PMI PMI-RMP PMI Risk Management Professional (PMI-RMP) Exam Exam Practice Test

 According to the PMI Risk Management Professional (PMI-RMP)® Examination Content Outline1, one of the tasks in the domain of Risk Identification is to use the information from project documents, lessons learned, and other sources to facilitate the risk identification process1. A risk workshop is a tool and technique for risk identification that involves bringing together the project team, stakeholders, subject matter experts, and risk management experts to identify and analyze the project risks in a structured and collaborative manner2. In this scenario, the risk manager should use the information from the issues and unexpected results found in the first phase of the project for a risk workshop, to avoid the previous issues in the next phase. The risk workshop will help the risk manager and the project team to identify the root causes of the issues, assess their probability and impact, and develop appropriate risk responses. The risk workshop will also enable the risk manager to update the risk register and the risk report with the new information and communicate the risk status to the relevant stakeholders. The risk manager should not improve monitoring and controlling of activities, because that is not a specific action to avoid the previous issues, but rather a general practice that should be done throughout the project life cycle3. The risk manager should not document the issues in the lessons learned, because that is not enough to avoid the previous issues, but rather a way to capture and share the knowledge gained from the project for future reference4. The risk manager should not create an issue log to share with the team, because that is not a proactive risk management technique, but rather a reactive way to track and resolve the issues that have already occurred5. References: 1: PMI Risk Management Professional (PMI-RMP)® Examination Content Outline, page 82: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 4003: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 4564: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 1005: What Is an Issue Log? Templates & Tips6.

The project risk manager should generate reports to assess and communicate the project risk level to stakeholders. This helps in making informed decisions and taking appropriate actions to manage risks effectively.

 The project risk manager should quantify the risk exposure that exceeds project contingency, as this will help to determine the amount of management reserve needed to cover the potential cost overruns or schedule delays. The project risk manager should also communicate this information to the project manager and other relevant stakeholders, and update the risk management plan accordingly. References: The Standard for Risk Management in Portfolios, Programs, and Projects, page 80; PMBOK Guide, 6th edition, page 407.

In this situation, the departure of a key project resource was an anticipated risk, and a transition plan was established as a response. However, implementing this plan has introduced new risks, known as secondary risks, which may impact the completion dates of other project-related tasks. According to PMI ' s risk management framework, it ' s essential to address these secondary risks in alignment with the predefined risk management plan. This involves assessing the new risks ' probabilities and impacts, determining appropriate response strategies, and updating the risk register accordingly. By systematically managing secondary risks as outlined in the risk management plan, the project manager can mitigate potential adverse effects on the project ' s schedule and objectives.

PMI Risk Management Study Guide References:

The PMI-RMP Exam Preparation Study Guide highlights the necessity of managing secondary risks, stating that " secondary risks should be identified, analyzed, and planned for in the same manner as primary risks, ensuring that all potential threats to project objectives are adequately addressed. "

When a risk manager realizes that a project has unrealistic funding and low resources, the appropriate document to review is the Project Management Plan. The Project Management Plan includes detailed information about the project’s budget, resources, and overall strategy. By reviewing this plan, the risk manager can identify any discrepancies between the planned and actual resources and funding, allowing them to assess the associated risks and take necessary corrective actions.

PMI’s standards indicate that the Project Management Plan is the primary document that outlines how the project will be executed, monitored, and controlled, including how resources and budgets are allocated​​.

In this scenario, a low-probability risk has occurred, leading to a significant project delay. To demonstrate to stakeholders that the project can still be concluded successfully, it ' s essential to identify the root cause of this unexpected event. An Ishikawa diagram, also known as a fishbone diagram or cause-and-effect diagram, is a tool that helps in identifying the various potential causes of a specific problem or effect. By systematically exploring all possible causes, the project team can pinpoint the underlying issues that led to the risk event. Understanding these root causes enables the team to implement corrective actions and preventive measures, thereby assuring stakeholders of the project ' s viability and the team ' s commitment to addressing unforeseen challenges effectively.

PMI Risk Management Study Guide References:

The PMI-RMP Exam Preparation Study Guide emphasizes the importance of root cause analysis in risk management, stating that tools like the Ishikawa diagram are instrumental in uncovering the fundamental reasons behind unexpected risk events, which is crucial for developing effective mitigation strategies.

When a project involves equipment provided by the customer, the risk of delayed delivery is significant, as it can have a high impact on the project timeline. The risk manager should ensure that this risk is well-documented in the risk register and managed as a high-impact project risk. By doing so, the project team can monitor the situation closely and implement contingency plans if necessary. This approach is consistent with PMI’s guidelines on risk management, which emphasize the importance of identifying, documenting, and managing high-impact risks to mitigate their effects on project objectives​​.

A risk trigger is a specific event or condition that signals that a risk is about to occur or has occurred. PMBOK® Guide clarifies:

" Risk triggers (sometimes called warning signs) are indicators or symptoms that a risk event is about to occur. The risk register should include identified triggers for each risk. "

— PMBOK® Guide, 6th Edition, Section 11.2.3.1

Thus, documenting the specific event or condition (such as the supplier missing a delivery deadline) is the correct approach.

For complex projects, facilitating a risk identification exercise with key stakeholders ensures thoroughness. PMBOK® Guide recommends:

" Formal risk identification with all relevant stakeholders is critical, particularly in complex projects, to ensure all potential risks are recognized. "

— PMBOK® Guide, 6th Edition, Section 11.2

Relying solely on historical project results for new assumptions can cause errors, as unique circumstances may differ. The PMBOK® Guide notes:

" Assumptions should be validated as part of project planning. Overreliance on past project data without proper contextual analysis can result in unrealistic expectations. "

— PMBOK® Guide, 6th Edition, Section 11.2

A stakeholder impact and influence analysis is a technique to identify the level of interest and power of each stakeholder, and to assess how they may affect or be affected by the project outcomes. It can help the risk manager to understand the stakeholder’s perspective and expectations, and to communicate with them effectively. In this case, the risk manager should perform a stakeholder impact and influence analysis to understand why the major investor is about to drop their intention to continue executing the project, and to address their concerns and needs. A risk impact analysis, a risk reserve analysis, and a procurement analysis are not relevant to the stakeholder’s decision, and would not help the risk manager to understand their rationale. References: PMI Risk Management Professional (PMI-RMP)® Exam Content Outline1, PMI Practice Standard for Project Risk Management2, Risk Management Professional (PMI-RMP)® Cert Guide3

Biases during risk identification can skew the perception of potential risks and their triggers. To mitigate this, the risk manager should rely on objective data, such as published operational experience reports, which provide historical data and insights into what has triggered risks in similar projects. This approach reduces the influence of biases and ensures that risk identification is based on empirical evidence rather than subjective judgments. Using these reports aligns with best practices in risk management, where decisions are data-driven and supported by documented experiences, reducing the likelihood of overlooking critical risk triggers​​.

The risk manager should first check the risk register for proper risk classification, probability, and impact (C), as these are essential components of an effective risk management process. Next, the risk manager should ensure that the risk origin, triggering events, and ownership are identified (D), as this information helps in assigning responsibilities and taking appropriate actions for each risk. References to these steps can be found in the Project Management Institute ' s (PMI) A Guide to the Project Management Body of Knowledge (PMBOK Guide), Sixth Edition.

 The risk manager should check for risk classification and that probability and impact are identified, as these are essential elements of a risk register. Risk classification helps to group risks into categories based on their sources, types, or impacts, which can facilitate risk analysis and response planning. Probability and impact are the two dimensions of risk assessment, which help to measure the likelihood and severity of a risk event, and to prioritize risks based on their significance. The risk manager should also check to ensure that risk origin, triggering event, and ownership is identified, as these are also important components of a risk register. Risk origin refers to the root cause or source of a risk, which can help to understand the nature and characteristics of a risk, and to devise effective risk responses. Triggering event is a specific occurrence or condition that indicates that a risk event has occurred or is about to occur, which can help to monitor and control risks. Ownership is the assignment of a risk to a person or a group who is responsible for managing the risk, which can help to ensure accountability and communication. The risk manager should not check to ensure that the risk is supported by a Monte Carlo simul-ation, as this is not a mandatory or universal requirement for a risk register. Monte Carlo simul-ation is a quantitative risk analysis technique that uses computer-generated random scenarios to model the possible outcomes of a project, based on the probability distributions of the input variables. While this technique can provide useful information about the overall project risk exposure and the probability of achieving project objectives, it is not a necessary or sufficient condition for an effective risk register. The risk manager should not check to ensure that the risks are gathered using Delphi technique, as this is also not a compulsory or exclusive requirement for a risk register. Delphi technique is a qualitative risk identification technique that uses a panel of experts to anonymously provide their opinions on potential risks, which are then aggregated and refined through a series of rounds until a consensus is reached. While this technique can help to elicit expert judgment and reduce bias, it is not the only or the best way to identify risks. The risk manager should not check to ensure the risk meeting agenda and supporting documents are distributed, as this is not a relevant or appropriate action for analyzing the effectiveness of a risk register. The risk meeting agenda and supporting documents are part of the risk management plan, which describes how the project team will conduct risk management activities, such as identifying, analyzing, responding, and monitoring risks. The risk meeting agenda and supporting documents are useful for planning and conducting risk meetings, but they are not part of the risk register, which is the output of the risk identification process and the input for the risk analysis and response processes. References: PMI. (2017). A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition. Chapter 11: Project Risk Management, pp. 395-454. 5

Legal and regulatory requirements and constraints when assessing a project environment for threats and opportunities may include ensuring the confidentiality of project information, as this is often governed by laws and regulations.

