Managing risk is a central theme for a project manager, and indeed for the entire project team. Certified Associate in Project Management (CAPM) candidates are tested on five important risk objectives in order to demonstrate full knowledge of the impact of risks on a project. To pass the CAPM® exam, a candidate must know what risks are, how risks can affect a project, and the role that each project team member and project manager has in ensuring that risk does not derail a project.

The 24 practice questions in this chapter are mapped to the style and frequency of question types you will see on the CAPM exam.

Q QUESTIONS

1.   What is the difference between verified deliverables and accepted deliverables?

A.   Accepted deliverables are inputs to Validate Scope, whereas verified deliverables are outputs from Validate Scope.

B.   Accepted deliverables are created by the Control Quality process, and verified deliverables are created in the Closing process group.

C.   Verified deliverables are inputs to the Control Quality process, whereas accepted deliverables are outputs from the Closing process group.

D.   Verified deliverables are inputs to Validate Scope, whereas accepted deliverables are outputs from Validate Scope.

2.   How often should an organization address risk management during a project?

A.   At every management meeting

B.   Only in the planning phase

C.   On high-risk projects only

D.   Consistently throughout

3.   The PMO guidelines for all projects at your company advise that a project should have a balance between risk taking and risk avoidance. This policy is implemented in a project using:

A.   Risk responses

B.   Risk analysis

C.   Risk identification

D.   Risk classification

4.   Who is responsible for identifying risks in a new project?

A.   The project manager

B.   The project sponsor

C.   Any project personnel

D.   The main stakeholders

5.   The document that contains a list of identified risks, a list of potential responses for each risk, the root cause of the risk, and the risk category is called the:

A.   Risk management plan

B.   Project issues log

C.   Risk category checklist

D.   Risk register

6.   As part of your responsibility for managing risks in your project, you rate risks as low, medium, or high. What tool would you typically use to define these categories?

A.   Probability impact matrix

B.   Risk register updates

C.   Assumption analysis

D.   Checklist analysis

7.   A new member of your project team suggests that you should quantify risks using the lowest, highest, and most likely costs of the WBS elements in the project plan. What is the name for the technique being suggested?

A.   Three-point estimating

B.   Probability impact analysis

C.   Probability distributions

D.   Sensitivity analysis

8.   The process of project planning that involves developing options, determining actions to enhance opportunities, and reducing threats to project objectives is called (a):

A.   Perform Qualitative Risk Analysis

B.   Plan Risk Responses

C.   Perform Quantitative Risk Analysis

D.   Probability Impact Matrix

9.   Your team is developing a part of the risk management plan. For some of the risks, the team decides that a response plan will be executed only when certain predefined conditions exist. What is the term given to this type of risk strategy?

A.   Contingent

B.   Sharing

C.   Exploit

D.   Enhance

10.   Information such as outcomes of risk reassessments, risk audits, and periodic risk reviews are examples from which of the following?

A.   Risk management plan

B.   Approved change requests

C.   Project document updates

D.   Work performance information

11.   As part of implementing risk responses, you are updating your risk report. You should include:

A.   Any changes to overall risk exposure

B.   Impact of identified risks on achieving project benefits

C.   A change request process for risks that occur that affect project team assignments

D.   A revised list of prioritized issues that affect the project’s objectives

12.   In the Implement Risk Responses process, which of the following is done for each risk?

A.   Specify the risk thresholds based on the risk appetite of the sponsor.

B.   Encourage risk owners to take necessary action, if required.

C.   Document the risk description and impact if it happens.

D.   Inform project stakeholders of all ranked risks.

13.   What are you engaged in if you are documenting the effectiveness of risk responses in dealing with identified risks and their root causes, as well as the effectiveness of the risk management process?

A.   Implement risk responses

B.   Risk identification

C.   Risk analysis

D.   Risk audit

14.   In which process does a project manager prioritize individual risks by assessing their probability of occurrence and impact?

A.   Plan Risk Management

B.   Identify Risks

C.   Perform Qualitative Risk Analysis

D.   Perform Quantitative Risk Analysis

15.   In which process does the project manager numerically analyze the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives?

A.   Plan Risk Management

B.   Identify Risks

C.   Perform Qualitative Risk Analysis

D.   Perform Quantitative Risk Analysis

16.   Calculate EMV for a risk event that has a 40 percent chance of occurring and that, if it occurred, would cost the project an additional $100,000.

