Try 10 focused PMI-RMP questions on Risk Response, with answers and explanations, then continue with PM Mastery.
| Field | Detail |
|---|---|
| Exam route | PMI-RMP |
| Topic area | Risk Response |
| Blueprint weight | 13% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Risk Response for PMI-RMP. Work through the 10 questions first, then review the explanations and return to mixed practice in PM Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 13% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original PM Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Risk Response
A hybrid project planned to mitigate the risk that a key vendor might ship hardware late by holding weekly status checks and reserving a backup deployment window. Midway through the project, the vendor confirms the shipment will miss the committed date by 12 days, and the next release will slip unless the team replans immediately. Which interpretation best shows whether the current response strategy is still appropriate?
Best answer: A
What this tests: Risk Response
Explanation: The key distinction is risk versus issue. Once the vendor confirms the missed date, the uncertainty has become an actual problem, so the team should shift from the planned mitigation response to immediate workaround or recovery actions.
Risk response strategies such as mitigate, avoid, transfer, or accept are chosen for uncertain future events. In this scenario, late delivery is no longer uncertain because the vendor has confirmed the miss, so the team must reassess the earlier strategy and move into issue management, such as replanning the release, executing a workaround, or applying recovery actions.
A trigger is an early warning that tells the team when to act before or as a risk is materializing; it is not the same as the event already occurring. Residual risk is the exposure that remains after a response, and secondary risk is a new risk created by the response itself. Those concepts may still matter later, but the first decision here is recognizing that the threat has become an active issue.
Because the uncertain event has already occurred, the team must manage an active issue rather than rely on the original mitigation plan.
Topic: Risk Response
A project team selected a mitigation strategy for a vendor-capacity risk by prequalifying a backup supplier. One month later, the risk owner reviews actual lead-time data and compares the remaining schedule exposure with the project’s risk threshold to determine whether the strategy worked as intended. Which concept does this describe?
Best answer: D
What this tests: Risk Response
Explanation: This is assessment of response effectiveness because the risk owner is checking evidence that the mitigation changed exposure as intended. Comparing actual lead-time results with the risk threshold goes beyond action completion and tests whether the strategy is working.
In PMI-RMP terms, assessing response effectiveness means evaluating whether an implemented response produced the expected change in risk exposure. A mitigation response is not considered effective just because the action was performed; it must show evidence that the threat’s probability, impact, or overall exposure was reduced to an acceptable level or improved as planned. In the stem, the risk owner uses actual lead-time data and compares the remaining schedule exposure with the stated threshold, which is exactly how effectiveness should be judged.
Simply reporting status or watching for triggers does not by itself prove the response worked.
This evaluates whether the implemented mitigation reduced residual exposure in line with the intended strategy and threshold.
Topic: Risk Response
A hybrid project mitigated a supplier-delay threat by qualifying a second component vendor. During response implementation, the quality lead finds that the backup vendor uses a different test protocol that may increase integration rework in the next release, and this new exposure has not been assessed. What should the project manager do next?
Best answer: C
What this tests: Risk Response
Explanation: The testing difference is a new uncertainty created by the chosen response, so it is a secondary risk. The next step is to capture it in the risk register, assign ownership, and evaluate its probability and impact before deciding any additional action.
A secondary risk is a new risk introduced by implementing a response to another risk. In this case, adding a backup vendor reduced the original delay threat but created a possible future integration-rework threat because of different test protocols. Since the rework has not happened yet, the project manager should treat it as a risk, not an issue.
The correct sequence is to:
Immediate corrective action skips evaluation, issue escalation misclassifies an uncertainty, and closing the original risk is premature until response effectiveness and resulting exposure are understood.
A risk created by a response should be documented, assigned, and analyzed before any further response is chosen.
Topic: Risk Response
On a hybrid system rollout, the project manager reviews this risk register entry:
Risk: External data-conversion vendor may miss the test-load date
Risk owner: Procurement manager
Trigger: Vendor setup is more than 5 days late
Contingency: Internal integration team performs the test load
Status: Trigger met
The internal integration lead has the required technical skills. What is the best responsibility allocation for executing this contingency?
Best answer: A
What this tests: Risk Response
Explanation: The best choice keeps accountability for the vendor risk with the existing risk owner and assigns execution to the person best able to perform the contingency. When a trigger is met, PMI-RMP practice separates risk ownership from action execution.