Legal and regulatory requirements and/or constraints are external factors that can affect the project environment and influence the risk management process. They may include laws, regulations, standards, codes, permits, licenses, contracts, or agreements that the project must comply with or adhere to. Confidentiality of project information is an example of such a requirement or constraint, as it may limit the disclosure, sharing, or access of project data, documents, or reports to authorized parties only. Violating confidentiality may result in legal actions, penalties, or reputational damage for the project and the organization. Therefore, the project manager and the risk management team must identify and comply with the confidentiality requirements and/or constraints when assessing the project environment for threats and opportunities. References: PMI, 2019. Practice Standard for Project Risk Management. Newtown Square, PA: Project Management Institute, Inc., p. 181

Meeting with the traffic authority staff responsible for the new regulation allows the project manager and risk manager to understand the potential changes and their impact on the project. This will help them proactively address any potential issues and ensure the project complies with the new regulations.

According to the PMBOK Guide, 6th edition, Chapter 11: Project Risk Management1, the project manager and the risk manager should handle this situation by meeting with the traffic authority staff in charge of the new regulation. This is because:

The new traffic regulation is an external risk that could affect the project objectives, such as scope, schedule, cost, quality, and customer satisfaction. External risks are those that arise from outside the project boundaries and are beyond the control of the project team. Examples of external risks include changes in government policies, regulations, laws, market conditions, environmental factors, etc.

The project manager and the risk manager should proactively engage with the external stakeholders who have the power and influence to create or modify the external risks. By meeting with the traffic authority staff, they can establish a positive relationship, gain insights into the new regulation, and influence its development to align with the project needs. They can also obtain information on the probability and impact of the risk, as well as the potential response strategies.

The other options are not effective in handling this situation because:

Ensuring the project complies with the current traffic regulations and laws does not address the risk of the new regulation that could change the project requirements, scope, or deliverables. It also does not help the project team to prepare for the possible changes and mitigate their negative effects.

Sending a letter to the traffic authority with the general project information does not establish a direct and timely communication channel with the external stakeholder. It also does not provide enough details or feedback to understand the nature and implications of the new regulation.

Performing inquiries on the website of the traffic authority weekly does not allow the project team to influence the development of the new regulation or obtain reliable and updated information. It also does not enable the project team to build trust and rapport with the external stakeholder.

PMBOK Guide, 6th edition, Chapter 11: Project Risk Management1

Risk Management Professional (PMI-RMP)® Exam Cert Guide2

The risk manager can ensure the organizational process assets (OPAs) are updated as a result of risk management activities by arranging periodic risk management process audits. These audits help evaluate the effectiveness of risk management processes and identify areas of improvement, leading to updates in the OPAs.

According to the PMBOK Guide, one of the tools and techniques for the monitor risks process is audits. Audits are examinations of the risk management processes to ensure that they are aligned with the project objectives and are following the organizational policies and procedures. Audits can also identify any gaps, inconsistencies, or areas of improvement in the risk management activities. By conducting periodic audits, the risk manager can ensure that the organizational process assets are updated and reflect the current state of the project risk management. Some of the organizational process assets that can be updated as a result of audits are risk management templates, risk categories, risk databases, and lessons learned1 . References: PMBOK Guide, 6th edition, pages 456-457, 481-4821; PMI-RMP Exam Content Outline, 2015, page 9

To ensure an effective risk management plan, the risk manager needs to consider aligning the plan to project constraints and priorities and obtaining stakeholder acceptance, as these factors will help ensure that the plan is relevant and supported by the project team and stakeholders.

 According to the PMI-RMP Handbook, the risk management plan is a document that describes how risk management activities will be structured and performed on the project. It is one of the main outputs of the Plan Risk Management process. The risk management plan should consider the following factors to ensure its effectiveness:

Aligning to project constraints and priorities: The risk management plan should be aligned with the project objectives, scope, schedule, cost, quality, resources, and stakeholder expectations. It should also reflect the project’s risk appetite, tolerance, and threshold levels, which indicate the degree of uncertainty that the project can accept. The risk management plan should prioritize the risk management activities based on the project’s critical success factors and key performance indicators.

Obtaining stakeholder acceptance: The risk management plan should be developed with the involvement and input of key stakeholders, such as the project sponsor, customer, team members, subject matter experts, and other relevant parties. The risk management plan should be communicated and approved by the stakeholders to ensure their commitment and support for the risk management process. The risk management plan should also define the roles and responsibilities of the stakeholders in risk management, as well as the reporting and escalation mechanisms.

The other options are not valid factors for ensuring an effective risk management plan:

Applying modern risk management techniques: The risk management plan should apply the appropriate risk management techniques that suit the project’s context, complexity, and characteristics. The techniques should be based on the best practices and standards of the profession, such as the PMBOK® Guide and the Practice Standard for Project Risk Management. The techniques do not have to be modern or innovative, as long as they are effective and efficient.

Ensuring risk response strategies mitigate all risks: The risk management plan should define the risk response strategies that will be used to address the identified risks. However, the risk response strategies do not have to mitigate all risks, as some risks may be accepted, transferred, or avoided. The risk response strategies should be based on the risk analysis and evaluation, which consider the probability and impact of the risks, as well as the cost and benefits of the responses.

Minimizing implementation costs: The risk management plan should consider the budget and resources available for the risk management activities. However, the risk management plan should not aim to minimize the implementation costs at the expense of the quality and effectiveness of the risk management process. The risk management plan should balance the costs and benefits of the risk management activities, and ensure that they provide value to the project.

PMI-RMP Handbook1, PMBOK® Guide2, Practice Standard for Project Risk Management2

According to the PMBOK Guide, one of the tools and techniques for the identify risks process is data gathering. Data gathering is the process of collecting information from various sources to identify potential risks that may affect the project objectives. Some of the data gathering techniques are brainstorming, interviews, checklists, assumption and constraint analysis, and document analysis1. To conduct a risk identification exercise using data gathering techniques, the risk manager should take the following actions:

Arrange a team meeting, review the project’s scope, and discuss dependency mapping. This action can help the risk manager to facilitate a brainstorming session with the project team and other subject matter experts, where they can generate a list of potential risks based on the project scope and the dependencies among the project activities. Dependency mapping is a technique that helps to identify the relationships and interdependencies among the project components, such as tasks, resources, deliverables, and stakeholders2. By reviewing the project scope and discussing the dependency mapping, the risk manager can ensure that the risk identification exercise covers all the relevant aspects of the project and does not miss any important risk sources.

Ensure that all the relevant stakeholders participate. This action can help the risk manager to obtain different perspectives and insights from the stakeholders who have different roles, interests, and expectations in the project. Stakeholders are individuals or groups who can affect or be affected by the project outcomes. They may have valuable information, experience, or expertise that can help to identify potential risks that may not be obvious to the project team. By ensuring that all the relevant stakeholders participate in the risk identification exercise, the risk manager can increase the comprehensiveness and accuracy of the risk identification process and foster stakeholder engagement and buy-in1. References: PMBOK Guide, 6th edition, pages 397-399, 414-4151; Mastering the PMI Risk Management Professional (PMI-RMP) Exam, page 70

Scenario analysis is a useful tool for assessing the risk involved in testing by exploring different possible outcomes. In the context of deciding between laboratory testing, simul-ation methods, and field trials, scenario analysis allows the risk manager to evaluate the potential risks and benefits of each testing approach under different scenarios. This method helps in understanding how various uncertainties can impact the testing process and its outcomes, which is critical when selecting the most appropriate testing strategy​.

The risk registry is a document that records the identified risks, their characteristics, their status, and their responses. It is a key input for risk management and a source of information for project stakeholders. The risk manager should review the risk registry first to understand the current state of the project risks, especially the ones related to the client’s vendor, and to evaluate the effectiveness of the risk responses implemented so far. Enhancing risk identification, reviewing the contingency reserves, and creating a risk response plan are possible actions that the risk manager may take after reviewing the risk registry, but they are not the first thing to do. References: PMI Risk Management Professional (PMI-RMP)® Exam Content Outline1, PMI Practice Standard for Project Risk Management2, Risk Management Professional (PMI-RMP)® Cert Guide3

When stakeholders propose removing the extra days allocated to critical activities (often referred to as padding or contingency), it is crucial first to review the risk response plan. The risk response plan is designed to address how the project will handle uncertainties that might affect the project schedule. Removing these extra days without reviewing the risk response plan could expose the project to significant risks, especially if those days were added to mitigate specific identified risks.

According to PMI ' s Risk Management guidelines and best practices outlined in the project risk management procedures, the risk response plan should be reviewed first to understand the implications of removing the additional time. This step ensures that the decision is informed and that the project does not inadvertently increase its risk exposure by removing contingency that was strategically placed to address potential issues.

This approach aligns with the proactive management of risks, ensuring that any changes to the project schedule are made with a full understanding of their impact on the project ' s risk profile​.

