Risk response is one of the most testable areas on the PMP exam. PMI loves it because every question can have three plausible answers, and the right one depends on details most candidates skim past.
The 8 strategies are simple to memorize. Picking the right one under exam pressure is where people lose points.
Here is the full breakdown, the decision logic PMI uses, and three worked questions you can drill right now.
The 8 Risk Response Strategies
PMI splits responses into two groups: 4 for threats (negative risks) and 4 for opportunities (positive risks).
For Threats (Negative Risks)
| Strategy | What it means | When to use |
|---|---|---|
| Avoid | Eliminate the risk entirely by changing the plan | High probability + high impact, no other option works |
| Transfer | Shift the risk to a third party (insurance, contract, warranty) | Financial impact, someone else can handle it better |
| Mitigate | Reduce probability or impact through action | The risk cannot be eliminated, but it can be shrunk |
| Accept | Take no proactive action, plan for it if it happens | Low probability or low impact, action would cost more than the risk |
For Opportunities (Positive Risks)
| Strategy | What it means | When to use |
|---|---|---|
| Exploit | Make sure the opportunity happens (eliminate uncertainty) | The upside is so big you guarantee it |
| Share | Partner with someone who can capture the upside better than you | You lack capability or capacity alone |
| Enhance | Increase the probability or impact of the opportunity | You can boost the chances with action |
| Accept | Take advantage if it appears, but do not pursue it | The opportunity is not worth dedicated effort |
Notice “Accept” appears in both lists. PMI tests this overlap on purpose. If you see “accept” on the answer list, do not assume it is wrong because it sounds passive. Sometimes accept is the right answer.
The Decision Tree PMI Wants You to Use
Before you pick a strategy, walk through these four checks in order:
- Is the risk a threat or an opportunity? Read the stem again. PMI sometimes hides positive risks inside corporate language. A new contract opportunity, a vendor offering early delivery, a price drop in raw materials. These are positive risks.
- Can the risk be eliminated by changing the plan? If yes, and the change does not break the project, the answer is usually avoid (for threats) or exploit (for opportunities).
- Can someone else handle it better? If yes, the answer is usually transfer (threats) or share (opportunities). Insurance and fixed-price contracts are classic transfer signals.
- Is the cost of action less than the cost of the risk? If yes, mitigate (threats) or enhance (opportunities). If no, accept.
That decision tree solves about 70% of risk questions. The other 30% require trap-spotting, which we cover next.
The 5 Exam Traps to Watch For
Trap 1: Confusing Mitigate with Avoid
Mitigate reduces a risk. Avoid eliminates it.
If the action in the answer choice changes the project plan to remove the risk entirely, that is avoid. If the action just makes the risk smaller or less likely, that is mitigate.
Example: switching from a new untested vendor to a vendor you have used for 10 years is avoid (the risk of vendor failure is gone). Adding penalty clauses to the new vendor’s contract is mitigate (the risk still exists, you just reduced the impact).
Trap 2: Insurance Is Always Transfer
PMI uses insurance as a clean transfer signal. So is a fixed-price contract. So is a warranty.
Anything that moves the financial liability to a third party is transfer, even if the wording sounds like mitigation.
Watch out for time-and-materials contracts. Those keep most of the risk with the buyer. They are not a transfer.
For more on contract-type traps, see vendor contract questions on the PMP.
Trap 3: Accept Is Often Correct for Low-Impact Risks
Candidates over-pick mitigate because it sounds proactive. PMI rewards accept when the action would cost more than the risk itself.
If the stem describes a low-probability or low-impact risk, and the other three answers all involve spending money or time, accept is probably the right answer.
There are two flavors of accept:
- Active acceptance. Set up a contingency reserve (time or budget) in case the risk hits.
- Passive acceptance. Do nothing in advance. Deal with it if it happens.
If the stem mentions a contingency reserve, the answer is active acceptance. If it does not, passive is fine.
Trap 4: The Hybrid Strategy Question
Sometimes the right answer combines two strategies. PMI rarely makes you pick a combo, but they will offer answer choices like “transfer the financial impact and mitigate the schedule impact.”
If you see a combo answer, check if the risk has two distinct dimensions (cost AND schedule, or scope AND quality). If it does, the combo answer is often correct.
Trap 5: Secondary Risks
When you respond to a risk, you can create a new risk. PMI calls this a secondary risk.
Example: you transfer a quality risk by hiring a subcontractor. The new risk is that the subcontractor misses the deadline. That is a secondary risk.
If a question describes a risk response and asks “what should the PM do next,” the answer is often: identify and analyze the secondary risks created by that response.
3 Worked Questions
Question 1
A construction project has a 30% chance of weather delays during the fall season. The project manager adds two extra weeks to the schedule and includes a $50,000 budget reserve. Which risk response strategy is the project manager using?
A) Avoid B) Transfer C) Mitigate D) Active acceptance
The PM is not changing the plan to remove the risk (not avoid). The PM is not shifting it to a third party (not transfer). The PM is not reducing the probability or impact (not mitigate). The PM is setting up a contingency reserve in case the risk hits.
Answer: D, active acceptance.
The trap here is that “added two extra weeks” sounds like mitigate. It is not. The project still has the same weather risk. The PM just built in a buffer to absorb the impact if it happens.
Question 2
A software project depends on a third-party API that has had three outages in the last six months. The project manager decides to build a local cache so the application works even if the API goes down. Which strategy is this?
A) Avoid B) Mitigate C) Transfer D) Accept
The risk (API outage) still exists. The cache does not eliminate it. But the cache reduces the impact of the outage on the project (the application still works).
Answer: B, mitigate.
If the answer choice had said “switch to a different API with 99.9% uptime,” that would be avoid.
Question 3
A new tax credit might become available next quarter that would save the project $200,000. The PM assigns a team member to monitor the legislation and prepare the paperwork in advance so the project can claim the credit immediately if it passes. Which strategy is this?
A) Exploit B) Enhance C) Share D) Accept
The PM is not guaranteeing the tax credit will pass (not exploit, the PM cannot control legislation). The PM is not partnering with another party (not share). The PM is doing more than just waiting (not accept).
The PM is taking action to increase the probability of capturing the opportunity if it appears.
Answer: B, enhance.
The exploit answer would be: “the PM lobbies legislators to ensure the tax credit passes.” That guarantees the opportunity. Enhance just improves the odds.
Memorize This One Sentence
When you see a risk question, run this sentence in your head before reading the answers:
“The strategy is determined by what the action does to the risk itself, not what it does to the project.”
Avoid removes the risk. Mitigate shrinks it. Transfer moves it. Accept leaves it alone.
That mental check breaks the surface-reading habit that costs candidates 5 to 8 risk questions on exam day.
What to Practice Next
If you nailed the three worked questions above, your decision tree is solid. The next gap is usually stem-reading. Practice the 4-pass method for situational questions on your next 20 risk questions. Most missed risk answers are stem-read failures, not strategy-knowledge failures.
If you missed one of the three above, the issue is usually trap-spotting. Drill the 5 traps in this article on every risk question for a week. Your accuracy will jump.
For the agile-flavored risk questions PMI loves to throw at you, also work through PMP questions that look agile but actually test predictive. Risk response strategies stay the same in agile projects, but the language PMI uses to wrap them changes.
PassCoach.ai is in beta waitlist. First 100 signups get lifetime access for $99. Every practice question comes with per-option rationales, so when you pick mitigate instead of avoid you see exactly why your reasoning broke down, not just which letter was right.