20 Project Risk Management Terms Explained

12 minute read    Updated:    Harwinder Singh

Risk Management explained with Example of Vacation Planning
I need a break from blogging to cool-off my brain, which as you rightly guessed, has got deep fried. I’m planning to go to Bali for vacation. I’ve heard it’s a great place and I have never been there before. But, I need your help in planning my trip, and particularly on Risk Management.

Let’s first give this project a name. How about we call it “The Deep Fried Brain Project”? As we plan the trip, we are going to identify the risks involved in the project, analyze the risks and plan risk responses. Also during the course of planning, we are going to explore some common Project Risk Management terms and see how they fit into our project. I’m quite excited about this project and looking forward to your support. So, shall we begin?

Project Cost Estimate

I’m going to fly to Bali, stay in a hotel, see a lot of places, do plenty of shopping and have loads of fun. The main cost components for the vacation (project) include:

  • Airfare - $500
  • Hotel accommodation - $1000
  • Car rental - $500
  • Food & leisure - $2000
  • Shopping - $1000

All these costs “roll up” to $5000. This is my project cost estimate.


I’ve never been to Bali before, and as a foreigner in a country, there’s always a level of uncertainty or risk involved.

PMBOK® Guide, 5th Edition defines risk as an uncertain event or condition that, if it occurs, has an effect on at least one project objective. Objectives can include scope, schedule, cost, and quality. A risk may have one or more causes and, if it occurs, it may have one or more impacts. A cause may be a requirement, assumption, constraint, or condition that creates the possibility of negative or positive outcomes.

It’s not all negative

Note the keywords negative or positive. The dictionary definition of the word ‘risk’ has a negative connotation. Therefore, it’s a bit counter-intuitive to think that risks can be positive too.

Negative Risks
Image credit: Flickr / tango48

Negative Risks or Threats

What are some of the things that can go wrong during my trip? Let’s list them down. I might:

  • Fall sick
  • Get robbed or mugged
  • Lose my wallet, passport, luggage or other valuables
  • Run out of money
  • Get kidnapped or high-jacked (if that adds any humor)
  • Become shark food on Bali beach
  • Drown or get killed
  • Call-off the vacation prematurely due to an emergency
  • Run into unfavorable weather
  • Get caught in a natural calamity

Positive Risks or Opportunities

Well, if I’m lucky, things may turn out better than I expect. What are the opportunities that lie ahead? I may:

  • Discover a great business opportunity
  • Meet an old friend
  • Get a good deal on hotel room and car rental
  • Win a lottery or lucky draw
  • Discover a hidden treasure at one of the remote beaches of Bali

Strategies for Negative Risks or Threats

Which are the risks I should really spend effort and resources on? Are there any risks that I can completely eliminate (avoid)? Can I do something to reduce the impact or probability (mitigate) of certain risks? Can I transfer the risk to someone else? Let’s see.

  • Fall sick
    • Get health insurance to cover the medical costs (transfer cost risk to the insurance company)
    • Get vaccinated (avoid - prevention is better than cure)
    • Carry a first aid kit along (mitigate)
    • Keep telephone numbers of local hospitals and emergency services handy (mitigate)
  • Get robbed or mugged
    • Get travel insurance (transfer cost risk to the insurance company)
    • Keep local emergency numbers handy (mitigate)
    • Not carry valuables along (avoid)
  • Lose wallet, passport, luggage or other valuables
    • Get travel insurance (transfer cost risk to the insurance company)
    • Keep copies of all my important documents. Perhaps, I can store scanned copies in a secure online file storage system, so that I can access them from anywhere as long as I have an internet connection. This will reduce the impact if this risk event occurs (mitigate).
  • Run out of money
    • Use credit card.
  • Become shark food on Bali beach
    • Wear shark-repellent body-spray (mitigate)
  • Unfavorable weather
    • Plan the trip around a time when weather forecast is good (mitigate)
  • Natural calamity
    • Make sure that life insurance premiums have been paid.