A.   $4,000

B.   $40,000

C.   $100,000

D.   $400,000

17.   Risk A has a 50 percent chance of happening. Unrelated Risk B has a 20 percent chance of happening. What is the chance they will both happen?

A.   10 percent

B.   30 percent

C.   70 percent

D.   100 percent

18.   If the EMV of a risk is $200,000 and this risk exposure has been documented in the project business case, what is the maximum you could spend to remove the risk completely and be better off?

A.   $20,000

B.   $100,000

C.   $2,000,000

D.   $200,000

19.   A residual risk is assessed to have a probability of 0.1 and an impact value of $50,000. What is the EMV of the residual risk?

A.   $1,000

B.   $5,000

C.   $50,000

D.   EMV does not apply to residual risk

20.   How is secondary risk assessed?

A.   E = (a + 4m + b) / 6

B.   EMV plus 10 percent

C.   Determine probability and multiply by impact

D.   The same way as original or residual risks

21.   In order to prepare the risk management plan, what should a project manager define first?

A.   Your organization’s risk appetite

B.   The functional requirements document you plan to use to identify risks

C.   The resisting stakeholders

D.   Budget assumptions and constraints

22.   You are preparing to lead a project team creating a product that is expected to be available for the Christmas buying season and is anticipated to be popular with young adults ages 25 to 35. What should you be sure to review before finalizing the risk management plan for this particular project?

A.   Occupational safety and health issues

B.   Business case

C.   Potential suppliers on the prequalified sellers list

D.   Cultural differences in the production workers

23.   You have a design team of seven members and a support team of three people; these numbers are about half of what you believe you need. These limits are examples of:

A.   Constraints to document in your project scope statement

B.   Limitations to document in your project charter

C.   Known risks to set aside management reserves

D.   Key issues to document in the risk log

24.   A generally accepted business practice to follow regarding risks and issues is to:

A.   Use the risk register to capture operational-level issues

B.   Set up a risk control board for risks and issues that may occur

C.   Set up an escalation process for you to help resolve risks and issues

D.   Ensure a risk or issue is isolated to a single project phase

QUICK ANSWER KEY

1. D

2. D

3. A

4. C

5. D

6. A

7. A

8. B

9. A

10. C

11. A

12. B

13. D

14. C

15. D

16. B

17. A

18. D

19. B

20. D

21. A

22. B

23. A

24. C

A ANSWERS

1.   What is the difference between verified deliverables and accepted deliverables?

A.   Accepted deliverables are inputs to Validate Scope, whereas verified deliverables are outputs from Validate Scope.

B.   Accepted deliverables are created by the Control Quality process, and verified deliverables are created in the Closing process group.

C.   Verified deliverables are inputs to the Control Quality process, whereas accepted deliverables are outputs from the Closing process group.

D.   Verified deliverables are inputs to Validate Scope, whereas accepted deliverables are outputs from Validate Scope.

  D. Verified deliverables are created in the Control Quality process and are inputs to Validate Scope, whereas accepted deliverables are outputs from the Validate Scope process.

  A, B, and C are incorrect. Verifying deliverables is an internal project activity performed in the Control Quality process, whereas accepting the deliverables requires that the customer (external from the team) formally accepts and signs off on verified deliverables from the project team, making them “accepted” deliverables.

2.   How often should an organization address risk management during a project?

A.   At every management meeting

B.   Only in the planning phase

C.   On high-risk projects only

D.   Consistently throughout

  D. An organization should be committed to addressing risk management proactively and consistently throughout the project.

  A, B, and C are incorrect. Risk needs to be identified early, with mitigation strategies in place, and then constantly monitored as the details of the project are progressively elaborated to ensure that new risks have not been introduced.

3.   The PMO guidelines for all projects at your company advise that a project should have a balance between risk taking and risk avoidance. This policy is implemented in a project using:

A.   Risk responses

B.   Risk analysis

C.   Risk identification

D.   Risk classification

  A. A balance between risk taking and risk avoidance is the application of risk responses.

  B, C, and D are incorrect. Risk analysis, risk identification, and risk classification are parts of prior steps to the responses in the Risk Management process.

4.   Who is responsible for identifying risks in a new project?

A.   The project manager

B.   The project sponsor

C.   Any project personnel

D.   The main stakeholders

  C. Any project personnel can identify risks in a project.

  A, B, and D are incorrect. Any project personnel can identify risks. The project manager manages the Risk Management process, with input from the sponsor and main stakeholders.