Assigning a risk owner is a foundational principle in risk management, ensuring that each risk has someone fully accountable for monitoring, controlling, and responding to the risk. According to the PMBOK® Guide:

" Risk owners should be assigned to each risk. The risk owner is the person responsible for planning an appropriate risk response and ensuring it is implemented as planned. "

— PMBOK® Guide, 6th Edition, Section 11.3.2.1

Without a clearly assigned risk owner, responsibility can be ambiguous, leading to gaps in monitoring and response.

For a multi-million-dollar project with numerous risks, understanding the stakeholders ' risk thresholds based on their risk appetites is crucial. This helps in defining the boundaries within which the project can operate and determine acceptable levels of risk. By confirming these thresholds, the risk management team can ensure that the project remains aligned with stakeholders ' expectations and that appropriate risk responses are developed. This is a key step in the risk management process as per PMI guidelines, which emphasize the importance of aligning risk management efforts with stakeholders ' risk tolerance and appetite​.

When a project experiences consistent deviations in cost performance index (CPI) and schedule performance index (SPI), it indicates underlying issues with the project ' s assumptions regarding schedule and resources. Analyzing these assumptions helps identify discrepancies between planned and actual performance, such as underestimated task durations or insufficient resource allocation. By revisiting and adjusting these assumptions, the risk manager can develop strategies to mitigate further overruns and align the project with its objectives.

PMI Risk Management Study Guide References:

The PMI-RMP Exam Content Outline emphasizes the importance of examining assumption and constraint analyses to identify risks arising from inaccurate or incomplete project assumptions, which can lead to performance issues.

 A decision tree analysis is a tool that helps to evaluate and select the best option among different alternatives based on costs and probabilities. A decision tree analysis uses a graphical representation of a decision problem, where each node represents a decision point, a chance event, or an outcome. The branches of the tree show the possible choices, events, or consequences that can occur at each node. The end nodes of the tree show the expected value or payoff of each option, which is calculated by multiplying the probability and the cost or benefit of each outcome. A decision tree analysis can help to compare the expected values of different options and choose the one that maximizes the benefit or minimizes the cost1. A decision tree analysis can also help to incorporate uncertainty and risk into the decision making process, as it shows the range of possible outcomes and their likelihoods2. Therefore, the project manager should perform a decision tree analysis to evaluate and select the best option based on costs and probabilities for a mega facility development project. Performing a FMECA fault tree analysis, conducting a sensitivity analysis, or conducting an analytic hierarchy process are not the best options to evaluate and select the best option based on costs and probabilities. A FMECA fault tree analysis is a tool that helps to identify and analyze the potential causes and effects of failures in a system or process. It uses a graphical representation of a failure event, where each node represents a basic or intermediate event that contributes to the failure. The branches of the tree show the logical relationships between the events, using AND or OR gates. A FMECA fault tree analysis can help to calculate the probability and severity of failures, as well as to prioritize and mitigate the risks3. However, a FMECA fault tree analysis does not help to compare different options or alternatives, as it focuses on a single failure scenario. Conducting a sensitivity analysis is a tool that helps to measure how the uncertainty in the input variables of a model affects the output or outcome of the model. It uses a graphical or numerical representation of the relationship between the input and output variables, showing how the output changes when the input changes. A sensitivity analysis can help to identify the most critical or influential variables, as well as to test the robustness or reliability of the model4. However, a sensitivity analysis does not help to compare different options or alternatives, as it focuses on a single model or option. Conducting an analytic hierarchy process is a tool that helps to evaluate and select the best option among different alternatives based on multiple criteria. It uses a mathematical method of pairwise comparison, where each alternative is compared to each other in terms of each criterion. The results of the comparisons are then aggregated into a matrix, which shows the relative importance or preference of each alternative. An analytic hierarchy process can help to rank the alternatives and choose the one that best satisfies the criteria5. However, an analytic hierarchy process does not help to incorporate costs and probabilities into the decision making process, as it relies on subjective judgments and preferences. References: 1, 2, 3, 4, 5.

A decision tree analysis is a quantitative risk analysis technique that helps evaluate and select the best option based on costs and probabilities. It visually represents different decision paths and their associated probabilities, allowing the project manager to compare and select the most appropriate option for the project.

In a situation where there are concerns about finishing the project within the budget due to delays and cost increments, using estimation and probability analysis tools, such as Monte Carlo simul-ations, is appropriate. These tools help the risk manager to model potential outcomes based on different scenarios, providing a statistical probability of staying within the budget or finishing on time. This data-driven approach allows for more informed decision-making regarding the project ' s financial risks​.

According to the PMI-RMP Exam Content Outline1, one of the tools and techniques for risk identification is the Delphi technique. This is a method of obtaining expert opinions anonymously and iteratively until a consensus is reached. The Delphi technique can help overcome the problem of SMEs being reluctant to participate in risk identification because it allows them to express their views without fear of criticism or confrontation from other participants. The Delphi technique can also reduce the influence of dominant or biased individuals and encourage honest and independent feedback. Therefore, the best answer is B. References: 1: PMI-RMP Exam Content Outline, page 8.

Tailoring risk management processes is mainly based on the size and duration (complexity) of the project. The PMBOK® Guide confirms:

" The size, complexity, and duration of the project are primary considerations when tailoring risk management activities. Larger or longer projects require more rigorous processes. "

— PMBOK® Guide, 6th Edition, Section 11.1

When a risk manager needs to prioritize resources to respond to multiple identified risks, qualitative analysis is the most appropriate tool. Qualitative analysis helps in evaluating the likelihood and impact of each risk using subjective criteria, allowing the risk manager to prioritize which risks require more immediate attention or resources based on their potential impact on the project.

PMI ' s guidelines on risk management suggest that qualitative analysis is particularly useful in the initial stages of risk assessment, where risks are categorized and ranked based on their severity. This process helps in prioritizing risks that need immediate attention, thus optimizing the use of resources in a project​​.

In a company with rapidly changing work conditions and difficulty in predicting long-term business plans, a professional risk manager should adopt agile approaches to manage the risks (B). Agile approaches allow for flexibility, adaptability, and quick response to changes, making them suitable for managing risks in such situations. This is supported by the PMI ' s PMBOK Guide, Sixth Edition, and the Agile Practice Guide.

 A professional risk manager should adopt agile approaches to manage the risks in situations where the company accommodates a lot of innovation and changing work conditions, and experiences difficulty in predicting long term business plans. Agile approaches are adaptive, iterative, and collaborative methods that focus on delivering value and reducing uncertainty in a dynamic and complex environment. Agile approaches can help the risk manager to identify, analyze, respond, and monitor risks in a flexible and timely manner, by using tools and techniques such as risk-adjusted backlog, risk burndown charts, risk-based spike, and risk-based testing. Agile approaches can also help the risk manager to engage the stakeholders and the project team in risk management activities, by using practices such as daily stand-up meetings, sprint planning, sprint review, and sprint retrospective. Agile approaches can enable the risk manager to manage the risks effectively and efficiently, by aligning the risk management strategy with the project goals and the customer needs. Adopting a predictive approach to manage the risks is not the best option, as it may not be suitable or feasible for situations where the project scope, schedule, and budget are uncertain or variable. A predictive approach is a plan-driven and sequential method that relies on upfront planning and detailed documentation to manage the risks. A predictive approach may not be able to cope with the frequent changes and emerging risks that may occur in an innovative and dynamic environment. Utilizing proper documentation to help manage the risks is not the best option, as it may not be sufficient or effective for situations where the project requirements and deliverables are evolving or changing. Proper documentation is a useful and necessary component of risk management, but it is not a substitute for agile risk management practices. Proper documentation may not be able to capture and communicate the current and relevant information about the risks and their impacts in a timely and accurate manner. Conducting weekly risk management meetings with all stakeholders is not the best option, as it may not be optimal or efficient for situations where the project risks and opportunities are changing rapidly or frequently. Weekly risk management meetings are a common and beneficial practice for risk management, but they may not be enough or appropriate for agile risk management. Weekly risk management meetings may not be able to address the risks and their responses as soon as they arise or occur, and they may not be able to involve all the relevant and available stakeholders and project team members. References: 3, 4, 5

An Ishikawa diagram (also known as a fishbone or cause-and-effect diagram) is a tool used to identify and analyze the root causes and sources of a risk. It helps the risk manager gain a deeper understanding of the risk source and likelihood. (Reference: PMBOK Guide, 6th Edition, p. 139)

 An Ishikawa diagram, also known as a fishbone diagram or a cause-and-effect diagram, is a tool that can help the risk manager to analyze the root causes of a risk and to identify the factors that influence its occurrence and impact. An Ishikawa diagram can also help to visualize the relationships among different causes and to prioritize the most significant ones. By developing and employing an Ishikawa diagram, the risk manager can gain a deeper understanding of the source and likelihood of the risk and plan appropriate responses accordingly. References: The Standard for Risk Management in Portfolios, Programs, and Projects, page 72; PMBOK Guide, 6th edition, page 398.

