the risk outcome and response oversight |
| Risk action owner | Performs a specific response action | Not necessarily accountable for the whole risk |
| Project team | Identifies risks, estimates impacts, implements responses | Team participation improves data quality |
| Stakeholders | Provide risk perception, requirements, constraints, and acceptance criteria | Risk attitudes may conflict |
| PMO / governance body | Sets standards, reporting expectations, escalation paths | Especially important in enterprise or portfolio risk contexts |
| Procurement / legal / contracts | Helps manage supplier, claims, liability, and contract risk | Transfer does not eliminate all project risk |
| Subject matter experts | Provide technical, market, regulatory, or domain insight | Expert judgment must still be tested for bias |
Risk Statement Reference
A strong risk statement connects cause, uncertain event, and effect.
| Element | Example |
|---|
| Cause | Because the supplier design is unproven |
| Risk event | the component may fail qualification testing |
| Effect | causing schedule delay and rework cost |
Preferred structure:
Because of cause, risk event may occur, leading to effect on objective.
Avoid vague entries such as “supplier risk” or “testing risk.” They are categories, not actionable risk statements.
Key Distinctions
| Distinction | Correct interpretation |
|---|
| Risk vs issue | Risk is uncertain; issue is happening or has happened |
| Cause vs risk | Cause exists now; risk may occur because of it |
| Trigger vs risk | Trigger is an early warning sign or condition |
| Impact vs response | Impact is the consequence; response is what you do |
| Residual risk vs secondary risk | Residual remains after response; secondary is created by the response |
| Contingency reserve vs management reserve | Contingency is for identified risks; management reserve is for unknown-unknowns or broader management control |
| Contingency plan vs workaround | Contingency is planned; workaround is unplanned response to an issue or unforeseen event |
| Risk owner vs action owner | Risk owner is accountable; action owner performs assigned tasks |
| Escalation vs transfer | Escalation moves ownership beyond project authority; transfer shifts some impact/accountability to a third party |
| Avoid vs mitigate | Avoid changes plan to remove threat; mitigate reduces probability and/or impact |
| Exploit vs enhance | Exploit seeks to ensure opportunity occurs; enhance increases probability and/or impact |
| Share vs transfer | Share is for opportunities; transfer is for threats |
Process Reference Table
| Process | Purpose | Typical tools | Main outputs | Exam traps |
|---|
| Plan Risk Management | Define risk approach before doing detailed risk work | Meetings, expert judgment, stakeholder analysis, tailoring | Risk management plan | Jumping into response planning before defining scales, roles, thresholds |
| Identify Risks | Find individual risks and sources of overall risk | Brainstorming, interviews, checklists, RBS, SWOT, assumptions analysis, prompt lists | Risk register, risk report updates | Identifying only threats; excluding stakeholders |
| Perform Qualitative Risk Analysis | Prioritize risks for further action | Probability/impact matrix, data quality assessment, urgency, proximity, expert judgment | Updated risk register and priorities | Treating qualitative score as precise math |
| Perform Quantitative Risk Analysis | Numerically analyze exposure and uncertainty | Monte Carlo, decision tree, EMV, sensitivity/tornado, simulations | Probabilistic forecasts, contingency needs | Doing expensive quant analysis when not warranted or data is poor |
| Plan Risk Responses | Select strategies and actions | Threat/opportunity strategies, cost-benefit analysis, decision analysis | Response plans, owners, reserves, change requests if needed | Selecting a response without an owner or trigger |
| Implement Risk Responses | Execute agreed responses | Status reviews, action tracking, team coordination | Implemented actions, updates | Planning responses but failing to execute them |
| Monitor Risks | Track risks, responses, residual risk, new risks, and overall exposure | Audits, reassessment, variance/trend analysis, technical performance analysis | Updates, change requests, lessons learned | Closing risk management too early |
| Tool | Best when | Watch for |
|---|
| Brainstorming | Need broad team input quickly | Dominant voices and groupthink |
| Interviews | Need detailed expert or stakeholder insight | Interviewer bias and incomplete stakeholder coverage |
| Delphi technique | Need anonymous expert consensus | Time and facilitation effort |