5.   The document that contains a list of identified risks, a list of potential responses for each risk, the root cause of the risk, and the risk category is called the:

A.   Risk management plan

B.   Project issues log

C.   Risk category checklist

D.   Risk register

  D. A list of identified risks, a list of potential responses for each risk, the root cause of the risk, and the risk category are the basic fields in a risk register.

  A, B, and C are incorrect. A is incorrect because the risk management plan is the overall management document and processes definitions for managing risk in the project. B is incorrect because the project issues log contains the list of all issues, not solely risks. C is incorrect because the risk category checklist contains weighting information on probability and impact.

6.   As part of your responsibility for managing risks in your project, you rate risks as low, medium, or high. What tool would you typically use to define these categories?

A.   Probability impact matrix

B.   Risk register updates

C.   Assumption analysis

D.   Checklist analysis

  A. Rating risks into a low, medium, or high category is performed and presented on a probability impact matrix.

  B, C, and D are incorrect. B is incorrect because risk register updates are an output from the Risk Management process. C and D are incorrect because assumption analysis and checklist analysis are tools used for risk identification.

7.   A new member of your project team suggests that you should quantify risks using the lowest, highest, and most likely costs of the WBS elements in the project plan. What is the name for the technique being suggested?

A.   Three-point estimating

B.   Probability impact analysis

C.   Probability distributions

D.   Sensitivity analysis

  A. Three-point estimating is a technique that is often used for risk analysis that calculates or obtains information on the lowest, highest, and most likely costs of the WBS elements in the project plan.

  B, C, and D are incorrect. B is incorrect because probability impact analysis is a ranking of risks. C is incorrect because probability distributions are the application of three-point estimates in different ways. D is incorrect because sensitivity analysis is used to test the major project variables independently for risks.

8.   The process of project planning that involves developing options, determining actions to enhance opportunities, and reducing threats to project objectives is called (a):

A.   Perform Qualitative Risk Analysis

B.   Plan Risk Responses

C.   Perform Quantitative Risk Analysis

D.   Probability Impact Matrix

  B. Developing options, determining actions to enhance opportunities, and reducing threats to project objectives is known as Plan Risk Responses.

  A, C, and D are incorrect. A and C are incorrect because Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis are prior steps in the Risk Management process. D is incorrect because the Probability Impact Matrix is a means of classifying the ranking of risks.

9.   Your team is developing a part of the risk management plan. For some of the risks, the team decides that a response plan will be executed only when certain predefined conditions exist. What is the term given to this type of risk strategy?

A.   Contingent

B.   Sharing

C.   Exploit

D.   Enhance

  A. For some of the risks in a project, whether they pose a threat or provide an opportunity, a response plan that will be executed only when certain predefined conditions exist is called a contingent response strategy.

  B, C, and D are incorrect. Sharing, exploiting, and enhancing are responses to opportunity related to risk events.

10.   Information such as outcomes of risk reassessments, risk audits, and periodic risk reviews are examples from which of the following?

A.   Risk management plan

B.   Approved change requests

C.   Project document updates

D.   Work performance information

  C. Information such as outcomes of risk reassessments, risk audits, and periodic risk reviews are examples of project document updates from the Control Risk process.

  A, B, and D are incorrect. A is incorrect because the risk management plan defines the process and resources involved in managing the risks. B and D are incorrect because approved change requests and work performance information do not match the question items.

11.   As part of implementing risk responses, you are updating your risk report. You should include:

A.   Any changes to overall risk exposure

B.   Impact of identified risks on achieving project benefits

C.   A change request process for risks that occur that affect project team assignments

D.   A revised list of prioritized issues that affect the project’s objectives

  A. The risk report may be updated to include changes to overall project risk exposure that occur from the Implement Risk Responses process.

  B, C, and D are incorrect. B is incorrect because the risk register already includes the impact of identified risks on achieving project benefits and was being monitored before implementing the risk response. C is incorrect because the question does not mention limiting the risk responses to those that affect project team assignments. D is incorrect because the issue log includes a revised list of prioritized issues that affect the project’s objectives.

12.   In the Implement Risk Responses process, which of the following is done for each risk?

A.   Specify the risk thresholds based on the risk appetite of the sponsor.

B.   Encourage risk owners to take necessary action, if required.

C.   Document the risk description and impact if it happens.

D.   Inform project stakeholders of all ranked risks.

  B. Regardless of the severity of the risk or threshold of risk appetite, every risk has an owner, and each owner is encouraged to take action when necessary whether it is a low-risk item or a high-risk item. No proactive action is taken other than encouraging the owner of the risk to take action at the appropriate time.

