📖 Theory


Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on project objectives. Risk ≠ Issue. Risk is potential (future); Issue is actual (happening now).

Risk management process: Plan → Identify → Analyze (Qualitative + Quantitative) → Plan Responses → Implement Responses → Monitor

Risk appetite vs tolerance vs threshold: Appetite = how much uncertainty the org is willing to accept in pursuit of reward. Tolerance = how much deviation from an objective the org will withstand. Threshold = the measurable level of exposure (e.g. a P×I score) above which a risk must be actively responded to; PMBOK 6 states thresholds explicitly, and the register key below is one.

Reference: PMI — Risk Management Process

Risk Response Strategies — Critical for Exam

For THREATS (negative risks)

Strategy | Description | Example
Avoid | Eliminate the risk entirely by changing the plan | Use proven technology instead of an experimental one
Transfer | Shift the risk to a third party (this does not eliminate it, and the project still owns the outcome) | Buy cyber insurance; outsource a high-risk module to a vendor with an SLA
Mitigate | Reduce probability and/or impact | Add automated testing to reduce defect risk; extra capacity for the key developer
Accept | Acknowledge the risk, either passively (do nothing) or actively (set a contingency reserve) | Minor UX bugs: accept and fix in the next sprint; reserve 10% of budget for unknowns
Escalate | Risk is outside the PM's authority; needs a sponsor/org decision | Regulatory change affecting the entire org strategy

For OPPORTUNITIES (positive risks)

Strategy | Description | Example
Exploit | Ensure the opportunity definitely occurs | Assign the best team to a high-value feature to guarantee delivery
Share | Partner with another party to maximize the opportunity | Joint development with a partner for shared benefit
Enhance | Increase probability or positive impact | Add more resources to a high-impact feature to speed delivery
Accept | Take advantage if it occurs, but don't invest to make it happen | Market opportunity: if it comes, great; if not, no loss
Escalate | Opportunity beyond the PM's authority | Strategic market expansion opportunity
🎯 Exam Tips — Risk Management
  • Risk vs Issue: Risk = future, may happen. Issue = present, already happening. Know the difference!
  • Risk includes opportunities — not just threats. "The team may finish early" is a positive risk.
  • Most tests ask about THREATS — but know opportunity strategies too (Exploit/Enhance/Share)
  • Residual risk = risk remaining after response. Secondary risk = new risk created by the response.
  • Risk Register is LIVING document — updated throughout project, not just at planning
  • EMV = Probability × Impact (monetary) — used in decision tree analysis
  • Qualitative analysis (quick, subjective: H/M/L probability and impact ratings) → prioritized list of individual risks. Quantitative analysis (detailed, numerical: EMV, decision trees, Monte Carlo) → numeric estimate of overall project risk exposure, usually run only on the top-ranked risks.

🔧 Risk Register Template — Full

Risk Register Template — Full (Project Alpha, FinTech Company X)

COLUMNS: ID | Description | Category | Prob | Impact | Score (P×I) | Strategy | Action Plan | Owner | Trigger | Status

R001 | Bank Partner A sandbox API unavailable before integration sprint | External | 30% | High | 0.6 | Mitigate | Build mock server; escalate to partner PM if sandbox not ready by Sprint 3 start | PM | API not available by week 4 | Active
R002 | Key backend developer resigns during project | Resource | 15% | High | 0.3 | Mitigate | Cross-training plan; knowledge docs for all modules; document all ADRs | Tech Lead | Resignation notice received | Active
R003 | Regulatory change in PH market affects product compliance | Compliance | 10% | Very High | 0.3 | Accept (active) + monitor | Monthly regulatory review; legal team alert; contingency budget reserved | PM + Legal | Regulatory announcement | Monitoring
R004 🟢 | Opportunity: early MVP delivery may allow onboarding 2 extra partners | Opportunity | 40% | High | +0.8 | Enhance | Add resources in Sprint 6 if ahead of schedule; pre-warm relationship with partners C & D | PM + BD | Sprint 5 velocity > forecast | Active

RISK SCORE KEY
Score = Probability × Impact weight (the rows above use High = 2, Very High = 3, so 30% × High = 0.6 and 10% × Very High = 0.3)
> 0.5 = High priority | 0.2–0.5 = Medium | < 0.2 = Low
Positive scores = opportunities (treat as +value)
Every row needs a Trigger: a risk with no observable trigger cannot be monitored, only discovered after it has become an issue.
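The register above is simple enough to keep as a spreadsheet, but the scoring rule, the priority bands and the "which strategies are legal for a threat vs an opportunity" rule are exactly the things that drift when several people edit it by hand. The following is an added example (not part of the page or of any PMI material) that encodes those rules in Python over the four Project Alpha rows. The impact weights are an assumption chosen so the computed scores reproduce the page's figures; the row data is the page's own.

```python
"""Qualitative scoring of a risk register: score = P x I, priority bands,
signed scores for opportunities, and strategy/trigger validation.
Added example; the impact weights below are assumed (not stated on the page)
and were picked so that 30% x High = 0.6 and 10% x Very High = 0.3."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed impact weights; only High and Very High are exercised by the page's rows.
IMPACT_WEIGHT = {"Low": 0.5, "Medium": 1.0, "High": 2.0, "Very High": 3.0}

# Strategy sets from the page's response-strategy table.
THREAT_STRATEGIES = {"Avoid", "Transfer", "Mitigate", "Accept", "Escalate"}
OPPORTUNITY_STRATEGIES = {"Exploit", "Share", "Enhance", "Accept", "Escalate"}


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    category: str
    probability: float        # 0.0 .. 1.0
    impact: str               # key of IMPACT_WEIGHT
    strategy: str
    owner: str
    trigger: str              # observable event that says the risk is materializing
    opportunity: bool = False

    def score(self) -> float:
        """P x I; opportunities are positive, threats negative (page: 'treat as +value')."""
        magnitude = round(self.probability * IMPACT_WEIGHT[self.impact], 2)
        return magnitude if self.opportunity else -magnitude


def priority(score: float) -> str:
    """Band on |score| using the register's key: >0.5 High, 0.2-0.5 Medium, <0.2 Low."""
    m = abs(score)
    if m > 0.5:
        return "High"
    if m >= 0.2:
        return "Medium"
    return "Low"


def validate(risk: Risk) -> list[str]:
    """Checks worth running before a row is allowed into the register."""
    problems = []
    if not 0.0 <= risk.probability <= 1.0:
        problems.append(f"{risk.rid}: probability {risk.probability} outside 0..1")
    if risk.impact not in IMPACT_WEIGHT:
        problems.append(f"{risk.rid}: unknown impact level {risk.impact!r}")
    allowed = OPPORTUNITY_STRATEGIES if risk.opportunity else THREAT_STRATEGIES
    if risk.strategy not in allowed:
        kind = "an opportunity" if risk.opportunity else "a threat"
        problems.append(f"{risk.rid}: {risk.strategy!r} is not a strategy for {kind}")
    if not risk.trigger.strip():
        problems.append(f"{risk.rid}: no trigger, so the risk cannot be monitored")
    return problems


def prioritize(register: list[Risk]) -> list[tuple[str, float, str]]:
    """(id, signed score, band), highest exposure first; ties keep register order."""
    rows = [(r.rid, r.score(), priority(r.score())) for r in register]
    return sorted(rows, key=lambda row: abs(row[1]), reverse=True)


# The page's Project Alpha rows.
REGISTER = [
    Risk("R001", "Bank Partner A sandbox API unavailable before integration sprint",
         "External", 0.30, "High", "Mitigate", "PM", "API not available by week 4"),
    Risk("R002", "Key backend developer resigns during project",
         "Resource", 0.15, "High", "Mitigate", "Tech Lead", "Resignation notice received"),
    Risk("R003", "Regulatory change in PH market affects product compliance",
         "Compliance", 0.10, "Very High", "Accept", "PM + Legal", "Regulatory announcement"),
    Risk("R004", "Early MVP delivery may allow onboarding 2 extra partners",
         "Opportunity", 0.40, "High", "Enhance", "PM + BD", "Sprint 5 velocity > forecast",
         opportunity=True),
]

if __name__ == "__main__":
    for rid, score, band in prioritize(REGISTER):
        print(f"{rid} {score:+.2f} {band}")
    # Constructed bad row: threat tagged with an opportunity strategy and no trigger.
    bad = Risk("R005", "Vendor misses delivery", "External", 0.5, "High", "Exploit", "PM", "")
    print(validate(bad))
```

Running it prints R004 (+0.80, High) first, then R001 (-0.60, High), then R002 and R003 (both -0.30, Medium); the constructed R005 row is rejected for using Exploit on a threat and for having no trigger. The signed score keeps opportunities and threats in one sorted view without letting a large opportunity mask a large threat, since banding uses the magnitude.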

💼 Scenario

🏢 FinTech Company X — Risk Identification in Project Alpha

Situation: Kickoff of Sprint 1 of Project Alpha. The PM runs a Risk Identification Workshop with the tech lead, QA lead, PO, and compliance officer.

Risks identified:
  • Technical: integration complexity with legacy EVO; data migration risks; performance at scale.
  • External: partner API changes; regulatory changes in PH; third-party vendor delivery delays.
  • Resource: key developer travel conflicts; skills gap for new PH members.
  • Opportunities: early delivery may capture additional market; new platform capability may attract new partners.

Process: Risk log created in Confluence. Top 5 risks analyzed in detail (Qualitative). R001 (Partner API) → Mock server approach; weekly follow-up. R002 (Key developer) → Pair programming, ADR requirement. All risks reviewed in sprint retrospective.

PMP principle: Risk management is continuous, not a one-time activity. Review the risk register every sprint and add new risks as they are discovered. Early identification is much cheaper to address than a risk found after it has become an issue.

✏️ Practice Questions

Question 1
A risk response to transfer the risk of a data breach to a cyber insurance company creates a new risk: the insurance company may not cover all costs. This new risk is called a:
  • A. Residual risk
  • B. Secondary risk
  • C. Opportunity
  • D. Known unknown
✅ Answer: B — Secondary risk is a new risk created as a direct result of implementing a risk response. Residual risk (A) is the remaining risk after the response is implemented. The insurance not covering everything is a new risk created BY the transfer action, making it secondary.
Question 2
The project team discovers mid-project that if they complete Module A two weeks early, they could onboard two additional clients and significantly increase revenue. This is a:
  • A. Scope change that needs Change Control
  • B. Risk that should be avoided
  • C. Positive risk (opportunity) that should be Exploited or Enhanced
  • D. Issue that needs to be logged
✅ Answer: C — An uncertain future event that would have a positive impact is a positive risk (opportunity). The PM should use Exploit (ensure it definitely happens) or Enhance (increase probability) strategies. This is not a scope change (no new work required), not a risk to avoid (it's positive!), and not a current issue.
Question 3
A PM identifies a risk that, if it occurs, will cost $200,000 in damages but has only a 5% probability. Using EMV, what is the risk's monetary value, and should it be actively managed?
  • A. EMV = $10,000; may not justify expensive mitigation — decision depends on cost of mitigation vs EMV
  • B. EMV = $200,000; always requires full mitigation regardless of probability
  • C. EMV = $1,000; ignore it entirely
  • D. EMV cannot be calculated without more information
✅ Answer: A — EMV = Probability × Impact = 0.05 × $200,000 = $10,000. Whether to actively mitigate depends on the cost of the mitigation response vs the EMV. If mitigation costs $2,000, it's clearly worth it. If it costs $50,000, it may not be — you might accept or transfer instead. EMV is a tool for prioritization and decision-making, not an automatic trigger for full mitigation.
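Question 3's answer is a decision-tree comparison in disguise: each candidate response is a branch whose expected cost is its certain cost plus the EMV of whatever residual risk remains, plus the EMV of any secondary risk the response creates (Question 1). The following added example (not from the page) works that comparison through in Python for the 5% / $200,000 threat. The four response options, their costs, residual probabilities and the 20% insurance coverage gap are constructed for illustration; only the threat's own figures are the question's.

```python
"""Choosing a risk response with EMV (decision-tree comparison).
Added example. The 5% / $200,000 threat comes from the practice question;
the response options, their costs, residual probabilities and the insurance
coverage gap are constructed assumptions used to show the trade-off."""
from __future__ import annotations

from dataclasses import dataclass


def emv(probability: float, monetary_impact: float) -> float:
    """Expected monetary value of a threat outcome: P x I (loss as a positive number)."""
    return probability * monetary_impact


@dataclass(frozen=True)
class Response:
    name: str
    cost: float                   # certain cost of implementing the response
    residual_probability: float   # probability the threat still occurs afterwards
    residual_impact: float        # loss the project still bears if it does occur
    secondary_emv: float = 0.0    # EMV of any new (secondary) risk the response creates

    def expected_cost(self) -> float:
        """One branch of the tree: certain cost + residual EMV + secondary-risk EMV."""
        return (self.cost
                + emv(self.residual_probability, self.residual_impact)
                + self.secondary_emv)


def best_response(options: list[Response]) -> Response:
    """The branch with the lowest expected cost wins."""
    return min(options, key=lambda r: r.expected_cost())


def worth_it(response: Response, do_nothing: Response) -> bool:
    """A response is justified only if its expected cost is below passive acceptance."""
    return response.expected_cost() < do_nothing.expected_cost()


P, LOSS = 0.05, 200_000.0                              # the question's figures
ACCEPT = Response("Accept (passive)", 0.0, P, LOSS)    # expected cost = EMV = 10,000
OPTIONS = [
    ACCEPT,
    # assumed cheap control cuts probability to 1%: 2,000 + 0.01 x 200,000 = 4,000
    Response("Mitigate (cheap control)", 2_000.0, 0.01, LOSS),
    # assumed expensive control: 50,000 + 0.005 x 200,000 = 51,000, worse than accepting
    Response("Mitigate (expensive control)", 50_000.0, 0.005, LOSS),
    # assumed transfer: premium is certain and the insurer pays the loss, but the
    # secondary risk from Question 1 (an assumed 20% of the loss uncovered) stays:
    # 6,000 + 0 + 0.05 x 40,000 = 8,000
    Response("Transfer (cyber insurance)", 6_000.0, P, 0.0,
             secondary_emv=emv(P, LOSS * 0.20)),
]

if __name__ == "__main__":
    for option in OPTIONS:
        print(f"{option.name:30} expected cost ${option.expected_cost():>9,.0f}")
    print("choose:", best_response(OPTIONS).name)
```

With these assumed figures the cheap control ($4,000 expected) beats insurance ($8,000), which beats doing nothing ($10,000), while the expensive control ($51,000) is rejected even though it reduces the probability the most. The point the code makes explicit is that a transfer is never free of risk: the uncovered remainder has to be priced into the branch as a secondary risk, or the comparison flatters the insurance option.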

🤖 AI Tools for PMs

🤖 How AI Augments This Process

AI helps PMs brainstorm risks systematically, generate risk response strategies, draft risk register entries, and identify blind spots in risk coverage. A risk register is itself sensitive (it names partners, staffing weaknesses and regulatory exposure), so paste register contents only into an AI tool approved for that data classification, and treat AI-generated probabilities and scores as a starting point for the workshop, not as the analysis.

Sample Claude Prompts

Risk brainstorming session

Help me identify risks for my project using structured brainstorming.
Project: [name and brief description]
Project type: [software / infrastructure / process change / product launch]
Industry/context: [fintech / healthcare / retail / etc.]
Project phase: [planning / early execution / mid-execution]
Known constraints: [budget / timeline / regulatory / technology]
Team and stakeholder complexity: [distributed / cross-functional / external vendors]

Generate a risk register with at least 15 risks across these categories:
1. Technical risks (architecture, integration, technology choice)
2. Schedule risks (dependencies, resource availability, external delays)
3. Scope risks (requirements volatility, gold-plating, scope creep)
4. Resource risks (key person dependency, skill gaps, team availability)
5. External risks (regulatory, vendor, market, partner)
6. Organizational risks (sponsorship, priority changes, politics)

For each risk: Risk ID, description, category, probability (H/M/L), impact (H/M/L), risk score, initial response strategy, owner.

Risk response strategy development

I have a high-priority risk that needs a response strategy.
Risk: [specific risk description]
Probability: [High / Medium / Low with brief rationale]
Impact: [High — describe what happens if it occurs]
Risk type: [Threat or Opportunity]

If THREAT — develop a response strategy using the ATMES framework:
A - Avoid: Can we eliminate the risk by changing the approach? How?
T - Transfer: Can we shift responsibility to a third party? (insurance, contract, outsourcing)
M - Mitigate: How do we reduce probability and/or impact? Specific actions.
E - Escalate: Should this go to the sponsor/PMO? Why?
S - Accept: If we accept, is it active (contingency plan) or passive?

If OPPORTUNITY — develop a response strategy using ESEA: Exploit / Share / Enhance / Accept

Recommend the best strategy for this specific risk with implementation steps.

Risk register review and gap analysis

Review my current risk register and identify gaps.
Current risks registered: [paste your risk list or describe the top 10]
Project context: [phase, complexity, stakeholder environment]
Recent events that may have changed the risk landscape: [describe]

Analyze the risk register and:
1. Identify risk categories that appear under-covered
2. Flag any risks that may be outdated or no longer relevant
3. Identify "risk interdependencies" — risks that could compound each other
4. Suggest 3-5 new risks to add based on the project context
5. Review risk owners — are they the right people?
6. Assess whether the risk responses are specific enough (vague responses = no real mitigation)

Jira / Confluence Template

Jira — Risk Issue with Labels
── JIRA: RISK REGISTER ENTRY ─────────────────────────────
Issue Type: Risk
Summary: [RISK-001] [Category] — [Short description]
Priority: Critical (High/High) / High (High/Med or Med/High) / Medium / Low
Labels: risk | category:[technical/schedule/resource/external/scope]

── RISK DESCRIPTION ──────────────────────────────────────
Risk Statement: There is a risk that [event] may occur, resulting in [impact]
Probability: High / Medium / Low | Score: [1-5]
Impact: High / Medium / Low | Score: [1-5]
Risk Score: [P × I = score, 1-25] | Threshold for escalation: >12
Risk Owner: [Name / role]
Response Strategy: Avoid / Transfer / Mitigate / Accept / Escalate
Response Actions:
1. [Specific action — Owner — Due date]
2. [Specific action — Owner — Due date]
Trigger: [What event signals this risk is materializing]
Contingency: [What we do if the risk occurs despite mitigation]
Status: Open | Last reviewed: [date] | Next review: [date]