5 Risk Management Questions That Trip Up Experienced PMs (2026 Edition)

Risk management is where senior PMs lose the most points on the PMP. Not because they don't understand risk. Because PMI tests precise PMBOK definitions, not how risk actually gets handled at work.

Here's the strange thing about risk management on the PMP exam.

Senior project managers usually score well on the technical PMP topics. They know schedule management. They've earned-valued more projects than they want to admit. They can talk procurement contracts in their sleep.

Then they hit the risk management questions and start missing them. Not because they don't manage risk. Because they manage it differently than PMBOK defines it.

At work, "the risk doc" is one spreadsheet. Reserves are "the buffer." Risks that come up after you act on something are just... risks. The PMI mindset distinguishes all of these things with surgical precision, and the 2026 exam tests whether you can switch from your work vocabulary to PMBOK's.

Below are 5 risk management questions modeled on the kinds of scenarios that show up on the 2026 PMP exam. Try each one before reading the explanation. The trap in every single one is the same: at work, you'd answer based on practice. On the exam, you have to answer based on definition.


Question 1: The CEO Wants a Summary

Your sponsor asks for a quick summary of the project's overall risk exposure for tomorrow's executive committee meeting. She doesn't want a list of individual risks — she wants to know the project's total risk posture: how many risks are open, the dominant risk categories, total reserves needed, and trends since the last review. You have a fully maintained risk register with 47 identified risks across all knowledge areas, each with probability, impact, response strategies, and owners assigned. What do you give her?

A. Print the risk register, highlight the top 10 risks by score, and bring it to the meeting
B. Generate the risk report from your risk register data and bring that to the meeting
C. Pull the top 5 risks by EMV and prepare a one-page summary
D. Bring the risk register and walk her through the highest-priority risks live

Answer: B. Generate the risk report.

The risk register and the risk report are two distinct PMI artifacts that serve different audiences and purposes.

The risk register is a living list of individual risks. Each row is a specific risk with its probability, impact, score, response, and owner. This is a working document for the project team.

The risk report is a summary of overall project risk. It includes total risk exposure, distribution by category, trends, reserve status, and the top individual risks. This is the executive-facing artifact.

The sponsor asked for project-level risk posture, not a list of risks. That's a risk report request.

Why experienced PMs get this wrong: In real-world projects, "the risk register" is often the only risk document that exists. Many PMs have never produced a formal risk report — they just hand executives a filtered version of the register. So when PMI asks the question, the muscle memory says "give them the register" because that's what we actually do at work. PMI tests the artifact distinction PMBOK actually defines, not the shortcut most teams take.

The PMI principle: Risks (individual) live in the risk register. Risk (overall, aggregate) lives in the risk report. Audience determines artifact.

Question 2: The Budget Conversation

Your sponsor is reviewing your project budget. She points to two line items: $180,000 labeled "contingency reserve" and $90,000 labeled "management reserve." She asks: "If we hit a critical risk that needs $250,000 to mitigate, can you authorize the spend from these two reserves combined?" What's the correct answer?

A. Yes. Both reserves are part of the cost baseline and the project manager controls them
B. No. You can use the contingency reserve but the management reserve requires the sponsor's authorization
C. Yes, but only after the change control board approves the use of management reserve
D. No. Reserves can only be used for risks that were identified during planning

Answer: B. You can use the contingency reserve but the management reserve requires the sponsor's authorization.

Two different budget pools with two different authority levels.

The contingency reserve funds known risks — the ones identified in your risk register with assigned response strategies. The PM controls it. It's part of the cost baseline.

The management reserve funds unknown unknowns — risks that weren't identified during planning. The PM does NOT control it. It sits outside the cost baseline and requires sponsor or management approval to access.

The $180K is yours to deploy. The $90K isn't. You'd have access to $180K of the $250K needed, and you'd need to formally request the additional $70K from the sponsor or PMO.

Why experienced PMs get this wrong: In real-world projects, especially at smaller companies, the PM often controls the entire project budget — including any "buffer" the sponsor approved up front. The distinction between "your reserve" and "their reserve" gets lost because culturally it's all just "the cushion." Senior PMs answer A out of habit because at their last job they DID control both pools. PMI is testing the PMBOK definition, not your company's accounting practices.

The PMI principle: Contingency equals known risks, PM authority, inside baseline. Management equals unknown risks, sponsor authority, outside baseline.

Question 3: The New Vendor Brings a New Problem

Your project depends on a critical software component. You identified a risk that your in-house team can't deliver it on time, and you implemented your response: transfer the work to a specialized vendor on a fixed-price contract. The vendor signs on. Two weeks later, you realize the vendor has limited capacity, and if their other clients push their work into your delivery window, your timeline could slip. You also note that even with the vendor delivering on time, there's still a small chance the component won't fully integrate with your existing systems. Which statement correctly classifies these two new risks?

A. The vendor capacity risk is a secondary risk. The integration risk is a residual risk.
B. The vendor capacity risk is a residual risk. The integration risk is a secondary risk.
C. Both are secondary risks because they arose after the original risk response was implemented.
D. Both are residual risks because they remain after the original risk was addressed.

Answer: A. Vendor capacity is secondary. Integration is residual.

These terms aren't interchangeable. PMI defines them precisely.

A secondary risk is a risk that arises directly from implementing a risk response. You wouldn't have this risk if you hadn't taken the action. The vendor capacity risk only exists because you transferred work to the vendor — it's a consequence of the response itself.

A residual risk is a risk that remains after the response has been applied. Even with the original risk addressed, some exposure is still present. The integration risk was always there in some form — it just wasn't fully eliminated by transferring the work.

The test: ask "did the response cause this risk?" If yes, it's secondary. If the response merely failed to fully eliminate it, it's residual.

Why experienced PMs get this wrong: Both risks happen "after" the response, and the words "secondary" and "residual" both sound like "leftover." So senior PMs grab whichever term sounds right and move on. Answers C and D are designed to catch the candidate who thinks the distinction is about timing rather than causation. In practice, most PMs use these terms interchangeably at work because nobody's grading them on definitions. PMI is.

The PMI principle: Secondary equals caused by the response. Residual equals remains despite the response. The test is causation, not timing.

Question 4: Your CFO Wants Numbers

You're 30% through a $4M infrastructure project. You've identified 23 risks during planning, ranked them by probability and impact using your risk matrix, and assigned response strategies to the top 8. Your CFO reviews the risk register and pushes back: "I don't want a 'high/medium/low' rating. I want to know what this is going to cost us. Give me an expected monetary value for the project's total risk exposure and a confidence range on our final cost." What's the correct next step?

A. Re-run qualitative risk analysis with more granular probability and impact scales to give the CFO better data
B. Perform quantitative risk analysis on the prioritized risks using techniques like EMV calculations, decision tree analysis, or Monte Carlo simulation
C. Update the risk register with cost estimates for each risk's impact and present that as the EMV
D. Tell the CFO that probabilistic cost ranges require historical project data the team doesn't have

Answer: B. Perform quantitative risk analysis.

The two analysis processes sit in sequence and serve different purposes.

Qualitative risk analysis is subjective. It rates risks by probability and impact using categories (high/medium/low, or 1-5 scales). Fast, cheap, gets you a prioritized list. Required on every project.

Quantitative risk analysis is numerical. It assigns actual dollar values and probability distributions, then runs techniques like EMV, decision trees, or Monte Carlo simulation to produce ranges and confidence levels. Slower, more expensive, optional but valuable when stakeholders need probabilistic forecasts.

The CFO is asking for numbers with confidence intervals. That's the exact output of quantitative analysis. You've already done the qualitative pass (the risk register exists, risks are prioritized) — now you move to the next process for the risks that warrant deeper analysis.

Why experienced PMs get this wrong: Most candidates have done qualitative analysis dozens of times — every risk matrix workshop is qualitative analysis. But very few have actually run Monte Carlo or built a quantitative model, so when PMI asks the question, the muscle memory says "make the qualitative analysis better" (answer A). Answer C is the "I'll fake it" trap — adding cost estimates to a register isn't the same as performing quantitative analysis, which uses specific techniques and produces probability distributions. Answer D is the "I don't have the data" cop-out PMI explicitly tests against — the answer they want is "do the process," not "tell stakeholders no."

The PMI principle: Qualitative comes first and is always done. Quantitative comes second and is done when stakeholders need numerical forecasts. The trigger is stakeholder demand for probabilistic data, not project size.
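To make the qualitative/quantitative split concrete, here is a small Python run over a constructed four-risk register (added example, not from the article or PM Mastery): the EMV total is the single expected-cost number, and the Monte Carlo percentiles are the confidence range the CFO asked for. The probabilities, triangular impact ranges and the $4M baseline are assumptions.

```python
import random
import statistics
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    """One risk-register row with a triangular (low, likely, high) cost impact."""
    rid: str
    probability: float  # chance the risk occurs, 0.0 .. 1.0
    low: float          # best-case cost impact in dollars
    likely: float       # most-likely cost impact (the value EMV uses)
    high: float         # worst-case cost impact

    def emv(self) -> float:
        return self.probability * self.likely  # expected monetary value

# Constructed sample register (illustrative values, not from any real project).
# A negative impact models an opportunity, i.e. a risk that saves money.
REGISTER = [
    Risk("R-01", 0.30, 50_000, 80_000, 150_000),    # vendor delivery slips
    Risk("R-02", 0.10, 200_000, 400_000, 600_000),  # rebuild for new regulation
    Risk("R-03", 0.60, 10_000, 20_000, 40_000),     # integration rework
    Risk("R-04", 0.25, -60_000, -40_000, -20_000),  # opportunity: reuse a module
]

def total_emv(risks) -> float:
    """Sum of per-risk EMVs: the single expected cost of the whole register."""
    return sum(r.emv() for r in risks)

def simulate(risks, baseline, iterations=20_000, seed=2026):
    """Monte Carlo: per iteration, each risk is a Bernoulli trial with a triangular impact."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    totals = []
    for _ in range(iterations):
        cost = baseline
        for r in risks:
            if rng.random() < r.probability:
                cost += rng.triangular(r.low, r.high, r.likely)
        totals.append(cost)
    pct = statistics.quantiles(totals, n=100)  # pct[k-1] is the k-th percentile
    out = {"mean": statistics.fmean(totals), "P10": pct[9], "P50": pct[49],
           "P80": pct[79], "P90": pct[89]}
    out["reserve_P80"] = out["P80"] - baseline  # contingency for 80% confidence
    return out

if __name__ == "__main__":
    print(f"Total EMV: ${total_emv(REGISTER):,.0f}")
    for name, value in simulate(REGISTER, baseline=4_000_000).items():
        print(f"{name:>11}: ${value:,.0f}")
```

Note that the mean of the simulation exceeds the EMV total because EMV uses the most-likely impact while the triangular draws average (low + likely + high) / 3; that gap is exactly the kind of information a "high/medium/low" register cannot show.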

Question 5: The Risk You Can't Actually Own

Your project is implementing a new HR system. Halfway through delivery, your team identifies a risk: a pending state law (expected to pass in 6 months) could change how the system handles certain employee classifications. If the law passes, parts of the system you're building right now will need to be rebuilt to comply, costing an estimated $400K. The law is outside your project's scope. The decision to add legal-compliance capabilities to the system would require buy-in from legal, HR leadership, and the executive sponsor — none of whom report to you. What's the correct response strategy?

A. Mitigate — build flexibility into the system now so future legal changes can be accommodated without a full rebuild
B. Accept — document the risk in the register and continue, since the law hasn't passed yet
C. Avoid — pause the affected modules until legal direction is provided
D. Escalate — formally raise the risk to the sponsor and steering committee for ownership and decision

Answer: D. Escalate.

This is one of PMI's most distinctive 2026-era additions to risk response strategies. Escalation isn't a cop-out — it's the correct response when a risk meets specific criteria.

  • The risk is outside the project's scope or authority.
  • The response requires decisions you don't have the authority to make.
  • The risk's impact extends beyond the project's boundaries.

All three apply here. The law isn't a project risk you can mitigate, accept, or avoid — it's an organizational risk that the project happens to be exposed to. The right move is to formally hand it to the people who can actually own it.

After escalation, the risk leaves your risk register and moves to the organizational risk register (or equivalent). You don't continue tracking it as a project risk because it's no longer yours to manage.

Why experienced PMs get this wrong: Senior PMs have been trained their whole careers to "solve the problem." Escalating feels like failure — like you couldn't handle it. So they reach for A (mitigate by adding flexibility) because that feels like the responsible, capable answer. But mitigating a risk you don't have the authority to make decisions about is how projects end up with scope creep, hidden compliance gaps, and PMs taking blame for decisions they were never empowered to make. PMI added escalate as an explicit response strategy in PMBOK 7 specifically because the profession was bad at this. The 2026 exam tests whether you've absorbed the shift.

The PMI principle: Escalate when the risk is outside your authority, scope, or impact boundary. Escalation moves the risk off your register — you don't keep tracking what you can't control.


The Pattern: PMI Tests Definitions, Not Practice

Notice what these five questions have in common. They aren't asking you to solve a risk management problem. They're asking you to demonstrate that you know the precise PMBOK definition of:

  • A risk register vs a risk report
  • A contingency reserve vs a management reserve
  • A secondary risk vs a residual risk
  • Qualitative vs quantitative analysis
  • When to escalate vs when to respond

In actual project work, these distinctions blur. You call the register "the risk doc," you use "reserves" loosely, you escalate when it feels political rather than when PMBOK says to. At work, that's fine. On the exam, it's wrong.

The PMI mindset isn't about being a better PM than you already are. It's about translating your real-world judgment into the precise vocabulary PMBOK uses. Every "experienced PM gets this wrong" scenario above comes from the same root cause: muscle memory from work bypassing the textbook distinction.

Study these five distinctions. Then audit your own risk management language at work — see how often you blur lines PMBOK draws sharply. The candidates who pass on first try aren't the ones with the most years of experience. They're the ones who can switch from "PM at work" mode to "PMI candidate" mode when the question demands it.

Want to Know Your Weak Spots Before the Exam?

Five questions is enough to surface a pattern but not enough to know where you actually need to focus. PM Mastery's diagnostic system shows you exactly which knowledge areas you're strong in, weak in, and which ones to drill before exam day. It's free to use. The full 4,500+ question bank is what you upgrade into once you know what you need to work on.

Free 2026 PMP Cheat Sheet

Every formula, all 12 principles, risk strategies, and exam tips. Plus a QR code that takes you straight to your free practice account.

Practice 4,500+ Questions Like These

PM Mastery has 4,500+ practice questions aligned with the 2026 ECO, every one with detailed explanations of why each answer is right or wrong. Plus an AI Coach that breaks down any concept you're struggling with.

No credit card required. 7-day money-back guarantee on paid plans.