The difference between a risk and an issue is timing: a risk is a potential future event, an issue is a risk that has already happened. PM4060 exists entirely to keep risks from becoming issues by giving students a repeatable process for finding them early and planning a response before they occur.
Risk identification and the probability/impact matrix
PM4060 begins with risk identification techniques — brainstorming, checklists from past projects, SWOT analysis, and expert interviews — to build a risk register capturing every plausible risk, both threats and opportunities. Each risk is then assessed qualitatively using a probability/impact matrix, plotting how likely the risk is to occur against how severe its consequences would be, which produces a prioritized list separating the handful of high-priority risks that need active management from the long tail of low-priority risks that only need monitoring.
The four risk response strategies
For threats, PM4060 teaches four response strategies: avoid (change the plan to eliminate the risk entirely), mitigate (reduce the probability or impact), transfer (shift the risk to a third party, such as through insurance or a fixed-price contract), and accept (acknowledge the risk and do nothing proactive, sometimes with a contingency reserve set aside). The mirror strategies exist for opportunities (positive risks): exploit, enhance, share, and accept. Students practice matching the right strategy to a given risk based on cost, feasibility, and risk tolerance, rather than defaulting to the same response for every risk.
Key topics in PM4060
- Risk identification techniques: brainstorming, checklists, SWOT analysis, and assumption analysis
- The risk register: description, category, probability, impact, owner, and response plan
- Qualitative risk analysis: probability/impact matrix and risk prioritization
- Quantitative risk analysis: expected monetary value (EMV) and decision tree analysis
- Risk response strategies for threats: avoid, mitigate, transfer, accept
- Risk response strategies for opportunities: exploit, enhance, share, accept
- Contingency reserves vs. management reserves, and residual and secondary risk
Working on a risk register, probability/impact matrix, or EMV analysis?
Our project management experts build PM4060-level coursework with accurate risk-analysis frameworks.
Worked example: expected monetary value (EMV) for a risk decision
- Risk: A key vendor might miss a delivery deadline, requiring an expedited shipment
- Probability: Estimated at 30% based on the vendor's past performance
- Impact if it occurs: $10,000 in expedited shipping costs
- EMV = 0.30 × $10,000 = $3,000 — this is the amount that should be set aside in the contingency reserve
- Response strategy chosen: Mitigate — negotiate a backup vendor agreement, reducing probability to 10% and EMV to $1,000
Get Help With PM4060
Risk registers, probability/impact matrices, EMV analyses — built with the right formulas.
Place Your OrderView All ServicesRelated courses
Frequently asked questions
A risk is an uncertain future event or condition that, if it occurs, would have a positive or negative effect on the project — it exists in the realm of probability. An issue is a risk (or an unforeseen problem) that has already occurred and now requires an active response, not a proactive plan. This distinction matters procedurally: risks are managed through the risk register with probability, impact, and a planned response strategy decided in advance; issues are managed through an issue log, tracked to resolution, often under time pressure since the event has already happened. PM4060 emphasizes that a well-run risk management process should convert as many potential issues into pre-planned risk responses as possible, since responding to a risk that was already anticipated is almost always cheaper and calmer than firefighting an issue that caught the team by surprise.
Both are proactive risk response strategies for threats, but they differ in who ultimately bears the consequence. Mitigating a risk means taking action to reduce its probability of occurring, its impact if it does occur, or both — for example, adding a code-review step to reduce the probability of a software defect, or building in schedule buffer to reduce the impact of a delay. The project team still owns the risk after mitigation; it's just smaller. Transferring a risk means shifting the financial consequence of the risk to a third party who is often better positioned to manage it — buying insurance against a risk, or negotiating a fixed-price contract with a vendor so that a cost overrun risk becomes the vendor's problem, not the project's. Transfer usually has an upfront cost (an insurance premium or a contract markup) in exchange for capping the downside; PM4060 teaches students to weigh that cost against the risk's expected monetary value before choosing transfer over mitigation.