Strategies for Positive Risks or Opportunities

Can I increase the chances of getting a good deal on hotel room and car rental? What will I do with the treasure if I ever discover one? Let’s see.

  • Get a good deal on hotel room and car rental
    • Try to plan the trip during off-season (enhance)
    • Make reservations early (enhance)
  • Win a lottery or lucky draw
    • Buy a lottery everyday and fill up every lucky draw coupon that I can get my hands on (exploit)
  • Discover a hidden treasure at one of the remote beaches of Bali
    • Donate treasure to the needy (share)

Residual Risks

Residual Risks comprise of:

  • Risks that remain after applying risk response strategies have been implemented.
  • Risks that are not worth dealing with upfront (probably the cost involved in dealing with them is less than the cost to address their outcome). We simply accept them.


  • Early end to the vacation due to an emergency: There's nothing I can (or want to) do upfront to avoid/mitigate/transfer this risk.
  • Unfavorable weather: Even though we'll plan the trip around a time period when weather forecast is good, there's still a risk of bad weather. We'll also add this risk to the list of Residual Risks.

In order to deal with the outcome of residual risks, we put “Contingency Plans” in place.

Residual Risks
Image credit: Flickr / sflovestory

Contingency Plans

Contingency Plans are plans specifying the action to be taken when the risk event (positive or negative) occurs. These plans are specifically for the Residual Risks. For example:

  • Early end to the vacation due to an emergency: I'll reserve $500 for purchasing a potentially more expensive flight ticket back home. This is "cost" contingency reserve.
  • Unfavorable weather: I'll keep two "reserve days" in my vacation plan. This is "time" contingency reserve. I'll also keep additional $500 to cover for the expenses for these two days. This is also a "cost" contingency reserve.

Contingency Reserves

These are time and cost reserves that account for “known-unknowns” or simply “knowns”. They cover the “Residual Risks” on the project. In our Bali vacation project, we have $1000 and 2 days of contingency reserve. Project Manager is authorized to approve the use of contingency reserves.

Risk Triggers

Triggers are indications that a risk has occurred or about to occur. We can think of them as events, conditions, early warning signs that trigger the contingency response. For example, if the temperature shoots above 103 deg F, I’ll call an ambulance.

Risk Tolerance

I can go for bungee-jumping but skydiving is not my cup of tea.

Risk Tolerance
Image credit: Flickr / divemasterking2000

Risk Threshold

If I lose $200 in the casino, I’ll stop gambling and go back to my hotel room. Losing $200 in gambling is my risk threshold.

Fallback Plan

This is the so-called “Plan B” for the Residual Risks. If the contingency plan doesn’t work, we move to “Plan B”. For example:

  • If the weather turns hostile and flights stop operating, I will check-out of the hotel room and move to Denpasar International Airport departure terminal.


These are low priority (non-critical / non-top risks).

  • Meet an old friend: I'll be on a lookout for known faces.
  • Discover a great business opportunity: This is not my priority during vacation, but if something comes my way, then why not?
  • Drown or get killed: I'll be more careful near the water and will try not to venture into isolated places.
  • Get kidnapped: Highly unlikely, but I'll give my father-in-law's contact number to kidnappers, just in case they ask for ransom.

Secondary Risks

These are new risks that emerge as a result of applying risk response strategies. For example, the swine flu vaccine shot leads to serious side-effects and jeopardizes my vacation.


Workarounds are “corrective actions” taken to deal with a risk event that has occurred. Unlike contingency plans, these are “unplanned responses” to a risk. For example, I had planned to spend a day at the beach, but it was raining heavily. So, I went and watched a movie. Movie was not on my plan.

Management Reserves

These are time and cost reserves that account for “unknown-unknowns” or simply “unknowns”. What if something unforeseen happens, that I cannot think of right now? Usually the management reserves a certain amount (say 5% of the project cost baseline) for such unforeseen events. The Project Manager is NOT authorized to approve the use of management reserves. “Management” approval is required to use such funds.