  A, C, and D are incorrect. A is incorrect because specifying the risk thresholds based on the risk appetite of the sponsor is part of planning risk management. C is incorrect because you document risks in the risk register, and you inform stakeholders in a risk meeting. D is incorrect because even if the risk is a low-priority threat, the risk will still be added to the risk register and monitored in risk meetings.

13.   What are you engaged in if you are documenting the effectiveness of risk responses in dealing with identified risks and their root causes, as well as the effectiveness of the risk management process?

A.   Implement risk responses

B.   Risk identification

C.   Risk analysis

D.   Risk audit

  D. The actions of documenting the effectiveness of risk responses in dealing with identified risks and the root causes, and of the effectiveness of the Risk Management process, is known as a risk audit.

  A, B, and C are incorrect. A is incorrect because risk responses are a specific set of alternatives to manage risk. B and C are incorrect because Risk Identification and Risk Analysis are processes used to build a risk management plan.

14.   In which process does a project manager prioritize individual risks by assessing their probability of occurrence and impact?

A.   Plan Risk Management

B.   Identify Risks

C.   Perform Qualitative Risk Analysis

D.   Perform Quantitative Risk Analysis

  C. Within the Project Risk Management processes, it is during the Perform Qualitative Risk Analysis process that the project manager examines the probability that each risk will occur and the associated risk to the project.

  A, B, and D are incorrect. A is incorrect because in Plan Risk Management, the project manager plans an approach to risk that is appropriate to the project. B is incorrect because in Identify Risks, the project manager identifies all known risks. D is incorrect because in Quantitative Risk Analysis, the project manager numerically analyzes the combined effects of identified individual project risks and other sources of uncertainty on overall project objectives.

15.   In which process does the project manager numerically analyze the combined effect of identified individual project risks and other sources of uncertainty on overall project objectives?

A.   Plan Risk Management

B.   Identify Risks

C.   Perform Qualitative Risk Analysis

D.   Perform Quantitative Risk Analysis

  D. In Qualitative Risk Analysis, the project manager numerically analyzes the combined effects of identified individual project risks and other sources of uncertainty on overall project objectives.

  A, B, and C are incorrect. A is incorrect because in Plan Risk Management, the project manager plans an approach to risk that is appropriate to the project. B is incorrect because in Identify Risks, the project manager identifies all known risks. C is incorrect because in Perform Qualitative Risk Analysis, the project manager examines the probability that each risk will occur and the associated risk to the project.

16.   Calculate EMV for a risk event that has a 40 percent chance of occurring and that, if it occurred, would cost the project an additional $100,000.

A.   $4,000

B.   $40,000

C.   $100,000

D.   $400,000

  B. 40% * $100,000 = $40,000. The three steps to calculate EMV are as follows: 1. Assign a probability of occurrence for the risk. 2. Assign a monetary value for the impact of the risk when it occurs. 3. Multiply step 1 and step 2. The value you get after performing step 3 is the expected monetary value. This value is positive for opportunities (positive risks) and negative for threats (negative risks). Project Risk Management requires you to address both types of project risks.

  A, C, and D are incorrect. The answers do not come from following the three steps of calculating EMV.

17.   Risk A has a 50 percent chance of happening. Unrelated Risk B has a 20 percent chance of happening. What is the chance they will both happen?

A.   10 percent

B.   30 percent

C.   70 percent

D.   100 percent

  A. 10% because 0.50 * 0.20 = 0.10 = 10% (or 1/2 * 1/5 = 1/10). When two events are independent, the probability of both occurring is the product of the probabilities of the individual events. More formally, if events A and B are independent, then the probability of both A and B occurring is P(A and B) = P(A) × P(B).

  B, C, and D are incorrect. They were not arrived at by calculating the probability of two independent events through multiplication of the probabilities of the two events.

18.   If the EMV of a risk is $200,000 and this risk exposure has been documented in the project business case, what is the maximum you could spend to remove the risk completely and be better off?

A.   $20,000

B.   $100,000

C.   $2,000,000

D.   $200,000

  D. $200,000. The maximum amount you would spend to eliminate the risk completely is equal to the amount of risk exposure.

  A, B, and C are incorrect. A and B are incorrect because the question asks for the maximum amount you could spend. C is incorrect because spending any more than the amount of risk exposure is not a sound project management practice.