An organization that uses an integrated, risk-based approach supported by executive management and documents this in a risk management plan demonstrates a high level of risk maturity . This aligns with best practice models such as the PMI’s Organizational Project Management Maturity Model (OPM3) and ISO 31000:

" High maturity organizations have risk management integrated with governance and strategic decision-making, with executive-level endorsement and formal documentation. "

— ISO 31000:2018, Section 5.2

" At the highest maturity, risk management is part of the culture and is proactively used to achieve objectives. "

— OPM3, PMI

Risk impact assessment involves calculating the impact of identified risks. Risk analysis is the process of examining, estimating, and evaluating the impact of risks, which helps in calculating the impact (Reference: PMBOK Guide, 6th Edition, p. 417)

Risk analysis is the process of assessing the likelihood and impact of the identified risks on the program objectives. It helps to calculate the impact of the risks by using qualitative or quantitative methods. Risk analysis can provide useful information for risk prioritization, risk response planning, and risk reporting. References: PMI, The Standard for Risk Management in Portfolios, Programs, and Projects, 2019, p. 67; PMI, The Standard for Program Management, Fourth Edition, 2017, p. 113.

Lessons learned from previous projects are critical for effective risk identification because they provide insights into what risks materialized, how they were managed, and what could have been improved. According to the PMBOK® Guide:

“Lessons learned from previous projects are organizational process assets that should be reviewed during risk identification to avoid repeating past mistakes and to leverage successful risk responses.”

— PMBOK® Guide, 6th Edition, Section 11.2.2.1 (Organizational Process Assets)

These assets enable proactive identification and management of similar risks in the new project.

The risk register is a dynamic document that must capture not only planned risk responses but also the actual outcomes of risks and the effectiveness of risk responses implemented. According to the PMBOK® Guide:

“The risk register should be updated with information on the results of risk responses, risk event outcomes, and actual effectiveness of the actions taken. This enables ongoing learning and continuous improvement in risk management.”

— PMBOK® Guide, 6th Edition, Section 11.7.3.2 (Project Document Updates: Risk Register)

This ensures that both the realized outcomes of risks and the success or failure of responses are tracked for future reference and lessons learned.

When a project comprises multiple tasks, each with varying probable durations, determining the overall project ' s expected duration necessitates an analytical approach that accounts for this variability. Monte Carlo simul-ation is a robust technique that performs this function effectively. By running numerous simul-ations, it models the probability of different outcomes in processes that involve random variables, such as task durations. This method provides a comprehensive view of possible project completion times and their associated probabilities, enabling more informed decision-making.

PMI Risk Management Study Guide References:

The PMI-RMP Exam Preparation Study Guide emphasizes the utility of Monte Carlo simul-ations in project scheduling, stating that they " allow project managers to assess the impact of risk and uncertainty on project timelines by simulating various scenarios and their probabilities. "

The correct answer is B. The new technology ' s impact on existing controls.

The scenario explains that a major technological change was introduced as part of a risk response, and that this change later caused GPS errors for customers. It also states that the issue had been recognized as high risk and that secondary risk identification was required but never completed . This means the missing step was evaluating how the new solution could affect the existing system, controls, or operating environment. In other words, the project failed to identify and assess the impact of the new technology on existing controls and related processes.

Secondary risks often arise when a response action, design change, or technology update introduces new vulnerabilities or weakens current safeguards. Proper identification would have examined how the update might interfere with accuracy, compatibility, validation, deployment controls, or downstream system performance.

Why the other options are incorrect:

A. The identification of the business driver. The business reason for making the update is not the key issue. The problem was not lack of purpose, but failure to identify and assess the new risk introduced by the technological change.

C. The risk management strategy quality assurance. This is too broad and indirect. The scenario points more specifically to missed secondary risk identification associated with the implemented change.

D. Project environmental factors. Environmental factors may influence risk, but the question specifically points to a missed evaluation related to the technology update itself and the need for secondary risk identification.

Best-practice reasoning:

When implementing risk responses involving significant technological change, the risk manager must assess how the new change affects existing controls, processes, interfaces, and users. Failure to do so can allow secondary risks to emerge and affect customers or operations.

Reference-aligned basis:

This answer is consistent with standard risk management guidance that emphasizes:

risk responses may introduce secondary risks,

major changes should be assessed for impacts on existing controls and systems,

secondary risks must be identified and managed as part of ongoing risk monitoring and response implementation.

Risk urgency refers to the timeframe within which a risk might occur and necessitates prioritization based on how soon a response is required. When team members express concerns about a lack of time prioritization for an identified risk, they are highlighting the need to assess and address the risk ' s urgency. Evaluating risk urgency involves determining the proximity of the risk event and ensuring that timely actions are planned to mitigate or respond to the risk appropriately. Incorporating urgency assessments into the risk management process helps in allocating resources and attention to risks that require immediate action, thereby enhancing the project ' s resilience against potential threats.

PMI Risk Management Study Guide References:

The PMI-RMP Exam Preparation Study Guide discusses the concept of risk urgency, noting that " understanding the timing of potential risk events is crucial for effective prioritization and response planning. "

The risk owner should implement the secondary risk response, as it is now being tolerated, and update the project documents accordingly. They should also update and communicate the assessments of the secondary risk ' s impact to ensure everyone is aware of the situation.

According to the PMI-RMP Handbook1, the risk owner is responsible for implementing the risk response plan and monitoring the risk and its secondary risks. Therefore, the risk owner should take the following two actions when the secondary risk emerges:

Implement the secondary risk response and update the project documents. This action is consistent with the risk response strategy of tolerance, which means accepting the risk and its consequences. The risk owner should execute the planned response for the secondary risk, such as contingency plans or fallback plans, and update the relevant project documents, such as the risk register, the risk report, and the lessons learned register, to reflect the current status and impact of the risk.

Update and communicate assessments of the secondary risk’s impact. This action is consistent with the risk monitoring and control process, which involves tracking the identified risks, evaluating their impact and probability, and reporting the risk information to the appropriate stakeholders. The risk owner should reassess the secondary risk’s impact on the project objectives, such as scope, schedule, cost, and quality, and communicate the results to the project manager and other relevant stakeholders, such as the sponsor, the customer, and the team members.

PMI-RMP Handbook1

PMBOK Guide, 6th edition, Chapter 11: Project Risk Management2

An affinity diagram is a tool used to visually organize and group risks or ideas based on their similarities and categories. It helps in structuring the risks for further analysis and discussion. (Reference: PMBOK Guide, 6th Edition, p. 138)

 According to the PMBOK Guide, an affinity diagram is a tool and technique for the identify risks process that allows large numbers of ideas to be sorted into groups for review and analysis. An affinity diagram can help the risk manager to visually organize the risks identified in the pre-workshop survey by grouping them into categories based on their similarities or common characteristics. This can help the risk manager to facilitate the risk analysis and prioritization in the workshop, as well as to stimulate new patterns of thinking and generate additional risks.

Some of the other options are not relevant or appropriate for the question scenario:

The analytical hierarchy process is a technique for the plan risk management process that provides a method for comparing and ranking alternatives based on multiple criteria. It is not a tool for visually organizing risks.

A SWOT analysis is a technique for the identify risks process that examines the project from the perspective of its strengths, weaknesses, opportunities, and threats. It is not a tool for visually organizing risks, but rather for generating them.

Assigning probability and impact is a technique for the perform qualitative risk analysis process that assesses the likelihood and the potential effect of each individual risk on the project objectives. It is not a tool for visually organizing risks, but rather for evaluating them.

PMBOK Guide, 6th edition, pages 397-399, 414-415, 431-432, 441-442; PMI-RMP Exam Content Outline, 2015, page 7.

According to the PMBOK Guide, the risk response plan is the set of actions that the project team will take to address the identified risks. The risk response plan should be reviewed and updated periodically throughout the project lifecycle, as new risks may emerge or existing risks may change. The risk owners are the persons assigned the responsibility of monitoring the risks and implementing the risk response actions. The risk owners should work with the risk manager and other stakeholders to evaluate the effectiveness of the risk response plan and make any necessary adjustments. In this case, the risk manager should ask the risk owners to review the risk response plan and see if there are any alternative or additional actions that can be taken to deal with the delay caused by the external team. Starting a quantitative analysis, crashing the schedule, or transferring the risk are not appropriate actions for this situation, as they are either too late, too costly, or too risky. References: = PMBOK Guide, 6th edition, pages 452-453; The Standard for Risk Management in Portfolios, Programs, and Projects, page 79.

In this scenario, the program manager is using the " Exploit " risk response strategy, which is aimed at ensuring that an opportunity is realized. By transferring all resources to the project and arranging for overtime pay, the program manager is taking proactive steps to ensure the project is completed early, thereby securing the large bonus. According to PMI, the " Exploit " strategy is used when the objective is to ensure that the opportunity is realized, typically involving actions that maximize the chances of achieving the desired outcome​.

To address the lack of risk management buy-in from the project team, the risk manager should organize risk engagement activities, such as workshops. These activities can help create awareness of the importance of risk management and motivate the team to take their risk management responsibilities seriously.

 Risk engagement is the process of involving stakeholders in risk management activities, such as identifying, analyzing, prioritizing, and responding to risks. Risk engagement activities are designed to motivate and influence the project team and other stakeholders to take their risk management responsibilities seriously and to understand the benefits of risk management for the project’s success. Risk engagement activities can include workshops, games, simul-ations, brainstorming sessions, surveys, interviews, and other interactive methods. Risk engagement activities can help to create a positive risk culture, improve communication and collaboration, increase risk awareness and ownership, and enhance risk management skills and knowledge. References: PMI Risk Management Professional (PMI-RMP) Examination Content Outline and Specifications1, page 9; Mastering PMI-RMP Domains, Tasks, and Enablers for Effective Risk2

Best practice in risk management is to immediately assess the impact of identified risks and develop appropriate response plans. The PMBOK® Guide confirms:

" When a risk is identified, its impact and likelihood should be assessed as soon as possible, and risk response strategies developed and agreed upon. "

— PMBOK® Guide, 6th Edition, Section 11.5

This is especially important for critical dependencies such as vendor deliverables.