For example, I spent all the cash and also used up the limit on my credit cards. I called my credit card company for help. They extended another $500 of credit for me to pack my bags and return home.

Project Cost Baseline

Project Cost Baseline = Project Estimate + (Cost) Contingency Reserves

For this project,

Project Cost Baseline = $5000 + $1000 = $6000

Note that Project Cost Baseline is usually not a single big lump-sum amount. It’s a time-phased budget (or costs by calendar period) and usually represented in the form of an S-curve.

Cost Budget

If we add the Management Reserves to the Project Cost Baseline, we get the Project Cost Budget.

Project Cost Budget = Project Cost Baseline + Management Reserves

For this project,

Project Cost Budget = $6000 + $500 = $6500

Refer to the diagram below to see graphical representation of the Contingency Reserves and Cost Budget.

Risk Reserves and Cost Budget
Image credit: Flickr / bookis

Risk Averse

If you have been following this blog, you might have noticed that this is the first ever post on Risk Management on this site. This shows how risk averse I am.


Let’s summarize the main points:

  • Risks are not always negative. Positive events or opportunities are considered risks too.
  • Residual Risks comprise of a) risks that remain after applying risk response strategies, and b) risks that we simply accept - if it happens, it happens, and we have a plan to deal with it.
  • Contingency Plans deal with the outcome of Residual Risks on the project.
  • Contingency Reserve covers the outcome of Residual Risks, and account for the "known unknowns".
  • Fallback plans are employed for Residual Risks when Contingency Plans fail.
  • Secondary Risks are new risks that emerge as a result of Risk Response planning.
  • All non-critical / non-top risks are put on the Watchlist and monitored ("watched") regularly.
  • Project Cost Baseline includes the Project Cost Estimates and Cost Contingency Reserves.
  • Management Reserves account for the "unknown unknowns".
  • Project Cost Budget is derived by adding Management Reserves to the Project Cost Baseline.
  • Project Manager can authorize the use of Contingency Reserves, but not Management Reserves. "Management" authorizes the use of Management Reserves.

I hope you enjoyed this exercise. Thanks for helping me out with the project. I’ll post the snaps soon. Let me know if you have any questions, tips or suggestions for me.

Leave a Comment

Please select the checkbox


Harwinder Singh Avatar

In response to:

"Really good article and above all very nice presentation in very simple language. The only thing which I found missing was about accepted risks. Like what takes care of it"

I did mention that Residual Risks are the "accepted" risks and we put Contingency Plans in place to deal with them. Does that answer your question or am I off-target?

Feel free to ask more questions.

Harwinder Singh Avatar

In response to:

"When secondary risks are found whether iterative process of qualitative,quantitative and response planning is carried out??"

That's a very good question.

The short answer is 'Yes'. A lot depends upon the nature of the risk too. If you find that the risk has a low probability / low impact, you might just skip Quantitative risk analysis and add it to the watch list. In some cases, you may simply "accept" it and plan a contingency for it.


Missing Avatar

Hi Harwinder,

As per your article: One of the risk is to Fall sick
* Fall sick
Get health insurance to cover the medical costs (transfer cost risk to the insurance company)
o Get vaccinated (avoid - prevention is better than cure)
o Carry a first aid kit along (mitigate)
o Keep telephone numbers of local hospitals and emergency services handy (mitigate)
Here - the risk is : to get sick while on vacation

Now we may have the following strategies for the risk (per my understanding):

- Accept , means do not do anything to avoid or minimize the probability of the risk and deal with it if it occurs
- Mitigate, means to do something to minimize the probability of the risk or to do something to minimize the the impact of the risk if the risk actually occurs..
- Avoid - do something so that the risk should not happen
- Transfer - means transfer the risk to somebody else (usually by paying him)

Contingency Plan:

Usually Contingency Planning involves:
Deciding how to combat the risk when/after it occurs.