| Checklists | Similar past projects exist | Checklist blindness; missing novel risks |
| Risk breakdown structure | Need systematic category coverage | Categories must be tailored |
| SWOT analysis | Need internal/external and positive/negative view | Can remain too high-level |
| Assumptions and constraints analysis | Major uncertainty lies in planning assumptions | Assumptions may be politically sensitive |
| Root cause analysis | Repeated or systemic risk patterns appear | Do not confuse symptoms with causes |
| Document review | Plans, contracts, estimates, requirements exist | Poor documents may hide risk |
| Lessons learned review | Organization has historical project data | Past data may not fit current context |
| Prompt lists | Need structured risk prompts | Prompts are aids, not full analysis |
| Diagramming | Need causal relationships | Can imply false precision |
| Product or technical analysis | Complex design or engineering uncertainty | Requires qualified SMEs |
| External scanning | Market, regulatory, geopolitical, weather, or supplier uncertainty | Do not invent certainty from weak signals |
Qualitative Risk Analysis
Qualitative Scoring Reference
| Factor | Meaning | Why it matters |
|---|
| Probability | Likelihood of occurrence | Helps rank likelihood |
| Impact | Effect on objectives if it occurs | May vary by cost, schedule, scope, quality, safety, reputation, benefits |
| Urgency | How soon action is needed | A near-term moderate risk may outrank a distant one |
| Proximity | How soon the risk might affect the project | Supports timing of responses |
| Dormancy | Time between occurrence and impact | Useful for early warning planning |
| Manageability | Ability to influence the risk | Low manageability may require escalation or reserves |
| Controllability | Degree project team can control causes or responses | Helps choose response strategy |
| Detectability | Ability to detect trigger or occurrence | Low detectability increases concern |
| Connectivity | Relationship to other risks | Highly connected risks may drive systemic exposure |
| Data quality | Reliability of the data behind the rating | Poor data weakens the ranking |
| Strategic impact | Effect on business value, benefits, or reputation | Can elevate priority beyond project metrics |
Qualitative Risk Score
Use the organization’s defined scale. A simple conceptual score is:
\[
\text{Risk Score} = \text{Probability Rating} \times \text{Impact Rating}
\]
Do not treat this as universally precise. The exam often tests whether the candidate recognizes that scoring scales, thresholds, and definitions must be established in the risk management plan.
Probability and Impact Matrix Traps
| Trap | Better exam answer |
|---|
| Use generic scales without stakeholder agreement | Define and tailor probability/impact scales |
| Rank risks with poor data | assess data quality and gather better information |
| Ignore positive risks | Include opportunity scoring and response planning |
| Automatically quantify every risk | Quantify when value, complexity, exposure, or governance need justifies it |
| Score once and stop | Reassess as conditions change |
| Treat matrix score as final decision | Consider urgency, proximity, thresholds, and stakeholder risk attitude |
Quantitative Risk Analysis
When Quantitative Analysis Is Most Useful
| Use quantitative analysis when… | Reason |
|---|
| Major cost or schedule exposure exists | Need probabilistic forecast, not single-point estimate |
| Management asks for confidence level | Supports probability-based commitments |
| Large contingency decisions are needed | Helps justify reserves |
| Many risks interact | Simulation can model combined uncertainty |
| Competing response options exist | Decision trees and EMV support comparison |
| High-stakes go/no-go decision is pending | Quantitative exposure improves governance decisions |
| Contract or procurement risk is significant | Can model financial exposure and allocation |
| Tool | Best for | Output | Trap |
|---|
| Expected monetary value | Comparing alternatives with probabilities and monetary impacts | Expected value | Average outcome may not represent worst-case exposure |
| Decision tree | Sequential decisions and chance events | Path EMV | Probabilities must be credible |
| Monte Carlo simulation | Combined uncertainty in cost/schedule models | Probability distribution, confidence ranges | Garbage in, garbage out |
| Sensitivity analysis | Finding variables with biggest effect | Tornado chart | Correlation may be ignored |
| Three-point estimating | Estimating uncertain durations/costs | Expected estimate and range | Do not confuse triangular and beta/PERT |