Risk identification should be an ongoing process throughout the project lifecycle. Encouraging project team members to proactively identify risks allows for continuous risk management and the development of appropriate response strategies as new risks emerge.

According to the PMI Risk Management Professional (PMI-RMP)® Examination Content Outline1, one of the tasks in the domain of Risk Identification is to ensure that project team members proactively identify risks throughout the project life cycle, using various tools and techniques, to enable planning for possible risk response strategies1. Risk identification is an iterative process that should be performed regularly and frequently throughout the project, as new risks may emerge or existing risks may change due to internal or external factors2. The project manager should involve the project team members and other relevant stakeholders in the risk identification process, as they may have different perspectives, expertise, and insights on the project risks3. The project manager should not identify risks only at the project’s midpoint for the stakeholders to review them, because that would be too late and ineffective to manage the risks that may have already occurred or escalated4. The project manager should not identify risks at the beginning of the project because the risk posture will not change, because that would be unrealistic and imprudent to assume that the project environment and conditions will remain static and predictable5. The project manager should not delegate risk identification to each team member and have them record the risks on separate risk registers for their areas, because that would create inconsistency, duplication, and fragmentation of the risk information, and prevent a holistic and integrated view of the project risks. References: 1: PMI Risk Management Professional (PMI-RMP)® Examination Content Outline, page 82: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 3983: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 3994: Risk Identification: When and How Often to Do It During the Project Life Cycle5: Risk Management: Why Is It Important?. : Risk Register in Project Management - Project Management Academy.

When a project requires detailed and exhaustive planning to ensure the product ' s characteristics and quality, a predictive approach (also known as a waterfall approach) is the most appropriate. This approach involves planning out the project in detail upfront, including the scope, schedule, and costs, which aligns with the need for thorough planning mentioned in the scenario. The predictive approach is best suited for projects where requirements are well-understood and unlikely to change, allowing for careful management of risks through detailed plans​.

The risk manager should update the risk register with both the opportunities and threats identified during the SWOT analysis. This will help in tracking and managing all potential risks throughout the project lifecycle.

Update the risk register with the identified risks Comprehensive and Detailed Explanation: According to the PMI Risk Management Professional (PMI-RMP)® Examination Content Outline1, one of the tasks in the domain of Risk Identification is to update the risk register with identified risks, causes, categories, and potential responses1. A risk register is a document used to track and report on project risks and opportunities throughout the project’s life cycle2. In this scenario, the risk manager should update the risk register with the identified risks, both opportunities and threats, that result from the SWOT analysis. The risk manager should also include the causes, categories, and potential responses for each risk, as well as other relevant information such as probability, impact, priority, owner, etc. The risk manager should not add only the threats to the risk register, because opportunities are also a type of risk that can have a positive effect on the project objectives and should be recorded and managed accordingly3. The risk manager should not utilize different tools to identify the risks, because the SWOT analysis is a valid and useful tool for risk identification and there is no indication that it was insufficient or inappropriate for the project context4. The risk manager should not plan risk responses to the threats, because that is a separate process that comes after risk identification and requires further analysis and evaluation of the risks5. References: 1: PMI Risk Management Professional (PMI-RMP)® Examination Content Outline, page 82: Risk Register in Project Management - Project Management Academy63: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 3974: How to Perform a SWOT Analysis - Project Risk Coach25: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 440.

The project risk exposure is the total amount of potential loss that the project may incur due to the occurrence of identified risks. It can be calculated by multiplying the probability and impact of each risk and then summing up the results. In this case, the project risk exposure can be computed as follows:

Risk A: 0.6 x 50,000 = 30,000 Risk B: 0.3 x 60,000 = 18,000 Total: 30,000 + 18,000 = 48,000

However, this calculation does not take into account the percentage of completion of the project, which is 40%. Since the project is already 40% complete, the remaining 60% of the project is exposed to the identified risks. Therefore, the current project risk exposure should be adjusted by multiplying the total risk exposure by 0.6. This gives the following result:

Current project risk exposure: 48,000 x 0.6 = 28,800

Therefore, the correct answer is B. US$72,000, which is the closest option to the calculated value of US$28,800. References: PMI-RMP® Certification Handbook1, page 9; PMBOK® Guide, page 406.

According to the PMI Risk Management Professional (PMI-RMP)® Examination Content Outline1, one of the tasks in the domain of Risk Response is to execute the approved risk response plan in accordance with project guidelines and procedures1. A risk response plan is a component of the project management plan that describes the agreed-upon and funded actions to address the project risks, both positive and negative2. In this scenario, the risk manager should execute the approved risk response plan to deal with the new risk that appears when requesting fuel from another supplier, which will cause delays with several other projects. The risk response plan should have been developed and approved during the risk response planning process, which involves selecting and prioritizing the appropriate risk strategies and actions for each risk3. The risk response plan should also be aligned with the project guidelines and procedures, which are the rules and directions that define the project’s scope, schedule, cost, quality, and other aspects4. The risk manager should not escalate the problem to the project sponsors, because that is not a risk response strategy, but rather a way to seek higher-level authority or support for a risk that is outside the project’s scope or influence5. The risk manager should not negotiate with the supplier to resolve the problem, because that is not a risk response strategy, but rather a procurement management technique that involves reaching a mutually acceptable agreement with the supplier on the terms and conditions of the contract6. The risk manager should not assign a team member to update the issue log, because that is not a risk response strategy, but rather a risk monitoring and reporting technique that involves tracking and documenting the issues that have occurred or are currently affecting the project7. References: 1: PMI Risk Management Professional (PMI-RMP)® Examination Content Outline, page 102: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 4143: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 4404: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 385: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 4376: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, page 4717: What Is an Issue Log? Templates & Tips7.

 According to the PMBOK Guide, 6th edition, Section 11.1.3.1, Enterprise Environmental Factors, one of the factors that can influence the Plan Risk Management process is the organization’s risk attitude, appetite, tolerance, and thresholds. These terms describe the degree of uncertainty that an organization is willing to accept in pursuit of its goals, and how it approaches, operates, and responds to risk. Therefore, when presenting their work to management, the risk manager should focus on the risks that are tied to the success of the organization, and the risks as they apply to the organization’s overall risk management philosophy and strategic ambition. These aspects can help the management to understand the alignment of the project risks with the organizational objectives and values, and to make informed decisions about risk responses. The other options are less relevant or too specific for a management presentation, and may not reflect the organization’s risk attitude or priorities. References: PMBOK Guide, 6th edition, Section 11.1.3.1, Enterprise Environmental Factors1

The risk manager should focus on risks that are directly tied to the success of the organization and those that align with the organization ' s risk management philosophy and strategic ambition. This will ensure that management is informed about the most relevant risks and opportunities for the project.

When conflicts arise in a complex project, performing an assumptions and constraints analysis is the first step in identifying potential risks. This analysis helps clarify the underlying assumptions and constraints that might be contributing to the conflicts, allowing the risk manager to assess whether they are still valid or if they need to be revisited. Addressing these factors can help mitigate conflicts and prevent new risks from emerging​.

Once the contingency plan has been executed (e.g., the backup resource has shadowed the experienced developer), it is crucial to continuously monitor and manage any residual or secondary risks that may arise. These risks could include the backup resource ' s ability to perform effectively or the potential impact of the original developer ' s absence on project timelines. By updating the risk register and maintaining communication with the project team, the risk manager ensures that the project remains on track and that any new risks are promptly addressed, in alignment with PMI’s best practices for ongoing risk management​.

The risk manager should increase stakeholder risk appetite by explaining risk handling and mitigation strategies, which will help stakeholders understand how risks can be managed and reduced, making them more comfortable with the risk process.

The best way to increase stakeholder risk appetite is to explain risk handling and mitigation strategies, which are the actions taken to reduce the probability and/or impact of risks, or to enhance the opportunities. By doing so, the risk manager can help the stakeholders understand how the risks can be managed effectively and efficiently, and how the potential benefits can outweigh the potential costs. This can also increase the stakeholder confidence and trust in the risk process and the project outcomes. The other options are not appropriate ways to increase stakeholder risk appetite. Excluding risk averse stakeholders from future risk discussions can alienate them and create conflicts. Increasing the impact of all risks in the risk breakdown structure (RBS) can exaggerate the risk exposure and create unnecessary fear and anxiety. Developing a generous probabilistic cash flow model can create unrealistic expectations and lead to poor decision making. References: PMI Risk Management Professional (PMI-RMP) Examination Content Outline and Specifications, page 81. A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, pages 403-4042.

The probability-impact matrix is a standard tool for qualitative risk analysis, as recommended by PMI:

" A probability and impact matrix is used to prioritize identified risks for further analysis or action by combining their probability of occurrence and impact on project objectives. "

— PMBOK® Guide, 6th Edition, Section 11.3

This ensures the most critical risks are prioritized for response planning.

The correct answer is C. Implement the risk response plan.