The core concept is the distinction between risk ownership and action ownership. The procurement manager should remain accountable for the vendor-related risk because that role already owns the underlying uncertainty and its monitoring. Once the trigger is met, the contingency should be executed by the person with the technical capability and authority to perform it, which is the internal integration lead.
A good responsibility allocation for contingencies or workarounds is:
Reassigning the entire risk to the technical lead confuses accountability, while sponsor ownership or shared ownership weakens execution clarity. The closest distractor is transferring the whole risk, but execution skill does not automatically change who owns the risk.
The risk owner stays accountable for the vendor risk, while the technically capable integration lead should own the contingency action.
Topic: Risk Response
On a hybrid CRM project, the response owner completed mitigation actions for the risk that vendor API defects would delay the next release. After two iterations, defect escape rate dropped from 14% to 5%, the threat rating fell from high to medium, and a residual risk remains if the vendor changes the interface again. The steering committee wants to know whether overall release exposure has improved, while the delivery team asks which triggers and fallback actions still apply. What should the project risk manager do next?
Best answer: B
What this tests: Risk Response
Explanation: The mitigation has already been implemented and measured, so the next step is to communicate response-effectiveness results appropriately. Executives need a summary of changed exposure and residual risk, while the delivery team needs detailed triggers, actions, and fallback information.
This question is about communicating risk response effectiveness at the right level of detail. The response has been executed, and monitoring data shows the threat has been reduced but not eliminated, so the project risk manager should update the risk artifacts and report the results based on stakeholder needs. The steering committee needs a management-level view of whether overall release exposure has improved and what residual risk remains. The delivery team needs operational detail such as triggers, fallback actions, and ongoing monitoring expectations. A reduced rating is not the same as risk closure, and nothing in the scenario shows that the uncertain event has already occurred as an issue. The key takeaway is to communicate evidence of response effectiveness in a stakeholder-appropriate way while continuing to monitor residual risk.
This uses measured response-effectiveness results to communicate summary exposure to management and detailed residual-risk information to the team.
Topic: Risk Response
On a hybrid product rollout, the risk register notes that a vendor sandbox update may be delayed and affect system testing. The planned response does not fit the current sprint, but the product owner and technical lead are empowered to resequence backlog items if release impact stays within the agreed 3-day threshold. A quick analysis shows that swapping two stories would limit the impact to 1 day. What should the project manager do next?
Best answer: D
What this tests: Risk Response
Explanation: Improvisation is appropriate here because authority is already delegated and analysis shows the response stays within the project’s risk threshold. The best next step is to act, then document the improvised response and any residual risk for continued monitoring.
In risk response implementation, improvisation is appropriate when the situation has been analyzed, the people taking action are within delegated authority, and the expected impact stays inside agreed thresholds. Those conditions are present here, so waiting for escalation would slow response without improving decision quality. After implementing the adjusted response, the project manager should update the risk register to reflect what was done, confirm ongoing ownership, and monitor for residual or secondary risk. This should remain in risk management because the vendor delay is still uncertain rather than an event that has already occurred. The closest trap is unnecessary escalation, but escalation is reserved for actions outside authority or beyond tolerance.
The team has delegated authority and the analyzed impact is within threshold, so the improvised response should be implemented and documented.
Topic: Risk Response
A hybrid healthcare project must implement a patient-records update before a new privacy law takes effect in 4 months. A new cloud module could fail certification and delay go-live by 6 weeks; using the currently certified module would meet the compliance deadline but add some manual work. The project’s risk threshold allows no more than 1 week delay on compliance milestones, and the sponsor has very low appetite for compliance risk. Which response strategy is most appropriate?
Best answer: A
What this tests: Risk Response
Explanation: The threat could delay a compliance milestone by 6 weeks, far beyond the 1-week threshold. Because a feasible alternative removes the uncertainty and still meets the project’s primary objective, the best response is to avoid the risk by using the certified module for this release.
When a threat exceeds a stated threshold and stakeholders have very low appetite for that type of exposure, the preferred response is the one that brings exposure back within tolerance while preserving the project objective. Here, the main objective is meeting the legal compliance date. Replacing the uncertified module with the already certified one removes the certification uncertainty from this release, so it is an avoid response.