| Scenario analysis | Testing plausible futures | Scenario impacts | Scenarios are not probabilities unless quantified |
| Influence diagrams | Showing relationships among decisions, uncertainties, outcomes | Decision model | Can oversimplify dependencies |
| Fault tree / event tree | Analyzing failure pathways or event progression | Probability or causal structure | Requires reliable technical data |
| Criticality analysis | Identifying schedule activities likely to be critical | Criticality index | Not the same as total float alone |
Expected Monetary Value
\[
\text{EMV} = \text{Probability} \times \text{Impact}
\]
For multiple independent risk events:
\[
\text{Total EMV} = \sum_{i=1}^{n} \left(P_i \times I_i\right)
\]
Use positive values for opportunities and negative values for threats if the model is set up that way. Be consistent.
Decision Tree Expected Value
\[
\text{Expected Value of Decision} = \sum \left(\text{Probability of Outcome} \times \text{Value of Outcome}\right) - \text{Cost of Decision}
\]
Choose the option with the best expected value only after considering thresholds, nonfinancial impacts, stakeholder risk appetite, and feasibility.
Three-Point Estimates
Triangular mean:
\[
\text{Triangular Mean} = \frac{O + M + P}{3}
\]
Beta / PERT mean:
\[
\text{PERT Mean} = \frac{O + 4M + P}{6}
\]
PERT standard deviation:
\[
\sigma = \frac{P - O}{6}
\]
Where:
| Symbol | Meaning |
|---|
| O | Optimistic estimate |
| M | Most likely estimate |
| P | Pessimistic estimate |
| sigma | Standard deviation |
Contingency Reserve Concept
For identified risk exposure, contingency reserve may be based on analysis such as EMV, simulation, or risk response cost.
\[
\text{Contingency Reserve} \approx \sum \text{Expected Exposure of Accepted or Residual Risks}
\]
Exam caution: contingency reserve is not a substitute for risk responses. It is planned capacity to handle identified uncertainty.
Earned value metrics are not risk processes by themselves, but they help monitor performance trends that may indicate risk exposure.
| Metric | Plain formula | Meaning |
|---|
| Cost variance | CV = EV - AC | Positive is favorable |
| Schedule variance | SV = EV - PV | Positive is favorable |
| Cost performance index | CPI = EV / AC | Above 1 is favorable |
| Schedule performance index | SPI = EV / PV | Above 1 is favorable |
| Estimate at completion | EAC = BAC / CPI | Simple forecast if current cost performance continues |
| Estimate to complete | ETC = EAC - AC | Remaining expected cost |
| Variance at completion | VAC = BAC - EAC | Positive is favorable |
| If trend shows… | Risk interpretation |
|---|
| CPI declining | Cost overrun risk increasing |
| SPI declining | Schedule delay risk increasing |
| Rework increasing | Quality or requirements risk may be materializing |
| Milestone slippage | Trigger thresholds may be crossed |
| Burn rate faster than progress | Funding or scope risk may require escalation |
| Technical performance below planned value | Technical risk may be increasing even before schedule impact appears |
Threat Response Strategies
| Strategy | Use when | Example | Trap |
|---|
| Avoid | You can eliminate the threat or protect objective from it | Change design to remove risky technology | Avoidance may change scope, schedule, or cost baseline |
| Mitigate | You can reduce probability and/or impact | Add prototype, extra testing, training | Mitigation does not remove all residual risk |
| Transfer | Another party can better bear some impact | Insurance, warranty, fixed-price contract | Transfer often creates secondary risks and does not remove responsibility to manage |
| Accept, active | Response cost is not justified, but contingency is planned | Reserve and trigger-based action | Active acceptance needs owner, trigger, and reserve |
| Accept, passive | No proactive action beyond monitoring | Watchlist low-priority threat | Passive acceptance is not ignoring |
| Escalate | Threat is outside project authority or should be managed at higher level | Strategic, portfolio, legal, enterprise risk | Escalated risk still needs tracking until accepted by the higher authority |
Opportunity Response Strategies
| Strategy | Use when | Example | Trap |
|---|
| Exploit | You want to ensure the opportunity happens | Assign top talent to capture early delivery bonus | Requires active commitment |
| Enhance | You want to increase probability and/or impact | Add resources to improve chance of earlier finish | Not the same as exploit |
| Share | Another party can help capture opportunity | Joint venture, incentive partnership | Benefits and ownership must be clear |
| Accept, active | Benefit is possible but not worth major proactive action | Prepare to use savings if they occur | Still monitor triggers |