Fallback Plan:

A Fallback plan is an additional contingency plan to use in the event that the first contingency plan fails.

Now in your article, when one falls sick--

1) Get health insurance to cover the medical costs (transfer cost risk to the insurance company)

-- Is it really transferring the risk ? i mean transferring of the risk could be said that somebody else false sick in place of me !!! and ofcourse which can not happen even if i pay a large amount to someone.

What i was thinking that here the risk can't be really transferred..

by doing the insurance, ofcourse i would get the money what i spent on the medication/ treatment etc, but still i am not transferring the risk of getting sick...

2) Get vaccinated (avoid - prevention is better than cure) --

I think, getting vaccination is more of mitigation rather than avoid since by getting vaccinated, we are minimizing the probability of getting sick .., but still by vaccination, the risk of getting sick can't be avoided 100% . Only the way to completely avoid this risk is to cancel the trip !!

3) Carry a first aid kit along (mitigate)

I would agree that it can be said as mitigate i.e. to do something to minimize the impact of the risk if it occurs.

4) Keep telephone numbers of local hospitals and emergency services handy..

- basically i am a bit confuse if it could be said as mitigation or contingency planning.

It looks to me that it is more of Plan-B or the plan when risk actually occurs..

So, if we fall sick then we are getting admitted ourselves to the hospital by calling to the nearing hospital. So, it means that.., the risk has actually happened and now it is the time to do something to fight with it..

So, it looks more of a contingency plan than mitigation..

Please mention your comments.


Harwinder Singh Avatar

Hello Vikas,

Those are very thoughtful comments. I think you have a very sound understanding of the risk management terms.

Rather than answering all your questions point by point, I'll just one point, which should answer most of your questions.

There are vaccinations that can help "practically avoid" the disease. That's how I looked at it. There's no point going into too many technicalities of vaccination and divert from the topic.

I realize that there could be multiple ways to look at the same thing. That's why I tried to give multiple examples wherever possible, but I may have left some room for misinterpretation. I do take your feedback positively and will try to be more explicit in my future posts.

Thanks for your comments.

Harwinder Singh Avatar

Thank you, Anonymous. I tend to concentrate more on content and less on marketing. I'm not sure how you discovered my blog, but lot of people manage to pass (or even fail) the exam without ever knowing about this site.

So if you like some articles on this site, do spread the word by sharing the links with your social and professional networks.

All the best.

Missing Avatar

Mr. Harwinder,

No word to express. Simply a great and detail presentation. I been going through lots of reference docs, but non given this clear explanation and easy understanding. You're doing great for this community. Knowledge is power, just transferring this become super power. Keep up the great work.

Missing Avatar

Hi Harwinder,

I love the way that you use an example to explain the idea. It makes things easier to understand. Some people do cover the explanation of "Contingency plans" and
Contingency reserves". So far, I found your explanation most "creative" and solid. Well, thanks a lot!!!! Keep it up. :)

Missing Avatar

Hi Harwinder,
Wonderful Articles and BrainBOK! Its really helping me in my PMP preparation.
I still have a question,as the contingency reserve is for the residual risks, where the cost of planned risk will go.In your example, the cost of travel insurance, will it be part of cost estimation of any particular activity or cost estimation of the project or the contingency reserve? Please explain.

Harwinder Singh Avatar

Hello Amit,

If I'm buying travel insurance, then the cost of insurance would go into my project cost estimate, not the contingency reserve. By buying travel insurance, I'm transferring the risk to the insurance company and hence doing "something" about the risk, instead of simply "accepting" it.

Therefore, if I actually decide to buy health insurance, travel insurance, first aid kit etc. to respond to negatives risks, the cost of those actions would go into the Project Cost Baseline (over and above the original $5000). Remember that the planning processes are iterative and I can go back and update the project cost and schedule estimates after planning risk responses.