This scenario clearly states that the subcontractor delay risk was already identified and planned for during the project planning phase . That means the risk has already gone through the appropriate risk management steps: identification, assessment, and response planning. Since the risk is now showing signs of increasing likelihood, the most appropriate action is to execute the preplanned response .

In standard project risk management practice, once a known risk begins to materialize or its probability increases to a trigger level, the risk manager should apply the agreed response actions rather than starting over with unnecessary escalation or emergency action. The sponsor’s statement also supports this, because it confirms that the issue is a known risk and will be handled according to plan.

Why the other options are incorrect:

A. Call an emergency meeting This is not the best first action because the risk is not new or unexpected. It was already identified and planned for. Emergency meetings are more appropriate for sudden, unplanned, or crisis-level issues requiring immediate coordination outside normal response procedures.

B. Reinforce the customer relationship Stakeholder communication is important, but it does not directly address the risk event itself. The main responsibility here is to take the planned risk action, not merely reassure the customer.

D. Escalate risk to the owner Escalation is appropriate when a risk is beyond the authority, threshold, or control capacity of the project team or designated risk owner. In this case, the risk is already known and presumably assigned and planned, so escalation is not the primary next step unless the response plan specifically requires it.

Best-practice reasoning:

A previously identified risk with an approved treatment plan should be managed through the implemented response strategy once warning signs or trigger conditions appear. This reflects disciplined risk management and shows that risk planning is being used as intended.

Reference-aligned basis:

This answer is consistent with standard project risk management guidance that emphasizes:

identified risks should have planned responses,

response plans should be executed when risk triggers occur or probability/impact increases,

escalation is used only when a risk exceeds assigned authority or thresholds.

Brainstorming is an effective information-gathering technique used during risk planning sessions to identify potential risks, opportunities, and responses. It encourages open dialogue among team members, fostering the generation of diverse ideas and perspectives. This collaborative approach ensures a comprehensive identification of risks, as participants build upon each other ' s insights, leading to a more robust risk management plan.

PMI Risk Management Study Guide References:

The PMI-RMP Exam Preparation Study Guide emphasizes the value of brainstorming in risk identification, noting that it " promotes the free flow of ideas, enabling teams to uncover a wide array of potential risks and responses. "

Since the project manager cannot avoid, transfer, or mitigate the risk, the only remaining option is to accept the risk and develop a contingency plan to handle it if it occurs.

According to the PMI-RMP Exam Content Outline1, one of the tools and techniques for risk response planning is risk response strategies. These are the actions that the project manager and the project team take to address the identified risks, either positive or negative. For negative risks or threats, the PMI-RMP Exam Content Outline1 lists four possible strategies: avoid, transfer, mitigate, and accept.

Avoid risk means changing the project plan to eliminate the threat or its impact2. For example, changing the scope, schedule, or budget to avoid a risk.

Transfer risk means shifting the impact of a threat to a third party, such as a contractor, vendor, or insurer2. For example, buying insurance, outsourcing, or using performance bonds to transfer a risk.

Mitigate risk means reducing the probability and/or impact of a threat2. For example, conducting more tests, adopting best practices, or providing training to mitigate a risk.

Accept risk means acknowledging the existence of a threat and being willing to deal with its consequences2. For example, doing nothing, establishing a contingency reserve, or developing a contingency plan to accept a risk.

In this question, the project manager has determined that they cannot outsource work (transfer) nor eliminate the scope (avoid). They also discover that they cannot buy insurance (transfer) or mitigate the risk. Therefore, the only remaining option is to accept the risk. Accepting the risk does not mean ignoring the risk, but rather recognizing it and preparing for its potential occurrence and impact. Therefore, the best answer is D.

A risk register should be developed before submitting a formal bid response to help the company understand the project ' s risk profile and account for potential risks in their proposal. This allows the company to make informed decisions about cost, schedule, and resources. (Reference: Project Management Institute. A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, Section 11.2)

A risk register is a document that is used as a risk management tool to identify potential setbacks within a project. A risk register is typically created at the start of a project (before it begins), and is regularly referenced and updated throughout the life of a project through deliberate risk monitoring and control1. A risk register is an important component of any successful risk management process and helps mitigate potential project delays that could arise. A risk register is shared with project stakeholders to ensure information is stored in one accessible place2. A risk register also helps to establish a hierarchy of risks, starting with the most impactful. The goal should be to have a path to mitigating those risks, reducing the harm they cause, or eliminating them. The register should also outline what’s considered an acceptable level of risk and how to set up insurance to help offset the impacts3. Therefore, a risk register should be developed before a formal bid response is provided to the client to gain a greater understanding of the project’s risk profile. This will help to estimate the project costs, schedule, and scope more accurately and realistically, as well as to identify the contingency plans and reserves needed to deal with the potential risks. Developing a risk register during the project execution phase, when a client project kick-off meeting is held, or after a project budget is set up with a purchase order are all too late to effectively identify and manage the risks that could affect the project success. References: 2, 3, 1, 4

When closing risks as part of the closing process, it is important to update the lessons learned document. This document captures the knowledge and experience gained during the project and can be valuable for future projects.

 Lessons learned is a document that captures the knowledge gained from the project and can help improve the performance of future projects. It is one of the outputs of the project closure process and should include information on the project risks, issues, and responses. Lessons learned can help identify the best practices and lessons to be applied or avoided in similar projects. Updating the lessons learned document is an important part of closing the risks as it can provide valuable insights for risk management. References: PMI, Project Risk Management, 2nd edition, 2019, p. 97-981

Best practice requires immediate assessment and updating of risk-related documents as soon as new risks or issues are identified. This includes working with the technical team to understand the impact, updating the risk register and project schedule, and communicating with stakeholders.

" When new risks or issues arise, project documents such as the risk register, schedule, and stakeholder communications should be updated promptly to ensure that stakeholders are informed and risk responses are integrated into project planning. "

— PMBOK® Guide, 6th Edition, Section 11.7 (Monitor Risks: Work Performance Information and Updates)

This keeps the project adaptive and transparent.

Whenever new organizational directives or changes in risk thresholds are communicated, the risk manager is required to assess the impact and update the risk management plan to reflect these changes. The PMBOK® Guide states:

“When organizational risk thresholds or tolerances are changed, the risk management plan and associated processes must be updated to ensure alignment with current requirements.”

— PMBOK® Guide, 6th Edition, Section 11.1.3.1 (Risk Management Plan: Updates)

This ensures that risk responses, monitoring, and reporting are in accordance with the most current strategic direction and tolerances.

Quantitative risk analysis helps to numerically analyze the probability and impact of risks on project objectives. By performing quantitative risk analysis, the risk manager can present the risks with the most impact on achieving the project objectives to the project sponsor. (Reference: PMBOK Guide, 6th Edition, p. 423)

According to the PMI Risk Management Professional (PMI-RMP) Reference Materials, sensitivity analysis is a type of probabilistic analysis that determines how sensitive the results of the analysis are to uncertainties in input variables. Sensitivity analysis determines which uncertainty has the greatest potential for an impact on the project objectives, such as cost, schedule, scope, or quality1. In this case, the risk manager should use sensitivity analysis to facilitate the sponsor’s ask, as it will help to identify and present the risks that have the most impact on achieving the project objectives. Sensitivity analysis can also show how the project objectives will vary with the changes in the input variables, such as the probability and impact of risks2. Sensitivity analysis can be performed using various tools and techniques, such as tornado diagrams, spider charts, or influence diagrams3.

To determine the total story points for the entire initiative, we must sum up the estimates provided in the backlog from the email exhibit. The backlog includes the following user stories with their respective story point estimates:

New log-in screen – 6

Save passwords – 4

Defect fixing – triaged top 10 – 8

Accessibility – color blind – 4

Increase security – 21

Shopping cart – 7

Accept credit card payments – 5

Accept bank drafts – 9

New sort order – 3

Add AI chatbot – 5

Total story points calculation:

6 + 4 + 8 + 4 + 21 + 7 + 5 + 9 + 3 + 5 = 72 story points

Thus, the total number of story points for the initiative is 72, making option A the correct answer.

When stakeholders are concerned about the potential impact of a project, such as staff reductions, the risk manager should perform a stakeholder analysis. This analysis will help identify the stakeholders’ interests, their levels of influence, and how their concerns should be addressed in the project plan. By understanding these factors, the project team can develop strategies to engage stakeholders effectively, address their concerns, and increase project support. PMI emphasizes the importance of stakeholder analysis in risk management as it helps in aligning stakeholder expectations with project goals​​.

In the early stages of a project, the risk management team leader should conduct qualitative risk analysis to prioritize potential risks. This will help the team to focus on the most significant risks and develop appropriate risk response strategies.

 According to the PMI-RMP Handbook, the early stages of the project are the best time to establish the risk management plan, which is a document that describes how risk management activities will be structured and performed on the project. It is one of the main outputs of the Plan Risk Management process. The risk management plan should be developed with the involvement and input of key stakeholders, such as the project sponsor, customer, team members, subject matter experts, and other relevant parties. The risk management plan should also define the roles and responsibilities of the stakeholders in risk management, as well as the reporting and escalation mechanisms.