| Accept, passive | No action unless opportunity occurs | Low-value upside | Do not spend more than value |
| Escalate | Opportunity is outside project authority | Enterprise-level market opportunity | Needs higher-level ownership |
Response Planning Decision Table
| Situation | Best response direction |
|---|
| Threat can be fully removed by changing approach | Avoid |
| Threat probability can be reduced through preventive action | Mitigate |
| Threat impact can be contractually shifted | Transfer |
| Threat is low priority and response cost exceeds expected exposure | Accept |
| Threat exceeds project manager authority | Escalate |
| Opportunity can be guaranteed through action | Exploit |
| Opportunity can be made more likely or valuable | Enhance |
| Opportunity needs partner capability | Share |
| Opportunity exceeds project scope or authority | Escalate |
| Response introduces new uncertainty | Identify secondary risk |
| Response leaves remaining exposure | Document residual risk |
| Primary response may fail | Create fallback plan |
| Risk has warning signs | Define triggers and monitoring method |
| Response affects baseline | Submit change request through governance |
“What Should the Risk Manager Do Next?” Reference
| Exam scenario | Strong next step |
|---|
| A new risk is identified in a meeting | Clarify cause-event-impact, document in risk register, assign for analysis |
| A risk owner is missing | Assign an accountable risk owner before relying on the response |
| A response action is overdue | Follow up with action owner; update status; escalate if thresholds or commitments are at risk |
| A risk has occurred | Treat as issue, execute contingency if planned, update risk and issue records |
| No contingency plan exists for an occurred risk | Develop workaround, document, assess change impacts |
| Risk response requires extra budget or schedule change | Submit change request per governance |
| Stakeholders disagree on risk priority | Refer to agreed probability/impact definitions, thresholds, and risk appetite; facilitate alignment |
| Data quality is poor | Improve data, use expert judgment carefully, document uncertainty |
| Quantitative model gives unrealistic result | Check assumptions, distributions, correlations, and input quality |
| Risk exceeds project threshold | Escalate according to the risk management plan |
| New regulation or market condition appears | Identify new risks, analyze impact, update risk report |
| Supplier misses early milestone | Check triggers, reassess procurement risk, execute response or contingency |
| Response creates another threat | Add secondary risk and assign owner |
| Residual risk remains high | Reanalyze and consider additional response, reserve, or escalation |
| A high opportunity appears | Analyze like any risk; choose exploit, enhance, share, accept, or escalate |
| Team wants to skip risk reviews | Reinforce planned cadence and explain monitoring value |
Monitoring and Control Reference
| Monitoring activity | What it detects | Typical action |
|---|
| Risk reassessment | New, changed, obsolete risks | Update register and priorities |
| Risk audit | Effectiveness of risk process and responses | Improve process or response execution |
| Variance analysis | Deviation from baselines | Investigate risk causes and triggers |
| Trend analysis | Direction of performance | Forecast worsening exposure |
| Technical performance analysis | Product performance against targets | Identify emerging technical threats |
| Reserve analysis | Adequacy of contingency | Adjust forecasts or request changes |
| Status meetings | Response progress and new risk signals | Update owners, actions, dates |
| Trigger tracking | Early warning signs | Execute contingency or response action |
| Issue review | Realized risks and current problems | Link lessons back to risk planning |
| Lessons learned | Process improvement | Update organizational knowledge |
Risk Reporting: Register vs Report
| Need | Use primarily |
|---|
| Detailed risk owner/action owner tracking | Risk register |
| Executive summary of top exposure | Risk report |
| Overall project risk trend | Risk report |
| Individual trigger status | Risk register |
| Governance escalation | Risk report plus supporting register detail |
| Response due dates | Risk register |
| Portfolio or program visibility | Risk report |
| Historical lessons and patterns | Lessons learned plus risk records |
Good risk reporting is tailored by audience. Executives usually need exposure, trend, threshold breaches, decisions required, and confidence level. Risk owners need detailed actions, dates, and triggers.
