PMBOK Risk Management
Overview
The PMBOK Risk Management skill supports the elaboration of documents for the Risk Management knowledge area — planning, identifying, analyzing, response planning, response implementation, and monitoring risk on a project. It covers risk management plans defining methodology, roles, and funding for risk activities; risk registers using the structured “cause → risk → effect” statement format; probability-impact matrices with defined scales; risk breakdown structures; quantitative risk analysis reports using Expected Monetary Value (EMV), sensitivity analysis (tornado diagrams), and Monte Carlo simulation descriptions; risk response plans with strategies for both threats and opportunities; and risk monitoring reports tracking trigger watch lists, response effectiveness, and reserve consumption.
Getting Started
Upload your project charter, scope statement, or preliminary risk list to the workspace and activate the PMBOK Risk Management skill. The agent will ask about organizational risk appetite, relevant risk categories, and whether quantitative analysis is needed. It then identifies risks using the cause-risk-effect format, scores them against a defined probability-impact matrix, and develops response strategies with named owners, triggers, and contingency plans.
Example Conversation
Below is an example of a typical session building a risk register and response plan for an infrastructure project. The agent identifies risks, scores them, and proposes response strategies.
You: We’re building a new data center — 18-month construction project, $28M budget. I need a risk register with at least the top risks identified and scored, plus response plans for the high-priority ones. Main concerns: supply chain delays for electrical equipment, permitting timeline, concrete supplier reliability, and cybersecurity for the building management system.
Agent: I’ll build the risk register with probability-impact scoring. First, let me confirm the scales:
- Probability: 5-level scale (Very Low < 10%, Low 10–30%, Medium 30–50%, High 50–70%, Very High > 70%)
- Impact: 5-level scale on cost and schedule objectives (Very Low through Very High)
- Score: P × I, classified as Low (1–4), Medium (5–9), High (10–15), Very High (16–25)
Does this align with your organization’s risk framework, or do you use different scales?
You: Those scales work. Please also include some risks I might be missing — we want a comprehensive register.
Agent: I’ve identified 14 risks across 4 RBS categories (Technical, External, Organizational, Project Management). Here’s the summary:
- Very High (16–25): 2 risks — supply chain delays for switchgear/transformers (lead times currently 40–52 weeks), and permitting delays due to environmental review
- High (10–15): 4 risks — concrete supplier single-source dependency, cybersecurity vulnerabilities in BMS, skilled labor shortage in the region, and weather delays during foundation phase
- Medium (5–9): 5 risks — including scope creep from tenant requirements, utility connection delays, and commissioning complexity
- Low (1–4): 3 risks — including currency fluctuation on imported equipment
For the 6 Very High and High risks, I’ve developed full response plans with strategies (avoid, mitigate, transfer), specific actions, triggers, residual risk, and contingency plans. The response plan for the supply chain risk recommends a dual-source strategy with early procurement — placing orders 14 months before installation. Based on the risk analysis, I recommend a contingency reserve of $2.8M (10% of BAC) to cover the top risks.
Document Excerpt
Below is a representative excerpt from a risk register with response plan drafted with the skill.
Risk Register — Excerpt
Project: Metro East Data Center Construction | Budget (BAC): $28,000,000 | Duration: 18 months
Probability-Impact Matrix (Reference)
| | Very Low (1) | Low (2) | Medium (3) | High (4) | Very High (5) |
|---|---|---|---|---|---|
| Very High (5) | 5 | 10 | 15 | 20 | 25 |
| High (4) | 4 | 8 | 12 | 16 | 20 |
| Medium (3) | 3 | 6 | 9 | 12 | 15 |
| Low (2) | 2 | 4 | 6 | 8 | 10 |
| Very Low (1) | 1 | 2 | 3 | 4 | 5 |
Top Risks
| Risk ID | Risk Statement (Cause → Risk → Effect) | P | I | Score | Priority | Owner |
|---|---|---|---|---|---|---|
| R-01 | Because of global semiconductor shortages and 40–52 week lead times, delivery of medium-voltage switchgear and transformers may be delayed by 3–6 months, leading to a critical-path delay of the electrical installation phase and potential $1.2M–$2.4M in idle labor costs. | 4 | 5 | 20 | Very High | Procurement Mgr |
| R-02 | Because of newly enacted wetland buffer regulations, the environmental review for the site permit may take 4–8 weeks longer than planned, leading to a delay in foundation work and a cascade to the overall schedule. | 4 | 4 | 16 | Very High | Project Director |
| R-03 | Because we rely on a single concrete supplier (MegaCrete Inc.) with no contractual volume guarantee, concrete delivery may be interrupted if the supplier prioritizes larger contracts, leading to foundation and structural delays of 2–4 weeks. | 3 | 4 | 12 | High | Construction Mgr |
| R-04 | Because the building management system (BMS) uses IP-connected controllers, a cybersecurity vulnerability may be exploited during commissioning when temporary network access is granted, leading to unauthorized control of HVAC/fire suppression and potential safety incident. | 3 | 4 | 12 | High | IT Security Lead |
Risk Response Plan (Top Risks)
| Risk ID | Strategy | Response Actions | Trigger | Contingency Plan |
|---|---|---|---|---|
| R-01 | Mitigate | (1) Place purchase orders for switchgear/transformers immediately (14 months before install). (2) Pre-qualify alternate supplier (ABB as backup to Siemens). (3) Include liquidated damages clause for late delivery. | Supplier confirms delivery date > 2 months past plan | Activate alternate supplier. Re-sequence non-critical electrical work. Deploy temporary power for commissioning. Budget impact: $400K contingency allocated. |
| R-02 | Mitigate | (1) Engage environmental consultant in Month 1 for pre-assessment. (2) Submit permit application with wetland mitigation plan proactively. (3) Schedule community stakeholder meeting early. | Environmental review extends beyond 6 weeks | Fast-track foundation work in non-restricted zones. Parallel-path interior design. Budget impact: $200K contingency allocated. |
| R-03 | Avoid | (1) Contract with 2 concrete suppliers (MegaCrete + regional backup). (2) Include minimum volume commitment in both contracts. (3) Maintain 1-week buffer stock at site. | Primary supplier misses 2 consecutive deliveries | Activate secondary supplier at pre-negotiated rates. Adjust pour schedule to available supply. |
| R-04 | Mitigate | (1) Require BMS vendor to perform penetration testing before commissioning. (2) Implement network segmentation — BMS on isolated VLAN. (3) Temporary commissioning network uses VPN-only access. | Vulnerability scan during commissioning reveals critical finding | Halt BMS network connectivity. Revert to manual controls for commissioning period. Engage incident response team. |
This excerpt is illustrative. Final content must reflect the specific project’s risks, organizational risk appetite, and current market conditions.