ISYS90050 · It Project and Change Management
Managing Project Risk
Week 4 defines risk (the PMBOK uncertain event with a positive or negative effect on objectives) and separates a risk from an issue (a risk that has materialised). The signature exam skill is the quantitative P x I ranking — score each risk by probability times impact and rank it — alongside the four response strategies (avoid / transfer / mitigate / accept). This is a high-yield calculable topic and a common long-answer scenario.
What this chapter covers
- 01Risk (PMBOK): an uncertain event that, if it occurs, has a positive or negative effect on objectives; issue = a risk that has materialised
- 02Risk types: project (budget/schedule/scope), product/technical (quality/performance), business (economic success)
- 03Risk appetite vs risk tolerance; postures: risk-averse, risk-neutral, risk-loving
- 04Cause vs trigger; risk statement templates (event-cause-consequence; if-then-thus)
- 05Quantitative assessment: Score = Probability x Impact (P as decimal, I on 0-10), rank descending
- 06Qualitative P x I quadrants and the matching posture
- 07Four responses: avoidance, transfer (insurance/bonds/warranties), mitigation, acceptance (active vs passive; contingency allowance)
- 08Padding vs contingency reserves (PM-controlled) vs management reserves (senior-controlled); risk register columns
Rank four project risks by P x I and choose a response
- +1Convert each probability to a decimal and multiply by impact. Vendor: 0.70 x 8 = 5.6. Sponsor sign-off: 0.50 x 5 = 2.5.
- +1Developer resigns: 0.30 x 7 = 2.1. Budget cut: 0.20 x 9 = 1.8.
- +1Rank by score, highest first: (1) vendor misses integration 5.6; (2) sponsor sign-off 2.5; (3) developer resigns 2.1; (4) budget cut 1.8. Note the budget cut has the biggest impact but the lowest score because it is unlikely — ranking uses the product, not impact alone.
- +1Respond to the top risk. The vendor risk is high probability and high impact, so mitigate (and/or transfer): add schedule buffer and interim checkpoints to cut the probability, and put a delay penalty or performance bond in the contract to transfer the financial exposure — active acceptance with a contingency plan backs it up.
Key terms
- Risk vs issue
- A risk is an uncertain event that, if it occurs, has a positive or negative effect on project objectives (PMBOK). Once it materialises it is no longer a risk — it becomes an issue (a real problem to be managed).
- Risk appetite vs tolerance
- Risk appetite is how an organisation and its stakeholders collectively perceive and treat risk; risk tolerance is how much capital it is prepared to commit to managing risk. Postures range risk-averse, risk-neutral, risk-loving.
- Cause vs trigger
- The cause is why a risk could happen; the trigger is the observable warning sign that it is happening or about to. A risk statement should capture the cause, the event and the consequence.
- P x I score
- The quantitative risk ranking: Score = Probability x Impact, with probability as a decimal (0-1) and impact on a 0-10 scale. Risks are ranked highest score first.
- Risk responses
- The four strategies: avoidance (change the plan to remove the risk), transfer (shift the impact to a third party via insurance/bonds/warranties), mitigation (reduce probability and/or impact), and acceptance (active = contingency plan; passive = deal with it as it occurs).
- Contingency vs management reserve
- A contingency reserve is part of the project budget, measured and controlled by the PM for known/identified risks; a management reserve is held by senior management, outside the original budget, for unknown/unforeseen risks. Padding (hidden just-in-case estimates) is to be avoided.
Managing Project Risk FAQ
How do I rank risks quantitatively in ISYS90050?
Convert each risk's probability to a decimal, multiply by its impact on the 0-10 scale to get a P x I score, then rank descending — the highest score is rank 1. The point is that ranking uses the product: a low-probability, high-impact risk can score below a likely moderate one, so never rank on impact alone.
What is the difference between mitigation and transfer?
Mitigation reduces the probability and/or impact of a risk to an acceptable level (add resources, act early, buffer the schedule). Transfer shifts the impact or ownership to a third party without removing the risk — insurance, performance bonds, warranties or contractual penalties — and is most effective for financial exposure.
Is padding the same as a contingency reserve?
No. Padding is hidden extra time or money slipped into estimates "just in case"; it undermines trust and corrupts baselines, so it is avoided. A contingency reserve is an explicit, measured, documented amount the PM controls for identified risks. Unknown risks are covered by a management reserve held by senior management outside the budget.
Can AI help me with risk management in ISYS90050?
Yes, as a study aid. Sia can set you P x I ranking drills, check your scores and ranks, and rehearse matching responses to quadrants or writing a disciplined risk statement. Use it to learn the method; it does not do your graded assessment, and University of Melbourne academic-integrity rules apply — confirm details on Canvas.
Exam move
Make the P x I ranking mechanical: convert probability to a decimal, multiply by impact, rank on the product, and always check whether a high-impact but unlikely risk has been correctly pushed down the list. Memorise the four responses and the quadrant they suit (high/high mitigate-or-transfer, low/high transfer/avoid, high/low mitigate, low/low accept), and practise writing a risk in both templates (event-cause-consequence; if-then-thus). Keep the padding / contingency / management-reserve distinction and the risk-register columns ready for a definition question. This is one of the highest-yield calculable exam skills, so rehearse a full ranked table under time pressure for the closed-book paper.
Working through Managing Project Risk in ISYS90050? Sia is AskSia’s AI IT Project Management tutor — ask any ISYS90050 Managing Project Risk question and get a clear, step-by-step explanation grounded in how ISYS90050 is taught and assessed. Read this chapter free, then take your hardest questions to Sia.