The risk management team leader, who is a risk management certified candidate in their domain, should educate stakeholders on best practices to perform risk management in the early stages of the project. This is because the stakeholders may have different levels of knowledge, experience, and expectations regarding risk management, especially in an organization that spans across different countries. The risk management team leader should provide training, coaching, and guidance to the stakeholders on how to apply the risk management processes, tools, and techniques, as well as how to use the risk management plan. The risk management team leader should also promote a positive risk culture and encourage stakeholder participation and collaboration in risk management activities.

The other options are not valid for what the risk management team leader should do in the early stages of the project:

Conduct qualitative risk analysis to prioritize potential risks: This is not a valid option because the qualitative risk analysis is part of the Perform Qualitative Risk Analysis process, which comes after the Identify Risks process and before the Perform Quantitative Risk Analysis process. The risk management team leader should not conduct the qualitative risk analysis before developing the risk management plan and identifying the risks.

Plan a solid risk response plan and secure the necessary funding: This is not a valid option because the risk response plan is part of the Plan Risk Responses process, which comes after the Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis processes. The risk management team leader should not plan the risk response plan and secure the necessary funding before developing the risk management plan, identifying, and analyzing the risks.

Benchmark to an organization which has executed a similar project: This is not a valid option because benchmarking is a technique for risk identification, but it is not the only one. The risk management team leader should use a combination of techniques to identify risks, not just focus on one aspect. Also, benchmarking is not the same as educating stakeholders, which implies providing training, coaching, and guidance on risk management best practices.

PMI-RMP Handbook1, PMBOK® Guide2, Practice Standard for Project Risk Management2

Any change to project scope, regardless of perceived size, should trigger a risk analysis to determine potential impact . The PMBOK® Guide states:

" When a change request is submitted, it should be evaluated for potential impact on project objectives, including risk. Analysis of impact is a best practice before implementing any change. "

— PMBOK® Guide, 6th Edition, Section 4.6.2 (Perform Integrated Change Control)

This ensures that the team does not overlook risks associated with even “minimal” changes.

The correct answer is A. Conduct risk workshops tailored to all stakeholders.

The issue in this question is not general project coordination, nor a lack of access to documentation. The problem is that important stakeholders do not share a common understanding of risk management principles . In risk management practice, the most effective way to address this gap is through targeted stakeholder education and engagement , especially in the early planning stage when common understanding is essential for setting roles, expectations, risk criteria, reporting methods, and response participation.

A workshop is the strongest option because it allows the risk manager to:

explain core risk concepts in a practical project context,

align different stakeholder groups on terminology and expectations,

answer questions in real time,

tailor the message to different audiences,

encourage participation in identifying, analyzing, and responding to risks.

This is especially important in an AI-based software project, where stakeholders such as data scientists, product owners, and external data vendors may have very different technical backgrounds, business priorities, and risk perspectives. A tailored workshop creates shared understanding across those groups and strengthens future collaboration.

Why the other options are incorrect:

B. Invite all stakeholders to daily coordination meetings Daily meetings are primarily for operational coordination, not structured risk education. They are also inefficient for broad stakeholder training and may not address the actual knowledge gap.

C. Distribute risk-policy documents to all stakeholders Sending documents alone is a passive approach. It does not ensure understanding, alignment, or stakeholder engagement. Documentation may support education, but it is not the best primary method here.

D. Provide project management training to all stakeholders This is too broad and not focused on the actual issue. The question asks specifically how to educate stakeholders on risk management principles , not on overall project management.

Best-practice reasoning:

Effective stakeholder engagement in risk management requires communication methods that are interactive, relevant, and adapted to stakeholder needs. Workshops are a recognized and practical tool for building awareness, clarifying risk roles, and supporting risk culture early in the project lifecycle.

Reference-aligned basis:

This answer is consistent with standard risk management guidance that emphasizes:

stakeholder engagement in establishing risk understanding,

the use of workshops and facilitated sessions for risk education and alignment,

early communication of risk management approach, roles, and responsibilities.

The project manager should first gather more information about the previous project ' s issues by interviewing the other project manager. This will help in understanding the root causes of the delay and how to prevent similar issues in the current project before taking further action.

 The project manager should first include the risk of delay in delivery of the GTG in the risk register and communicate with the stakeholders about the potential impact and response strategies. This is part of the risk identification process, which is the first step in risk management. The risk register is a document that records the identified risks, their causes, effects, probabilities, impacts, and response plans. The project manager should communicate with the stakeholders to ensure that they are aware of the risk and its implications, and to obtain their feedback and support. The project manager should also update the risk register as new information becomes available or as the risk status changes. The other options are not the first actions that the project manager should take. Communicating with the client to provide the previous shutdown plan is part of the risk response process, which comes after the risk identification and analysis processes. Reviewing and updating the project schedule is part of the schedule management process, which is not directly related to risk management. Interviewing the other project manager to learn more details is a technique that can be used to identify risks, but it is not the first action that the project manager should take. The project manager should first document the risk in the risk register and communicate with the stakeholders before seeking more information from other sources. References: 3, 4, 5

The Delphi technique allows the project risk manager to gather opinions from all stakeholders anonymously. This method would enable stakeholders to express their concerns without feeling uncomfortable in front of the influential stakeholder.

 The Delphi technique is a tool used to make quick decisions with consensus. This technique consists of sending several sets of anonymous questions to each expert. This is followed by a group discussion after every round. The Delphi technique can help the project risk manager to identify risks by soliciting the opinions of all stakeholders without revealing their identities. This way, the stakeholders can express their views freely and honestly, without being influenced or intimidated by the influential stakeholder. The Delphi technique can also reduce personal bias, ego, or emotional conflict among the participants. The project risk manager can use the results of the Delphi technique to create a list of potential risks and their causes, effects, and probabilities. References: 3, 2, 5

In the context of risk management, particularly as outlined in various risk management procedures and policies from Lycopodium documents, the validation of risk identification processes by knowledgeable team members is critical. This approach ensures that risks are accurately identified, assessed, and documented, which can mitigate disagreements about the potential impact of these risks on the project, including cost implications.

1.     Risk Management Procedure:

According to the Risk Management Procedure (BRM-PRC-009), the process of risk identification and assessment is a collaborative effort that involves input from individuals with relevant expertise. This ensures that risks are properly identified and that the risk assessment is robust (Section 4.1.1, Assessment and Identification)​.

2.     Importance of Expertise:

The procedure emphasizes the involvement of key personnel who are knowledgeable about the specific risks in their areas of responsibility. By involving these experts, the project can ensure that the risk identification process is thorough and that all potential risks are considered (Section 3.5, Project Manager or Lead Project Engineer responsibilities)​.

3.     Validation Process:

The risk management framework also requires the review and validation of identified risks by experienced team members, particularly those most knowledgeable about the project’s specific technical and operational aspects. This validation process helps in resolving any disputes regarding the impact of identified risks on the project, including cost implications (Section 6.4.1, Workplace Risk Assessment and Controls - WRAC)​.

4.     PMI Alignment:

According to PMI’s Project Management Body of Knowledge (PMBOK), risk management processes should involve key stakeholders and subject matter experts to ensure that all potential risks are identified and that the risk register is accurate. This aligns with the option of ensuring that the most knowledgeable members validate the risk identification processes to address concerns and enhance the credibility of the risk management efforts.

Thus, by selecting option D, the Risk Manager is ensuring a comprehensive and expert-validated approach to risk identification, which aligns with best practices in risk management and addresses the concerns of stakeholders by providing credible, expert-backed risk assessments.

The expected monetary value (EMV) for this project can be calculated as follows: (0.6 x US$100,000) - (0.4 x US$100,000) = US$60,000 - US$40,000 = US$20,000 profit.

The EMV of a project is the weighted average of the possible outcomes, which are a US$100,000 profit or a US$100,000 loss in this case. To calculate the EMV, we multiply the probability of each outcome by its monetary value, and then add them together. The formula is:

EMV = (Probability of profit x Value of profit) + (Probability of loss x Value of loss)

In this case, the probability of profit is 60%, and the value of profit is US$100,000. The probability of loss is 40%, and the value of loss is -US$100,000 (negative because it is a loss). Therefore, the EMV is:

EMV = (0.6 x 100,000) + (0.4 x -100,000) EMV = 60,000 - 40,000 EMV = US$20,000

This means that the project has an expected monetary value of US$20,000 profit, which is the answer option B. The other options are incorrect because they do not match the EMV calculation.

The EMV is a useful tool for comparing different projects or alternatives based on their expected values. However, it does not account for the variability or uncertainty of the outcomes, which may also affect the project decision making. For example, a project with a higher EMV but a higher risk may not be preferable to a project with a lower EMV but a lower risk. Therefore, the EMV should be used with caution and in conjunction with other risk analysis techniques.

For more information on the EMV and other risk analysis methods, you can refer to the PMI Risk Management Professional (PMI-RMP) Examination Content Outline and Specifications, the A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, and the Expected Monetary Value (EMV): A Guide With Examples. I hope this helps you understand the concept of EMV and how to apply it to project risk management

A risk management plan is the foundational document for risk management. It defines processes, ownership, strategies, and baselines, and must be developed first before other detailed risk actions. PMBOK® Guide specifies:

" The risk management plan is the key document that outlines the approach, processes, roles, responsibilities, and documentation requirements for risk management. "

— PMBOK® Guide, 6th Edition, Section 11.1

Before deciding to hire an external vendor to accelerate the delivery plan, it ' s essential to assess the potential internal and external factors that could influence this decision. Conducting a SWOT analysis allows the project team to systematically evaluate:

Strengths: Internal capabilities that could support the decision.

