

Risk Management is, in my experience, one of the densest knowledge areas on the PMP exam. PMI tests not only the seven risk processes but also the response strategies, qualitative vs quantitative analysis, and the PMI mindset on dealing with uncertainty. The candidates I coach who internalise risk management cold reliably score 10-15 risk-related questions; the ones who treat risk superficially leave significant points on the table, and I have seen this be the difference between pass and fail.
In this guide I share 25+ PMP-style risk questions with full rationales mapped to PMBOK risk processes. I also cover the conceptual frameworks, the traps I tell candidates to watch for, and the patterns that, in my view, distinguish strong risk thinking from surface familiarity.
| Process | Process group |
| --- | --- |
| Plan Risk Management | Planning |
| Identify Risks | Planning |
| Perform Qualitative Risk Analysis | Planning |
| Perform Quantitative Risk Analysis | Planning |
| Plan Risk Responses | Planning |
| Implement Risk Responses | Executing |
| Monitor Risks | Monitoring & Controlling |
Six in planning, one in executing, one in monitoring. The exam tests each.
The processes are sequential during initial risk planning but iterative across the project. Risks are identified throughout; analysis and response planning happen as risks emerge; implementation happens when triggers are reached; monitoring is continuous.
For exam purposes, the candidate must recognise which process is implicated by a given scenario. “We just identified a new risk” -> Identify Risks. “We are scoring risks by probability and impact” -> Perform Qualitative Risk Analysis. “We are computing EMV” -> Perform Quantitative Risk Analysis.
| Strategy (Threats) | Strategy (Opportunities) | When to use |
| --- | --- | --- |
| Avoid | Exploit | Eliminate or guarantee outcome |
| Transfer | Share | Move risk/opportunity to another party |
| Mitigate | Enhance | Reduce/increase probability or impact |
| Accept | Accept | When response cost exceeds value |

In addition, Escalate applies when the risk is outside the project’s authority.
The five threat strategies and five opportunity strategies are heavily tested. Memorise them. The exam often presents a scenario and asks which strategy is being applied; the candidate must match the action to the strategy name.
The PMI mindset on response selection: select the strategy whose cost is justified by the risk’s expected impact. Mitigation is most common because it balances cost and risk reduction. Avoidance is appropriate for high-impact risks that can be eliminated. Transfer applies when another party is better positioned to handle the risk. Acceptance applies when response cost would exceed the risk’s expected impact.
For opportunity strategies, the parallel logic applies: exploit guarantees the opportunity, share captures it with a partner, enhance increases probability or impact, accept takes the opportunity if it occurs without specific action.
Q1. During Identify Risks, which is least likely to surface new risks? A. Brainstorming B. SWOT analysis C. Risk register review from past projects D. Probability-impact matrix
Correct: D. The probability-impact matrix is for qualitative analysis, not identification. Brainstorming, SWOT, and prior risk registers all generate new risk candidates.
Q2. Qualitative risk analysis primarily produces: A. Numerical risk impact estimates B. Prioritised list of risks C. Final EAC D. Decision tree analysis
Correct: B. Qualitative analysis produces a prioritised list. Quantitative produces numbers. The prioritised list informs which risks deserve quantitative analysis.
Q3. A team uses Delphi technique. What is the primary characteristic? A. Anonymous expert input B. Group brainstorming C. SWOT analysis D. Probability scoring
Correct: A. Delphi technique uses anonymous expert input across rounds to converge on consensus. The anonymity prevents senior voices from dominating.
Q4. Which technique combines internal strengths and weaknesses with external opportunities and threats? A. Brainstorming B. SWOT C. Delphi D. Root cause analysis
Correct: B. SWOT explicitly combines all four. Other techniques touch one or two of these dimensions.
Q5. During risk identification, the team identifies a risk that another project has already mitigated successfully. What is the best action? A. Ignore it B. Add to the register and reuse the prior mitigation C. Identify a new mitigation D. Escalate
Correct: B. Reusing successful mitigations is efficient. Knowledge management across projects produces value precisely through this kind of reuse.
(Continue with Q6-Q10 covering brainstorming techniques, root cause analysis, assumption analysis, document analysis, prompt lists, SWIFT, probability/impact scales, and risk categorisation.)
Q11. A project has a risk that a key supplier may go out of business. The PM signs a contract with a backup supplier. This is: A. Avoid B. Transfer C. Mitigate D. Accept
Correct: C. Mitigate. The risk is reduced by having a backup. It is not eliminated (avoid) or moved to a third party (transfer).
Q12. The PM purchases insurance against a low-probability, high-impact natural disaster. This is: A. Avoid B. Transfer C. Mitigate D. Accept
Correct: B. Transfer. The financial impact moves to the insurer.
Q13. A team identifies an opportunity to deliver a feature early using a partner’s technology. The PM includes the partner in the project. This is: A. Exploit B. Share C. Enhance D. Accept
Correct: B. Share. The opportunity is shared with another party best positioned to capture it.
Q14. A risk is identified that the team’s deliverable may not meet regulatory requirements. The PM eliminates the affected feature from scope. This is: A. Avoid B. Transfer C. Mitigate D. Accept
Correct: A. Avoid. The risk is eliminated by removing the work that creates it.
Q15. The PM decides to maintain a contingency budget for an identified risk that may or may not materialise. This is: A. Avoid B. Transfer C. Mitigate D. Accept
Correct: D. Accept (specifically, active acceptance with contingency reserve). The risk is acknowledged; resources are set aside; no specific action is taken to reduce probability or impact.
(Continue with Q16-Q20 covering escalation, contingent response strategies, contingency reserves, management reserves, residual risks, secondary risks, and risk register updates.)
Q21. During execution, a risk in the register has not occurred and the trigger conditions have passed. The PM should: A. Remove the risk from the register B. Mark the risk as closed and document the lesson learned C. Continue monitoring D. Escalate to the sponsor
Correct: B. Closed risks remain in the register but are marked closed for lessons learned. Removing them entirely loses institutional knowledge.
Q22. A risk was previously mitigated. After mitigation, monitoring shows a new risk has emerged from the response. This is: A. A residual risk B. A secondary risk C. A trigger risk D. A workaround risk
Correct: B. Secondary risk. A risk that arises as a result of implementing a risk response. Residual risks are what remains after mitigation; secondary risks are new risks created by mitigation.
Q23. A risk audit is most useful for: A. Identifying new risks B. Evaluating effectiveness of risk responses and the risk management process C. Computing EMV D. Closing the project
Correct: B. Risk audits evaluate the effectiveness of risk responses and the overall risk management process. They are not primarily for identification.
(Continue with Q24-Q25+ covering risk reassessment, contingency reserve drawdown, and trend analysis.)
The PMI mindset on risk is fundamentally proactive. Risks are managed before they materialise; issues are managed after they materialise. The discipline is identifying risks early and responding when the cost of response is low relative to the cost of impact.
For exam questions about risk priority, the PMI mindset weights probability times impact (expected value). High-probability low-impact risks may rank similarly to low-probability high-impact risks if the products are similar.
The escalation discipline is also tested. When a risk is outside the project’s authority (e.g., regulatory changes affecting the entire enterprise), the PM escalates rather than trying to handle it in-project.
Risks and issues are different:
A risk that materialises becomes an issue. The transition matters because the management approach changes - risk management is proactive (planning, response strategies); issue management is reactive (workarounds, problem solving).
For exam questions, the distinction often determines the right answer. “We have a risk that the vendor will be late” -> apply risk response strategies. “The vendor is late” -> issue management, find a workaround.
The risk register and issue log are separate artefacts. Both are maintained throughout the project. Risks that materialise move from the risk register (as closed) to the issue log (as new issues).
Contingency reserves and management reserves serve different purposes:
Contingency reserves: for known-unknowns (identified risks). Allocated within the project budget. Drawn down as identified risks materialise. PM has authority over contingency reserves.
Management reserves: for unknown-unknowns (unidentified risks). Held outside the project budget at the organisational level. Drawn down when unforeseen issues emerge. Sponsor or executive approval required.
The exam tests the distinction. Questions about budget allocation for known risks reference contingency reserves. Questions about budget for emergencies reference management reserves.
The aggregate budget includes both: BAC + contingency reserves + management reserves = total budget. EVM math typically uses BAC alone, not the reserves.
For PMs, the discipline of explicit contingency reserves prevents project budgets from being eroded by unplanned costs. The reserves should be sized based on risk register expected impact.
Quantitative risk analysis goes beyond qualitative scoring to numerical estimates. Techniques include:
Expected Monetary Value (EMV): Probability × Impact. Used in decision tree analysis. Common exam calculation.
A worked example: a risk has 30% probability and $50,000 impact. EMV = 0.30 × $50,000 = $15,000. This represents the expected cost contribution to the project from this risk.
Decision tree analysis: maps decision points and their EMVs. Used when multiple sequential decisions interact.
Monte Carlo simulation: runs thousands of synthetic project scenarios using probability distributions for inputs. Produces probability distributions for project outcomes (cost, schedule).
Sensitivity analysis: identifies which inputs have the largest effect on outputs. Tornado diagrams visualise sensitivity.
Three-point estimating (PERT): combines optimistic, most-likely, and pessimistic estimates. PERT mean = (O + 4M + P) / 6.
The exam tests recognition of these techniques and basic calculations. Memorise the formulas; understand when each technique applies.
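The following is an added example, not part of the original guide, that carries the EMV, decision tree and PERT formulas above through a small risk register. The register entries, the make-or-buy figures, the function names and the rule of sizing the contingency reserve as the sum of threat EMVs are assumptions made for illustration; only the 30% / $50,000 entry comes from the guide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # 0.0 to 1.0
    impact: float       # dollars; positive = threat cost, negative = opportunity saving

def emv(risk: Risk) -> float:
    """Expected Monetary Value = probability x impact."""
    return round(risk.probability * risk.impact, 2)

def rank_by_emv(register):
    """Order risks by the size of their expected value, largest first."""
    return sorted(register, key=lambda r: abs(emv(r)), reverse=True)

def contingency_reserve(register) -> float:
    """Assumed sizing rule: sum the EMV of identified threats only."""
    return round(sum(emv(r) for r in register if r.impact > 0), 2)

def pert_mean(optimistic: float, most_likely: float, pessimistic: float) -> float:
    return (optimistic + 4 * most_likely + pessimistic) / 6

def decision_tree(options):
    """options maps a choice to (base_cost, [(probability, extra_cost), ...]).
    Returns the cheapest choice by expected cost and all expected costs."""
    expected = {name: round(base + sum(p * c for p, c in outcomes), 2)
                for name, (base, outcomes) in options.items()}
    return min(expected, key=expected.get), expected

# Constructed sample register; the first entry is the guide's worked example.
REGISTER = [
    Risk("Key supplier fails", 0.30, 50_000),
    Risk("Regulatory rework", 0.10, 120_000),
    Risk("Minor scope churn", 0.60, 10_000),
    Risk("Early partner delivery", 0.25, -20_000),  # opportunity
]
# Constructed make-or-buy decision.
OPTIONS = {
    "build in-house": (100_000, [(0.40, 60_000)]),
    "buy from vendor": (115_000, [(0.10, 30_000)]),
}

if __name__ == "__main__":
    for r in rank_by_emv(REGISTER):
        print(f"{r.name:24} EMV = {emv(r):>10,.2f}")
    print("Contingency reserve:", contingency_reserve(REGISTER))
    print("PERT mean (10, 14, 24 days):", pert_mean(10, 14, 24))
    print("Decision tree:", decision_tree(OPTIONS))
```

The 10% / $120,000 risk ranks just below the 30% / $50,000 one, which is the probability-times-impact ranking behaviour described in the mindset section.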
Risk management adapts across approaches:
Predictive projects: classic seven-process risk management with risk register and detailed response plans.
Agile projects: risk management integrates into sprint cadence. Risk identification happens in retrospectives, planning, and standup. Response often manifests as backlog priority adjustments.
Hybrid projects combine both. Project-level risks use classic management; sprint-level risks use agile cadence.
The PMI mindset across approaches is consistent: identify early, respond proactively, monitor continuously. The mechanics differ; the philosophy holds.
For exam questions about risk in different contexts, the right answer typically reflects the appropriate framework for the described methodology.
Risk fluency develops through deliberate practice:
Total practice questions on risk: 100-200 across the prep period. This volume produces reliable accuracy.
For candidates who score weakly on risk in mocks, the focused practice approach helps. Doing 30 risk-only questions in a single sitting builds pattern recognition faster than mixed practice.
The discipline that distinguishes strong risk candidates from weak ones is explicit identification of which process and which strategy each question tests. This labelling discipline forces precise application.
Shashank Shastri is a PMP trainer with over 14 years of experience and co-founder of Oven Story. He is an inspiring product leader who is a master in product strategies and digital innovation. Shashank has guided many aspirants preparing for the PMP examination thereby assisting them to achieve their PMP certification. For leisure, he writes short stories and is currently working on a feature-film script, Migraine.
QUICK FACTS
Typically 10-15 risk-related questions. They span identification through monitoring.