Agile, Adaptive, and Hybrid Risk Reference
| Context | Risk management emphasis |
|---|
| Predictive project | Upfront planning, baselines, formal change control, scheduled risk reviews |
| Agile project | Continuous risk identification, backlog refinement, short feedback loops, visible impediments |
| Hybrid project | Coordinate formal governance with iterative discovery |
| High uncertainty product work | Use spikes, prototypes, experiments, incremental delivery |
| Fixed regulatory or contract environment | Maintain traceability, escalation, compliance risks, and change discipline |
| Rapidly changing stakeholder needs | Frequent reprioritization and communication |
| Complex technical architecture | Early validation and technical risk burn-down |
| Distributed team | Communication, cultural, time-zone, and dependency risks |
Agile Risk Patterns
| Pattern | Risk benefit |
|---|
| Short iterations | Reduces time between risk signal and response |
| Product backlog refinement | Surfaces requirement and priority risks |
| Definition of done | Reduces quality and completeness ambiguity |
| Sprint reviews | Validates product direction and stakeholder expectations |
| Retrospectives | Improves process risk response |
| Spikes | Reduce technical or estimation uncertainty |
| Information radiators | Improve transparency of blockers and trends |
| Incremental delivery | Reduces late discovery of value and integration risk |
Exam trap: agile does not eliminate risk management. It changes cadence, visibility, and response mechanisms.
Governance, Escalation, and Change Control
| Situation | Governance response |
|---|
| Risk is within project authority and reserve | Manage through planned response |
| Risk exceeds threshold | Escalate to defined authority |
| Response changes scope, schedule, cost, quality, or contract baseline | Use change control |
| Enterprise-level risk appears | Escalate outside project governance |
| Sponsor decision is required | Present options, exposure, recommendation, and impact |
| Stakeholder risk appetite conflicts | Facilitate decision using documented thresholds and objectives |
| Risk response requires procurement action | Involve procurement/contracts early |
| Compliance or safety impact appears | Follow applicable governance and escalation paths |
A PMI-RMP candidate should distinguish informing, escalating, and requesting a change:
| Action | Use when |
|---|
| Inform | Stakeholders need awareness, but no decision is required |
| Escalate | Authority, threshold, or ownership exceeds the project level |
| Change request | Approved baseline, contract, or plan must change |
| Update records | Risk status, analysis, owner, or response detail changes |
| Implement response | Planned and approved action can be executed within authority |
Procurement and Contract Risk
| Contract / commercial feature | Risk implication |
|---|
| Fixed-price contract | More cost risk may shift to seller, but buyer retains scope, quality, change, and relationship risk |
| Cost-reimbursable contract | Buyer may retain more cost exposure; seller has lower cost risk |
| Time and materials | Flexibility with potential cost growth risk |
| Incentives | Align behavior if metrics are clear |
| Liquidated damages or penalties | May transfer some financial impact but can create relationship or claims risk |
| Warranty | Transfers certain defect costs but not all operational impact |
| Insurance | Transfers defined financial exposure, subject to terms |
| Single-source supplier | Dependency and continuity risk |
| Long-lead items | Schedule and supply chain risk |
| Ambiguous requirements | Claims, rework, and acceptance risk |
Transfer is rarely “set and forget.” Monitor supplier performance, contract assumptions, interfaces, and secondary risks.