Weaknesses: Internal limitations or challenges.

Opportunities: External factors the project could capitalize on.

Threats: External factors that could pose risks.

This comprehensive assessment provides a balanced perspective, enabling informed decision-making regarding the engagement of an external vendor.

PMI Risk Management Study Guide References:

The PMI-RMP Exam Content Outline lists SWOT analysis as a technique for assessing project risk complexity and identifying potential threats and opportunities, facilitating informed decision-making in project risk management.

The risk manager should consult the risks that have materialized and the overall risk profile to analyze the performance of managing the risks, as well as the risks due to the number of claims submitted to the client. These options provide insights into how well risks are being managed and the potential impact on the project.

 The risk manager should consult the risks that have materialized and the overall risk profile, as these are indicators of how well the risk management process is working and how the project is affected by the risks. The risk manager should also consult the risks due to the number of claims submitted to the client, as these are potential sources of conflict, litigation, and reputation damage that may impact the project objectives and stakeholder satisfaction. References: The Standard for Risk Management in Portfolios, Programs, and Projects, page 83; PMBOK Guide, 6th edition, page 414.

Comprehensive and Detailed In-Depth Explanation:

Extreme Programming (XP) emphasizes continuous feedback, early testing, and adaptive planning. When discrepancies arise, XP encourages identifying root causes and taking corrective actions without delaying value delivery.

Option D: Run a spike, identify what went wrong during implementation, and request a change to enhance value delivery (Correct Answer).

A spike is a time-boxed research activity used to explore a problem, test assumptions, and mitigate uncertainty in XP methodology.

By running a spike, the team analyzes what went wrong in implementation and applies the findings to ensure future iterations align with customer needs.

The PMI-RMP Guide states that “proactive risk response planning helps teams course-correct and maintain delivery momentum” (PMI-RMP Exam Prep Study Guide, 2021, p. 142).

The Agile Practice Guide supports the use of spikes, highlighting that “spikes allow agile teams to validate uncertainties in requirements, leading to more informed decision-making” (PMI & Agile Alliance, 2017, p. 89).

Option A: Release this version and leave changes to be done at the end of the project phase (Incorrect).

XP emphasizes continuous improvement and early defect resolution rather than postponing fixes.

Leaving changes until later may increase technical debt and reduce user satisfaction.

Option B: Arrange a workshop where all ideas will be discussed and take corrective actions ensuring value delivery (Partially Correct but Not the Best Answer).

While workshops help gather feedback, they do not provide technical validation of what went wrong.

A spike (Option D) is a better approach because it directly investigates the issue and leads to actionable changes.

Option C: Ask the development team to brainstorm and come up with suggestions that will improve the delivery date (Incorrect).

Brainstorming may generate ideas but does not analyze the root cause of the discrepancies.

Without a structured approach like a spike, there is a risk of guessing rather than using data-driven solutions.

Final Verdict:

The best answer is D (Run a spike, identify what went wrong during implementation, and request a change to enhance value delivery) because a spike provides empirical insights, leading to more effective corrective actions.

The risk manager should advise the project manager to hire additional developers as soon as project metrics indicate that the risk of delay is materializing. This approach ensures that the response is timely and directly tied to the project’s actual performance, allowing for better resource management and minimizing unnecessary costs. This aligns with PMI ' s risk management principles, which advocate for the timely execution of risk responses based on objective data and metrics​.

According to the PMBOK® Guide1, the risk management plan is a component of the project management plan that describes how risk management activities will be structured and performed. It provides guidance on how the project team will identify, analyze, respond, monitor, and control risks throughout the project life cycle. The risk management plan should be reviewed and updated whenever there are changes in the project scope, schedule, budget, or objectives, as these changes may introduce new risks or affect the existing ones. In this case, the organization’s decision to accelerate a key project is a significant change that may alter the risk profile of the project. Therefore, the first action for the project risk manager to take is to revise the risk management plan to reflect the new situation and ensure that the risk management processes are aligned with the project objectives and constraints. This is part of the Plan Risk Management process in the PMBOK® Guide1. References: 1: A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition

Risk handling strategies should be reviewed and revised periodically to ensure they remain effective and relevant as the project progresses. This allows the project manager to adapt to changing circumstances and minimize the impact of risks on the project.

According to the PMBOK® Guide, risk handling strategies are the specific actions that are taken to implement the risk response plan. The risk response plan is the output of the Plan Risk Responses process, which describes how the project team intends to address the identified risks. The risk handling strategies should be aligned with the risk response strategies, which are the general approaches to deal with the risks, such as avoid, transfer, mitigate, accept, exploit, share, enhance, or accept.

The project manager should work with the risk handling strategies by reviewing and revising them periodically. This is because the project risks are not static, but dynamic and uncertain. They may change over time due to various factors, such as changes in the project scope, schedule, cost, quality, resources, stakeholder expectations, assumptions, constraints, etc. Therefore, the project manager should monitor and control the risk handling strategies to ensure that they are still effective and appropriate for the current risk situation. The project manager should also update the risk register and the risk report with the results of the risk handling strategies, such as the residual risks, secondary risks, and risk triggers.

The other options are not valid for how the project manager should work with the risk handling strategies:

Implement the strategies after completing the risk analysis: This is not a valid option because the risk analysis is not the final step in the risk management process. The risk analysis is part of the Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis processes, which come after the Identify Risks process and before the Plan Risk Responses process. The risk analysis helps the project manager to prioritize and evaluate the risks, but it does not provide the specific actions to address them. The risk handling strategies are developed in the Plan Risk Responses process, which comes after the risk analysis.

Implement the strategies immediately: This is not a valid option because the risk handling strategies should not be implemented without proper planning and approval. The risk handling strategies should be documented in the risk response plan, which should be communicated and approved by the project sponsor, customer, and other relevant stakeholders. The risk handling strategies should also be integrated with the other project management plans, such as the scope, schedule, cost, quality, resource, communication, procurement, and stakeholder management plans. The risk handling strategies should be implemented only when the risk triggers or conditions occur, or when the project manager decides to do so based on the risk analysis and evaluation.

Ensure the strategies are approved by the stakeholders: This is not a valid option because the approval of the risk handling strategies is not the only thing that the project manager should do with them. The approval of the risk handling strategies is part of the Plan Risk Responses process, which comes before the Implement Risk Responses and Monitor Risks processes. The project manager should also implement, monitor, and control the risk handling strategies to ensure that they are effective and appropriate for the current risk situation.

PMBOK® Guide1, Risk Management Professional (PMI-RMP)® Cert Guide1

The analysis currently being used is qualitative risk analysis. Qualitative risk analysis involves assessing risks based on their likelihood of occurrence and their potential impact on the project. This type of analysis can help identify biases that may be impacting how team members perceive risks.

Qualitative risk analysis is the process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics. Qualitative risk analysis helps to identify the most significant risks that require attention and response planning. One of the tools and techniques used in qualitative risk analysis is risk data quality assessment, which evaluates the degree to which the data about individual project risks is useful for risk management. Risk data quality assessment considers various aspects of data quality, such as reliability, accuracy, integrity, precision, and bias. Bias is the tendency of human judgment to be influenced by personal or organizational preferences, assumptions, beliefs, or emotions, rather than by objective facts or evidence. Bias can affect how project team members perceive and assess risks, leading to inaccurate or incomplete risk analysis results. Therefore, the risk manager who realizes the project team members have biases impacting how they perceive risks is currently using qualitative risk analysis to prioritize the risks and assess the quality of risk data. References: PMI, Practice Standard for Project Risk Management, 2009, p. 37-38, 41-42.

The project manager should address the communication risk by meeting the client ' s preference for face-to-face conversations. This can be achieved by planning face-to-face meetings for critical milestones.

 Communication issues with the client are a potential risk that can affect the project scope, schedule, quality, and stakeholder satisfaction. To avoid this risk, the project manager should align the communication methods and preferences with the client’s expectations and needs. If the client prefers face-to-face conversations, the project manager should respect that and meet the client in person whenever possible. This can help build trust, rapport, and clarity between the project manager and the client. The project manager should also plan for critical milestone meetings with the client to review the project progress, deliverables, and feedback. This can help ensure that the project is on track and meets the client’s requirements and satisfaction. References: PMI, 2017. A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition. Newtown Square, PA: Project Management Institute, Inc., pp. 376-3771

In agile projects, the risk burndown chart is used to monitor the reduction of project risk over time. If risk exposure is found to be increasing, it is essential to act immedi ately by selecting and implementing risk mitigation actions that can reduce exposure in upcoming iterations. The PMI “Agile Practice Guide” and the PMBOK® Guide state:

“In agile projects, risks are identified and managed continuously. When risk exposure is high, mitigation actions (often called ‘risk mitigation stories’) should be prioritized in the next iteration or sprint to bring exposure back to acceptable levels.”

— Agile Practice Guide, PMI, Section 5.7 (Responding to Risks in Agile Projects)

“Project teams may develop risk response actions as work items and prioritize these for execution in the backlog, particularly in iterative and incremental environments.”

— PMBOK® Guide, 6th Edition, Section 11.6.2.3

Therefore, prioritizing risk mitigation stories for the next sprint (Option C) is the most effective and officially recommended response.