PMP Exam · Process Domain · Topic 4 of 5

Risk, Quality & Procurement

Master risk responses, EMV, cost of quality, control charts, and contract types — three knowledge areas that appear throughout the PMP exam.


These three knowledge areas operate across the entire project lifecycle. Risk management is proactive — identifying and responding to uncertainty before it impacts the project. Quality focuses on delivering what was promised. Procurement governs external work and supplier relationships.

Exam Weight: Risk, quality, and procurement questions appear throughout all three PMP domains (People, Process, Business Environment). Risk questions alone account for a significant portion — especially scenario-based questions about which response strategy is most appropriate in a given situation.

⚠️ Risk at a Glance

Risk = uncertainty that matters. Threats have negative impact; opportunities have positive impact. Both require active management. EMV = Probability × Impact. Contingency reserve covers identified risks; management reserve covers the unknown unknowns.

✅ Quality at a Glance

Quality = conformance to requirements. Cost of Quality separates prevention/appraisal (conformance) from failure costs (non-conformance). QA improves processes; QC inspects deliverables. The 7 quality tools provide the analytical backbone.

📄 Procurement at a Glance

Procurement = structured buying. Contract type selection determines who bears financial risk. Fixed Price = seller's risk. Cost Reimbursable = buyer's risk. T&M is the hybrid. Make-or-buy analysis precedes any procurement decision.

🗺️ Risk Response Strategies — Quick Reference
| Type | Strategy | Description | Example |
|---|---|---|---|
| Threats | Avoid | Eliminate the threat by changing the plan | Drop a risky feature from scope |
| Threats | Transfer | Shift impact to a third party (cost still exists) | Purchase insurance; use fixed-price contract |
| Threats | Mitigate | Reduce probability or impact below threshold | Add redundant systems; prototype early |
| Threats | Accept | Acknowledge and deal with it if it occurs (active = contingency plan; passive = log and monitor) | Small-impact risk; no cost-effective response |
| Opportunities | Exploit | Ensure the opportunity definitely occurs | Assign best team to guarantee early delivery |
| Opportunities | Share | Partner with another party to capture the opportunity | Joint venture to access a new market |
| Opportunities | Enhance | Increase probability or positive impact | Add resources to accelerate a promising feature |
| Opportunities | Accept | Take advantage if it occurs, but don't actively pursue | Minor benefit; not worth special investment |

Risk Management

Effective risk management is proactive, not reactive. The risk management process flows from planning through identification, analysis (qualitative then quantitative), response planning, and monitoring throughout the project.

📋 Risk Register — Key Fields

The Risk Register is the primary risk management artifact. It is created during risk identification and updated continuously throughout the project.

| Field | Description |
|---|---|
| Risk ID | Unique identifier (e.g., R-001) |
| Risk Description | "If [cause], then [risk event] may occur, resulting in [impact]" |
| Category | Technical, schedule, cost, external, organizational |
| Probability | Likelihood of occurrence (0–1 or %) |
| Impact | Effect on objectives if it occurs ($, days, quality) |
| Risk Score | Probability × Impact (for prioritization) |
| Response Strategy | Avoid / Transfer / Mitigate / Accept (or Exploit / Share / Enhance) |
| Risk Owner | Person responsible for monitoring and responding |
| Residual Risk | Risk remaining after response is implemented |
| Secondary Risk | New risk created by implementing the response |

Residual vs Secondary Risk: Residual risk is what remains after a response — the response wasn't 100% effective. Secondary risk is a brand-new risk created by the response itself. For example, hiring a new vendor to mitigate one vendor's delay (primary response) creates a new integration risk with the replacement vendor (secondary risk).

Risk Identification Techniques

Brainstorming: Open team session; widely used. Produces large list, needs prioritization.

Delphi Technique: Anonymous expert consensus through iterative rounds. Removes groupthink bias. Time-consuming but high-quality.

SWOT Analysis: Strengths/Weaknesses (internal) + Opportunities/Threats (external). Ensures both opportunities and threats are captured.

Assumption and Constraint Analysis: Challenges each planning assumption — what if it's wrong?

📊 Probability-Impact Matrix (Qualitative Analysis)

Qualitative risk analysis quickly prioritizes risks using expert judgment — no detailed quantitative data needed. Each risk gets a probability rating and an impact rating; the product determines the risk score and zone.

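| Probability ↓ / Impact → | Very Low | Low | Medium | High | Very High |
|---|---|---|---|---|---|
| Very High (0.9) | 0.09 | 0.18 | 0.36 | 0.72 | 0.72 |
| High (0.7) | 0.07 | 0.14 | 0.28 | 0.56 | 0.56 |
| Medium (0.5) | 0.05 | 0.10 | 0.20 | 0.40 | 0.40 |
| Low (0.3) | 0.03 | 0.06 | 0.12 | 0.24 | 0.24 |
| Very Low (0.1) | 0.01 | 0.02 | 0.05 | 0.08 | 0.08 |

Rows: Probability · Columns: Impact · Zones: Critical, High, Medium, Low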

🔢 Quantitative Risk Analysis — EMV & Monte Carlo

Expected Monetary Value (EMV) quantifies the financial impact of a risk by weighting its outcome by its probability.

EMV = Probability × Impact
Threats: negative impact value · Opportunities: positive

Decision Tree Example — Build vs Buy

| Option / Branch | Value |
|---|---|
| Build in-house | cost $200K |
| → Success (60%): benefit $500K | 0.6 × $500K = $300K |
| → Failure (40%): benefit $100K | 0.4 × $100K = $40K |
| EMV (Build) | $340K − $200K = $140K |
| Choose Build (higher EMV) | $140K > Buy ($80K) |

Monte Carlo Simulation runs thousands of iterations of the project schedule or budget, randomly sampling each activity's duration or cost from a probability distribution. The output is a probability distribution of possible project end dates or total costs.

Key outputs: S-curve showing probability of completing by a given date or within a given cost; P80 date (80% confidence of meeting that date); sensitivity analysis (tornado diagram) identifying which activities have the most impact on schedule/cost uncertainty.

When to use: Large, complex projects where qualitative analysis is insufficient for management decisions — especially for determining contingency reserve amounts.

Exam Tip: Monte Carlo is the only quantitative technique that produces a probability distribution of outcomes. EMV produces a single point estimate. Know when each is used.
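
The Monte Carlo procedure described above, as an added Python example that is not part of the original page: it samples each activity's duration, builds the sorted outcome distribution, and reads the P80 value and S-curve points from it. The three-activity schedule, the triangular distributions, and the reserve rule (P80 minus the sum of most-likely estimates) are assumptions made for illustration.

```python
import bisect
import random

# Constructed sample schedule: three activities performed in sequence.
# Each entry is (name, optimistic, most_likely, pessimistic) duration in days.
ACTIVITIES = [
    ("Design", 10, 12, 20),
    ("Build", 5, 8, 15),
    ("Test", 8, 10, 18),
]


def simulate(activities, iterations=5000, seed=1):
    """Return the sorted total duration of every simulated project run."""
    rng = random.Random(seed)  # fixed seed keeps the run repeatable
    totals = []
    for _ in range(iterations):
        # random.triangular takes its arguments as (low, high, mode)
        total = sum(
            rng.triangular(low, high, mode)
            for _name, low, mode, high in activities
        )
        totals.append(total)
    totals.sort()
    return totals


def percentile(sorted_totals, p):
    """Nearest-rank percentile for an integer p (1-100).

    percentile(totals, 80) is the P80 duration: 80% of runs finish
    at or before it.
    """
    rank = (p * len(sorted_totals) + 99) // 100  # integer ceiling
    return sorted_totals[max(rank, 1) - 1]


def prob_within(sorted_totals, target):
    """One point on the S-curve: share of runs finishing within target."""
    return bisect.bisect_right(sorted_totals, target) / len(sorted_totals)


def contingency(sorted_totals, activities, confidence=80):
    """Assumed sizing rule: P(confidence) minus the most-likely total."""
    base = sum(mode for _name, _low, mode, _high in activities)
    return percentile(sorted_totals, confidence) - base


if __name__ == "__main__":
    totals = simulate(ACTIVITIES)
    print(f"P50 duration: {percentile(totals, 50):.1f} days")
    print(f"P80 duration: {percentile(totals, 80):.1f} days")
    print(f"Chance of finishing within 30 days: {prob_within(totals, 30):.0%}")
    print(f"Contingency at P80: {contingency(totals, ACTIVITIES):.1f} days")
```

The sum of the most-likely estimates here is 30 days, yet only a small share of simulated runs finish that early, which is the gap a single point estimate hides.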

🛡️ Risk Response Strategies — Deep Dive
⛔ Avoid
Eliminate the threat completely — change scope, schedule, or approach. Most aggressive response. Used when risk score is unacceptably high.
↔️ Transfer
Shift financial impact to a third party — insurance, fixed-price contracts, warranties. Risk still exists; you've just paid someone else to bear the cost.
📉 Mitigate
Reduce probability and/or impact to an acceptable level. Example: prototype to reduce technical uncertainty; add redundancy to reduce failure impact.
✅ Accept (Threat)
Active: Create contingency plan triggered if risk occurs. Passive: Simply acknowledge; deal with it if it happens (log in risk register).
🎯 Exploit
Guarantee the opportunity occurs — assign best resources, eliminate uncertainty. The opposite of Avoid. Used for high-value opportunities.
🤝 Share
Partner with another party better positioned to capture the opportunity. Joint ventures, teaming agreements. Opposite of Transfer.
📈 Enhance
Increase probability or positive impact. Add early resources to accelerate delivery. Opposite of Mitigate.
✅ Accept (Opportunity)
Take advantage if it occurs without actively pursuing it. Opportunity is minor or uncertain enough that no special action is justified.

Escalate: A ninth strategy for both threats and opportunities that are outside the PM's authority or scope — escalate to program manager, portfolio manager, or sponsor.

Quality Management

Quality management ensures the project delivers what it promised — on the first attempt, not through rework. Prevention over inspection is the guiding principle: it is always cheaper to build quality in than to find and fix defects later.

💰 Cost of Quality (CoQ)

Cost of Quality captures all costs incurred to achieve (or fail to achieve) quality. Every project has CoQ — the question is whether you spend it on prevention upfront or pay much more in failures later.

✅ Cost of Conformance (doing it right)
  • Prevention costs — training, process documentation, equipment maintenance, quality planning
  • Appraisal costs — testing, inspections, audits, peer reviews, destructive testing
❌ Cost of Non-Conformance (failure costs)
  • Internal failure — rework, scrap, re-testing, schedule delay (found before delivery)
  • External failure — warranty claims, liability, lost customers, recalls (found after delivery)

Key principle: Investing more in prevention reduces total CoQ. External failure costs are the most expensive — they include reputational damage and customer loss on top of the direct fix cost. Prevention is always cheaper than appraisal, which is always cheaper than failure.

📊 The 7 Basic Quality Tools
🐟 Ishikawa (Fishbone / Cause-Effect)
Identifies root causes of a defect or problem. Branches represent cause categories (6Ms: Man, Machine, Method, Material, Measurement, Mother Nature). Used to prevent recurrence.
📊 Pareto Chart
Bar chart ranked by frequency, overlaid with cumulative % line. Based on the 80/20 rule — 80% of defects come from 20% of causes. Focus improvement efforts on the vital few.
📈 Control Chart
Tracks process performance over time against Upper Control Limit (UCL) and Lower Control Limit (LCL), each set at ±3σ. Points outside limits or 7 consecutive points on one side = out of control.
📉 Histogram
Bar chart showing frequency distribution of a variable. Reveals the shape of variation — normal, skewed, bimodal. Used to understand the spread of defect data.
🔵 Scatter Diagram
Plots two variables to show correlation. Strong correlation (positive or negative) suggests a cause-and-effect relationship that warrants further investigation.
🔲 Check Sheet
Structured data collection form — tally sheet for counting defects by type, location, or time. Simple but essential for gathering quality data systematically.
🔀 Flowchart
Diagrams the steps in a process. Identifies where defects can enter, where decisions are made, and where handoffs occur. Used in process improvement and QA.
📈 Control Charts — Deep Dive

Control charts distinguish between common cause variation (inherent to the process — expected, normal) and special cause variation (assignable cause — something specific changed — requires investigation).

Control limits (UCL/LCL) are set at ±3 standard deviations from the mean. They are not specification limits (customer requirements) — they are statistically derived from the process itself.

Rule of Seven (7-point rule): Even if all points are within control limits, seven consecutive data points trending in one direction OR on the same side of the mean indicates a non-random pattern — the process is considered out of control and must be investigated.

| Signal | Meaning | Action |
|---|---|---|
| Point above UCL | Out of control (special cause) | Stop; investigate immediately |
| Point below LCL | Out of control (special cause) | Stop; investigate immediately |
| 7 consecutive points one side of mean | Non-random pattern (out of control) | Investigate root cause |
| 7 consecutive points trending up/down | Non-random trend | Investigate root cause |
| Points within control limits, random | In control (common cause only) | No action required |
| Points outside specification limits | Defective (may still be in control) | Address customer requirement |
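
The signals in this section, as an added Python example that is not part of the original page: it derives control limits at ±3σ from baseline data, flags points outside the limits and both forms of the Rule of Seven, and checks specification limits separately. All measurement series, the mean of 50, and the limit values are constructed for illustration.

```python
import statistics

ABOVE_UCL = "point above UCL"
BELOW_LCL = "point below LCL"
SIDE_RUN = "7 consecutive points on one side of mean"
TREND_RUN = "7 consecutive points trending"

# Constructed measurement series (process mean 50, UCL 56, LCL 44).
STABLE = [50.5, 49.2, 51.1, 48.7, 50.9, 49.5, 51.8, 48.9, 50.2, 49.6]
SHIFTED = [49.0, 51.0, 52.5, 50.8, 53.0, 51.2, 52.0, 50.6, 49.5]
DRIFTING = [47.0, 47.5, 48.2, 48.9, 49.4, 49.9, 50.5, 51.0]
SPIKE = [50.1, 49.8, 57.2, 50.3]


def control_limits(baseline):
    """Return (mean, UCL, LCL) with limits at mean +/- 3 sigma.

    The limits come from the process data itself, not from the customer.
    """
    mean = statistics.mean(baseline)
    sigma = statistics.stdev(baseline)
    return mean, mean + 3 * sigma, mean - 3 * sigma


def sign(value):
    return (value > 0) - (value < 0)


def find_signals(points, mean, ucl, lcl, run_length=7):
    """Return (index, signal) pairs; each run is reported once, at the
    point where it reaches run_length."""
    signals = []
    side_run, last_side = 0, 0    # points in a row on one side of the mean
    trend_run, last_dir = 1, 0    # points in a row moving in one direction
    for i, x in enumerate(points):
        if x > ucl:
            signals.append((i, ABOVE_UCL))
        elif x < lcl:
            signals.append((i, BELOW_LCL))

        side = sign(x - mean)
        if side != 0 and side == last_side:
            side_run += 1
        else:
            side_run = 1 if side != 0 else 0
        last_side = side
        if side_run == run_length:
            signals.append((i, SIDE_RUN))

        if i > 0:
            direction = sign(x - points[i - 1])
            if direction != 0 and direction == last_dir:
                trend_run += 1
            else:
                # A change of direction starts a new two-point run.
                trend_run = 2 if direction != 0 else 1
            last_dir = direction
            if trend_run == run_length:
                signals.append((i, TREND_RUN))
    return signals


def out_of_spec(points, lower_spec, upper_spec):
    """Indices of points outside the customer's specification limits."""
    return [i for i, x in enumerate(points)
            if x < lower_spec or x > upper_spec]


if __name__ == "__main__":
    for name, series in [("stable", STABLE), ("shifted", SHIFTED),
                         ("drifting", DRIFTING), ("spike", SPIKE)]:
        print(name, find_signals(series, 50.0, 56.0, 44.0))
    # Within control limits, yet two points miss a 48-52 specification.
    print("out of spec:", out_of_spec(SHIFTED, 48.0, 52.0))
```

The SHIFTED series never leaves the control limits but still raises the one-side signal, and two of its points fall outside the constructed 48 to 52 specification, showing that control limits and specification limits answer different questions.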
🔄 Manage Quality (QA) vs Control Quality (QC)
| Dimension | Manage Quality (QA) | Control Quality (QC) |
|---|---|---|
| Focus | Process improvement — are we using the right processes? | Product inspection — does the deliverable meet requirements? |
| When | Throughout the project (ongoing) | When deliverables are produced |
| Tools | Process audits, quality audits, benchmarking, root cause analysis | Inspections, testing, statistical sampling, control charts |
| Output | Change requests, process improvements, updated plans | Verified deliverables, defect reports, test results |
| Sequence | Happens throughout execution | Typically before Scope Validation |
| Analogy | Reviewing the recipe while cooking | Tasting the dish when it's done |

Procurement Management

Procurement management governs how the project acquires goods and services from outside the organization. The most exam-critical skill is knowing which contract type is appropriate — and who bears the financial risk under each.

📄 Contract Types — Full Breakdown
Fixed Price Family
FFP — Firm Fixed Price
Seller delivers for a set price regardless of actual costs. Most common. Buyer knows exact cost upfront. Seller bears all cost overrun risk — strong incentive to be efficient.
🔴 Risk: Seller
Fixed Price Family
FPIF — Fixed Price Incentive Fee
Fixed target price + incentive fee if seller beats targets (cost, schedule, tech). Ceiling price caps buyer's exposure. Shares risk/reward: seller motivated to perform; buyer shares savings.
🟡 Risk: Mostly Seller
Fixed Price Family
FP-EPA — Fixed Price + Economic Price Adjustment
Fixed price with provisions for pre-defined price adjustments (inflation, commodity indices). Used for long-duration contracts where market conditions may shift significantly.
🟡 Risk: Mostly Seller
Cost Reimbursable Family
CPFF — Cost Plus Fixed Fee
Buyer reimburses all allowable costs + pays a fixed fee (set at contract start). Fee doesn't change with actual costs — seller has little incentive to be efficient.
🔵 Risk: Buyer
Cost Reimbursable Family
CPIF — Cost Plus Incentive Fee
Buyer reimburses costs + fee tied to performance targets (cost, schedule). Savings shared by formula. Motivates seller efficiency. Used when scope is uncertain but performance can be measured.
🟡 Risk: Mostly Buyer
Cost Reimbursable Family
CPAF — Cost Plus Award Fee
Buyer reimburses costs + discretionary award fee based on subjective performance evaluation (buyer's judgment). Seller motivated but fee is uncertain. Used for R&D and innovative work.
🔵 Risk: Buyer
Hybrid
T&M — Time and Material
Pays fixed rate per unit of time + reimburses material costs. No defined end — can grow indefinitely without controls. Add not-to-exceed (NTE) clause to cap exposure. Best for staff augmentation.
🟢 Risk: Shared (NTE-dependent)

Risk Rule of Thumb: Fixed Price = seller bears cost overrun risk. Cost Reimbursable = buyer bears cost overrun risk. T&M = buyer bears risk of scope growth (but NTE clause limits exposure). When scope is well-defined → FFP. When scope is uncertain → Cost Reimbursable. Short-term staff → T&M.

📋 Procurement Documents
| Document | Used When | Seller Responds With |
|---|---|---|
| RFP — Request for Proposal | Scope complex / not fully defined; buyer evaluates approach + price | Proposal (technical approach + price + team) |
| RFQ — Request for Quotation | Scope well-defined; buyer primarily evaluating price | Quotation (price only) |
| RFI — Request for Information | Early market research; not yet soliciting bids | Capability information (no binding offer) |
| IFB — Invitation for Bid | Construction / government; scope fully defined; lowest price wins | Sealed bid (price only) |
| SOW — Statement of Work | Included in all procurement documents | Describes the work the seller must perform |
⚖️ Make-or-Buy Analysis

Before any procurement, the PM performs a make-or-buy analysis to determine whether work should be done internally or outsourced. This is the first step in the Plan Procurement Management process.

Factors favouring Make (in-house): idle internal capacity; proprietary technology; need for direct control; cost savings; confidentiality concerns.

Factors favouring Buy (outsource): specialized expertise not available internally; capacity constraints; risk transfer possible; one-time need not worth building internal capability; cost competitive.

Lease vs Buy decision: When equipment is needed, lease if the need is short-term or the lease cost per period × number of periods < purchase price. Buy if long-term need justifies the capital expense.

Centralized vs Decentralized Contracting: Centralized = one procurement department handles all contracts (expertise, consistency, career path for procurement staff). Decentralized = each project has its own procurement officer (more responsive, but inconsistent practices).

Integration

Risk, quality, and procurement are interconnected throughout the project. Risk drives procurement strategy. Quality requirements shape contract SOWs. Risk responses often involve procurement decisions.

🔗 How Risk Influences Procurement
| Risk Situation | Procurement Response | Logic |
|---|---|---|
| Buyer wants to transfer cost overrun risk | Use FFP contract | Seller bears all overruns under fixed price |
| Scope is unclear; buyer needs flexibility | Use CPFF or CPIF | Cost reimbursable accommodates undefined scope |
| Seller performance uncertainty is high | Use FPIF or CPIF | Incentive fee motivates seller performance |
| New technology; R&D work | Use CPAF or CPFF | Can't define scope or measure performance objectively upfront |
| Key vendor identified as project risk | Dual-source / backup vendor | Risk mitigation through vendor redundancy |
📊 Quality Meets Risk — Prevention as Risk Response

Quality prevention activities are also risk mitigation strategies. A risk identified as "technical defects may delay delivery" is mitigated by investing in design reviews, code reviews, and testing — all quality prevention and appraisal activities.

CoQ and Risk: The contingency reserve is sized partly based on the cost of non-conformance risks. Projects that under-invest in prevention face higher failure costs, which should be captured in the risk register as quantified threats.

Quality audits (QA) can identify whether risk responses are being executed as planned. If a mitigation action (e.g., code review process) is not being followed, a quality audit surfaces the gap before it becomes a defect or delay.

Procurement Quality Controls

Quality requirements for vendor deliverables must be specified in the SOW and evaluated during source selection. Key mechanisms:

  • Acceptance criteria in SOW define measurable quality standards the vendor must meet
  • Inspection & audits of vendor work (may be a contract right)
  • Warranty provisions transfer defect-correction responsibility post-delivery
  • Procurement audits at close review the entire process for lessons learned
📋 Key Terms — Quick Reference
| Term | Definition |
|---|---|
| Risk Appetite | Overall degree of uncertainty an organization is willing to accept in pursuit of rewards (strategic, broad) |
| Risk Tolerance | Specific range of acceptable variation around an objective (tactical — e.g., "±10% budget variance is acceptable") |
| Risk Threshold | The specific point at which a risk becomes unacceptable and must be escalated or responded to |
| Residual Risk | Risk remaining after a response has been implemented — what you still live with |
| Secondary Risk | New risk created by implementing a risk response |
| Workaround | Unplanned response to an unidentified risk that has occurred (reactive) |
| Trigger Condition | Early warning sign that a risk is about to occur or has occurred |
| Gold Plating (Quality) | Adding features beyond agreed requirements — prohibited even if well-intentioned |
| Prevention over Inspection | PMI quality principle: build quality in from the start rather than inspect it in at the end |
| Privity of Contract | Legal relationship directly between contracting parties only — PM has no direct relationship with subcontractors of vendor |

Practice Quiz

10 questions covering risk responses, EMV calculations, quality tools, control charts, and contract types.

Question 1 of 10
A risk has a 40% probability of occurring and would cost $50,000 to resolve if it does. What is the Expected Monetary Value (EMV)?
A. $20,000
B. $30,000
C. $50,000
D. $90,000
EMV = Probability × Impact = 0.40 × $50,000 = $20,000. This represents the expected financial exposure from this risk. EMV is used to size contingency reserves and compare decision tree alternatives. Option B ($30,000) = 60% × $50,000 (using the complement probability — a common trap). Option D adds them together incorrectly.
Question 2 of 10
The buyer has a project with highly uncertain scope and wants the seller to bear as little financial risk as possible to encourage participation. Which contract type is MOST appropriate?
A. FFP — Firm Fixed Price
B. CPFF — Cost Plus Fixed Fee
C. FPIF — Fixed Price Incentive Fee
D. T&M — Time and Material
CPFF puts financial risk on the buyer (cost reimbursable) — the seller is paid all allowable costs plus a fixed fee. This is appropriate when scope is uncertain, as sellers won't bid FFP on vague scope (or will inflate the price dramatically to cover risk). The buyer is explicitly accepting the cost uncertainty in exchange for seller participation. FFP would place all uncertainty risk on the seller, which discourages bids or leads to inflated prices.
Question 3 of 10
A control chart shows 7 consecutive data points all falling on the same side of the mean, but all within the Upper and Lower Control Limits. What does this indicate?
A. The process is in control — all points are within the limits.
B. The process needs new control limits recalculated.
C. The process is out of control — the 7-point rule indicates a non-random pattern.
D. The process is performing better than expected; no action needed.
The Rule of Seven states that 7 consecutive points on one side of the mean (or trending in one direction) is a statistically significant non-random pattern — the process is considered out of control, even if all points are within UCL and LCL. This indicates a special cause (assignable cause) that requires investigation, just as a point outside the control limits would. Being within the limits is necessary but not sufficient to declare a process in control.
Question 4 of 10
A project team identifies a risk that a key vendor may go out of business. They decide to add a backup vendor to the approved vendor list. Which risk response strategy is this?
A. Mitigate — reducing the probability or impact of the threat.
B. Avoid — eliminating the threat by changing the plan.
C. Transfer — shifting the risk to a third party.
D. Accept — acknowledging the risk without active response.
Adding a backup vendor is Mitigate — it reduces the impact of the threat (if the primary vendor fails, work continues with the backup, reducing delay/cost impact). The threat itself (vendor going out of business) is not eliminated (not Avoid), not transferred to a third party (not Transfer — insurance would be Transfer), and not simply accepted. Mitigation reduces probability or impact to an acceptable level.
Question 5 of 10
Which category in the Cost of Quality framework includes the cost of training employees and documenting processes?
A. Appraisal costs
B. Internal failure costs
C. Prevention costs
D. External failure costs
Training and process documentation are Prevention costs — investments made to prevent defects from occurring in the first place. Prevention costs are the most beneficial form of CoQ investment. Appraisal costs cover testing and inspections (finding defects). Internal failures = rework before delivery. External failures = warranty claims, recalls after delivery. Prevention > Appraisal > Failure in terms of cost-effectiveness.
Question 6 of 10
A PM is analyzing project risks and wants to determine which root causes are responsible for the most defects. Which quality tool is BEST suited for this?
A. Control chart
B. Pareto chart
C. Scatter diagram
D. Histogram
The Pareto chart ranks defect causes by frequency and overlays a cumulative percentage line — directly revealing which causes are responsible for the most defects (80/20 rule). It prioritizes where to focus improvement efforts. Control charts track process stability over time. Scatter diagrams show correlation between two variables. Histograms show frequency distribution of a single variable without ranking by cause.
Question 7 of 10
A new risk emerges because the team implemented a risk mitigation response. This new risk is called a:
A. Secondary risk
B. Residual risk
C. Workaround
D. Trigger condition
A secondary risk is a new risk that arises as a direct result of implementing a risk response. Example: hiring a subcontractor to mitigate a capacity risk creates a new integration/coordination risk — that new risk is secondary. Residual risk is what remains of the original risk after the response is applied. A workaround is an unplanned response to an unidentified risk that occurs. A trigger condition is an early warning sign that a risk is imminent.
Question 8 of 10
The buyer needs to procure specialized consulting services where scope cannot be fully defined upfront. The engagement will last about 3 months. Which procurement document should the buyer issue?
A. IFB — Invitation for Bid
B. RFQ — Request for Quotation
C. RFP — Request for Proposal
D. RFI — Request for Information
An RFP (Request for Proposal) is used when scope is not fully defined and the buyer wants sellers to propose their approach, methodology, team, and price. It allows evaluation of the seller's solution, not just their price. RFQ is for well-defined work where price is the primary differentiator. IFB is used in construction/government with fully defined scope where the lowest compliant bid wins. RFI is for market research only — not soliciting actual bids.
Question 9 of 10
Manage Quality (QA) and Control Quality (QC) are distinct processes. Which statement BEST describes the difference?
A. QA inspects deliverables; QC improves processes.
B. QA audits processes to improve them; QC inspects deliverables to verify they meet requirements.
C. QA and QC are interchangeable terms for the same process.
D. QC is performed before QA in the project lifecycle.
QA (Manage Quality) audits processes — it asks "are we using the right methods?" Output: process improvements, change requests. QC (Control Quality) inspects deliverables — it asks "does this output meet the requirements?" Output: verified deliverables, defect reports. QC typically happens after production but before Scope Validation. QA is ongoing throughout execution. They are completely different processes that complement each other.
Question 10 of 10
Which quantitative risk analysis technique runs thousands of simulations to produce a probability distribution of possible project end dates or costs?
A. Monte Carlo simulation
B. Expected Monetary Value (EMV) analysis
C. Probability-Impact Matrix
D. Delphi technique
Monte Carlo simulation randomly samples from probability distributions for each uncertain input (activity durations, costs) across thousands of iterations to produce a complete probability distribution of outcomes — including the probability of finishing on any given date or within any given budget. EMV produces a single point estimate. The P-I Matrix is qualitative (no numerical simulation). Delphi is a risk identification technique, not a quantitative analysis method.

Memory Hooks & Advisor

Mnemonics and patterns to lock in risk responses, CoQ categories, contract types, and quality tools before exam day.

🛡️
4 Threat Responses = ATMA
Avoid (eliminate the risk), Transfer (give it to someone else), Mitigate (reduce P or I), Accept (live with it — active with contingency plan, or passive). Escalate is the 5th for things outside your authority.
"A Thoughtful Manager Accepts — but escalates when needed"
🌟
4 Opportunity Responses = ESEA
Exploit (guarantee it happens), Share (partner to capture it), Enhance (increase P or I), Accept (take it if it comes). Mirrors threat responses: Avoid↔Exploit, Transfer↔Share, Mitigate↔Enhance, Accept↔Accept.
"Exploit Shared Enhancements Actively"
💸
CoQ: Prevention < Appraisal < Failure
Prevention costs the least per defect avoided. Appraisal finds defects but doesn't prevent them. Internal failure = rework before delivery. External failure = most expensive (recall, liability, reputation). Invest in prevention first.
"Pay now (prevention) or pay much more later (failure)"
📋
Contract Risk: Fixed=Seller, CR=Buyer
Fixed Price (FFP/FPIF/FP-EPA) — seller takes cost overrun risk. Cost Reimbursable (CPFF/CPIF/CPAF) — buyer takes cost overrun risk. T&M is hybrid — add NTE clause to cap buyer's exposure.
"Fixed Price = seller sweats; Cost Plus = buyer pays"
📈
Rule of 7 = Out of Control
7 consecutive points on one side of the mean OR trending in one direction = special cause = out of control, even if within UCL/LCL. Being inside the limits is necessary but not sufficient. Investigate the non-random pattern.
"Seven in a row? Something's wrong — go investigate"
🐟
Fishbone = Root Causes; Pareto = Vital Few
Ishikawa/fishbone diagram: WHY did the defect happen? (branches = cause categories — 6Ms). Pareto chart: WHICH causes matter most? (80% of defects from 20% of causes). Use fishbone first to identify, Pareto to prioritize.
"Fish finds reasons; Pareto picks priorities"
🔢
EMV = P × I (with sign)
Threats: negative EMV. Opportunities: positive EMV. Sum all risk EMVs to get total expected impact. Used to size contingency reserves and compare decision tree alternatives. Monte Carlo gives you the full distribution; EMV gives one number.
"Threat EMV is negative — opportunity EMV is positive"
🔄
QA = Process; QC = Product
QA (Manage Quality) = audit the process — are we doing things the right way? QC (Control Quality) = inspect the output — did we make the right thing? QC happens after production; scope validation happens after QC. Never reverse the order.
"QA checks the kitchen; QC tastes the dish"
🃏 Flashcards

Formula: EMV Formula
Answer: EMV = Probability × Impact. Threat = negative · Opportunity = positive

Concept: Residual vs Secondary Risk
Answer: Residual = risk remaining after response. Secondary = new risk created BY the response

Rule: Control Chart Rule of Seven
Answer: 7 consecutive points on one side of mean (or trending) = out of control, even within UCL/LCL

Concept: Which contract = most risk on BUYER?
Answer: Cost Reimbursable (CPFF, CPIF, CPAF). Buyer pays all allowable costs regardless

Tool: Which quality tool uses the 80/20 rule?
Answer: Pareto chart — 80% of defects from 20% of causes. Ranked bar chart with cumulative % overlay.

Strategy: Opportunity equivalent of "Avoid"
Answer: Exploit — ensure the opportunity definitely occurs. Mirror of Avoid (which eliminates the threat).

CoQ: Most expensive cost of quality category
Answer: External failure costs — defects found after delivery. Includes warranty, liability, recall, reputation damage.

Procurement: Use RFP vs RFQ — when?
Answer: RFP: scope unclear, evaluating approach + price. RFQ: scope defined, evaluating price only

🤖 Expert Advisor — Ask a Category

⚠️ Risk Identification & Analysis

  • Risk register is created during risk identification and updated throughout the project — it's a living document, not a one-time deliverable.
  • Qualitative analysis (P-I matrix) prioritizes risks quickly without detailed data. Always done first. Outputs: ranked risk list, watch list, risks requiring quantitative analysis.
  • Quantitative analysis uses numerical models — EMV for single decisions, Monte Carlo for full distributions. Not all risks need quantitative analysis; only high-priority ones identified in qualitative analysis.
  • EMV = Probability × Impact. Threats are negative; opportunities positive. Sum all risk EMVs to find total expected impact for contingency reserve sizing.
  • Monte Carlo simulation produces a probability distribution (S-curve) of outcomes. Use it to find the P80 date (80% confidence of finishing by then) and to identify which activities have the most schedule/cost uncertainty (tornado diagram).
  • Risk appetite vs tolerance vs threshold: Appetite = overall attitude to risk (strategic). Tolerance = acceptable variation range (tactical). Threshold = the specific point at which a risk must be escalated or acted upon.

🛡️ Risk Responses

  • Threats (ATMA+E): Avoid (eliminate), Transfer (insure/fixed-price contract), Mitigate (reduce P or I), Accept (active with contingency or passive), Escalate (outside PM authority).
  • Opportunities (ESEA+E): Exploit (guarantee it), Share (partner), Enhance (increase P or I), Accept, Escalate.
  • Transfer does not eliminate the risk — it shifts the financial consequence to a third party. The risk event can still occur (e.g., insured flood still happens; insurance pays the cost).
  • Active acceptance = create a contingency plan in advance (documented response triggered by a specific condition). Passive acceptance = log it; take no action unless it occurs.
  • Residual risk = what remains after a response. Secondary risk = new risk created by the response itself. Both must be added to the risk register and managed.
  • Workaround = unplanned response to an unidentified risk. Workarounds often result in change requests and updates to the risk register.

✅ Quality Management

  • Cost of Quality: Conformance = Prevention (training, documentation) + Appraisal (testing, inspection). Non-Conformance = Internal failure (rework, scrap) + External failure (warranty, recall). Prevention is cheapest per defect avoided.
  • QA (Manage Quality) = process improvement, audits, benchmarking. Output: quality reports, change requests. QC (Control Quality) = inspect deliverables, statistical sampling, control charts. Output: verified deliverables.
  • Control chart: UCL and LCL at ±3σ. Points outside = special cause = out of control. Rule of 7: seven consecutive points on one side of mean or trending = out of control even within limits.
  • Pareto chart (80/20): focuses improvement on the vital few causes. Ishikawa/fishbone: identifies root causes (6Ms: Man, Machine, Method, Material, Measurement, Mother Nature).
  • Scatter diagram: shows correlation between two variables — does not prove causation. Histogram: frequency distribution of a single variable. Check sheet: structured data tally.
  • Prevention over inspection is PMI's quality principle: it is always less expensive to prevent defects than to find and fix them after the fact.

📄 Contract Types

  • Fixed Price family: Seller bears cost overrun risk. FFP = most common, fixed total price. FPIF = fixed target + incentive fee if performance targets met (ceiling price protects buyer). FP-EPA = fixed price with inflation adjustment for long contracts.
  • Cost Reimbursable family: Buyer reimburses all allowable costs. CPFF = fixed fee regardless of costs (seller has little efficiency incentive). CPIF = fee tied to performance targets (motivates seller). CPAF = discretionary award fee at buyer's judgment (R&D/innovative work).
  • T&M (Time and Material): Hybrid — fixed rate per unit time + material reimbursement. No defined scope end — can grow indefinitely. Always add a not-to-exceed (NTE) clause to cap buyer exposure. Best for staff augmentation.
  • Select contract type based on scope certainty: well-defined → FFP. Uncertain → CR. Short-term/evolving → T&M with NTE.
  • Under FFP, if actual costs exceed the contract price, the seller absorbs the loss. This motivates cost efficiency but can lead to disputes if scope is unclear — sellers will pad estimates to cover risk.
  • Privity of contract: legal relationship exists only between contracting parties. PM has no direct legal relationship with subcontractors of vendors — must work through the prime vendor.

📋 Procurement Process

  • Make-or-buy analysis is the first step in planning procurement — determine whether to build internally or purchase before selecting contract type or issuing solicitation documents.
  • RFP: complex/undefined scope; evaluate approach + price + team. RFQ: defined scope; price is primary criterion. IFB: fully defined scope (government/construction); lowest compliant bid wins. RFI: market research only; not a bid solicitation.
  • Statement of Work (SOW) describes what the seller must deliver — scope, deliverables, location, schedule. Included in all procurement documents. Quality requirements and acceptance criteria belong in the SOW.
  • Source selection criteria weight technical capability, experience, price, references, past performance, and management approach. Not solely price — especially for complex or risky procurements.
  • Centralized contracting: one procurement department handles all contracts — expertise, consistency, career development for procurement staff. Decentralized: each PM has own procurement officer — more responsive, less consistent.
  • Procurement audits at project close review the entire procurement process — what worked, what didn't, lessons learned to improve future procurements.