Stakeholder and Communication Risk
| Risk source | Practical response |
|---|
| Unclear stakeholder expectations | Define success criteria and acceptance thresholds |
| Conflicting risk appetite | Facilitate explicit trade-off decisions |
| Low stakeholder engagement | Tailor communications and involve decision makers |
| Hidden opposition | Analyze influence and interests; monitor sentiment |
| Overly optimistic sponsor expectations | Use data, ranges, confidence levels, and scenarios |
| Technical team underreports risk | Create psychologically safe reporting channels |
| Distributed stakeholders | Use clear cadence, records, and escalation paths |
| Executive wants one deterministic date | Explain confidence ranges and assumptions |
Common PMI-RMP Exam Traps
| Trap | Better answer |
|---|
| Jumping straight to action | First identify, analyze, assign, and plan unless immediate action is required |
| Ignoring the risk management plan | Use it for roles, thresholds, definitions, reporting, and escalation |
| Treating risk as only negative | Include opportunities |
| Confusing risk and issue | Occurred risks are handled as issues while records are updated |
| Selecting transfer to eliminate responsibility | Transferred risks still require monitoring |
| Accepting high risks without approval | Check thresholds and authority |
| Planning responses without owners | Every significant response needs ownership |
| Forgetting residual and secondary risks | Document and analyze both |
| Using quantitative tools with weak data | Validate assumptions and data quality |
| Treating simulation as certainty | Simulation provides probability-based forecasts |
| Ignoring stakeholder risk attitude | Risk priority depends partly on tolerance and thresholds |
| Failing to implement responses | Monitoring should verify response execution |
| Not updating lessons learned | Risk process improvement is continuous |
| Escalating everything | Escalate only when authority, threshold, or ownership requires it |
| Using reserves as a response strategy | Reserves support responses; they are not the whole response |
| Topic | Formula in plain text |
|---|
| Qualitative score | Probability rating x Impact rating |
| EMV | Probability x Impact |
| Total EMV | Sum of all probability x impact values |
| Triangular mean | (Optimistic + Most likely + Pessimistic) / 3 |
| PERT mean | (Optimistic + 4 x Most likely + Pessimistic) / 6 |
| PERT standard deviation | (Pessimistic - Optimistic) / 6 |
| Cost variance | EV - AC |
| Schedule variance | EV - PV |
| CPI | EV / AC |
| SPI | EV / PV |
| Simple EAC | BAC / CPI |
| ETC | EAC - AC |
| VAC | BAC - EAC |
Final Review Checklist
Before exam day, make sure you can quickly answer:
- What artifact defines the risk process?
- What artifact tracks individual risks?
- When does a risk become an issue?
- Who owns a risk versus a response action?
- When should a risk be escalated?
- Which response strategies apply to threats?
- Which response strategies apply to opportunities?
- What is the difference between residual and secondary risk?
- When is qualitative analysis enough?
- When is quantitative analysis justified?
- What does EMV actually represent?
- Why does data quality matter before scoring or modeling?
- How do triggers, contingency plans, and fallback plans relate?
- When does a risk response require change control?
- How do agile practices change risk cadence without eliminating risk management?
Practical Next Step
Use this Quick Reference to drill scenario questions: for each practice item, identify the process, artifact, owner, threshold, and best next action before looking at the answer. Then review any missed questions against the tables above and continue with full-length PMI-RMP practice sets.