Since you brought up this point, I think it would be good to update the article to reflect this, and I'm going to do that soon.

Hope it makes sense. BTW, it's an excellent question. Thanks for your feedback.


Missing Avatar

Thanks Harwinder for details explanation. It absolved all my Risk really doubts.
Again, it is an awesome article and I keep on referring it my fellow PMP aspirants.

Amit Mittal

Harwinder Singh Avatar


I can't approve your comment with Rita Mulcahy's question. But I agree with you. Actually both A and C look correct to me. Do not worry about one or two such questions. If you have a good understanding of the concepts, you are likely to get it right on the exam.

Good luck for your exam on Monday.

Missing Avatar

I was wondering if they didn't choose C because they indicated that they had finished the Plan Risk Responses process. And creating a contingency plan is part of this process so it should have already been created for the residual risks.

But then as part of the Plan Risk Process process you should have already updated/documented the risk register with your residual risks.

So now I am wondering if B should be the answer because when residual risks actually occur, you deal with them (via a contingency plan)

Missing Avatar

Harwinder, thanks a ton for the clear and concise coverage of this confusing topic. I have learnt a lot by looking at every corner of your web site. You have done a great job with the content - your web site layout, however, needs a little more work to become user-friendly though, just my thought......But for some awesome free content on the subject of PMP, I can live with that. Thanks again.

Missing Avatar

Dear Harwinder,

thanks for your article.

Can we say that secondary risk is a special case of residual risk where the primary risk is addressed by tranfering it?

Missing Avatar

Hi Harwinder,
I know contingency reserves are created for active risk acceptance. For passive acceptance of Risks do we create contingency reserves? If we don't create contingency reserves for passive acceptance risks, do we need to use management reserves when these risks happen?


Missing Avatar

Unfavourable weather

Dear Harwinder,
On the negative risk you've mentioned this threat and mitigation is to plan it when whether is good. Does it not mean that you are avoiding the threat by planning it when the weather is good rather than mitigating ?


Missing Avatar

Unfavourable weather

Dear Harwinder,
On the negative risk you've mentioned this threat and mitigation is to plan it when whether is good. Does it not mean that you are avoiding the threat by planning it when the weather is good rather than mitigating ?


Missing Avatar

Harwinder, I have a question on CR too. CR, as we all know, are the reserves used to cover the costs of known-unknowns. It is said that CR is calculated using EVM, which is a part of Perform Quantitative Analysis process of Risk Management. Now, we also know that this process is optional – if the cost of doing Perform Quantitative Analysis is high, it can be skipped altogether. Does it mean that calculating CR without doing a quantitative analysis a guesswork?

Stav Avatar

Hi! I just wanted to say that I’ve been studying for the PMP for a month now and so many times I thought, how is there no one out there that is explaining these things via normal examples, practical examples and project related examples. Even courses that are relatively good, simply didn’t provide examples that made it easy to grasp and truly comprehend. SO THANK GOD I FOUND YOUR BLOG!! I only wish I would of heard of it sooner. Wish there was a place to leave a 5 star review for blogs, but if anyone ever asks me, I’ll definitely point them here. Just a thank you. Hope you’ll keep on going and updating the content as the PMP content develops. Amazing job! 🙏🏼

Harwinder Singh Avatar

Hello Stav,

Thanks for your wonderful comments and support. I’m glad you found the posts useful.

I used to be very passionate about writing posts on this blog, but over the years, whatever I’ve posted here has been blatantly plagiarized by other bloggers (I’ll save them some humiliation and not name them) without giving me any credit. That has discouraged me from posting content on the blog for FREE. Nowadays, I invest whatever free time I get in developing content for BrainBOK PMP and CAPM Exam Prep and improving it further. We are coming up with a new PMP Study Guide that will have lots of useful study notes and content (similar to what you find on this blog).

Your comments have really motivated me to do more for the community.

Thanks again.