Mitigation through extra testing may reduce probability, but it still leaves open the possibility of a delay far beyond the 1-week threshold. Transfer through vendor penalties shifts some financial impact, but it does not protect the compliance milestone. Acceptance with a fallback plan is too weak when the exposure is clearly outside appetite and a practical avoid option exists.
The key takeaway is to match the response not just to the risk type, but also to the stated threshold and business objective.
This avoids the threat by removing the uncertified module from the release and keeping the compliance milestone within the stated threshold.
Topic: Risk Response
A hybrid product launch project identifies an opportunity: a specialist vendor can provide a proven automation module that could shorten testing by 3 weeks, which is above the sponsor’s opportunity threshold of 2 weeks. The team does not have the skills to configure the module alone, and the sponsor is willing to share added cost and benefits with an external partner. What is the best risk response?
Best answer: C
What this tests: Risk Response
Explanation: The opportunity is worth pursuing because it exceeds the sponsor’s threshold, but the project team cannot realize it independently. A share response is best when an external party has the capability needed to help capture the upside.
For opportunity risks, the response strategy should match both the size of the upside and the project’s ability to realize it. Here, the potential benefit is material because it exceeds the sponsor’s 2-week threshold, but the team lacks the specialist capability to configure the automation module alone. That makes a share response the best fit: involve the vendor formally so both parties contribute to capturing the opportunity and align cost, responsibility, and benefit.
Exploit would be appropriate only if the project could make the opportunity happen directly under its own control. Enhance could improve the likelihood or impact of the opportunity, but it does not solve the capability gap. Accept is too passive because the opportunity is significant and stakeholders are willing to act.
The key is to match the response to who can actually deliver the upside.
Sharing fits because the opportunity exceeds the threshold but depends on external expertise the team does not control.
Topic: Risk Response
A vendor integration risk occurs during a hybrid release. To keep deployment moving, the team uses a manual data transfer for two weeks. The risk owner then records the workaround, updates the risk register and response plan, and reassesses any new exposure. Which risk response principle is being applied?
Best answer: C
What this tests: Risk Response
Explanation: The key principle is that a workaround is an immediate practical action, not a substitute for disciplined risk management. After using one, the team should update the risk register and response plan, then evaluate residual or secondary risk created by the action.
In PMI-RMP terms, a workaround is typically an unplanned response used when a risk occurs or when an issue must be handled quickly. It helps maintain progress, but it does not eliminate the need for formal risk documentation. The risk register should be updated with the event status, action taken, ownership, and any residual or secondary risks. The response plan should also be updated so future handling, governance reporting, and stakeholder communication stay accurate.
The common mistake is assuming that because delivery resumed, the risk-management work is finished.
Workarounds are interim actions, so the team must still update risk artifacts and assess residual or secondary risk.
Topic: Risk Response
A hybrid infrastructure project implemented two full cutover rehearsals and rollback scripts to reduce migration downtime risk. After the response, the risk owner estimates the residual risk as a 20% chance of a 6-hour outage and a 5% chance of an 18-hour outage. The sponsor requires escalation when expected residual downtime exceeds 2 hours. Which analysis approach best evaluates whether this residual risk is acceptable?
Best answer: B
What this tests: Risk Response
Explanation: After a response is implemented, the remaining exposure should be reassessed against the stated threshold. Because the residual outcomes and probabilities are given, probability-weighted expected downtime is the best way to evaluate whether the response reduced the risk enough.
The core concept is residual risk evaluation after response implementation. Here, the response has already been applied, so the next step is to measure the uncertainty that remains and compare it with the sponsor’s threshold.
\[
\begin{aligned}
\text{Expected downtime} &= 0.20 \times 6 + 0.05 \times 18 \\
&= 1.2 + 0.9 \\
&= 2.1\text{ hours}
\end{aligned}
\]
Because 2.1 hours exceeds the 2-hour threshold, the residual risk is still above tolerance and should be escalated or given further response consideration. A categorization or urgency-only view does not test acceptability, and variance analysis would apply after actual performance occurs, not to remaining uncertainty.
This directly quantifies the remaining exposure after the response and allows comparison to the 2-hour threshold.