19.   A residual risk is assessed to have a probability of 0.1 and an impact value of $50,000. What is the EMV of the residual risk?

A.   $1,000

B.   $5,000

C.   $50,000

D.   EMV does not apply to residual risk

  B. $5,000. The three steps to calculate EMV are as follows: 1. Assign a probability of occurrence for the risk. 2. Assign a monetary value for the impact of the risk when it occurs. 3. Multiply step 1 and step 2. The value you get after performing step 3 is the expected monetary value. This value is positive for opportunities (positive risks) and negative for threats (negative risks). Project Risk Management requires you to address both types of project risks.

  A, C, and D are incorrect. The answers do not come from following the three steps for calculating EMV.

20.   How is secondary risk assessed?

A.   E = (a + 4m + b) / 6

B.   EMV plus 10 percent

C.   Determine probability and multiply by impact

D.   The same way as original or residual risks

  D. Secondary risk is a risk that happens because you implemented a risk response. A residual risk is the risk that remains after a risk response has been taken. Secondary risks should be assessed for proper action in the same way as original risks and residual risks.

  A, B, and C are incorrect. A is incorrect because it is the formula for three-point estimating. B is incorrect because it is an improper calculation. C is incorrect because it is the definition of risk exposure.

21.   In order to prepare the risk management plan, what should a project manager define first?

A.   Your organization’s risk appetite

B.   The functional requirements document you plan to use to identify risks

C.   The resisting stakeholders

D.   Budget assumptions and constraints

  A. In risk management, risk appetite is the level of risk an organization is prepared to accept. Risk appetite constraints are not easy to define; every organization can tolerate different levels of risk.

  B, C, and D are incorrect. B is incorrect because the functional requirements document may indicate project objectives that are particularly at risk and is an input to the risk management plan. C is incorrect because a resistant stakeholder will be identified in the stakeholder engagement assessment matrix in the stakeholder management plan. D is incorrect because budget assumptions and constraints will be used to keep the known risks within the identified risk thresholds.

22.   You are preparing to lead a project team creating a product that is expected to be available for the Christmas buying season and is anticipated to be popular with young adults ages 25 to 35. What should you be sure to review before finalizing the risk management plan for this particular project?

A.   Occupational safety and health issues

B.   Business case

C.   Potential suppliers on the prequalified sellers list

D.   Cultural differences in the production workers

  B. When managing risk, market factors that apply to the project should be included as an enterprise environmental factor. Market demand, a high risk, is included in the business case.

  A, C, and D are incorrect. A is incorrect because although you will comply with OSHA regulations in your new building, it is a relatively low risk compared to no market for your gadgets. C is incorrect because the question does not imply the use of potential sellers. D is incorrect because resource (production workers) risks are known risks and are mitigated later in the risk management processes.

23.   You have a design team of seven members and a support team of three people; these numbers are about half of what you believe you need. These limits are examples of:

A.   Constraints to document in your project scope statement

B.   Limitations to document in your project charter

C.   Known risks to set aside management reserves

D.   Key issues to document in the risk log

  A. These are examples of constraints. Constraints and assumptions should be included in the scope statement.

  B, C, and D are incorrect. B is incorrect because resource limitations are not documented in the project charter. High-level boundaries are listed in the project charter. C is incorrect because contingency reserves are set aside for known risks. Unknown risks are covered by management reserves. Risks are documented in the risk register. D is incorrect because key issues are documented in the issues log.

24.   A generally accepted business practice to follow regarding risks and issues is to:

A.   Use the risk register to capture operational-level issues

B.   Set up a risk control board for risks and issues that may occur

C.   Set up an escalation process for you to help resolve risks and issues

D.   Ensure a risk or issue is isolated to a single project phase

  C. Risks or issues related to project objectives, resource and intergroup conflicts, ambiguous roles and responsibilities, scope disagreements, and third-party dependencies are some known situations calling for escalation. Such issues require higher-level intervention because many times the authority, decision making, resources, or effort required to resolve them is beyond a project manager’s scope.

  A, B, and D are incorrect. A is incorrect because issues are recorded in the issues log, not the risk register. B is incorrect because although there is a change control board, there is not a separate risk control board. Risks are evaluated by the change control board during an impact assessment. D is incorrect because the risk management processes identify risks by category and select risk strategies to address overall risk exposure throughout the project, including when risks and issues span project phases.